Bug 218987

Summary: [patch][linux] panic in linux_sys_futex() with FUTEX_WAKE_OP
Product: Base System Reporter: luke.tw
Component: kernAssignee: Dmitry Chagin <dchagin>
Status: Closed FIXED    
Severity: Affects Only Me CC: dchagin
Priority: --- Keywords: patch
Version: CURRENT   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch for linux_sys_futex() none

Description luke.tw 2017-05-01 09:36:43 UTC 
Created attachment 182207 [details]
patch for linux_sys_futex()

In linux compat layer, the syscall futex does not handle FUTEX_WAKE_OP well when using the same address for arguments uaddr and uaddr2. 

The following linux program can result in kernel panic.

#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <sys/syscall.h>

#include <linux/futex.h>
#include <sys/time.h>

static int
futex(int *uaddr, int futex_op, int val,
		int val2, int *uaddr2, int val3)
{
	return syscall(SYS_futex, uaddr, futex_op, val,
			val2, uaddr, val3);
}

int main(void){
	int ret;
	int addr;

	ret = futex(&addr, FUTEX_WAKE_OP, 1, 1, &addr, 2);
	printf("ret: %d\n", ret);
}
Comment 1 Dmitry Chagin freebsd_committer freebsd_triage 2017-05-01 11:48:52 UTC 
take
Comment 2 commit-hook freebsd_committer freebsd_triage 2017-05-01 12:26:34 UTC 
A commit references this bug:

Author: dchagin
Date: Mon May  1 12:25:37 UTC 2017
New revision: 317645
URL: https://svnweb.freebsd.org/changeset/base/317645

Log:
  Fix NULL pointer dereference in futex_wake_op() in case when the same
  address specified for arguments uaddr and uaddr2.

  PR:		218987
  Reported by:	luke.tw gmail
  MFC after:	1 week

Changes:
  head/sys/compat/linux/linux_futex.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-05-08 10:52:30 UTC 
A commit references this bug:

Author: dchagin
Date: Mon May  8 10:51:30 UTC 2017
New revision: 317936
URL: https://svnweb.freebsd.org/changeset/base/317936

Log:
  MFC r317645:

  Fix NULL pointer dereference in futex_wake_op() in case when the same
  address specified for arguments uaddr and uaddr2.

  PR:		218987

Changes:
_U  stable/11/
  stable/11/sys/compat/linux/linux_futex.c