Bug 218987 - [patch][linux] panic in linux_sys_futex() with FUTEX_WAKE_OP
Summary: [patch][linux] panic in linux_sys_futex() with FUTEX_WAKE_OP
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Dmitry Chagin
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2017-05-01 09:36 UTC by luke.tw
Modified: 2017-05-08 10:52 UTC

See Also:


Attachments
patch for linux_sys_futex() (397 bytes, patch)
2017-05-01 09:36 UTC, luke.tw

Description luke.tw 2017-05-01 09:36:43 UTC
Created attachment 182207 [details]
patch for linux_sys_futex()

In linux compat layer, the syscall futex does not handle FUTEX_WAKE_OP well when using the same address for arguments uaddr and uaddr2. 

The following linux program can result in kernel panic.

#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <sys/syscall.h>

#include <linux/futex.h>
#include <sys/time.h>

/* Thin wrapper around the raw futex(2) system call. */
static int
futex(int *uaddr, int futex_op, int val,
		int val2, int *uaddr2, int val3)
{
	return syscall(SYS_futex, uaddr, futex_op, val,
			val2, uaddr2, val3);
}

int main(void){
	int ret;
	int addr;

	/* FUTEX_WAKE_OP with uaddr == uaddr2: both operands name the same word. */
	ret = futex(&addr, FUTEX_WAKE_OP, 1, 1, &addr, 2);
	printf("ret: %d\n", ret);
	return 0;
}
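A simplified userland model of the aliasing hazard this PR describes, added here as an example; it is not FreeBSD's linux_futex.c, and the structure (two futex-object lookups, with the second skipped when uaddr and uaddr2 alias) is an assumption chosen to show why the aliased case needs explicit handling.

```c
/* Added example: constructed model, not the kernel's futex code. */
#include <stddef.h>
#include <stdint.h>

struct futex { uintptr_t key; int waiters; };

/* Tiny fixed table standing in for the kernel's futex list. */
static struct futex table[4];

/* Look up (or create) the futex object for a user address. */
static struct futex *futex_get(const int *uaddr)
{
	uintptr_t key = (uintptr_t)uaddr;
	for (size_t i = 0; i < 4; i++) {
		if (table[i].key == key) return &table[i];
		if (table[i].key == 0) { table[i].key = key; return &table[i]; }
	}
	return NULL;
}

/* Hazardous pattern: the second lookup is skipped when the addresses alias
 * (so the same object is not acquired twice), but f2 is then used anyway.
 * Returns -2 where real code would dereference NULL, so a test can observe it;
 * otherwise returns the number of distinct objects touched. */
static int wake_op_hazard(const int *uaddr, const int *uaddr2)
{
	struct futex *f = futex_get(uaddr), *f2 = NULL;
	if (f == NULL) return -1;
	if (uaddr != uaddr2) f2 = futex_get(uaddr2);
	if (f2 == NULL) return -2;	/* NULL pointer dereference in real code */
	return (f == f2) ? 1 : 2;
}

/* Hardened pattern: when the addresses alias, f2 is explicitly the same object
 * as f, so every later use of f2 has a valid pointer. */
static int wake_op_fixed(const int *uaddr, const int *uaddr2)
{
	struct futex *f = futex_get(uaddr), *f2;
	if (f == NULL) return -1;
	f2 = (uaddr == uaddr2) ? f : futex_get(uaddr2);
	if (f2 == NULL) return -1;
	return (f == f2) ? 1 : 2;
}

/* Constructed user words for the two cases. */
static int word_a, word_b;
```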
Comment 1 Dmitry Chagin freebsd_committer freebsd_triage 2017-05-01 11:48:52 UTC
take
Comment 2 commit-hook freebsd_committer freebsd_triage 2017-05-01 12:26:34 UTC
A commit references this bug:

Author: dchagin
Date: Mon May  1 12:25:37 UTC 2017
New revision: 317645
URL: https://svnweb.freebsd.org/changeset/base/317645

Log:
  Fix NULL pointer dereference in futex_wake_op() in case when the same
  address specified for arguments uaddr and uaddr2.

  PR:		218987
  Reported by:	luke.tw gmail
  MFC after:	1 week

Changes:
  head/sys/compat/linux/linux_futex.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-05-08 10:52:30 UTC
A commit references this bug:

Author: dchagin
Date: Mon May  8 10:51:30 UTC 2017
New revision: 317936
URL: https://svnweb.freebsd.org/changeset/base/317936

Log:
  MFC r317645:

  Fix NULL pointer dereference in futex_wake_op() in case when the same
  address specified for arguments uaddr and uaddr2.

  PR:		218987

Changes:
_U  stable/11/
  stable/11/sys/compat/linux/linux_futex.c