Date:      Tue, 7 Jan 1997 15:43:27 -0600 (CST)
From:      Hector Gonzalez Jaime <cacho@crysophylax.sc.iteso.mx>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/2406: shmat(2) blues
Message-ID:  <199701072143.PAA14614@crysophylax.sc.iteso.mx>
Resent-Message-ID: <199701072150.NAA13683@freefall.freebsd.org>


>Number:         2406
>Category:       kern
>Synopsis:       shmat(2) fails under 2.1.6R
>Confidential:   yes
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan  7 13:50:01 PST 1997
>Last-Modified:
>Originator:     Hector Gonzalez Jaime
>Organization:
ITESO university, Guadalajara, Mexico.
>Release:        FreeBSD 2.1.6-RELEASE i386
>Environment:

Different systems running FreeBSD 2.1.6 and 2.1.5, with GENERIC kernels or
shared memory enabled kernels.

>Description:

Misuse of shmat(2) can reboot a system without a core dump, panic or anything.
When shmat is sent an unallocated pointer by any user that previously requested
shared memory, it will not fail or dump core, but will cause a reset.

>How-To-Repeat:

Run shmg first, then shmd.

--shmg.c--
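#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>

int main(void)
{
  int shmid;

  /* Create an 8192-byte segment under key 10 for shmd to look up. */
  shmid = shmget(10, 8192, SHM_R | SHM_W | IPC_CREAT);
  if (shmid == -1) {
    perror("shmget");
    return 1;
  }

  return 0;
}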
--end
--shmd.c
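#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>

int main(void)
{
  /* Left uninitialized on purpose: this is the unallocated pointer
     that the report passes to shmat(2). */
  void *apunta;
  int shmid;

  /* Look up the segment that shmg created under key 10. */
  shmid = shmget(10, 8192, 0);
  printf("%d\n", shmid);

  /* Attach at the garbage address; this call should fail cleanly. */
  shmat(shmid, apunta, SHM_RND);
  perror("shmat");

  /* Remove the segment. */
  shmctl(shmid, IPC_RMID, 0);

  return 0;
}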
--end.

>Fix:
	
	

>Audit-Trail:
>Unformatted:
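
Added example, not part of the original report and not FreeBSD project code: a regression check for the behaviour the report expects, namely that shmat(2) refuses a bogus attach address with an error instead of taking the system down. The helper name `shmat_rejects_bad_addr` is hypothetical, and the check assumes the POSIX rule that an illegal attach address without SHM_RND yields EINVAL.

```c
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical helper (added example).
 * Returns  0 if a bogus attach address is refused with EINVAL,
 *          1 if the kernel accepts it or reports a different error,
 *         -1 if SysV shared memory cannot be used here (check skipped).
 */
int shmat_rejects_bad_addr(void)
{
    int result = 0;
    void *p;

    /* Private, owner-only segment: no fixed key shared with other users. */
    int shmid = shmget(IPC_PRIVATE, 8192, IPC_CREAT | 0600);
    if (shmid == -1)
        return -1;

    /* Sanity check: a NULL address lets the kernel pick the mapping. */
    p = shmat(shmid, NULL, 0);
    if (p == (void *)-1) {
        shmctl(shmid, IPC_RMID, NULL);
        return -1;
    }
    shmdt(p);

    /* Address 1 can never be SHMLBA-aligned; without SHM_RND it must fail. */
    errno = 0;
    p = shmat(shmid, (void *)(uintptr_t)1, 0);
    if (p != (void *)-1) {
        shmdt(p);
        result = 1;
    } else if (errno != EINVAL) {
        result = 1;
    }

    /* Always remove the segment so it does not outlive the check. */
    shmctl(shmid, IPC_RMID, NULL);
    return result;
}

int main(void)
{
    int r = shmat_rejects_bad_addr();
    printf("bad-address attach: %s\n",
           r == 0 ? "refused with EINVAL" : r == 1 ? "MISBEHAVED" : "skipped");
    return r == 1;
}
```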


