From owner-freebsd-bugs Sun Dec 3 18:00:17 1995
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id SAA14009 for bugs-outgoing; Sun, 3 Dec 1995 18:00:17 -0800
Received: (from gnats@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id SAA13956 ; Sun, 3 Dec 1995 18:00:12 -0800
Resent-Date: Sun, 3 Dec 1995 18:00:12 -0800
Resent-Message-Id: <199512040200.SAA13956@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, nox@jelal.hb.north.de
Received: from deceased.hb.north.de (deceased.hb.north.de [194.94.232.249]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id RAA13675 for ; Sun, 3 Dec 1995 17:50:50 -0800
Received: from jelal.hb.north.de by deceased.hb.north.de with uucp (Smail3.1.29.1) id m0tMQ1R-000ZZ6C; Mon, 4 Dec 95 02:48 MET
Received: by jelal.hb.north.de (SMail-ST 0.95gcc/2.5+) id AA00063; Sun, 3 Dec 1995 19:11:10 +0100 (CET)
Received: (from nox@localhost) by saturn (8.6.11/8.6.9) id QAA01012; Sun, 3 Dec 2000 16:44:37 +0100
Message-Id: <200012031544.QAA01012@saturn>
Date: Sun, 3 Dec 1995 16:44:37 +0100
From: nox@jelal.hb.north.de
Reply-To: nox@jelal.hb.north.de
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/865: bogus shmdt(2) call -> page fault
Sender: owner-bugs@freebsd.org
Precedence: bulk

>Number: 865
>Category: kern
>Synopsis: bogus shmdt(2) call can crash system
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 3 18:00:08 PST 1995
>Last-Modified:
>Originator: Juergen Lock
>Organization: Orga-what? :)
>Release: FreeBSD 2.0-BUILT-19950603 i386
>Environment: 2.1.0 kernel (rest partly 2.0.5...)
>Description:
>How-To-Repeat:
#include
main ()
{
	shmdt(0);
}
>Fix:
Index: sys/kern/sysv_shm.c
@@ -173,6 +173,8 @@ int i; shmmap_s = (struct shmmap_state *)p->p_vmspace->vm_shm; + if (shmmap_s == NULL) + return EINVAL; for (i = 0; i < shminfo.shmseg; i++, shmmap_s++) if (shmmap_s->shmid != -1 && shmmap_s->va == (vm_offset_t)uap->shmaddr) >Audit-Trail: >Unformatted:
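Review bot: the added shmmap_s == NULL check ahead of the for loop has no comment saying when p->p_vmspace->vm_shm can be NULL, so the reason for the early return is not recorded next to the code. A one-line comment would help, for example that the process has no shm map state yet, which is presumably the case in the How-To-Repeat program since it calls shmdt with no earlier attach. Returning EINVAL is a reasonable choice here, since shmdt(2) documents EINVAL for an address that is not an attached segment. The guard is placed correctly before the first shmmap_s->shmid dereference in the loop; any other code in sys/kern/sysv_shm.c that loads p->p_vmspace->vm_shm and then dereferences it should be checked for the same missing test.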