system/5197: 3.9 Kernel panic with more than 10 semaphores

Peter Haag
>Number:         5197
>Category:       system
>Synopsis:       Kernel panic on OpenBSD 3.9 when more than 10 semaphores are allocated
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 10 09:10:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Peter Haag
>Release:        OpenBSD 3.9
>Organization:
net
>Environment:
        <machine, os, target, libraries (multiple lines)>
        System      : OpenBSD 3.9
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
        When more than 10 semaphores are allocated from different processes, the kernel dies:

        uvm_fault(0xd3ac36e4, 0x0, 0, 1) -> e
        kernel: page fault trap, code=0
        Stopped at sys_semget+0x138: movzwl 0x14(%eax), %edx

        Can be reproduced on any hardware.

        Appended are VMware screenshots showing the panic message, ps and trace outputs

>How-To-Repeat:
        Out-of-the-box 3.9 installation.

        The shell script starts several instances of crashme:

#!/bin/sh
# Start 20 crashme instances, each with its own directory (the directory
# is the ftok() path, so every instance gets a different IPC key).

TESTDIR='nftestdir'

for num in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
   mkdir -p "$TESTDIR/$num"
   echo "$num"
   ./crashme "$TESTDIR/$num" &
   sleep 1
done

Stripped-down code to reproduce the panic: crashme.c

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/sem.h>
#include <string.h>
#include <syslog.h>
#include <errno.h>
#include <fcntl.h>
#include <time.h>
#include <signal.h>

static int sem_id, shm_id;

int main(int argc, char **argv) {
        int sem_key, shm_key;
        union semun sem_val;    /* provided by OpenBSD's <sys/sem.h> */
        char *path;

        if ( argc < 2 ) {
                fprintf(stderr, "usage: %s <directory>\n", argv[0]);
                return -1;
        }
        path = argv[1];         /* each instance is given its own directory */

        shm_key = ftok(path, 1);
        if ( shm_key == -1 ) {
                perror("ftok() failed.");
                return -1;
        }

        /* No IPC_CREAT, so no segment is created; shm_id is never used. */
        shm_id = shmget(shm_key, 64, 0600);

        sem_key = ftok(path, 2);
        if ( sem_key == -1 ) {
                perror("ftok() failed.");
                return -1;
        }

        /* One semaphore set per process. It is never removed (no IPC_RMID),
         * so it stays allocated in the kernel after the process exits. */
        sem_id = semget(sem_key, 1, IPC_CREAT | 0600);
        if ( sem_id == -1 ) {
                perror("semget() failed.");
                return -1;
        }

        sem_val.val = 1;
        if ( semctl(sem_id, 0, SETVAL, sem_val) == -1 ) {
                perror("semctl() failed.");
                return -1;
        }

        /* Stay alive while the other instances allocate their sets. */
        sleep(60);

        return 0;
}

>Fix:
        <how to correct or work around the problem, if known (multiple lines)>

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH,  Limmatquai 138,  CH-8001 Zurich,  Switzerland
E-mail: [hidden email] Web: http://www.switch.ch/security

[demime 1.01d removed an attachment of type image/png which had a name of screenshot2.png]

[demime 1.01d removed an attachment of type image/png which had a name of screenshot3.png]

[demime 1.01d removed an attachment of type image/png which had a name of screenshot1.png]

[demime 1.01d removed an attachment of type image/png which had a name of screenshot4.png]


>Release-Note:
>Audit-Trail:
>Unformatted:
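The reproducer above leaves every semaphore set allocated (it never calls IPC_RMID), which is what pushes the kernel past its table size. As an added example that is not part of this PR, the probe below creates semaphore sets in a single process the same way crashme.c does, reports how many the kernel allowed, and removes every set again, so a limit check leaves nothing behind. The MAX_PROBE bound and the Linux-only definition of union semun are assumptions for portability.

```c
/* Added example, not from the PR: create up to 'want' SysV semaphore sets in
 * one process, then remove every one of them (crashme never calls IPC_RMID). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/types.h>
#if defined(__linux__)
/* OpenBSD's <sys/sem.h> supplies union semun (crashme.c relies on that);
 * glibc requires the program to define it itself. */
union semun { int val; struct semid_ds *buf; unsigned short *array; };
#endif
#define MAX_PROBE 64 /* assumed upper bound for a single probe run */
/* Returns how many sets were created (fewer than 'want' means semget or
 * semctl failed; errno then holds that error) or -1 if a set created here
 * could not be removed again. Cleanup always runs, even after an error. */
int probe_sem_sets(int want)
{
    int ids[MAX_PROBE], n, i, rc, saved_errno = 0;
    union semun arg;
    if (want > MAX_PROBE) want = MAX_PROBE;
    for (n = 0; n < want; n++) {
        ids[n] = semget(IPC_PRIVATE, 1, IPC_CREAT | 0600);
        if (ids[n] == -1) {         /* table full, or IPC not permitted */
            saved_errno = errno;
            break;
        }
        arg.val = 1;                /* same initialisation as crashme.c */
        if (semctl(ids[n], 0, SETVAL, arg) == -1) {
            saved_errno = errno;
            n++;                    /* the set exists: it must be removed too */
            break;
        }
    }
    rc = n;
    for (i = 0; i < n; i++)         /* release everything that was allocated */
        if (semctl(ids[i], 0, IPC_RMID) == -1)
            rc = -1;
    if (rc != -1) errno = saved_errno;
    return rc;
}

int main(void)
{
    int n = probe_sem_sets(16);
    if (n == -1) printf("cleanup failed: %s\n", strerror(errno));
    else printf("created and removed %d semaphore set(s)\n", n);
    return 0;
}
```

On a kernel with a small semaphore table the returned count stops at the table size instead of leaving sets allocated; ipcs -s should show nothing from this program afterwards.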