From owner-freebsd-bugs Tue Jan 7 13:50:04 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA13689 for bugs-outgoing; Tue, 7 Jan 1997 13:50:04 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA13683; Tue, 7 Jan 1997 13:50:02 -0800 (PST)
Resent-Date: Tue, 7 Jan 1997 13:50:02 -0800 (PST)
Resent-Message-Id: <199701072150.NAA13683@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, cacho@crysophylax.sc.iteso.mx
Received: from crysophylax.sc.iteso.mx (crysophylax.sc.iteso.mx [148.201.1.32]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id NAA13441 for ; Tue, 7 Jan 1997 13:43:49 -0800 (PST)
Received: (from cacho@localhost) by crysophylax.sc.iteso.mx (8.8.3/8.8.3) id PAA14614; Tue, 7 Jan 1997 15:43:27 -0600 (CST)
Message-Id: <199701072143.PAA14614@crysophylax.sc.iteso.mx>
Date: Tue, 7 Jan 1997 15:43:27 -0600 (CST)
From: Hector Gonzalez Jaime
Reply-To: cacho@crysophylax.sc.iteso.mx
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/2406: shmat(2) blues
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 2406
>Category: kern
>Synopsis: shmat(2) fails under 2.1.6R
>Confidential: yes
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 7 13:50:01 PST 1997
>Last-Modified:
>Originator: Hector Gonzalez Jaime
>Organization: ITESO university, Guadalajara, Mexico.
>Release: FreeBSD 2.1.6-RELEASE i386
>Environment:
Different systems running FreeBSD 2.1.6 and 2.1.5, with GENERIC kernels or shared memory enabled kernels.
>Description:
Misuse of shmat(2) can reboot a system without core dump, panic or anything. When shmat is sent an unallocated pointer by any user that previously requested shared memory, it will not fail or dump core, but will cause a reset.
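>How-To-Repeat:
Run shmg first, then shmd.

--shmg.c--
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>

int main()
{
	void *apunta;
	int shmid;

	/* create an 8 KB segment under key 10 */
	shmid = shmget(10,8192,SHM_R | SHM_W | IPC_CREAT);
	return 0;
}
--end
--shmd.c
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>

int main()
{
	void *apunta;	/* never initialized: the unallocated pointer handed to shmat() */
	int shmid;

	/* look up the segment created by shmg */
	shmid = shmget(10,8192,0);
	printf ("%d\n",shmid);
	shmat (shmid,apunta,SHM_RND);
	perror("shmat");
	/* remove the segment */
	shmctl (shmid,IPC_RMID,0);
	return 0;
}
--end.
>Fix:
>Audit-Trail:
>Unformatted: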