From owner-freebsd-bugs@FreeBSD.ORG  Wed Jul 26 08:04:15 2006
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@freebsd.org
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B993616A4E7
	for <freebsd-bugs@freebsd.org>; Wed, 26 Jul 2006 08:04:15 +0000 (UTC)
	(envelope-from shangjie.li@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.171])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5E2A643D62
	for <freebsd-bugs@freebsd.org>; Wed, 26 Jul 2006 08:04:08 +0000 (GMT)
	(envelope-from shangjie.li@gmail.com)
Received: by ug-out-1314.google.com with SMTP id m2so3209430uge
	for <freebsd-bugs@freebsd.org>; Wed, 26 Jul 2006 01:04:07 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
	h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
	b=Ph5H6baIN4BojQI1taAOt1GIpAP7JHP4qtWUojD+NRre83fZC047CtjjeAHpavxypaQCDEfXSL10hC/Dwr/+vc11ktCaxprRUQFwQX368iYiNnIkgG/sl2TxAsNo5hlrCrxLuI+jBWa106pdPKaTIGUXDx21/dM0Zt9WCYRI4sY=
Received: by 10.78.160.2 with SMTP id i2mr2907565hue;
	Wed, 26 Jul 2006 01:04:06 -0700 (PDT)
Received: by 10.78.127.20 with HTTP; Wed, 26 Jul 2006 01:04:06 -0700 (PDT)
Message-ID: <de71d27b0607260104g1ba570aci2c5980a55d1bb3bf@mail.gmail.com>
Date: Wed, 26 Jul 2006 16:04:06 +0800
From: "=?GB2312?B?wO7J0L3c?=" <shangjie.li@gmail.com>
To: freebsd-bugs@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: semctl bug
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2006 08:04:15 -0000

In file kern/sysv_sem.c:
554 __semctl(td, uap)
555         struct thread *td;
556         struct __semctl_args *uap;
557 {
558         int semid = uap->semid; <<<here  1
559         int semnum = uap->semnum;
560         int cmd = uap->cmd;
561         u_short *array;
562         union semun *arg = uap->arg;
563         union semun real_arg;
564         struct ucred *cred = td->td_ucred;
565         int i, rval, error;
566         struct semid_ds sbuf;
567         struct semid_kernel *semakptr;
568         struct mtx *sema_mtxp;
569         u_short usval, count;
570
571         DPRINTF(("call to semctl(%d, %d, %d, 0x%x)\n",
572             semid, semnum, cmd, arg));
573         if (!jail_sysvipc_allowed && jailed(td->td_ucred))
574                 return (ENOSYS);
575
576         array = NULL;
577
578         switch(cmd) {
579         case SEM_STAT:
580                 if (semid < 0 || semid >= seminfo.semmni) <<<here 2
581                         return (EINVAL);
582                 if ((error = copyin(arg, &real_arg, sizeof(real_arg))) != 0)
583                         return (error);
584                 semakptr = &sema[semid];<<<here 3

>From line 558 to line 578, there must be a mechism to convert the
sem_id to the internal sema array index. In fact, it was missing,
which make the semctl syscall not work well. The  return valure of
semget, the semaphore ID, is larger than 65535.  when test on line 580
return  EINVAL in any case. Following code also using the semid which
is from user directly as index of sema[] array.
-- 
--
|Best regards.
|Shangjie, Li (Ph.D candidate)
|Institute of Software, Chinese Academy of Sciences,
|P.O. Box 8718, Beijing 100080, CHINA
|Phone: (8610)62561197/62635158-1008(O), 82680528(H)
|Email: shangjie02@ios.cn
>---------------------------------------------------<