sem_remove(): fix the loop that compacts sem array on semaphores removal.

As written now, it copies random kernel memory from beyond the bounds
of the array.

Reported and tested by:	pho
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation (kib)
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D23694
Konstantin Belousov 2020-02-15 23:19:23 +00:00
parent 4cb6ea7e8e
commit a7b61c0af1
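The bug the commit message describes, modelled as an added example that is not FreeBSD code: a flat array of semaphore entries with a few guard slots after it standing in for "random kernel memory", compacted once with the old loop and once with the fixed one. The struct, the sizes and the guard value are constructed for the demo; the two loop bodies mirror the before and after index arithmetic of the hunk.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD code: a model of the sem[] compaction in
 * sem_remove(). The kernel keeps one flat array sem[0..semtot) of semaphore
 * values, and removing a set that occupies sem[base..base+nsems) shifts the
 * entries above it down by nsems. The struct and sizes here are constructed.
 */
struct sem {
	int semval;
	int sempid;
};

#define SEMTOT	8	/* entries in use: sem[0..SEMTOT) */
#define GUARD	4	/* slots after the array; must be >= nsems used below */
#define GUARD_VAL (-1)	/* marks memory that lies past semtot */

/* The loop as it was before the fix. Returns the highest index read. */
static int compact_old(struct sem *sem, int semtot, int base, int nsems)
{
	int i, maxread = -1;

	for (i = base; i < semtot; i++) {
		if (i + nsems > maxread)
			maxread = i + nsems;	/* reaches up to semtot+nsems-1 */
		sem[i] = sem[i + nsems];
	}
	return (maxread);
}

/* The loop as fixed: the source index i itself is bounded by semtot. */
static int compact_new(struct sem *sem, int semtot, int base, int nsems)
{
	int i, maxread = -1;

	for (i = base + nsems; i < semtot; i++) {
		if (i > maxread)
			maxread = i;		/* always < semtot */
		sem[i - nsems] = sem[i];
	}
	return (maxread);
}

/* sem[i].semval == i for live entries, GUARD_VAL for the slots past semtot. */
static void init_sem(struct sem *sem)
{
	int i;

	for (i = 0; i < SEMTOT + GUARD; i++) {
		sem[i].semval = i < SEMTOT ? i : GUARD_VAL;
		sem[i].sempid = 0;
	}
}

/*
 * Remove the set at [base, base+nsems) with both loops. Returns 1 if the
 * surviving prefix sem[0..SEMTOT-nsems) comes out identical either way;
 * *old_leaked is set if the old loop copied guard values into sem[].
 */
static int compare_compaction(int base, int nsems, int *old_leaked,
    int *old_max, int *new_max)
{
	struct sem a[SEMTOT + GUARD], b[SEMTOT + GUARD];
	int i, leaked = 0;

	init_sem(a);
	init_sem(b);
	*old_max = compact_old(a, SEMTOT, base, nsems);
	*new_max = compact_new(b, SEMTOT, base, nsems);

	for (i = 0; i < SEMTOT; i++)
		if (a[i].semval == GUARD_VAL)
			leaked = 1;
	*old_leaked = leaked;

	return (memcmp(a, b, (SEMTOT - nsems) * sizeof(struct sem)) == 0);
}

int main(void)
{
	int leaked, old_max, new_max, same;

	/* Remove the set occupying sem[3..5) out of 8 live entries. */
	same = compare_compaction(3, 2, &leaked, &old_max, &new_max);
	printf("old loop highest read index: %d (semtot %d)%s\n", old_max,
	    SEMTOT, old_max >= SEMTOT ? "  <-- past the end" : "");
	printf("new loop highest read index: %d\n", new_max);
	printf("surviving prefix identical: %s; old loop copied past-the-end data: %s\n",
	    same ? "yes" : "no", leaked ? "yes" : "no");
	return (0);
}
```

With base 3 and nsems 2 the old loop reads sem[9] while only sem[0..8) is live, and the two entries at the top of the array end up holding whatever followed it; the fixed loop stops at sem[7] and produces the same surviving prefix, which is the only part the caller should rely on once semtot has been reduced.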

@ -584,8 +584,9 @@ sem_remove(int semidx, struct ucred *cred)
sema[i].u.__sem_base > semakptr->u.__sem_base)
mtx_lock_flags(&sema_mtx[i], LOP_DUPOK);
}
for (i = semakptr->u.__sem_base - sem; i < semtot; i++)
sem[i] = sem[i + semakptr->u.sem_nsems];
for (i = semakptr->u.__sem_base - sem + semakptr->u.sem_nsems;
i < semtot; i++)
sem[i - semakptr->u.sem_nsems] = sem[i];
for (i = 0; i < seminfo.semmni; i++) {
if ((sema[i].u.sem_perm.mode & SEM_ALLOC) &&
sema[i].u.__sem_base > semakptr->u.__sem_base) {
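Review bot: the replacement loop is correct as far as the read side goes: the source index is now i itself, bounded by i < semtot, whereas the old loop read sem[i + semakptr->u.sem_nsems] for i up to semtot - 1 and so touched up to sem_nsems entries past the end of the array, which is the out-of-bounds read the commit message describes. Two things worth a follow-up: first, semakptr->u.__sem_base - sem and semakptr->u.sem_nsems are re-evaluated on every iteration and appear in three loops in this region, so hoisting them into locals (e.g. `base = semakptr->u.__sem_base - sem; nsems = semakptr->u.sem_nsems;`) would make the new loop header `for (i = base + nsems; i < semtot; i++) sem[i - nsems] = sem[i];` far easier to check at a glance; second, the entries sem[semtot - sem_nsems .. semtot - 1] are now left stale rather than overwritten, which is only safe if semtot is decremented by sem_nsems before anything else walks the array, and that adjustment is not in this hunk, so it should be confirmed in the surrounding code.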