#2696 closed defect (fixed)

Unpredictable errno value returned by sem_wait() in case of semaphore deletion

Reported by: Sebastian Huber Owned by: Sebastian Huber
Priority: normal Milestone: 5.1
Component: unspecified Version: 4.10
Severity: normal Keywords:
Cc: Blocked By:
Blocking:

Description

_POSIX_Semaphore_Delete() used -1 for the thread queue flush status which in turn resulted in an invalid memory access in _POSIX_Semaphore_Translate_core_semaphore_return_code().

Change History (5)

comment:1 Changed on Apr 19, 2016 at 1:10:50 PM by Joel Sherrill

I went back to the 4.8 branch and the translation was a switch in semaphorewaitsupp.c which covered all cases. Also the error returned was not -1 but CORE_SEMAPHORE_WAS_DELETED.

Somewhere along the line, the code was changed to a table lookup and range checking was moved to an ifdef DEBUG.

I have no idea why the status returned is no longer CORE_SEMAPHORE_WAS_DELETED which would likely not result in an out of range access.

Did the debug check catch this error? If not, then the debug check is insufficient.

comment:2 Changed on Apr 19, 2016 at 1:14:45 PM by Sebastian Huber

There was no test case, so the debug check was simply not triggered.

comment:3 Changed on Apr 21, 2016 at 5:33:39 AM by Sebastian Huber <sebastian.huber@…>

Resolution: fixed
Status: newclosed

In 90f1265e5dffe0f834ee9c55640a34fd90be8f12/rtems:

score: Fix _CORE_semaphore_Flush()

Use proper CORE_semaphore_Status for _CORE_semaphore_Flush() and
_CORE_semaphore_Destroy() operations.

Close #2696.

comment:4 Changed on May 11, 2017 at 7:31:02 AM by Sebastian Huber

Milestone: 4.124.12.0

comment:5 Changed on Nov 9, 2017 at 6:27:14 AM by Sebastian Huber

Milestone: 4.12.05.1

Milestone renamed

Note: See TracTickets for help on using tickets.