ipc/sem.c : process loops infinitely in exit_sem()
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Medium | Ioanna Alifieraki | |
| Xenial | Fix Released | Medium | Ioanna Alifieraki | |
| Bionic | Fix Released | Medium | Ioanna Alifieraki | |
| Disco | Won't Fix | Medium | Ioanna Alifieraki | |
| Eoan | Fix Released | Medium | Ioanna Alifieraki | |
| Focal | Fix Released | Medium | Ioanna Alifieraki | |
Bug Description
[Description]
Commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage
in exit_sem()") removes a lock that is needed. This leads to a process
looping infinitely in exit_sem() and can also lead to a crash.
[Test case]
Using the reproducer found in [1], it is fairly easy to reach a point where
one of the child processes loops infinitely in exit_sem() between the
for(;;) and the if (semid == -1) block, while it is trying to free its last
sem_undo structure, which has already been freed by freeary().
With commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()") reverted, the issue is no longer reproducible.
[Other]
Patch submitted upstream:
https:/
Changed in linux (Ubuntu Xenial): importance: Undecided → Medium
Changed in linux (Ubuntu Bionic): importance: Undecided → Medium
Changed in linux (Ubuntu Disco): importance: Undecided → Medium
Changed in linux (Ubuntu Eoan): importance: Undecided → Medium
Changed in linux (Ubuntu Focal): importance: Undecided → Medium
Changed in linux (Ubuntu Focal): assignee: nobody → Ioanna Alifieraki (joalif)
Changed in linux (Ubuntu Eoan): assignee: nobody → Ioanna Alifieraki (joalif)
Changed in linux (Ubuntu Disco): assignee: nobody → Ioanna Alifieraki (joalif)
Changed in linux (Ubuntu Bionic): assignee: nobody → Ioanna Alifieraki (joalif)
Changed in linux (Ubuntu Xenial): assignee: nobody → Ioanna Alifieraki (joalif)
description: updated
Changed in linux (Ubuntu Xenial): status: Incomplete → In Progress
Changed in linux (Ubuntu Bionic): status: Incomplete → In Progress
Changed in linux (Ubuntu Disco): status: Incomplete → In Progress
Changed in linux (Ubuntu Eoan): status: Incomplete → In Progress
Changed in linux (Ubuntu Focal): status: Incomplete → In Progress
Changed in linux (Ubuntu Xenial): status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic): status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco): status: In Progress → Fix Committed
Changed in linux (Ubuntu Eoan): status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco): status: Fix Committed → Won't Fix
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1858834
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.