From cacho@crysophylax.sc.iteso.mx  Tue Jan  7 13:43:50 1997
Received: from crysophylax.sc.iteso.mx (crysophylax.sc.iteso.mx [148.201.1.32])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id NAA13441
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 7 Jan 1997 13:43:49 -0800 (PST)
Received: (from cacho@localhost) by crysophylax.sc.iteso.mx (8.8.3/8.8.3) id PAA14614; Tue, 7 Jan 1997 15:43:27 -0600 (CST)
Message-Id: <199701072143.PAA14614@crysophylax.sc.iteso.mx>
Date: Tue, 7 Jan 1997 15:43:27 -0600 (CST)
From: Hector Gonzalez Jaime <cacho@crysophylax.sc.iteso.mx>
Reply-To: cacho@crysophylax.sc.iteso.mx
To: FreeBSD-gnats-submit@freebsd.org
Subject: shmat(2) blues
X-Send-Pr-Version: 3.2

>Number:         2406
>Category:       kern
>Synopsis:       shmat(2) fails under 2.1.6R
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan  7 13:50:01 PST 1997
>Closed-Date:    Tue Feb 25 15:56:48 PST 1997
>Last-Modified:  Tue Feb 25 15:57:57 PST 1997
>Originator:     Hector Gonzalez Jaime
>Release:        FreeBSD 2.1.6-RELEASE i386
>Organization:
ITESO university, Guadalajara, Mexico.
>Environment:

Different systems running FreeBSD 2.1.6 and 2.1.5, with GENERIC kernels or
shared memory enabled kernels.

>Description:

Misuse of shmat(2) can reboot a system without a core dump, panic or anything.
When shmat is sent an unallocated pointer by any user that previously requested
shared memory, it will not fail or dump core, but will cause a reset.

>How-To-Repeat:

Run shmg first, then shmd.

--shmg.c--
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>

int main(void)
{
  int shmid;

  /* Create an 8 KiB segment under key 10 so that shmd can find it. */
  shmid = shmget(10, 8192, SHM_R | SHM_W | IPC_CREAT);
  if (shmid == -1)
    perror("shmget");

  return 0;
}
--end--
--shmd.c--
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>

int main(void)
{
  void *apunta;   /* deliberately left uninitialized: this garbage address is the trigger */
  int shmid;

  /* Look up the segment that shmg created under key 10. */
  shmid = shmget(10, 8192, 0);
  printf("%d\n", shmid);

  /* Attach at an unallocated address: shmat should fail with EINVAL, not reset the machine. */
  shmat(shmid, apunta, SHM_RND);
  perror("shmat");

  /* Mark the segment for removal once the last process detaches. */
  shmctl(shmid, IPC_RMID, 0);

  return 0;
}
--end--
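For contrast with the reproducer above, here is the defensive calling convention for shmat(2) as an added example; it is not part of this PR or of any FreeBSD code. It passes NULL as shmaddr so the kernel chooses the mapping address, compares the result against (void *)-1 (the documented failure value), and always detaches and removes the segment. The errno values treated as "SysV IPC not available on this host" are an assumption chosen for the example.

```c
/* Added example, not from PR 2406: safe shmat(2) usage.
 * Assumed errno values for "no SysV IPC here": ENOSYS, EPERM, ENOSPC. */
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Create a private segment, attach it without guessing an address, touch
 * every byte, detach, and remove it.
 * Returns 0 on success, 1 when SysV shared memory is unavailable on this
 * host, and -1 on any other error. */
int shm_roundtrip(size_t len)
{
    int shmid = shmget(IPC_PRIVATE, len, IPC_CREAT | 0600);
    if (shmid == -1) {
        perror("shmget");
        return (errno == ENOSYS || errno == EPERM || errno == ENOSPC) ? 1 : -1;
    }

    /* NULL shmaddr: let the kernel pick a suitable address. Never pass an
     * uninitialized or otherwise unmapped pointer here. */
    void *seg = shmat(shmid, NULL, 0);
    if (seg == (void *)-1) {          /* shmat reports failure as (void *)-1, not NULL */
        perror("shmat");
        shmctl(shmid, IPC_RMID, NULL);
        return -1;
    }

    int ok = 1;
    memset(seg, 0x41, len);
    if (((unsigned char *)seg)[len - 1] != 0x41)
        ok = 0;

    if (shmdt(seg) == -1) {
        perror("shmdt");
        ok = 0;
    }
    /* IPC_RMID: the segment disappears once the last attach is gone. */
    if (shmctl(shmid, IPC_RMID, NULL) == -1) {
        perror("shmctl");
        ok = 0;
    }
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = shm_roundtrip(8192);
    printf("shm_roundtrip: %s\n", rc == 0 ? "ok" : rc == 1 ? "skipped (no SysV IPC)" : "failed");
    return rc == -1;
}
```

The point of the example is the two checks the reproducer omits: shmaddr is never a guessed value, and the return of shmat is tested against (void *)-1 before the memory is touched.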

>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: mpp 
State-Changed-When: Tue Feb 25 15:56:48 PST 1997 
State-Changed-Why:  
The originator reports that this has been fixed in later releases. 
>Unformatted:
