Don't panic on user-controlled state in semaphore syscalls.

Reported-by: syzbot+beb099a67f670386a367@syzkaller.appspotmail.com
PiperOrigin-RevId: 386521361

2 files changed, 16 insertions, 5 deletions

diff --git a/pkg/sentry/kernel/semaphore/semaphore.go b/pkg/sentry/kernel/semaphore/semaphore.go
index b7879d284..8610d3fc1 100644
--- a/pkg/sentry/kernel/semaphore/semaphore.go
+++ b/pkg/sentry/kernel/semaphore/semaphore.go
@@ -214,15 +214,14 @@ func (r *Registry) Remove(id ipc.ID, creds *auth.Credentials) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 
-	r.reg.Remove(id, creds)
-
 	index, found := r.findIndexByID(id)
 	if !found {
-		// Inconsistent state.
-		panic(fmt.Sprintf("unable to find an index for ID: %d", id))
+		return linuxerr.EINVAL
 	}
 	delete(r.indexes, index)
 
+	r.reg.Remove(id, creds)
+
 	return nil
 }
 
@@ -245,7 +244,8 @@ func (r *Registry) newSetLocked(ctx context.Context, key ipc.Key, creator fs.Fil
 
 	index, found := r.findFirstAvailableIndex()
 	if !found {
-		panic("unable to find an available index")
+		// See linux, ipc/sem.c:newary().
+		return nil, linuxerr.ENOSPC
 	}
 	r.indexes[index] = set.obj.ID
 
diff --git a/test/syscalls/linux/semaphore.cc b/test/syscalls/linux/semaphore.cc
index f72957f89..87b66aa98 100644
--- a/test/syscalls/linux/semaphore.cc
+++ b/test/syscalls/linux/semaphore.cc
@@ -1019,6 +1019,17 @@ TEST(SemaphoreTest, SemInfo) {
   EXPECT_EQ(info.semvmx, kSemVmx);
 }
 
+TEST(SempahoreTest, RemoveNonExistentSemaphore) {
+  EXPECT_THAT(semctl(-1, 0, IPC_RMID), SyscallFailsWithErrno(EINVAL));
+}
+
+TEST(SempahoreTest, RemoveDeletedSemaphore) {
+  int id;
+  EXPECT_THAT(id = semget(IPC_PRIVATE, 1, 0), SyscallSucceeds());
+  EXPECT_THAT(semctl(id, 0, IPC_RMID), SyscallSucceeds());
+  EXPECT_THAT(semctl(id, 0, IPC_RMID), SyscallFailsWithErrno(EINVAL));
+}
+
 }  // namespace
 }  // namespace testing
 }  // namespace gvisor