Don't panic on user-controlled state in semaphore syscalls.

Reported-by: syzbot+beb099a67f670386a367@syzkaller.appspotmail.com PiperOrigin-RevId: 386521361
author: Rahat Mahmood <rahat@google.com> 2021-07-23 13:34:24 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-07-23 13:37:33 -0700
commit: 3d0a9300050ad9a72d452ec862827e35e3f38dcc (patch)
tree: 04a8d8c216d6357f08755aad0744b80bae24f0a0 /pkg
parent: 0eea96057a8559ae542a0cccfd61ceddc26ceb35 (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/pkg/sentry/kernel/semaphore/semaphore.go b/pkg/sentry/kernel/semaphore/semaphore.go
index b7879d284..8610d3fc1 100644
--- a/pkg/sentry/kernel/semaphore/semaphore.go
+++ b/pkg/sentry/kernel/semaphore/semaphore.go
@@ -214,15 +214,14 @@ func (r *Registry) Remove(id ipc.ID, creds *auth.Credentials) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 
-	r.reg.Remove(id, creds)
-
 	index, found := r.findIndexByID(id)
 	if !found {
-		// Inconsistent state.
-		panic(fmt.Sprintf("unable to find an index for ID: %d", id))
+		return linuxerr.EINVAL
 	}
 	delete(r.indexes, index)
 
+	r.reg.Remove(id, creds)
+
 	return nil
 }
 
@@ -245,7 +244,8 @@ func (r *Registry) newSetLocked(ctx context.Context, key ipc.Key, creator fs.Fil
 
 	index, found := r.findFirstAvailableIndex()
 	if !found {
-		panic("unable to find an available index")
+		// See linux, ipc/sem.c:newary().
+		return nil, linuxerr.ENOSPC
 	}
 	r.indexes[index] = set.obj.ID
author	Rahat Mahmood <rahat@google.com>	2021-07-23 13:34:24 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-07-23 13:37:33 -0700
commit	3d0a9300050ad9a72d452ec862827e35e3f38dcc (patch)
tree	04a8d8c216d6357f08755aad0744b80bae24f0a0 /pkg
parent	0eea96057a8559ae542a0cccfd61ceddc26ceb35 (diff)