From 3d0a9300050ad9a72d452ec862827e35e3f38dcc Mon Sep 17 00:00:00 2001
From: Rahat Mahmood <rahat@google.com>
Date: Fri, 23 Jul 2021 13:34:24 -0700
Subject: Don't panic on user-controlled state in semaphore syscalls.

Reported-by: syzbot+beb099a67f670386a367@syzkaller.appspotmail.com
PiperOrigin-RevId: 386521361
---
 pkg/sentry/kernel/semaphore/semaphore.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'pkg/sentry/kernel')

diff --git a/pkg/sentry/kernel/semaphore/semaphore.go b/pkg/sentry/kernel/semaphore/semaphore.go
index b7879d284..8610d3fc1 100644
--- a/pkg/sentry/kernel/semaphore/semaphore.go
+++ b/pkg/sentry/kernel/semaphore/semaphore.go
@@ -214,15 +214,14 @@ func (r *Registry) Remove(id ipc.ID, creds *auth.Credentials) error {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 
-	r.reg.Remove(id, creds)
-
 	index, found := r.findIndexByID(id)
 	if !found {
-		// Inconsistent state.
-		panic(fmt.Sprintf("unable to find an index for ID: %d", id))
+		return linuxerr.EINVAL
 	}
 	delete(r.indexes, index)
 
+	r.reg.Remove(id, creds)
+
 	return nil
 }
 
@@ -245,7 +244,8 @@ func (r *Registry) newSetLocked(ctx context.Context, key ipc.Key, creator fs.Fil
 
 	index, found := r.findFirstAvailableIndex()
 	if !found {
-		panic("unable to find an available index")
+		// See linux, ipc/sem.c:newary().
+		return nil, linuxerr.ENOSPC
 	}
 	r.indexes[index] = set.obj.ID
 
-- 
cgit v1.2.3