os/kernel/semaphore: avoid probable memory corruption. #7192
Merged
ewoodev merged 1 commit into Samsung:master from Mar 19, 2026
54e57f2 to
023601a
Compare
vivek1-j
reviewed
Mar 18, 2026
| if (wtcb->npend_reprio < CONFIG_SEM_NNESTPRIO) { | ||
| wtcb->pend_reprios[wtcb->npend_reprio] = reqprio; | ||
| wtcb->npend_reprio++; | ||
| } else { |
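Review bot: The else arm after the npend_reprio < CONFIG_SEM_NNESTPRIO check drops reqprio instead of recording it (the commit message says it only prints an error log), so the holder's boost history is incomplete once the table is full. Please confirm that the code which later walks pend_reprios[] to restore the holder's priority behaves correctly when a boost was never stored, and note wherever CONFIG_SEM_NNESTPRIO is documented that nested reprioritizations beyond that count are not tracked.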
Contributor
Please check indentation.
Line 146 and 148
If the number of threads exceeds CONFIG_SEM_NNESTPRIO,
it can cause the static array defined in the TCB to overflow
and cause corruption in TCB data.
To avoid this, restrict the sched priority information up to
CONFIG_SEM_NNESTPRIO threads only and print an error log if it exceeds.
struct tcb_s {
---------------------------------------
uint8_t npend_reprio; /* Number of nested reprioritizations */
uint8_t pend_reprios[CONFIG_SEM_NNESTPRIO];
uint8_t base_priority; /* "Normal" priority of the thread */
--------------------------------------
}
Reproduction log details:
[Attacker-79] Started
[Attacker-71] Triggering else branch (prio 71)
sem_boostholderprio: npend_reprio:21 << Debug print added to print number of threads waiting
[Attacker-80] Started
[Attacker-72] Triggering else branch (prio 72)
sem_boostholderprio: npend_reprio:22 << This exceeds the CONFIG value of 16
[Attacker-81] Started
[Attacker-73] Triggering else branch (prio 73)
sem_boostholderprio: npend_reprio:23
[Attacker-82] Started
Signed-off-by: Aditya Singh <aditya.s4@samsung.com>
Signed-off-by: Aashish Lakhwara <aashish.l@samsung.com>
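An added example (not code from this PR or from the project): a cut-down model of the three tcb_s fields quoted in the commit message, showing that the bounded write leaves base_priority intact after 23 waiters and that, in this model, an unchecked write at index CONFIG_SEM_NNESTPRIO would land on base_priority. The names tcb_model, record_reprio, unchecked_write_offset and replay_waiters, the waiter priorities and the base priority of 100 are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CONFIG_SEM_NNESTPRIO 16 /* value quoted in the reproduction log */

/* Constructed model: only the three fields shown in the commit message. */
struct tcb_model {
    uint8_t npend_reprio;                       /* Number of nested reprioritizations */
    uint8_t pend_reprios[CONFIG_SEM_NNESTPRIO];
    uint8_t base_priority;                      /* "Normal" priority of the thread */
};

/* Bounded push with the same check as the reviewed hunk.
 * Returns 0 when recorded, -1 when the table is full and reqprio is dropped. */
int record_reprio(struct tcb_model *t, uint8_t reqprio)
{
    if (t->npend_reprio < CONFIG_SEM_NNESTPRIO) {
        t->pend_reprios[t->npend_reprio] = reqprio;
        t->npend_reprio++;
        return 0;
    }
    return -1;
}

/* Byte offset that a write to pend_reprios[idx] would touch, computed
 * with offsetof so that no out-of-bounds access is ever performed. */
size_t unchecked_write_offset(size_t idx)
{
    return offsetof(struct tcb_model, pend_reprios) + idx;
}

/* Replay n waiters with priorities first..first+n-1 (constructed input);
 * returns how many requests the bounded push had to drop. */
int replay_waiters(struct tcb_model *t, int n, uint8_t first)
{
    int dropped = 0;
    for (int i = 0; i < n; i++)
        dropped += (record_reprio(t, (uint8_t)(first + i)) != 0);
    return dropped;
}

int main(void)
{
    struct tcb_model t = { .base_priority = 100 };
    int dropped = replay_waiters(&t, 23, 51); /* 23 waiters, as in the log */
    printf("recorded=%u dropped=%d base_priority=%u oob_offset=%zu\n", (unsigned)t.npend_reprio,
           dropped, (unsigned)t.base_priority, unchecked_write_offset(CONFIG_SEM_NNESTPRIO));
    return 0;
}
```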
023601a to
3030b58
Compare
ewoodev
approved these changes
Mar 18, 2026