[Bug]: bad system call using semget from libandroid-sysv-semaphore #20514

knyipab opened this issue Jun 12, 2024 · 4 comments

@knyipab
Contributor

knyipab commented Jun 12, 2024

Problem description

I am building a package (jack2) that uses SYSV semaphores (libandroid-sysv-semaphore). However, it prompts "bad system call" at runtime. I can reproduce the issue with a simple test example below. Not sure if this is dependent on Android version, Linux kernel, or vendor.

What steps will reproduce the bug?

Here is an example taken from qt6-qtbase configure file: https://github.com/qt/qtbase/blob/79e00b0b25765b85b112b601fee70184b1efe3c0/src/corelib/configure.cmake#L258-L272.

sysv_sem.cpp

```cpp
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <fcntl.h>

int main(void)
{
    key_t unix_key = ftok("test", 'Q');
    semctl(semget(unix_key, 1, 0666 | IPC_CREAT | IPC_EXCL), 0, IPC_RMID, 0);
    return 0;
}
```

commands to run

```sh
g++ -o sysv_sem sysv_sem.cpp -landroid-sysv-semaphore --debug
./sysv_sem
```

And it prints bad system call.

Output from gdb

```
Program received signal SIGSYS, Bad system call.
#0  0x0000007ff32be1c4 in syscall ()
   from /apex/com.android.runtime/lib64/bionic/libc.so
#1  0x0000007ff6a479b0 in semget ()
   from /data/data/com.termux/files/usr/lib/libandroid-sysv-semaphore.so
#2  0x00000055555567bc in main () at sysv_sem.cpp:9
```

What is the expected behavior?

No response

System information

Termux Variables:
TERMUX_API_VERSION=0.50.1
TERMUX_APK_RELEASE=GITHUB
TERMUX_APP_PACKAGE_MANAGER=apt
TERMUX_APP_PID=10415
TERMUX_IS_DEBUGGABLE_BUILD=1
TERMUX_MAIN_PACKAGE_FORMAT=debian
TERMUX_VERSION=0.118.0
TERMUX__USER_ID=0
Packages CPU architecture:
aarch64
Subscribed repositories:
# sources.list
deb https://mirrors.tuna.tsinghua.edu.cn/termux/apt/termux-main stable main
# x11-repo (sources.list.d/x11.list)
deb https://mirrors.tuna.tsinghua.edu.cn/termux/apt/termux-x11 x11 main
# tur-repo (sources.list.d/tur.list)
deb https://tur.kcubeterm.com tur-packages tur tur-on-device tur-continuous tur-multilib
Updatable packages:
clang/stable 18.1.7-1 aarch64 [upgradable from: 18.1.7]
code-oss/tur-packages 1.90.0 aarch64 [upgradable from: 1.89.1]
command-not-found/stable 2.4.0-28 aarch64 [upgradable from: 2.4.0-27]
darktable/tur-packages 4.6.1-1 aarch64 [upgradable from: 4.6.1]
debianutils/stable 5.19 aarch64 [upgradable from: 5.18]
glib-bin/stable 2.80.3 aarch64 [upgradable from: 2.80.2]
glib/stable 2.80.3 aarch64 [upgradable from: 2.80.2]
libcompiler-rt/stable 18.1.7-1 aarch64 [upgradable from: 18.1.7]
libllvm/stable 18.1.7-1 aarch64 [upgradable from: 18.1.7]
libopenmpt/stable 0.7.8 aarch64 [upgradable from: 0.7.7]
lld/stable 18.1.7-1 aarch64 [upgradable from: 18.1.7]
llvm/stable 18.1.7-1 aarch64 [upgradable from: 18.1.7]
mpv/stable 0.38.0 aarch64 [upgradable from: 0.38.0]
pango/stable 1.54.0 aarch64 [upgradable from: 1.52.2]
pipewire/stable 1.1.82-1 aarch64 [upgradable from: 1.1.82-1]
python-ensurepip-wheels/stable 3.11.9-2 all [upgradable from: 3.11.9-1]
python-fitsio/tur-packages 1.2.2 aarch64 [upgradable from: 1.2.1]
python-scipy/tur-packages 1:1.13.1-1 aarch64 [upgradable from: 1:1.13.1]
python/stable 3.11.9-2 aarch64 [upgradable from: 3.11.9-1]
termux-tools/stable 1.42.4 all [upgradable from: 1.42.3]
xfce4-session/x11 4.18.4 aarch64 [upgradable from: 4.18.3-1]
xfce4-settings/x11 4.18.5 aarch64 [upgradable from: 4.18.4]
termux-tools version:
1.42.3
Android version:
14
Kernel build information:
Linux localhost 5.15.123-android13-8-28577358-abF9460ZSS2CXD1 #1 SMP PREEMPT Mon Apr 1 02:09:15 UTC 2024 aarch64 Android
Device manufacturer:
samsung
Device model:
SM-F9460
LD Variables:
LD_LIBRARY_PATH=
LD_PRELOAD=/data/data/com.termux/files/usr/lib/libtermux-exec.so
Installed termux plugins:
com.termux.widget versionCode:13
com.termux.x11 versionCode:14
com.termux.api versionCode:51
@knyipab knyipab added bug report Something is not working properly untriaged labels Jun 12, 2024
@knyipab knyipab changed the title [Bug]: bad system call in libandroid-sysv-semaphore [Bug]: bad system call using semget from libandroid-sysv-semaphore Jun 12, 2024
@Biswa96
Member

Biswa96 commented Jun 12, 2024

I can reproduce the issue in my Android device (Linux 4.19.312 Android 14). Here is the strace output.

```
SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x7397c5a9d0, si_syscall=__NR_semget, si_arch=AUDIT_ARCH_AARCH64}
```

@sylirre sylirre removed the untriaged label Jun 12, 2024
@sylirre
Member

sylirre commented Jun 12, 2024

This library doesn't actually implement system call replacement stubs.

```c
int semget(key_t key, int n, int flags) {
#if defined(SYS_semget)
  return syscall(SYS_semget, key, n, flags);
#else
  return syscall(SYS_ipc, SEMGET, key, n, flags, 0, 0);
#endif
}
```

If semget isn't allowed by seccomp on Android 14, then a crash could be expected with the current implementation.

@licy183
Member

licy183 commented Jun 15, 2024

semget-related syscalls are disabled since Android 8.0. A related issue has been reported in #17780.

I could implement them using libandroid-shmem if I have more free time, but I'm currently doing an internship...

@knyipab
Contributor Author

knyipab commented Jun 15, 2024

For jack2, I ended up using posix semaphore and submitted a PR in #20544.

For qt6-qtbase, it specifies libandroid-sysv-semaphore as deps. But I tested both QSemaphore and QSystemSemaphore and they all work fine. I doubt if sysv semaphore is indeed used as the backend for qt6.

It is still good to have a fix, perhaps for the sake of other depending packages or for termux users who compiled depending programs themselves. Appreciated and no pressure.

@stale stale bot added the inactive No activity in a certain period of time label Aug 30, 2024
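
One way for a program to check for the condition discussed in this thread before relying on SysV semaphores, as an added example that is not part of the issue or of the Termux code: the call is made in a forked child, so a seccomp `SIGSYS` ends the child rather than the caller. The names `probe_in_child`, `try_semget`, `fake_blocked_call` and `sysv_sem_usable` are hypothetical, and `fake_blocked_call` is a constructed stand-in that raises `SIGSYS` itself.

```c
#include <errno.h>
#include <signal.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PROBE_OK, PROBE_SIGSYS, PROBE_FAILED };

/* Run fn() in a forked child so that a seccomp-triggered SIGSYS terminates
 * the child instead of the caller, then classify how the child ended. */
enum probe_result probe_in_child(int (*fn)(void))
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return PROBE_FAILED;
    if (pid == 0) {
        signal(SIGSYS, SIG_DFL);        /* drop any inherited SIGSYS handler */
        _exit(fn() == 0 ? 0 : 1);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return PROBE_FAILED;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return PROBE_SIGSYS;            /* same signal as in the gdb trace */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? PROBE_OK
                                                           : PROBE_FAILED;
}

/* The semget/semctl pair from the report, using IPC_PRIVATE so that no
 * ftok() file is needed. Returns 0 on success, -1 on an errno failure. */
int try_semget(void)
{
    int id = semget(IPC_PRIVATE, 1, 0600 | IPC_CREAT);
    if (id < 0)
        return -1;
    return semctl(id, 0, IPC_RMID) < 0 ? -1 : 0;
}

/* Constructed stand-in for a filtered syscall: the child dies from SIGSYS. */
int fake_blocked_call(void) { raise(SIGSYS); return 0; }

/* 1: SysV semaphores work here; 0: fall back to POSIX semaphores. */
int sysv_sem_usable(void) { return probe_in_child(try_semget) == PROBE_OK; }
```

A caller would run `sysv_sem_usable()` once at start-up and select a POSIX semaphore backend when it returns 0, which is the route taken for jack2 above.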