From: Mark W. <ma...@so...> - 2025-07-04 21:37:11
https://sourceware.org/cgit/valgrind/commit/?id=cd870f321b2ab0056b1e003afcf455a552642b22 commit cd870f321b2ab0056b1e003afcf455a552642b22 Author: Mark Wielaard <ma...@kl...> Date: Fri Jul 4 23:14:18 2025 +0200 Sanity check io_submit addresses before dereferencing The LTP io_submit03 test fails under valgrind memcheck because it tests bad struct iocb array addresses. Fix this by explicitly checking the struct iocb pointer and each array element pointer are safe to deref in the linux sys_io_submit PRE handler. Diff: --- coregrind/m_syswrap/syswrap-linux.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c index d2d0c70588..f2e1c49790 100644 --- a/coregrind/m_syswrap/syswrap-linux.c +++ b/coregrind/m_syswrap/syswrap-linux.c @@ -2690,12 +2690,15 @@ PRE(sys_io_submit) vki_aio_context_t, ctx_id, long, nr, struct iocb **, iocbpp); PRE_MEM_READ( "io_submit(iocbpp)", ARG3, ARG2*sizeof(struct vki_iocb *) ); - if (ARG3 != 0) { + if (ML_(safe_to_deref)((void *)(Addr)ARG3, ARG2*sizeof(struct vki_iocb *))) { for (i = 0; i < ARG2; i++) { struct vki_iocb *cb = ((struct vki_iocb **)(Addr)ARG3)[i]; struct vki_iovec *iov; PRE_MEM_READ( "io_submit(iocb)", (Addr)cb, sizeof(struct vki_iocb) ); + if (!ML_(safe_to_deref)(&cb->aio_lio_opcode, + sizeof(cb->aio_lio_opcode))) + continue; switch (cb->aio_lio_opcode) { case VKI_IOCB_CMD_PREAD: PRE_MEM_WRITE( "io_submit(PREAD)", cb->aio_buf, cb->aio_nbytes );
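Review bot: the per-element check added in the loop body only proves that `cb->aio_lio_opcode` is readable, but the `switch` that follows immediately dereferences other fields of the same `struct vki_iocb` (`cb->aio_buf`, `cb->aio_nbytes` in the `VKI_IOCB_CMD_PREAD` case, and presumably the iovec fields in the vectored cases given the `struct vki_iovec *iov` local), so an iocb that straddles the end of a mapping with only its first bytes accessible would still fault in the tool. Since the preceding `PRE_MEM_READ( "io_submit(iocb)", (Addr)cb, sizeof(struct vki_iocb) )` already treats the whole struct as the unit that must be readable, the guard should use the same extent: `if (!ML_(safe_to_deref)(cb, sizeof(struct vki_iocb))) continue;`. Separately, the new outer check computes `ARG2*sizeof(struct vki_iocb *)` from a `long nr` supplied by the guest; a negative or very large `nr` wraps that product, so a bound on `ARG2` (or a check that the multiplication does not overflow) before the `safe_to_deref` call would make the sanity check robust against the same kind of hostile input the LTP test exercises.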