From: <sv...@va...> - 2016-10-01 11:54:51
Author: mjw
Date: Sat Oct 1 12:54:40 2016
New Revision: 15990
Log:
Fix pre_mem_read_sockaddr crash on invalid syscall arguments. Bug #369356.
Don't do any more checks if it isn't safe to inspect the address family.
Likewise, don't check sun_path if the string address isn't safe.
Found by LTP testcases/kernel/syscalls/bind/bind01.
Modified:
trunk/NEWS
trunk/coregrind/m_syswrap/syswrap-generic.c
Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS (original)
+++ trunk/NEWS Sat Oct 1 12:54:40 2016
@@ -180,6 +180,7 @@
361253 [s390x] ex_clone.c:42: undefined reference to `pthread_create'
369169 ppc64 fails jm_int_isa_2_07 test
369209 valgrind loops and eats up all memory if cwd doesn't exist.
+369356 pre_mem_read_sockaddr syscall wrapper can crash with bad sockaddr
n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap
Modified: trunk/coregrind/m_syswrap/syswrap-generic.c
==============================================================================
--- trunk/coregrind/m_syswrap/syswrap-generic.c (original)
+++ trunk/coregrind/m_syswrap/syswrap-generic.c Sat Oct 1 12:54:40 2016
@@ -1128,12 +1128,20 @@
VG_(sprintf) ( outmsg, description, "sa_family" );
PRE_MEM_READ( outmsg, (Addr) &sa->sa_family, sizeof(vki_sa_family_t));
+ /* Don't do any extra checking if we cannot determine the sa_family. */
+ if (! ML_(safe_to_deref) (&sa->sa_family, sizeof(vki_sa_family_t))) {
+ VG_(free) (outmsg);
+ return;
+ }
+
switch (sa->sa_family) {
case VKI_AF_UNIX:
- VG_(sprintf) ( outmsg, description, "sun_path" );
- PRE_MEM_RASCIIZ( outmsg, (Addr) saun->sun_path );
- // GrP fixme max of sun_len-2? what about nul char?
+ if (ML_(safe_to_deref) (&saun->sun_path, sizeof (Addr))) {
+ VG_(sprintf) ( outmsg, description, "sun_path" );
+ PRE_MEM_RASCIIZ( outmsg, (Addr) saun->sun_path );
+ // GrP fixme max of sun_len-2? what about nul char?
+ }
break;
case VKI_AF_INET: