From: <sv...@va...> - 2016-10-01 11:54:54
Author: mjw
Date: Sat Oct 1 12:54:48 2016
New Revision: 15993
Log:
Fix crash in vmsplice linux kernel wrapper when iovec is bad. Bug #369361.
Found by LTP testcases/kernel/syscalls/vmsplice/vmsplice02.
Modified:
trunk/NEWS
trunk/coregrind/m_syswrap/syswrap-linux.c
Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS (original)
+++ trunk/NEWS Sat Oct 1 12:54:48 2016
@@ -183,6 +183,7 @@
369356 pre_mem_read_sockaddr syscall wrapper can crash with bad sockaddr
369359 msghdr_foreachfield can crash when handling bad iovec
369360 Bad sigprocmask old or new sets can crash valgrind
+369361 vmsplice syscall wrapper crashes on bad iovec
n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap
Modified: trunk/coregrind/m_syswrap/syswrap-linux.c
==============================================================================
--- trunk/coregrind/m_syswrap/syswrap-linux.c (original)
+++ trunk/coregrind/m_syswrap/syswrap-linux.c Sat Oct 1 12:54:48 2016
@@ -5310,10 +5310,14 @@
for (iov = (struct vki_iovec *)ARG2;
iov < (struct vki_iovec *)ARG2 + ARG3; iov++)
{
- if ((fdfl & VKI_O_ACCMODE) == VKI_O_RDONLY)
- PRE_MEM_WRITE( "vmsplice(iov[...])", (Addr)iov->iov_base, iov->iov_len );
- else
- PRE_MEM_READ( "vmsplice(iov[...])", (Addr)iov->iov_base, iov->iov_len );
+ if (ML_(safe_to_deref) (iov, sizeof(struct vki_iovec))) {
+ if ((fdfl & VKI_O_ACCMODE) == VKI_O_RDONLY)
+ PRE_MEM_WRITE( "vmsplice(iov[...])",
+ (Addr)iov->iov_base, iov->iov_len );
+ else
+ PRE_MEM_READ( "vmsplice(iov[...])",
+ (Addr)iov->iov_base, iov->iov_len );
+ }
}
}
}
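Review bot: when `ML_(safe_to_deref)` fails for an iov entry, the new code silently skips it and keeps iterating over the remaining ARG3 entries, so the wrapper no longer crashes but the user never learns that the iovec array at ARG2 is itself unreadable. Unless an earlier `PRE_MEM_READ` above this hunk already covers the array, consider adding `PRE_MEM_READ( "vmsplice(iov)", ARG2, ARG3 * sizeof(struct vki_iovec) );` before the loop so memcheck reports the bad iovec pointer, and adding an `else break;` after the `if (ML_(safe_to_deref) ...)` block so the loop stops at the first entry that cannot be dereferenced instead of probing every remaining one.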