From: <sv...@va...> - 2016-10-01 11:54:57
Author: mjw
Date: Sat Oct 1 12:54:50 2016
New Revision: 15996
Log:
linux-x86 check get/set_thread_area pointer before use. Bug #369402.
Modified:
trunk/NEWS
trunk/coregrind/m_syswrap/syswrap-x86-linux.c
Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS (original)
+++ trunk/NEWS Sat Oct 1 12:54:50 2016
@@ -186,6 +186,7 @@
369361 vmsplice syscall wrapper crashes on bad iovec
369362 Bad sigaction arguments crash valgrind
369383 x86 sys_modify_ldt wrapper crashes on bad ptr
+369402 Bad set/get_thread_area pointer crashes valgrind
n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap
Modified: trunk/coregrind/m_syswrap/syswrap-x86-linux.c
==============================================================================
--- trunk/coregrind/m_syswrap/syswrap-x86-linux.c (original)
+++ trunk/coregrind/m_syswrap/syswrap-x86-linux.c Sat Oct 1 12:54:50 2016
@@ -634,7 +634,7 @@
vg_assert(8 == sizeof(VexGuestX86SegDescr));
vg_assert(sizeof(HWord) == sizeof(VexGuestX86SegDescr*));
- if (info == NULL)
+ if (info == NULL || ! ML_(safe_to_deref)(info, sizeof(vki_modify_ldt_t)))
return VG_(mk_SysRes_Error)( VKI_EFAULT );
gdt = (VexGuestX86SegDescr*)VG_(threads)[tid].arch.vex.guest_GDT;
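Review bot: The new guard sizes the readability check with `sizeof(vki_modify_ldt_t)` rather than the pointer it is checking, so the length silently drifts if `info`'s declared type ever changes; `if (info == NULL || !ML_(safe_to_deref)(info, sizeof(*info)))` keeps the two tied together and drops the unusual `! ML_` spacing. Separately, if `ML_(safe_to_deref)` only verifies that the range is readable (as its name suggests), note that set_thread_area is expected to write the chosen entry number back into `*info` when the caller passes -1, which would still fault on a read-only mapping — that write-back, if present here, is outside this hunk. The enclosing function continues past the end of the hunk.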
@@ -686,7 +686,7 @@
vg_assert(sizeof(HWord) == sizeof(VexGuestX86SegDescr*));
vg_assert(8 == sizeof(VexGuestX86SegDescr));
- if (info == NULL)
+ if (info == NULL || ! ML_(safe_to_deref)(info, sizeof(vki_modify_ldt_t)))
return VG_(mk_SysRes_Error)( VKI_EFAULT );
idx = info->entry_number;
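Review bot: A readability check is likely not sufficient for this wrapper: get_thread_area exists to fill in `*info`, so the descriptor write-back that presumably follows `idx = info->entry_number;` (outside this hunk) still happens through a pointer the guard has only shown to be readable, and a read-only client mapping would fault inside Valgrind rather than returning EFAULT. If `ML_(safe_to_deref)` wraps a PROT_READ-only query, the guard here should additionally require write access, e.g. something along the lines of `VG_(am_is_valid_for_client)((Addr)info, sizeof(*info), VKI_PROT_READ | VKI_PROT_WRITE)` if that is the helper's underlying primitive. As in the set_thread_area hunk, `sizeof(*info)` is preferable to naming the type. The enclosing function, including any bounds check on `idx`, continues past the end of the hunk.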