From: <sv...@va...> - 2016-10-01 11:54:58
Author: mjw
Date: Sat Oct 1 12:54:51 2016
New Revision: 15997
Log:
Don't check bad iovec array in process_vm_readv/writev. Bug #369441.
Found by LTP testcases/kernel/syscalls/cma/process_vm01.
Modified:
trunk/NEWS
trunk/coregrind/m_syswrap/syswrap-linux.c
Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS (original)
+++ trunk/NEWS Sat Oct 1 12:54:51 2016
@@ -187,6 +187,7 @@
369362 Bad sigaction arguments crash valgrind
369383 x86 sys_modify_ldt wrapper crashes on bad ptr
369402 Bad set/get_thread_area pointer crashes valgrind
+369441 bad lvec argument crashes process_vm_readv/writev syscall wrappers
n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap
Modified: trunk/coregrind/m_syswrap/syswrap-linux.c
==============================================================================
--- trunk/coregrind/m_syswrap/syswrap-linux.c (original)
+++ trunk/coregrind/m_syswrap/syswrap-linux.c Sat Oct 1 12:54:51 2016
@@ -5004,8 +5004,8 @@
ARG2, ARG3 * sizeof(struct vki_iovec) );
PRE_MEM_READ( "process_vm_readv(rvec)",
ARG4, ARG5 * sizeof(struct vki_iovec) );
- if (ARG2 != 0) {
- /* TODO: Don't do any of the following if lvec is invalid */
+ if (ARG2 != 0
+ && ML_(safe_to_deref) ((void *)ARG2, sizeof(struct vki_iovec) * ARG3)) {
const struct vki_iovec *vec = (const struct vki_iovec *)ARG2;
UInt i;
for (i = 0; i < ARG3; i++)
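Review bot: The added guard computes `sizeof(struct vki_iovec) * ARG3` from a caller-controlled element count without bounding ARG3 first, so on a 64-bit guest a huge ARG3 can wrap the product to a small size that ML_(safe_to_deref) happily accepts, while the loop on the last hunk line still walks ARG3 entries; worse, the loop index is `UInt i` compared against the wider ARG3, so any ARG3 above UINT_MAX never terminates the loop. A tighter guard would reject oversized counts before the multiplication, e.g. `&& ARG3 <= ~(UWord)0 / sizeof(struct vki_iovec)` (or, better, a cap at the kernel's iovec-count limit, which makes the syscall fail with EINVAL anyway — confirm the VKI constant available here), and `i` should be a UWord. The same PRE_MEM_READ on the hunk's first lines shares the overflow on `ARG3 * sizeof(...)`. The enclosing PRE(sys_process_vm_readv) starts and ends outside this hunk.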
@@ -5042,8 +5042,8 @@
ARG2, ARG3 * sizeof(struct vki_iovec) );
PRE_MEM_READ( "process_vm_writev(rvec)",
ARG4, ARG5 * sizeof(struct vki_iovec) );
- if (ARG2 != 0) {
- /* TODO: Don't do any of the following if lvec is invalid */
+ if (ARG2 != 0
+ && ML_(safe_to_deref) ((void *)ARG2, sizeof(struct vki_iovec) * ARG3)) {
const struct vki_iovec *vec = (const struct vki_iovec *)ARG2;
UInt i;
for (i = 0; i < ARG3; i++)
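Review bot: This writev guard is a verbatim copy of the readv one and inherits the same weakness: `sizeof(struct vki_iovec) * ARG3` is not protected against wrap-around, and the loop below it uses a `UInt i` against a UWord ARG3, so an ARG3 above UINT_MAX loops forever instead of being rejected. Since the two wrappers now carry identical lvec validation, a small static helper (e.g. `static Bool lvec_is_sane(Addr vec, UWord cnt)` that checks `cnt <= ~(UWord)0 / sizeof(struct vki_iovec)` and then calls ML_(safe_to_deref)) would keep the bound in one place and make it harder for the two paths to drift. The enclosing PRE(sys_process_vm_writev) starts and ends outside this hunk.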