linux-x86 check get/set_thread_area pointer before use. Bug #369402.

git-svn-id: svn://svn.valgrind.org/valgrind/trunk@15996

diff --git a/NEWS b/NEWS
index d0c1d43f3034d24803c5d68c2ed262a96bf5ba0a..2ded124ff6d865c5dac3c9c6b537fd508df4cf72 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -186,6 +186,7 @@ where XXXXXX is the bug number as listed below.
 369361  vmsplice syscall wrapper crashes on bad iovec
 369362  Bad sigaction arguments crash valgrind
 369383  x86 sys_modify_ldt wrapper crashes on bad ptr
+369402  Bad set/get_thread_area pointer crashes valgrind
 
 n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
 n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap

diff --git a/coregrind/m_syswrap/syswrap-x86-linux.c b/coregrind/m_syswrap/syswrap-x86-linux.c
index 0d8ff4576315e14acf876259a82b62a20d8ffc3b..62d886a7fc026d76bc9b33b8bace3adf4edb88c7 100644 (file)
--- a/coregrind/m_syswrap/syswrap-x86-linux.c
+++ b/coregrind/m_syswrap/syswrap-x86-linux.c
@@ -634,7 +634,7 @@ static SysRes sys_set_thread_area ( ThreadId tid, vki_modify_ldt_t* info )
    vg_assert(8 == sizeof(VexGuestX86SegDescr));
    vg_assert(sizeof(HWord) == sizeof(VexGuestX86SegDescr*));
 
-   if (info == NULL)
+   if (info == NULL || ! ML_(safe_to_deref)(info, sizeof(vki_modify_ldt_t)))
       return VG_(mk_SysRes_Error)( VKI_EFAULT );
 
    gdt = (VexGuestX86SegDescr*)VG_(threads)[tid].arch.vex.guest_GDT;
@@ -686,7 +686,7 @@ static SysRes sys_get_thread_area ( ThreadId tid, vki_modify_ldt_t* info )
    vg_assert(sizeof(HWord) == sizeof(VexGuestX86SegDescr*));
    vg_assert(8 == sizeof(VexGuestX86SegDescr));
 
-   if (info == NULL)
+   if (info == NULL || ! ML_(safe_to_deref)(info, sizeof(vki_modify_ldt_t)))
       return VG_(mk_SysRes_Error)( VKI_EFAULT );
 
    idx = info->entry_number;