Fix crash in vmsplice linux kernel wrapper when iovec is bad. Bug #369361.

Found by LTP testcases/kernel/syscalls/vmsplice/vmsplice02.

git-svn-id: svn://svn.valgrind.org/valgrind/trunk@15993

diff --git a/NEWS b/NEWS
index fca22bed0b4a09936e6bb7bedbade2d7f8d08d4f..051c1a6a4f35c8b4b545ab18da8925e5647792a4 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -183,6 +183,7 @@ where XXXXXX is the bug number as listed below.
 369356  pre_mem_read_sockaddr syscall wrapper can crash with bad sockaddr
 369359  msghdr_foreachfield can crash when handling bad iovec
 369360  Bad sigprocmask old or new sets can crash valgrind
+369361  vmsplice syscall wrapper crashes on bad iovec
 
 n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
 n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap

diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c
index 797448427a6888508f8ff1160bff81f4a657844a..6f9a8beedd5b1dc0cbaff4f21d77192526d68c1a 100644 (file)
--- a/coregrind/m_syswrap/syswrap-linux.c
+++ b/coregrind/m_syswrap/syswrap-linux.c
@@ -5310,10 +5310,14 @@ PRE(sys_vmsplice)
       for (iov = (struct vki_iovec *)ARG2;
            iov < (struct vki_iovec *)ARG2 + ARG3; iov++) 
       {
-         if ((fdfl & VKI_O_ACCMODE) == VKI_O_RDONLY)
-            PRE_MEM_WRITE( "vmsplice(iov[...])", (Addr)iov->iov_base, iov->iov_len );
-         else
-            PRE_MEM_READ( "vmsplice(iov[...])", (Addr)iov->iov_base, iov->iov_len );
+         if (ML_(safe_to_deref) (iov, sizeof(struct vki_iovec))) {
+            if ((fdfl & VKI_O_ACCMODE) == VKI_O_RDONLY)
+               PRE_MEM_WRITE( "vmsplice(iov[...])",
+                             (Addr)iov->iov_base, iov->iov_len );
+            else
+               PRE_MEM_READ( "vmsplice(iov[...])",
+                            (Addr)iov->iov_base, iov->iov_len );
+         }
       }
    }
 }