359733 amd64 implement ld.so strchr/index override like x86
359829 PowerPC test none/tests/ppc64/test_isa_2_07.c uninitialized memory
references was fixed.
+359871 Incorrect mask handling in ppoll
n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap
extern
void ML_(fixup_guest_state_to_restart_syscall) ( ThreadArchState* arch );
+extern
+void VG_(sanitize_client_sigmask)(vki_sigset_t *mask);
+
#if defined(VGO_darwin)
/* Longjmp to scheduler after client calls workq_ops(WQOPS_THREAD_RETURN)*/
extern
LINX_(__NR_fchmodat, sys_fchmodat), // 268
LINX_(__NR_faccessat, sys_faccessat), // 269
- LINX_(__NR_pselect6, sys_pselect6), // 270
+ LINXY(__NR_pselect6, sys_pselect6), // 270
LINXY(__NR_ppoll, sys_ppoll), // 271
LINX_(__NR_unshare, sys_unshare), // 272
LINX_(__NR_set_robust_list, sys_set_robust_list), // 273
LINX_(__NR_arm_fadvise64_64, sys_fadvise64_64), // 270 */(Linux?)
- LINX_(__NR_pselect6, sys_pselect6), // 335
+ LINXY(__NR_pselect6, sys_pselect6), // 335
LINXY(__NR_ppoll, sys_ppoll), // 336
LINXY(__NR_epoll_pwait, sys_epoll_pwait), // 346
GENX_(__NR_writev, sys_writev), // 66
GENXY(__NR_pread64, sys_pread64), // 67
GENX_(__NR_pwrite64, sys_pwrite64), // 68
- LINX_(__NR_pselect6, sys_pselect6), // 72
+ LINXY(__NR_pselect6, sys_pselect6), // 72
LINXY(__NR_ppoll, sys_ppoll), // 73
LINXY(__NR_signalfd4, sys_signalfd4), // 74
LINX_(__NR_readlinkat, sys_readlinkat), // 78
#include "priv_types_n_macros.h"
#include "priv_syswrap-generic.h"
#include "priv_syswrap-linux.h"
+#include "priv_syswrap-main.h"
#include "priv_syswrap-xen.h"
// Run a thread from beginning to end and return the thread's
POST_MEM_WRITE(ARG3, sizeof(struct vki_size_t *));
}
+struct pselect_sized_sigset {
+ const vki_sigset_t *ss;
+ vki_size_t ss_len;
+};
+struct pselect_adjusted_sigset {
+ struct pselect_sized_sigset ss; /* The actual syscall arg */
+ vki_sigset_t adjusted_ss;
+};
+
PRE(sys_pselect6)
{
- *flags |= SfMayBlock;
+ *flags |= SfMayBlock | SfPostOnFail;
PRINT("sys_pselect6 ( %ld, %#lx, %#lx, %#lx, %#lx, %#lx )",
SARG1, ARG2, ARG3, ARG4, ARG5, ARG6);
PRE_REG_READ6(long, "pselect6",
ARG4, ARG1/8 /* __FD_SETSIZE/8 */ );
if (ARG5 != 0)
PRE_MEM_READ( "pselect6(timeout)", ARG5, sizeof(struct vki_timeval) );
- if (ARG6 != 0)
- PRE_MEM_READ( "pselect6(sig)", ARG6, sizeof(void *)+sizeof(vki_size_t) );
+ if (ARG6 != 0) {
+ const struct pselect_sized_sigset *pss =
+ (struct pselect_sized_sigset *)ARG6;
+ PRE_MEM_READ( "pselect6(sig)", ARG6, sizeof(*pss) );
+ if (!ML_(safe_to_deref)(pss, sizeof(*pss))) {
+ ARG6 = 1; /* Something recognisable to POST() hook. */
+ } else {
+ struct pselect_adjusted_sigset *pas;
+ pas = VG_(malloc)("syswrap.pselect6.1", sizeof(*pas));
+ ARG6 = (Addr)pas;
+ pas->ss.ss = (void *)1;
+ pas->ss.ss_len = pss->ss_len;
+ if (pss->ss_len == sizeof(*pss->ss)) {
+ PRE_MEM_READ("pselect6(sig->ss)", (Addr)pss->ss, pss->ss_len);
+ if (ML_(safe_to_deref)(pss->ss, sizeof(*pss->ss))) {
+ pas->adjusted_ss = *pss->ss;
+ pas->ss.ss = &pas->adjusted_ss;
+ VG_(sanitize_client_sigmask)(&pas->adjusted_ss);
+ }
+ }
+ }
+ }
+}
+POST(sys_pselect6)
+{
+ if (ARG6 != 0 && ARG6 != 1) {
+ VG_(free)((struct pselect_adjusted_sigset *)ARG6);
+ }
}
PRE(sys_ppoll)
{
UInt i;
struct vki_pollfd* ufds = (struct vki_pollfd *)ARG1;
- *flags |= SfMayBlock;
+ *flags |= SfMayBlock | SfPostOnFail;
PRINT("sys_ppoll ( %#lx, %lu, %#lx, %#lx, %lu )\n", ARG1,ARG2,ARG3,ARG4,ARG5);
PRE_REG_READ5(long, "ppoll",
struct vki_pollfd *, ufds, unsigned int, nfds,
if (ARG3)
PRE_MEM_READ( "ppoll(tsp)", ARG3, sizeof(struct vki_timespec) );
- if (ARG4)
- PRE_MEM_READ( "ppoll(sigmask)", ARG4, sizeof(vki_sigset_t) );
+ if (ARG4 != 0 && sizeof(vki_sigset_t) == ARG5) {
+ const vki_sigset_t *guest_sigmask = (vki_sigset_t *)ARG4;
+ PRE_MEM_READ( "ppoll(sigmask)", ARG4, ARG5);
+ if (!ML_(safe_to_deref)(guest_sigmask, sizeof(*guest_sigmask))) {
+ ARG4 = 1; /* Something recognisable to POST() hook. */
+ } else {
+ vki_sigset_t *vg_sigmask =
+ VG_(malloc)("syswrap.ppoll.1", sizeof(*vg_sigmask));
+ ARG4 = (Addr)vg_sigmask;
+ *vg_sigmask = *guest_sigmask;
+ VG_(sanitize_client_sigmask)(vg_sigmask);
+ }
+ }
}
POST(sys_ppoll)
{
- if (RES > 0) {
+ vg_assert(SUCCESS || FAILURE);
+ if (SUCCESS && (RES >= 0)) {
UInt i;
struct vki_pollfd* ufds = (struct vki_pollfd *)ARG1;
for (i = 0; i < ARG2; i++)
POST_MEM_WRITE( (Addr)(&ufds[i].revents), sizeof(ufds[i].revents) );
}
+ if (ARG4 != 0 && ARG5 == sizeof(vki_sigset_t) && ARG4 != 1) {
+ VG_(free)((vki_sigset_t *) ARG4);
+ }
}
/* Add and remove signals from mask so that we end up telling the
kernel the state we actually want rather than what the client
wants. */
-static void sanitize_client_sigmask(vki_sigset_t *mask)
+void VG_(sanitize_client_sigmask)(vki_sigset_t *mask)
{
VG_(sigdelset)(mask, VKI_SIGKILL);
VG_(sigdelset)(mask, VKI_SIGSTOP);
PRINT(" --> [async] ... \n");
mask = tst->sig_mask;
- sanitize_client_sigmask(&mask);
+ VG_(sanitize_client_sigmask)(&mask);
/* Gack. More impedance matching. Copy the possibly
modified syscall args back into the guest state. */
LINX_ (__NR_readlinkat, sys_readlinkat),
LINX_ (__NR_fchmodat, sys_fchmodat),
LINX_ (__NR_faccessat, sys_faccessat),
- LINX_ (__NR_pselect6, sys_pselect6),
+ LINXY (__NR_pselect6, sys_pselect6),
LINXY (__NR_ppoll, sys_ppoll),
PLAX_ (__NR_unshare, sys_unshare),
PLAX_ (__NR_splice, sys_splice),
PLAXY(__NR_spu_run, sys_spu_run), // 278
PLAX_(__NR_spu_create, sys_spu_create), // 279
- LINX_(__NR_pselect6, sys_pselect6), // 280
+ LINXY(__NR_pselect6, sys_pselect6), // 280
LINXY(__NR_ppoll, sys_ppoll), // 281
LINXY(__NR_openat, sys_openat), // 286
LINX_(__NR_inotify_add_watch, sys_inotify_add_watch), // 276
LINX_(__NR_inotify_rm_watch, sys_inotify_rm_watch), // 277
- LINX_(__NR_pselect6, sys_pselect6), // 280
+ LINXY(__NR_pselect6, sys_pselect6), // 280
LINXY(__NR_ppoll, sys_ppoll), // 281
LINXY(__NR_openat, sys_openat), // 286
LINX_(__NR_fchmodat, sys_fchmodat), // 299
LINX_(__NR_faccessat, sys_faccessat), // 300
- LINX_(__NR_pselect6, sys_pselect6), // 301
+ LINXY(__NR_pselect6, sys_pselect6), // 301
LINXY(__NR_ppoll, sys_ppoll), // 302
LINX_(__NR_unshare, sys_unshare), // 303
LINX_(__NR_set_robust_list, sys_set_robust_list), // 304
#include "priv_types_n_macros.h"
#include "priv_syswrap-generic.h"
+#include "priv_syswrap-main.h"
#include "priv_syswrap-solaris.h"
/* Return the number of non-dead and daemon threads.
UWord i;
struct vki_pollfd *ufds = (struct vki_pollfd *)ARG1;
- *flags |= SfMayBlock;
+ *flags |= SfMayBlock | SfPostOnFail;
PRINT("sys_pollsys ( %#lx, %lu, %#lx, %#lx )", ARG1, ARG2, ARG3, ARG4);
PRE_REG_READ4(long, "poll", pollfd_t *, fds, vki_nfds_t, nfds,
if (ARG3)
PRE_MEM_READ("poll(timeout)", ARG3, sizeof(vki_timespec_t));
- if (ARG4)
+
+ if (ARG4) {
PRE_MEM_READ("poll(set)", ARG4, sizeof(vki_sigset_t));
+
+ const vki_sigset_t *guest_sigmask = (vki_sigset_t *) ARG4;
+ if (!ML_(safe_to_deref)(guest_sigmask, sizeof(vki_sigset_t))) {
+ ARG4 = 1; /* Something recognisable to POST() hook. */
+ } else {
+ vki_sigset_t *vg_sigmask =
+ VG_(malloc)("syswrap.pollsys.1", sizeof(vki_sigset_t));
+ ARG4 = (Addr) vg_sigmask;
+ *vg_sigmask = *guest_sigmask;
+ VG_(sanitize_client_sigmask)(vg_sigmask);
+ }
+ }
}
POST(sys_pollsys)
{
- if (RES >= 0) {
+ vg_assert(SUCCESS || FAILURE);
+
+ if (SUCCESS && (RES >= 0)) {
UWord i;
vki_pollfd_t *ufds = (vki_pollfd_t*)ARG1;
for (i = 0; i < ARG2; i++)
POST_FIELD_WRITE(ufds[i].revents);
}
+
+ if ((ARG4 != 0) && (ARG4 != 1)) {
+ VG_(free)((vki_sigset_t *) ARG4);
+ }
}
PRE(sys_labelsys)
LINXY(__NR_preadv, sys_preadv), // 69
LINX_(__NR_pwritev, sys_pwritev), // 70
LINXY(__NR_sendfile, sys_sendfile), // 71
- LINX_(__NR_pselect6, sys_pselect6), // 72
+ LINXY(__NR_pselect6, sys_pselect6), // 72
LINXY(__NR_ppoll, sys_ppoll), // 73
LINXY(__NR_signalfd4, sys_signalfd4), // 74
LINX_(__NR_splice, sys_splice), // 75
LINX_(__NR_readlinkat, sys_readlinkat), // 305
LINX_(__NR_fchmodat, sys_fchmodat), // 306
LINX_(__NR_faccessat, sys_faccessat), // 307
- LINX_(__NR_pselect6, sys_pselect6), // 308
+ LINXY(__NR_pselect6, sys_pselect6), // 308
LINXY(__NR_ppoll, sys_ppoll), // 309
LINX_(__NR_unshare, sys_unshare), // 310
nestedfns.stderr.exp nestedfns.stdout.exp nestedfns.vgtest \
nodir.stderr.exp nodir.vgtest \
pending.stdout.exp pending.stderr.exp pending.vgtest \
+ ppoll_alarm.stdout.exp ppoll_alarm.stderr.exp ppoll_alarm.vgtest \
procfs-linux.stderr.exp-with-readlinkat \
procfs-linux.stderr.exp-without-readlinkat \
procfs-linux.vgtest \
procfs-non-linux.vgtest \
procfs-non-linux.stderr.exp-with-readlinkat \
procfs-non-linux.stderr.exp-without-readlinkat \
+ pselect_alarm.stdout.exp pselect_alarm.stderr.exp pselect_alarm.vgtest \
pth_atfork1.stderr.exp pth_atfork1.stdout.exp pth_atfork1.vgtest \
pth_blockedsig.stderr.exp \
pth_blockedsig.stdout.exp pth_blockedsig.vgtest \
mmap_fcntl_bug \
munmap_exe map_unaligned map_unmap mq \
pending \
+ ppoll_alarm \
procfs-cmdline-exe \
+ pselect_alarm \
pth_atfork1 pth_blockedsig pth_cancel1 pth_cancel2 pth_cvsimple \
pth_empty pth_exit pth_exit2 pth_mutexspeed pth_once pth_rwlock \
pth_stackalign \
../../VEX/libvexmultiarch-@VGCONF_ARCH_PRI@-@VGCONF_OS@.a \
../../VEX/libvex-@VGCONF_ARCH_PRI@-@VGCONF_OS@.a @LIB_UBSAN@
libvexmultiarch_test_SOURCES = libvex_test.c
+ppoll_alarm_LDADD = -lpthread
+pselect_alarm_LDADD = -lpthread
pth_atfork1_LDADD = -lpthread
pth_blockedsig_LDADD = -lpthread
pth_cancel1_CFLAGS = $(AM_CFLAGS) -Wno-shadow
--- /dev/null
+/* Tries to exploit bug in ppoll mask handling:
+ https://bugs.kde.org/show_bug.cgi?id=359871
+ where client program was able to successfully block VG_SIGVGKILL. */
+
+#define _GNU_SOURCE /* for ppoll */
+#include <poll.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static int ready = 0;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+
+static void *
+mythr(void *ignore)
+{
+ pthread_mutex_lock(&mutex);
+ ready = 1;
+ pthread_cond_signal(&cond);
+ pthread_mutex_unlock(&mutex);
+
+ sigset_t ss;
+ sigfillset(&ss);
+ while (1) {
+ struct timespec ts = {10000, 0};
+ ppoll(NULL, 0, &ts, &ss);
+ }
+
+ return NULL;
+}
+
+int
+main()
+{
+ pthread_t thr;
+ int ret = pthread_create(&thr, NULL, mythr, NULL);
+ if (ret != 0) {
+ fprintf(stderr, "pthread_create failed\n");
+ return 1;
+ }
+
+ pthread_mutex_lock(&mutex);
+ while (ready == 0) {
+ pthread_cond_wait(&cond, &mutex);
+ }
+ pthread_mutex_unlock(&mutex);
+
+ alarm(1); /* Unhandled SIGALRM should cause exit. */
+ while (1)
+ sleep(1);
+
+ return 0;
+}
--- /dev/null
+prog: ppoll_alarm
+vgopts: -q
+stderr_filter: filter_stderr
--- /dev/null
+/* Tries to exploit bug in pselect mask handling:
+ https://bugs.kde.org/show_bug.cgi?id=359871
+ where client program was able to successfully block VG_SIGVGKILL. */
+
+#include <sys/select.h>
+#include <assert.h>
+#include <errno.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static int ready = 0;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+
+static void *
+mythr(void *ignore)
+{
+ pthread_mutex_lock(&mutex);
+ ready = 1;
+ pthread_cond_signal(&cond);
+ pthread_mutex_unlock(&mutex);
+
+ sigset_t ss;
+ sigfillset(&ss);
+ while (1) {
+ struct timespec ts = {10000, 0};
+ pselect(0, NULL, NULL, NULL, &ts, &ss);
+ }
+
+ return NULL;
+}
+
+int
+main()
+{
+ pthread_t thr;
+ int ret = pthread_create(&thr, NULL, mythr, NULL);
+ if (ret != 0) {
+ fprintf(stderr, "pthread_create failed\n");
+ return 1;
+ }
+
+ pthread_mutex_lock(&mutex);
+ while (ready == 0) {
+ pthread_cond_wait(&cond, &mutex);
+ }
+ pthread_mutex_unlock(&mutex);
+
+#if defined(VGO_linux)
+ assert(pselect(0, NULL, NULL, NULL, NULL, (sigset_t *)12) == -1);
+ assert(errno == EFAULT);
+#endif
+
+ alarm(1); /* Unhandled SIGALRM should cause exit. */
+ while (1)
+ sleep(1);
+
+ return 0;
+}
--- /dev/null
+prog: pselect_alarm
+vgopts: -q
+stderr_filter: filter_stderr
# of the bash process. Newer bash versions redirect such messages properly.
# Suppress any redirected abnormal termination messages. You can find the
# complete list of messages in the bash source file siglist.c.
-perl -n -e 'print if !/^(Segmentation fault|Alarm clock|Aborted|Bus error)( \(core dumped\))?$/' |
+perl -n -e 'print if !/^(Segmentation fault|Alarm clock|Aborted|Bus error|Killed)( \(core dumped\))?$/' |
# Similar as above, but for ksh on Solaris/illumos.
perl -n -e 'print if !/^(Memory fault|Killed) $/' |
projects / thirdparty / valgrind.git / commitdiff
