From: Mark Wielaard
Date: Sat, 1 Oct 2016 11:54:50 +0000 (+0000)
Subject: linux-x86 check get/set_thread_area pointer before use. Bug #369402.
X-Git-Tag: svn/VALGRIND_3_13_0~370
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0cc9e9099bf1d7a5275f214e9538b51398f3960e;p=thirdparty%2Fvalgrind.git
linux-x86 check get/set_thread_area pointer before use. Bug #369402.
git-svn-id: svn://svn.valgrind.org/valgrind/trunk@15996
---
diff --git a/NEWS b/NEWS
index d0c1d43f30..2ded124ff6 100644
--- a/NEWS
+++ b/NEWS
@@ -186,6 +186,7 @@ where XXXXXX is the bug number as listed below.
 369361 vmsplice syscall wrapper crashes on bad iovec
 369362 Bad sigaction arguments crash valgrind
 369383 x86 sys_modify_ldt wrapper crashes on bad ptr
+369402 Bad set/get_thread_area pointer crashes valgrind
 n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
 n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap
diff --git a/coregrind/m_syswrap/syswrap-x86-linux.c b/coregrind/m_syswrap/syswrap-x86-linux.c
index 0d8ff45763..62d886a7fc 100644
--- a/coregrind/m_syswrap/syswrap-x86-linux.c
+++ b/coregrind/m_syswrap/syswrap-x86-linux.c
@@ -634,7 +634,7 @@ static SysRes sys_set_thread_area ( ThreadId tid, vki_modify_ldt_t* info )
 vg_assert(8 == sizeof(VexGuestX86SegDescr));
 vg_assert(sizeof(HWord) == sizeof(VexGuestX86SegDescr*));
- if (info == NULL)
+ if (info == NULL || ! ML_(safe_to_deref)(info, sizeof(vki_modify_ldt_t)))
 return VG_(mk_SysRes_Error)( VKI_EFAULT );
 gdt = (VexGuestX86SegDescr*)VG_(threads)[tid].arch.vex.guest_GDT;
@@ -686,7 +686,7 @@ static SysRes sys_get_thread_area ( ThreadId tid, vki_modify_ldt_t* info )
 vg_assert(sizeof(HWord) == sizeof(VexGuestX86SegDescr*));
 vg_assert(8 == sizeof(VexGuestX86SegDescr));
- if (info == NULL)
+ if (info == NULL || ! ML_(safe_to_deref)(info, sizeof(vki_modify_ldt_t)))
 return VG_(mk_SysRes_Error)( VKI_EFAULT );
 idx = info->entry_number;
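Review bot: The new guard in sys_set_thread_area (hunk @@ -634) only establishes that `info` can be read, yet both this function and sys_get_thread_area (hunk @@ -686, same change) are expected by the syscall contract to store back through that pointer (the chosen entry_number for a -1 request, the whole descriptor for get), and the store sites lie outside the hunks; if ML_(safe_to_deref) checks read permission only, a read-only or guard-page mapping passes the entry check and the later write still faults inside Valgrind instead of returning EFAULT to the client. I could not confirm the helper's semantics from this diff, so please verify it, and if it is read-only, re-check the region for write permission immediately before the write-back in both functions. Both function bodies start and end outside their hunks. A one-line comment on the guard would make the reason for the extra check clear to the next reader: `/* info is the client's raw syscall argument; refuse unmapped memory before dereferencing it here. */`.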