From: Mark Wielaard Date: Sat, 1 Oct 2016 11:54:51 +0000 (+0000) Subject: Don't check bad iovec array in process_vm_readv/writev. Bug #369441. X-Git-Tag: svn/VALGRIND_3_13_0~369 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2cb131bf04187f329c2e0c71f0cad7382a78f023;p=thirdparty%2Fvalgrind.git Don't check bad iovec array in process_vm_readv/writev. Bug #369441. Found by LTP testcases/kernel/syscalls/cma/process_vm01. git-svn-id: svn://svn.valgrind.org/valgrind/trunk@15997 --- diff --git a/NEWS b/NEWS index 2ded124ff6..a0b8e16100 100644 --- a/NEWS +++ b/NEWS @@ -187,6 +187,7 @@ where XXXXXX is the bug number as listed below. 369362 Bad sigaction arguments crash valgrind 369383 x86 sys_modify_ldt wrapper crashes on bad ptr 369402 Bad set/get_thread_area pointer crashes valgrind +369441 bad lvec argument crashes process_vm_readv/writev syscall wrappers n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64 n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c index e53de6c985..115922307a 100644 --- a/coregrind/m_syswrap/syswrap-linux.c +++ b/coregrind/m_syswrap/syswrap-linux.c @@ -5004,8 +5004,8 @@ PRE(sys_process_vm_readv) ARG2, ARG3 * sizeof(struct vki_iovec) ); PRE_MEM_READ( "process_vm_readv(rvec)", ARG4, ARG5 * sizeof(struct vki_iovec) ); - if (ARG2 != 0) { - /* TODO: Don't do any of the following if lvec is invalid */ + if (ARG2 != 0 + && ML_(safe_to_deref) ((void *)ARG2, sizeof(struct vki_iovec) * ARG3)) { const struct vki_iovec *vec = (const struct vki_iovec *)ARG2; UInt i; for (i = 0; i < ARG3; i++) 
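Review bot: In the NEWS hunk, the new entry "369441 bad lvec argument crashes ..." starts with a lowercase "bad" while the neighbouring entries (369362, 369383, 369402) capitalise the first word ("Bad sigaction arguments ...", "Bad set/get_thread_area pointer ..."); capitalise it for consistency with the rest of the list.

Review bot: In the PRE(sys_process_vm_readv) hunk, the new guard `ML_(safe_to_deref) ((void *)ARG2, sizeof(struct vki_iovec) * ARG3)` computes the byte length with an unchecked multiplication on a guest-supplied count, so a very large ARG3 can wrap the product to a small value, pass the safe_to_deref check, and then the unchanged `for (i = 0; i < ARG3; i++)` loop walks far past the end of the array, which is the same class of crash this change is meant to prevent (the preceding PRE_MEM_READ on lvec has the same product, but that path only records an error rather than dereferencing). Since the kernel rejects an iovec count above its UIO_MAXIOV limit with EINVAL anyway, consider skipping the per-element walk when ARG3 exceeds that bound, or at least checking that the multiplication does not overflow before calling safe_to_deref; note also that the loop counter is `UInt i` while ARG3 is a word-sized argument, so without such a bound the loop condition itself misbehaves for counts above UINT_MAX.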
@@ -5042,8 +5042,8 @@ PRE(sys_process_vm_writev) ARG2, ARG3 * sizeof(struct vki_iovec) ); PRE_MEM_READ( "process_vm_writev(rvec)", ARG4, ARG5 * sizeof(struct vki_iovec) ); - if (ARG2 != 0) { - /* TODO: Don't do any of the following if lvec is invalid */ + if (ARG2 != 0 + && ML_(safe_to_deref) ((void *)ARG2, sizeof(struct vki_iovec) * ARG3)) { const struct vki_iovec *vec = (const struct vki_iovec *)ARG2; UInt i; for (i = 0; i < ARG3; i++)
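Review bot: The PRE(sys_process_vm_writev) hunk duplicates the readv guard line for line (`if (ARG2 != 0 && ML_(safe_to_deref) ((void *)ARG2, sizeof(struct vki_iovec) * ARG3))`), so it inherits the same unchecked `sizeof(struct vki_iovec) * ARG3` multiplication and the same `UInt i` loop over a word-sized ARG3; rather than fixing both copies separately, factor the lvec validation and per-element walk into one static helper that both wrappers call, so a future correction (such as bounding ARG3 or checking the product for overflow) lands in one place.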