From: Mark Wielaard
Date: Fri, 11 Jul 2025 15:18:47 +0000 (+0200)
Subject: Check ppoll ufds array is safe to deref before checking fd members
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=300d541a82d9966e833e4db9028011121253a19b;p=thirdparty%2Fvalgrind.git

Check ppoll ufds array is safe to deref before checking fd members

LTP ppoll01 provides a bad fds array to ppoll as a testcase. memcheck
should warn (through PRE_MEM_READ) this array is bad. But it shouldn't
try to dereference anything if it isn't safe.
---
diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c index a5e1f9d65..51a47a16f 100644 --- a/coregrind/m_syswrap/syswrap-linux.c +++ b/coregrind/m_syswrap/syswrap-linux.c @@ -2041,6 +2041,8 @@ static void ppoll_pre_helper ( ThreadId tid, SyscallArgLayout* layout, for (i = 0; i < ARG2; i++) { PRE_MEM_READ( "ppoll(ufds.fd)", (Addr)(&ufds[i].fd), sizeof(ufds[i].fd) ); + if (!ML_(safe_to_deref)(&ufds[i].fd, sizeof(ufds[i].fd))) + break; if (ufds[i].fd >= 0) { PRE_MEM_READ( "ppoll(ufds.events)", (Addr)(&ufds[i].events), sizeof(ufds[i].events) );
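Review bot: the `break` after the `ML_(safe_to_deref)` check in the `for (i = 0; i < ARG2; i++)` loop means memcheck reports only the first unreadable `ufds[i].fd` and silently skips the remaining entries, so a caller whose array is partly mapped gets a single report instead of one per bad slot and loses the `ufds.events` checks for the later entries. If the aim (per the commit message) is to warn that the array is bad but never dereference it, `continue` keeps the per-entry `PRE_MEM_READ( "ppoll(ufds.fd)", ... )` reports while still guarding the `ufds[i].fd >= 0` read; alternatively, if it isn't already done above this hunk, a single `PRE_MEM_READ` over the whole `ARG2 * sizeof(*ufds)` range before the loop would flag the entire buffer once and make the early exit harmless. Either way, the ordering here is right: the `PRE_MEM_READ` on `&ufds[i].fd` must stay before the `safe_to_deref` guard so the unaddressable access is still reported. Since the commit message names LTP ppoll01 as the trigger, a small regression test in memcheck/tests that passes an unmapped fds array to ppoll would pin the fix and the reporting behaviour down.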