From: Mark Wielaard Date: Sat, 1 Oct 2016 11:54:40 +0000 (+0000) Subject: Fix pre_mem_read_sockaddr crash on invalid syscall arguments. Bug #369356. X-Git-Tag: svn/VALGRIND_3_13_0~376 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31e1b8c9bab13d6c758bb8b0185df07b26dbcfe1;p=thirdparty%2Fvalgrind.git Fix pre_mem_read_sockaddr crash on invalid syscall arguments. Bug #369356. Don't do any more checks if it isn't safe to inspect the address family. Likewise, don't check sun_path if the string address isn't safe. Found by LTP testcases/kernel/syscalls/bind/bind01. git-svn-id: svn://svn.valgrind.org/valgrind/trunk@15990 --- diff --git a/NEWS b/NEWS index 67a0ecbb94..ae55de72f6 100644 --- a/NEWS +++ b/NEWS @@ -180,6 +180,7 @@ where XXXXXX is the bug number as listed below. 361253 [s390x] ex_clone.c:42: undefined reference to `pthread_create' 369169 ppc64 fails jm_int_isa_2_07 test 369209 valgrind loops and eats up all memory if cwd doesn't exist. +369356 pre_mem_read_sockaddr syscall wrapper can crash with bad sockaddr n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64 n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap diff --git a/coregrind/m_syswrap/syswrap-generic.c b/coregrind/m_syswrap/syswrap-generic.c index ed44494350..be887b1653 100644 --- a/coregrind/m_syswrap/syswrap-generic.c +++ b/coregrind/m_syswrap/syswrap-generic.c 
@@ -1128,12 +1128,20 @@ void pre_mem_read_sockaddr ( ThreadId tid, VG_(sprintf) ( outmsg, description, "sa_family" ); PRE_MEM_READ( outmsg, (Addr) &sa->sa_family, sizeof(vki_sa_family_t)); + /* Don't do any extra checking if we cannot determine the sa_family. */ + if (! ML_(safe_to_deref) (&sa->sa_family, sizeof(vki_sa_family_t))) { + VG_(free) (outmsg); + return; + } + switch (sa->sa_family) { case VKI_AF_UNIX: - VG_(sprintf) ( outmsg, description, "sun_path" ); - PRE_MEM_RASCIIZ( outmsg, (Addr) saun->sun_path ); - // GrP fixme max of sun_len-2? what about nul char? + if (ML_(safe_to_deref) (&saun->sun_path, sizeof (Addr))) { + VG_(sprintf) ( outmsg, description, "sun_path" ); + PRE_MEM_RASCIIZ( outmsg, (Addr) saun->sun_path ); + // GrP fixme max of sun_len-2? what about nul char? + } break; case VKI_AF_INET:
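Review bot: In the syswrap-generic.c hunk, the new guard `if (ML_(safe_to_deref) (&saun->sun_path, sizeof (Addr)))` probes only the first `sizeof (Addr)` bytes of `sun_path`, a pointer-sized constant that has no relation to the size of the path array, while the following `PRE_MEM_RASCIIZ( outmsg, (Addr) saun->sun_path );` scans forward until a NUL byte; either state in a comment why a one-word probe is sufficient here (for example, if the tool-side ASCIIZ check is already guaranteed to validate each byte before touching it), or use a bound that matches the structure, such as a single byte or the length hinted at by the retained `// GrP fixme max of sun_len-2? what about nul char?` comment, which this change leaves unresolved. The early `return` after `VG_(free) (outmsg);` also introduces a second exit path that has to stay in step with the function's normal cleanup of `outmsg`; extending the comment above it to say that the `PRE_MEM_READ` error for `sa_family` has already been emitted, so skipping the remaining checks loses no diagnostics, would make the silent bail-out self-explanatory.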