From: Ivo Raisr
Date: Thu, 23 Mar 2017 23:22:21 +0000 (+0000)
Subject: Fix for 377698 - Missing memory check for futex() uaddr arg for FUTEX_WAKE,
X-Git-Tag: svn/VALGRIND_3_13_0~146
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d9f02db4c8a829a69816bbd172f13bafa2c1a95f;p=thirdparty%2Fvalgrind.git

Fix for 377698 - Missing memory check for futex() uaddr arg for FUTEX_WAKE,
and FUTEX_WAKE_BITSET, check only 4 args for FUTEX_WAKE_BITSET, and 2 args for FUTEX_TRYLOCK_PI.
Fixes BZ#377698.
Patch by: diane.meirowitz@oracle.com
git-svn-id: svn://svn.valgrind.org/valgrind/trunk@16285
---
diff --git a/NEWS b/NEWS
index 7d529dfb47..56c7053c78 100644
--- a/NEWS
+++ b/NEWS
@@ -147,6 +147,9 @@ where XXXXXX is the bug number as listed below.
 377376 memcheck/tests/linux/getregset fails with glibc2.24
 377427 PPC64, lxv instruction failing on odd destination register
 377478 PPC64: ISA 3.0 setup fixes
+377698 Missing memory check for futex() uaddr arg for FUTEX_WAKE
+ and FUTEX_WAKE_BITSET, check only 4 args for FUTEX_WAKE_BITSET,
+ and 2 args for FUTEX_TRYLOCK_PI
 377717 Fix massive space leak when reading compressed debuginfo sections
 
 Release 3.12.0 (20 October 2016)
diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c
index 4136f59b4f..c79b98c7ce 100644
--- a/coregrind/m_syswrap/syswrap-linux.c
+++ b/coregrind/m_syswrap/syswrap-linux.c
@@ -1610,9 +1610,11 @@ PRE(sys_futex)
 }
 break;
 case VKI_FUTEX_WAKE_BITSET:
- PRE_REG_READ6(long, "futex",
- vki_u32 *, futex, int, op, int, val,
- int, dummy, int, dummy2, int, val3);
+ PRE_REG_READ3(long, "futex",
+ vki_u32 *, futex, int, op, int, val);
+ if (VG_(tdict).track_pre_reg_read) {
+ PRA6("futex", int, val3);
+ }
 break;
 case VKI_FUTEX_WAIT:
 case VKI_FUTEX_LOCK_PI:
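Review bot: The new FUTEX_WAKE_BITSET case reads args 1–3 with PRE_REG_READ3 and then only arg 6 via `PRA6("futex", int, val3)`, but nothing in the code records why args 4 and 5 are deliberately left unchecked, so the next reader is likely to "restore" the PRE_REG_READ6 call that this hunk removes. A comment above the PRE_REG_READ3 call would carry the intent: `/* FUTEX_WAKE_BITSET: the kernel uses uaddr, op, val and val3 (the bitset) only; utime (arg4) and uaddr2 (arg5) are ignored, so they are not checked. */`. The explicit `VG_(tdict).track_pre_reg_read` guard around PRA6 appears to mirror the guard the PRE_REG_READn macros use themselves, so it is consistent, but a reader seeing it here for the first time would benefit from the same comment. PRE(sys_futex) begins before this hunk and continues after it.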
@@ -1622,10 +1624,10 @@ PRE(sys_futex)
 break;
 case VKI_FUTEX_WAKE:
 case VKI_FUTEX_FD:
- case VKI_FUTEX_TRYLOCK_PI:
 PRE_REG_READ3(long, "futex", vki_u32 *, futex, int, op, int, val);
 break;
+ case VKI_FUTEX_TRYLOCK_PI:
 case VKI_FUTEX_UNLOCK_PI:
 default:
 PRE_REG_READ2(long, "futex", vki_u32 *, futex, int, op);
@@ -1655,13 +1657,10 @@ PRE(sys_futex)
 case VKI_FUTEX_FD:
 case VKI_FUTEX_TRYLOCK_PI:
 case VKI_FUTEX_UNLOCK_PI:
- PRE_MEM_READ( "futex(futex)", ARG1, sizeof(Int) );
- break;
- case VKI_FUTEX_WAKE:
 case VKI_FUTEX_WAKE_BITSET:
- /* no additional pointers */
- break;
+ PRE_MEM_READ( "futex(futex)", ARG1, sizeof(Int) );
+ break;
 default:
 SET_STATUS_Failure( VKI_ENOSYS ); // some futex function we don't understand
diff --git a/memcheck/tests/arm64-linux/scalar.c b/memcheck/tests/arm64-linux/scalar.c
index e8f2e43149..cd8cb2af99 100644
--- a/memcheck/tests/arm64-linux/scalar.c
+++ b/memcheck/tests/arm64-linux/scalar.c
@@ -1068,8 +1068,8 @@ int main(void)
 #define FUTEX_WAIT 0
 #endif
 // XXX: again, glibc not doing 6th arg means we have only 5s errors
- GO(__NR_futex, "5s 2m");
- SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1, x0, x0); FAIL;
+ GO(__NR_futex, "4s 2m");
+ SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1); FAIL;
 
 // __NR_sched_setaffinity 241
 GO(__NR_sched_setaffinity, "3s 1m");
diff --git a/memcheck/tests/arm64-linux/scalar.stderr.exp b/memcheck/tests/arm64-linux/scalar.stderr.exp
index 1dc2035262..fdfdb371a2 100644
--- a/memcheck/tests/arm64-linux/scalar.stderr.exp
+++ b/memcheck/tests/arm64-linux/scalar.stderr.exp
@@ -1958,7 +1958,7 @@ Syscall param fremovexattr(name) points to unaddressable byte(s)
 130: __NR_tkill n/a
 -----------------------------------------------------
 -----------------------------------------------------
- 98: __NR_futex 5s 2m
+ 98: __NR_futex 4s 2m
 -----------------------------------------------------
 Syscall param futex(futex) contains uninitialised byte(s)
 ...
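Review bot: The `PRE_MEM_READ( "futex(futex)", ARG1, sizeof(Int) )` now applied to the FUTEX_WAKE and FUTEX_WAKE_BITSET cases asks memcheck for a defined futex word, not merely an addressable one, whereas the kernel's wake path, as far as I can tell, only uses uaddr as a hash key and never loads the word's contents. A program that wakes on an addressable but never-initialised futex word will therefore now get a "contains uninitialised byte(s)" report that does not correspond to anything the syscall reads; that is defensible as a program-bug heuristic, but it is a policy choice and should be stated next to the call, e.g. `/* The kernel only keys on uaddr for a wake, but an undefined futex word is almost certainly a bug, so require definedness as well as addressability. */`. If the intent was only to match the kernel's access check, an addressability-only check would be the more faithful option. PRE(sys_futex) continues outside this hunk on both sides.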
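Review bot: The context comment `// XXX: again, glibc not doing 6th arg means we have only 5s errors` directly above the changed lines is now stale: the call below passes four arguments and the expectation is `"4s 2m"`, so neither the missing 6th argument nor "5s" describes this test any more. Either drop the comment or reword it to match, e.g. `// 4 args are passed, so 4 scalar errors`. The same stale comment survives unchanged in the memcheck/tests/darwin/scalar.c and memcheck/tests/x86-linux/scalar.c hunks below. main() begins before this hunk and continues after it.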
diff --git a/memcheck/tests/darwin/scalar.c b/memcheck/tests/darwin/scalar.c
index af4def4d32..d74996c657 100644
--- a/memcheck/tests/darwin/scalar.c
+++ b/memcheck/tests/darwin/scalar.c
@@ -1654,8 +1654,8 @@ int main(void)
 #define FUTEX_WAIT 0
 #endif
 // XXX: again, glibc not doing 6th arg means we have only 5s errors
- GO(__NR_futex, "5s 2m");
- SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1, x0, x0); FAIL;
+ GO(__NR_futex, "4s 2m");
+ SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1); FAIL;
 
 // __NR_sched_setaffinity 241
 GO(__NR_sched_setaffinity, "3s 1m");
diff --git a/memcheck/tests/x86-linux/scalar.c b/memcheck/tests/x86-linux/scalar.c
index c0a318b3db..6c6089196d 100644
--- a/memcheck/tests/x86-linux/scalar.c
+++ b/memcheck/tests/x86-linux/scalar.c
@@ -1068,8 +1068,8 @@ int main(void)
 #define FUTEX_WAIT 0
 #endif
 // XXX: again, glibc not doing 6th arg means we have only 5s errors
- GO(__NR_futex, "5s 2m");
- SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1, x0, x0); FAIL;
+ GO(__NR_futex, "4s 2m");
+ SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1); FAIL;
 
 // __NR_sched_setaffinity 241
 GO(__NR_sched_setaffinity, "3s 1m");
diff --git a/memcheck/tests/x86-linux/scalar.stderr.exp b/memcheck/tests/x86-linux/scalar.stderr.exp
index d1af3136c3..ebee0640ac 100644
--- a/memcheck/tests/x86-linux/scalar.stderr.exp
+++ b/memcheck/tests/x86-linux/scalar.stderr.exp
@@ -3300,7 +3300,7 @@ Syscall param sendfile64(offset) points to unaddressable byte(s)
 Address 0x........ is not stack'd, malloc'd or (recently) free'd
 
 -----------------------------------------------------
-240: __NR_futex 5s 2m
+240: __NR_futex 4s 2m
 -----------------------------------------------------
 Syscall param futex(futex) contains uninitialised byte(s)
 ...