From 0cc9e9099bf1d7a5275f214e9538b51398f3960e Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Sat, 1 Oct 2016 11:54:50 +0000
Subject: [PATCH] linux-x86 check get/set_thread_area pointer before use. Bug #369402.

git-svn-id: svn://svn.valgrind.org/valgrind/trunk@15996
---
 NEWS                                    | 1 +
 coregrind/m_syswrap/syswrap-x86-linux.c | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index d0c1d43f30..2ded124ff6 100644
--- a/NEWS
+++ b/NEWS
@@ -186,6 +186,7 @@ where XXXXXX is the bug number as listed below.
 369361 vmsplice syscall wrapper crashes on bad iovec
 369362 Bad sigaction arguments crash valgrind
 369383 x86 sys_modify_ldt wrapper crashes on bad ptr
+369402 Bad set/get_thread_area pointer crashes valgrind
 n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
 n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap
diff --git a/coregrind/m_syswrap/syswrap-x86-linux.c b/coregrind/m_syswrap/syswrap-x86-linux.c
index 0d8ff45763..62d886a7fc 100644
--- a/coregrind/m_syswrap/syswrap-x86-linux.c
+++ b/coregrind/m_syswrap/syswrap-x86-linux.c
@@ -634,7 +634,7 @@ static SysRes sys_set_thread_area ( ThreadId tid, vki_modify_ldt_t* info )
    vg_assert(8 == sizeof(VexGuestX86SegDescr));
    vg_assert(sizeof(HWord) == sizeof(VexGuestX86SegDescr*));
-   if (info == NULL)
+   if (info == NULL || ! ML_(safe_to_deref)(info, sizeof(vki_modify_ldt_t)))
       return VG_(mk_SysRes_Error)( VKI_EFAULT );
    gdt = (VexGuestX86SegDescr*)VG_(threads)[tid].arch.vex.guest_GDT;
@@ -686,7 +686,7 @@ static SysRes sys_get_thread_area ( ThreadId tid, vki_modify_ldt_t* info )
    vg_assert(sizeof(HWord) == sizeof(VexGuestX86SegDescr*));
    vg_assert(8 == sizeof(VexGuestX86SegDescr));
-   if (info == NULL)
+   if (info == NULL || ! ML_(safe_to_deref)(info, sizeof(vki_modify_ldt_t)))
       return VG_(mk_SysRes_Error)( VKI_EFAULT );
    idx = info->entry_number;
-- 
2.47.2
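Review bot: The new guard in sys_set_thread_area (and the identical one in the sys_get_thread_area hunk) establishes only that `info` is mapped and dereferenceable for `sizeof(vki_modify_ldt_t)` bytes; it does not by itself establish that the buffer is writable. The visible read `idx = info->entry_number;` is covered, but both functions continue past the hunk, and if either one stores back into `*info` (the kernel's set_thread_area writes a chosen entry_number back, and get_thread_area fills the struct) a mapped read-only buffer would pass this check and still fault on the store — worth confirming against the rest of each body. If the store relies on the syscall's PRE wrapper having flagged the range, record that next to the check, e.g. `/* Guards reads of *info only; any write back to *info still relies on the client buffer being writable. */`. Bodies of sys_set_thread_area and sys_get_thread_area both start and end outside the hunks.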