From 106336018105c55ddb4f31e9bd518a9b5827c7af Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Sat, 1 Oct 2016 11:54:48 +0000
Subject: [PATCH] Fix crash in vmsplice linux kernel wrapper when iovec is bad.

Bug #369361. Found by LTP testcases/kernel/syscalls/vmsplice/vmsplice02.

git-svn-id: svn://svn.valgrind.org/valgrind/trunk@15993
---
 NEWS | 1 +
 coregrind/m_syswrap/syswrap-linux.c | 12 ++++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index fca22bed0b..051c1a6a4f 100644
--- a/NEWS
+++ b/NEWS
@@ -183,6 +183,7 @@ where XXXXXX is the bug number as listed below.
 369356 pre_mem_read_sockaddr syscall wrapper can crash with bad sockaddr
 369359 msghdr_foreachfield can crash when handling bad iovec
 369360 Bad sigprocmask old or new sets can crash valgrind
+369361 vmsplice syscall wrapper crashes on bad iovec
 n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
 n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap
diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c
index 797448427a..6f9a8beedd 100644
--- a/coregrind/m_syswrap/syswrap-linux.c
+++ b/coregrind/m_syswrap/syswrap-linux.c
@@ -5310,10 +5310,14 @@ PRE(sys_vmsplice)
 for (iov = (struct vki_iovec *)ARG2;
 iov < (struct vki_iovec *)ARG2 + ARG3; iov++)
 {
- if ((fdfl & VKI_O_ACCMODE) == VKI_O_RDONLY)
- PRE_MEM_WRITE( "vmsplice(iov[...])", (Addr)iov->iov_base, iov->iov_len );
- else
- PRE_MEM_READ( "vmsplice(iov[...])", (Addr)iov->iov_base, iov->iov_len );
+ if (ML_(safe_to_deref) (iov, sizeof(struct vki_iovec))) {
+ if ((fdfl & VKI_O_ACCMODE) == VKI_O_RDONLY)
+ PRE_MEM_WRITE( "vmsplice(iov[...])",
+ (Addr)iov->iov_base, iov->iov_len );
+ else
+ PRE_MEM_READ( "vmsplice(iov[...])",
+ (Addr)iov->iov_base, iov->iov_len );
+ }
 }
 }
 }
-- 
2.47.2
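Review bot: When ML_(safe_to_deref) rejects an entry, the new branch skips it silently, so whether the guest ever sees a memcheck error for an unreadable iov array now depends entirely on a PRE_MEM_READ of the whole array being issued before this loop; PRE(sys_vmsplice) starts outside the hunk, so that cannot be confirmed here and is worth checking. A comment on the new `if`, such as `/* Only look at entries we can read ourselves; an unaddressable iov array is reported by the array-wide PRE_MEM_READ, not here. */`, would make the intent explicit either way. Separately, the unchanged loop bound `iov < (struct vki_iovec *)ARG2 + ARG3` still takes nr_segs straight from the guest, so a huge ARG3 (which the kernel will reject with EINVAL above its UIO_MAXIOV limit) makes the wrapper iterate, and call safe_to_deref, that many times before the syscall itself fails; clamping the iteration count to that limit before the loop would bound the cost.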