Sanity check io_submit addresses before dereferencing

The LTP io_submit03 test fails under valgrind memcheck because it
tests bad struct iocb attay addresses. Fix this by explicitly checking
the struct iocb pointer and each array element pointer are safe to
deref in the linux sys_io_submit PRE handler.

diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c
index d2d0c70588064cd5a512426abfa9454c2dc58909..f2e1c4979067c0b2d46cdf3b459c6f6617ec41ab 100644 (file)
--- a/coregrind/m_syswrap/syswrap-linux.c
+++ b/coregrind/m_syswrap/syswrap-linux.c
@@ -2690,12 +2690,15 @@ PRE(sys_io_submit)
                  vki_aio_context_t, ctx_id, long, nr,
                  struct iocb **, iocbpp);
    PRE_MEM_READ( "io_submit(iocbpp)", ARG3, ARG2*sizeof(struct vki_iocb *) );
-   if (ARG3 != 0) {
+   if (ML_(safe_to_deref)((void *)(Addr)ARG3, ARG2*sizeof(struct vki_iocb *))) {
       for (i = 0; i < ARG2; i++) {
          struct vki_iocb *cb = ((struct vki_iocb **)(Addr)ARG3)[i];
          struct vki_iovec *iov;
 
          PRE_MEM_READ( "io_submit(iocb)", (Addr)cb, sizeof(struct vki_iocb) );
+         if (!ML_(safe_to_deref)(&cb->aio_lio_opcode,
+                                 sizeof(cb->aio_lio_opcode)))
+            continue;
          switch (cb->aio_lio_opcode) {
          case VKI_IOCB_CMD_PREAD:
             PRE_MEM_WRITE( "io_submit(PREAD)", cb->aio_buf, cb->aio_nbytes );