Bug 359724

Summary: getsockname syscall might crash - deref_UInt should check make sure it is safe to deref
Product: [Developer tools] valgrind Reporter: Mark Wielaard <mark>
Component: generalAssignee: Julian Seward <jseward>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Mark Wielaard 2016-02-23 21:21:17 UTC 
This was one of the easy hacks as presented at Fosdem a year ago.
https://archive.fosdem.org/2015/schedule/event/valgrind_easy_hack/attachments/slides/731/export/events/attachments/valgrind_easy_hack/slides/731/valgrind_easy_hacks.html#slide26

The LTP getsockname01 testcase crashes valgrind because it calls deref_UInt which doesn't check whether it is safe to derefence.

The patch is simply:

diff --git a/coregrind/m_syswrap/syswrap-generic.c b/coregrind/m_syswrap/syswrap-generic.c
index 061c1e1..2eaf505 100644
--- a/coregrind/m_syswrap/syswrap-generic.c
+++ b/coregrind/m_syswrap/syswrap-generic.c
@@ -1200,7 +1200,7 @@ static UInt deref_UInt ( ThreadId tid, Addr a, const HChar* s )
 {
    UInt* a_p = (UInt*)a;
    PRE_MEM_READ( s, (Addr)a_p, sizeof(UInt) );
-   if (a_p == NULL)
+   if (a_p == NULL || ! ML_(safe_to_deref) (a_p, sizeof(UInt)))
       return 0;
    else
       return *a_p;
Comment 1 Mark Wielaard 2016-02-23 21:28:49 UTC 
valgrind svn r15809