Bug 369359

Summary: msghdr_foreachfield can crash when handling bad iovec
Product: [Developer tools] valgrind Reporter: Mark Wielaard <mark>
Component: generalAssignee: Julian Seward <jseward>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Fix crash in msghdr_foreachfield when iov_len isn't safe to dereference.

Description Mark Wielaard 2016-09-25 22:10:21 UTC 
LTP testcases/kernel/syscalls/recvmsg/recvmsg01 crashes valgrind:

==29561== Syscall param recvmsg(msg.msg_iov[134]) points to unaddressable byte(s)
==29561==    at 0x4F2C690: __recvmsg_nocancel (syscall-template.S:81)
==29561==    by 0x402B0E: main (recvmsg01.c:224)
==29561==  Address 0x6b636f7364750001 is not stack'd, malloc'd or (recently) free'd
==29561== 
--29561-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--29561-- si_code=1;  Faulting address: 0x618008;  sp: 0x80327ad40

valgrind: the 'impossible' happened:
   Killed by fatal signal

host stacktrace:
==29561==    at 0x38093BD5: msghdr_foreachfield (syswrap-generic.c:1063)
==29561==    by 0x38092CDF: vgPlain_client_syscall (syswrap-main.c:1906)
==29561==    by 0x3808F8B2: handle_syscall (scheduler.c:1118)
==29561==    by 0x38090E76: vgPlain_scheduler (scheduler.c:1435)
==29561==    by 0x380A027A: thread_wrapper (syswrap-linux.c:103)
==29561==    by 0x380A027A: run_a_thread_NORETURN (syswrap-linux.c:156)


Reproducible: Always
Comment 1 Mark Wielaard 2016-09-25 22:13:34 UTC 
Created attachment 101287 [details]
Fix crash in msghdr_foreachfield when iov_len isn't safe to dereference.

Also stop checking when max length of bytes have been reached.
Comment 2 Mark Wielaard 2016-10-01 12:00:10 UTC 
valgrind svn r15991