Bug 369383

Summary: x86 sys_modify_ldt wrapper crashes on bad ptr
Product: [Developer tools] valgrind
Reporter: Mark Wielaard <mark>
Component: general
Assignee: Julian Seward <jseward>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version First Reported In: 3.12 SVN   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Attachments: Fix crash in sys_modify_ldt wrapper on bad ptr.

Description Mark Wielaard 2016-09-26 16:15:40 UTC
LTP testcases/kernel/syscalls/modify_ldt/modify_ldt01:

==30317== Syscall param modify_ldt(ptr) points to unaddressable byte(s)
==30317==    at 0x412FFF9: modify_ldt (in /usr/lib/libc-2.23.so)
==30317==    by 0x8049BCD: main (modify_ldt01.c:188)
==30317==  Address 0x805efff is 4095 bytes after the brk data segment limit 0x805e000
==30317== 
--30317-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--30317-- si_code=1;  Faulting address: 0x805F000;  sp: 0x62a5ce34

valgrind: the 'impossible' happened:
   Killed by fatal signal

host stacktrace:
==30317==    at 0x380B70B7: read_ldt (syswrap-x86-linux.c:541)
==30317==    by 0x380B70B7: sys_modify_ldt (syswrap-x86-linux.c:603)
==30317==    by 0x380B70B7: vgSysWrap_x86_linux_sys_modify_ldt_before (syswrap-x86-linux.c:1037)
Reproducible: Always
Comment 1 Mark Wielaard 2016-09-26 16:18:16 UTC
Created attachment 101298 [details]
Fix crash in sys_modify_ldt wrapper on bad ptr.

Make sure ptr is safe_to_deref if not NULL.
Also fixup some corner case error return codes.
We have to do that ourselves since we never actually call into the kernel.
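The defensive pattern behind this fix, as an added example that is neither the attachment nor Valgrind's own code: a model of an emulated syscall wrapper that validates a guest-supplied pointer over its whole length before the host dereferences it and, because it never enters the kernel, produces the errno values modify_ldt(2) documents itself. The flat guest address space, the guest_safe_to_deref() stand-in for Valgrind's safe_to_deref, the 64-byte LDT and the read-only func set are constructed assumptions of the model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed guest address space: a flat 64 KiB array of which only
 * [GUEST_LO, GUEST_HI) is "mapped"; everything else is unaddressable. */
#define GUEST_MEM_SIZE 0x10000u
#define GUEST_LO       0x1000u
#define GUEST_HI       0x3000u
static uint8_t guest_mem[GUEST_MEM_SIZE];

/* Hypothetical stand-in for Valgrind's safe_to_deref(): true only if every
 * byte of [addr, addr+len) is mapped.  Checking the whole range matters: in
 * the report the buffer starts at the last mapped byte (0x805efff) and the
 * host faults on the next page (0x805f000).  The subtraction form also avoids
 * the addr+len wrap-around that a naive "addr + len <= HI" test would miss. */
static int guest_safe_to_deref(uint32_t addr, uint32_t len)
{
    if (len == 0) return 1;
    if (addr < GUEST_LO || addr >= GUEST_HI) return 0;
    return len <= GUEST_HI - addr;
}

/* The LDT the tool keeps on the guest's behalf (constructed: 8 x 8 bytes). */
static uint8_t tool_ldt[8 * 8];

static void model_init(void)
{
    for (unsigned i = 0; i < sizeof tool_ldt; i++) tool_ldt[i] = (uint8_t)i;
}

/* Emulated modify_ldt(func=0, ptr, bytecount): copy the LDT into the guest
 * buffer.  Since the wrapper never calls the kernel it must return the errno
 * values modify_ldt(2) documents by itself: -EINVAL for an unsupported func,
 * -EFAULT for a buffer outside the guest's address space.  On success it
 * returns the number of bytes copied (bytecount clamped to the LDT size). */
static long emu_modify_ldt(int func, uint32_t ptr, uint32_t bytecount)
{
    if (func != 0) return -EINVAL;          /* model implements reading only */
    if (bytecount > sizeof tool_ldt) bytecount = sizeof tool_ldt;
    /* The fix, in model form: validate the guest pointer before touching it
     * rather than letting the host take SIGSEGV (NULL is unmapped here too). */
    if (!guest_safe_to_deref(ptr, bytecount)) return -EFAULT;
    memcpy(guest_mem + ptr, tool_ldt, bytecount);
    return (long)bytecount;
}

/* Inspect guest memory after a call (test helper). */
static uint8_t guest_byte(uint32_t addr) { return guest_mem[addr]; }
```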
Comment 2 Mark Wielaard 2016-10-01 11:57:40 UTC
valgrind svn r15995