Bug 369441

Summary: bad lvec argument crashes process_vm_readv/writev syscall wrappers
Product: [Developer tools] valgrind
Reporter: Mark Wielaard <mark>
Component: general
Assignee: Julian Seward <jseward>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Attachments: Don't check bad iovec array in process_vm_readv/writev.

Description Mark Wielaard 2016-09-27 19:24:25 UTC
LTP testcases/kernel/syscalls/cma/process_vm01 crashes valgrind:

==3940== Syscall param process_vm_readv(lvec) points to unaddressable byte(s)
==3940==    at 0x4129977: syscall (in /usr/lib/libc-2.23.so)
==3940==    by 0x804A414: test_process_vm_readv (process_vm.h:42)
==3940==    by 0x804A414: cma_test_params_read (process_vm01.c:137)
==3940==    by 0x8049E33: cma_test_iov_invalid (process_vm01.c:294)
==3940==    by 0x8049E33: cma_test_errnos (process_vm01.c:410)
==3940==    by 0x8049E33: main (process_vm01.c:91)
==3940==  Address 0xffffffff is not stack'd, malloc'd or (recently) free'd
==3940== 
--3940-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--3940-- si_code=1;  Faulting address: 0x3;  sp: 0x628dde4c

valgrind: the 'impossible' happened:
   Killed by fatal signal

host stacktrace:
==3940==    at 0x380A3E79: vgSysWrap_linux_sys_process_vm_readv_before (syswrap-linux.c:5012)

==3961== Syscall param process_vm_writev(lvec) points to unaddressable byte(s)
==3961==    at 0x4129977: syscall (in /usr/lib/libc-2.23.so)
==3961==    by 0x804A3C4: test_process_vm_writev (process_vm.h:55)
==3961==    by 0x804A3C4: cma_test_params_write (process_vm01.c:145)
==3961==    by 0x8049E33: cma_test_iov_invalid (process_vm01.c:294)
==3961==    by 0x8049E33: cma_test_errnos (process_vm01.c:410)
==3961==    by 0x8049E33: main (process_vm01.c:91)
==3961==  Address 0xffffffff is not stack'd, malloc'd or (recently) free'd
==3961== 
--3961-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--3961-- si_code=1;  Faulting address: 0x3;  sp: 0x629a8e4c

valgrind: the 'impossible' happened:
   Killed by fatal signal

host stacktrace:
==3961==    at 0x380A40F9: vgSysWrap_linux_sys_process_vm_writev_before (syswrap-linux.c:5050)


Reproducible: Always
Comment 1 Mark Wielaard 2016-09-27 19:26:16 UTC
Created attachment 101321 [details]
Don't check bad iovec array in process_vm_readv/writev.

The TODO comment already said what to do.
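The crash above is an instance of a general pre-syscall-check mistake: the wrapper reports that the lvec array is unaddressable and then reads lvec[i] from that same address anyway, so the tool itself faults instead of the guest. The following is an added example, not valgrind's syswrap-linux.c and not the attached patch: a hypothetical model of such a wrapper in which the iovec array is validated before any of its elements are inspected. The names model_map, is_addressable, check_lvec and run_cases are invented for the example, the list of known ranges stands in for a tool's shadow memory, and the bogus pointer 0xffffffff is the value from the report; the other sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical model of a syscall pre-wrapper (not valgrind's code): before
   the real process_vm_readv runs, the tool decides whether the caller's iovec
   array and each buffer it names are addressable.  The tool's shadow memory
   is replaced here by a constructed list of known ranges. */

typedef struct { uintptr_t start; size_t len; } range_t;

#define MAX_RANGES 8
static range_t known_ranges[MAX_RANGES];
static size_t n_known;

/* Forget all ranges so a run starts from a clean map. */
static void model_reset(void) { n_known = 0; }

/* Declare [p, p+len) addressable; returns 0 if the map is full. */
static int model_map(const void *p, size_t len)
{
    if (n_known == MAX_RANGES) return 0;
    known_ranges[n_known].start = (uintptr_t)p;
    known_ranges[n_known].len = len;
    n_known++;
    return 1;
}

/* 1 if every byte of [addr, addr+len) lies inside one known range.  Written
   without computing addr+len so a pointer like 0xffffffff cannot wrap. */
static int is_addressable(uintptr_t addr, size_t len)
{
    size_t i;
    uintptr_t off;
    if (len == 0) return 1;
    for (i = 0; i < n_known; i++) {
        const range_t *r = &known_ranges[i];
        if (addr < r->start) continue;
        off = addr - r->start;
        if (off <= r->len && len <= r->len - off) return 1;
    }
    return 0;
}

enum { IOV_OK = 0, IOV_ARRAY_BAD = 1, IOV_ELEMENT_BAD = 2 };

/* Pre-syscall check for the lvec argument.  The order matters: the array
   itself is validated first, and on failure the function returns without
   ever reading lvec[i], which is exactly what the crashing wrapper did. */
static int check_lvec(const struct iovec *lvec, unsigned long liovcnt,
                      char *report, size_t report_len)
{
    unsigned long i;
    if (liovcnt > SIZE_MAX / sizeof(struct iovec) ||
        !is_addressable((uintptr_t)lvec, (size_t)liovcnt * sizeof(struct iovec))) {
        snprintf(report, report_len,
                 "Syscall param process_vm_readv(lvec) points to unaddressable byte(s): %p",
                 (const void *)lvec);
        return IOV_ARRAY_BAD;   /* do NOT touch lvec[i] after this point */
    }
    /* Only now is it safe to read the elements themselves. */
    for (i = 0; i < liovcnt; i++) {
        if (!is_addressable((uintptr_t)lvec[i].iov_base, lvec[i].iov_len)) {
            snprintf(report, report_len,
                     "Syscall param process_vm_readv(lvec[%lu].iov_base) points to "
                     "unaddressable byte(s): %p", i, lvec[i].iov_base);
            return IOV_ELEMENT_BAD;
        }
    }
    report[0] = '\0';
    return IOV_OK;
}

/* Three constructed cases; returns 1 when every verdict is as expected. */
static int run_cases(void)
{
    static char buf[64];
    struct iovec good[2] = { { buf, 16 }, { buf + 16, 48 } };
    struct iovec stray[1] = { { (void *)(uintptr_t)0x4, 8 } };
    char report[160];
    int ok = 1;

    model_reset();
    model_map(buf, sizeof buf);
    model_map(good, sizeof good);
    model_map(stray, sizeof stray);

    /* 1. well-formed array and buffers */
    ok &= check_lvec(good, 2, report, sizeof report) == IOV_OK;
    /* 2. the LTP case: lvec itself is a bogus pointer (0xffffffff in the log) */
    ok &= check_lvec((const struct iovec *)(uintptr_t)0xffffffffu, 1,
                     report, sizeof report) == IOV_ARRAY_BAD;
    /* 3. the array is fine but one element points at unmapped memory */
    ok &= check_lvec(stray, 1, report, sizeof report) == IOV_ELEMENT_BAD;
    return ok;
}

int main(void)
{
    printf("%s\n", run_cases() ? "all verdicts as expected" : "mismatch");
    return 0;
}
```

The same ordering applies to any syscall argument that is a pointer to an array of pointers: the outer object is checked, the verdict is recorded, and the inner objects are only examined once the outer check has passed, so a guest that passes garbage can be reported on without the tool dereferencing the garbage itself.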
Comment 2 Mark Wielaard 2016-10-01 11:56:16 UTC
valgrind svn r15997