Bug 359724 - getsockname syscall might crash - deref_UInt should check to make sure it is safe to deref
Status: RESOLVED FIXED
Alias: None
Product: valgrind
Classification: Developer tools
Component: general (other bugs)
Version First Reported In: unspecified
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Julian Seward
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-23 21:21 UTC by Mark Wielaard
Modified: 2016-02-23 21:28 UTC

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Description Mark Wielaard 2016-02-23 21:21:17 UTC
This was one of the easy hacks as presented at Fosdem a year ago.
https://archive.fosdem.org/2015/schedule/event/valgrind_easy_hack/attachments/slides/731/export/events/attachments/valgrind_easy_hack/slides/731/valgrind_easy_hacks.html#slide26

The LTP getsockname01 testcase crashes valgrind because it calls deref_UInt, which doesn't check whether it is safe to dereference.

The patch is simply:

diff --git a/coregrind/m_syswrap/syswrap-generic.c b/coregrind/m_syswrap/syswrap-generic.c
index 061c1e1..2eaf505 100644
--- a/coregrind/m_syswrap/syswrap-generic.c
+++ b/coregrind/m_syswrap/syswrap-generic.c
@@ -1200,7 +1200,7 @@ static UInt deref_UInt ( ThreadId tid, Addr a, const HChar* s )
 {
    UInt* a_p = (UInt*)a;
    PRE_MEM_READ( s, (Addr)a_p, sizeof(UInt) );
-   if (a_p == NULL)
+   if (a_p == NULL || ! ML_(safe_to_deref) (a_p, sizeof(UInt)))
       return 0;
    else
       return *a_p;
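Review bot: the guard on the changed `if` line is placed after PRE_MEM_READ, which is the order you want: the tool still gets told about the invalid read of `a_p`, and only then does the wrapper fall back to 0 instead of faulting inside Valgrind, so this ordering should not be "tidied" later. Two smaller points: `return 0` now serves both a genuine zero and an unreadable pointer, and the function has no comment saying so, so callers that treat the result as a length cannot tell the cases apart; a one-line comment above the `if` documenting the fallback would help. And with `ML_(safe_to_deref)` in the condition the `a_p == NULL` half is only still needed if that helper does not itself reject address 0; either drop it or leave a note on why it is kept.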
Comment 1 Mark Wielaard 2016-02-23 21:28:49 UTC
valgrind svn r15809
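The failure this bug describes is a syscall wrapper dereferencing a client-supplied pointer that the client is free to make bogus. As an added, stand-alone illustration (not Valgrind's code and not the LTP test), the C program below shows the two halves of the fix from user space: a readability probe that stands in for ML_(safe_to_deref), and a deref_UInt-style helper that returns 0 instead of faulting when the pointer is unreadable. It also shows what the kernel itself does with the same bad addrlen pointer passed to getsockname(2): it fails with EFAULT rather than crashing, which is the behaviour a wrapper must survive. The probe uses a write() from the candidate buffer into a pipe so the kernel's copy_from_user does the checking; that is a substitute for Valgrind's address-space manager, not the real implementation. The `unsafe` out-parameter is an addition beyond the patch so the caller can distinguish "value was 0" from "pointer was unreadable". The PROT_NONE page and the hypothetical function names are constructed for this example.

```c
/* Added example: user-space analogue of the deref_UInt fix, not Valgrind code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Probe whether [a, a+len) is readable without touching it from user code:
   write() from that buffer into a pipe. copy_from_user fails with EFAULT on
   an unreadable range instead of faulting the caller. Stand-in for
   ML_(safe_to_deref), which consults Valgrind's own address-space manager. */
static int safe_to_deref(const void *a, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 0;                       /* cannot probe: treat as unsafe */
    ssize_t n = write(fds[1], a, len);  /* len is small, fits the pipe buffer */
    int ok = (n == (ssize_t)len);
    close(fds[0]);
    close(fds[1]);
    return ok;
}

/* Analogue of the fixed deref_UInt: value if readable, else 0.
   'unsafe' is an added flag so the caller can tell the two cases apart. */
static uint32_t deref_uint(const void *a, int *unsafe)
{
    *unsafe = (a == NULL || !safe_to_deref(a, sizeof(uint32_t)));
    return *unsafe ? 0 : *(const uint32_t *)a;
}

/* Constructed bad pointer: a reserved but unreadable (PROT_NONE) page,
   which behaves like an unmapped client address for read purposes. */
static void *unreadable_page(void)
{
    void *p = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* What the kernel does with the same addrlen pointer: getsockname(2) on an
   unbound AF_UNIX socket succeeds for a readable length and fails with EFAULT
   for an unreadable one. Returns 0 on success, errno on failure, -1 if no
   socket could be created (e.g. a restricted sandbox). */
static int getsockname_errno(socklen_t *lenp)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    int r = getsockname(fd, (struct sockaddr *)&sa, lenp);
    int e = (r == 0) ? 0 : errno;
    close(fd);
    return e;
}

int main(void)
{
    uint32_t good_len = 16;
    int unsafe;
    printf("readable  : value=%u unsafe=%d\n", deref_uint(&good_len, &unsafe), unsafe);
    printf("NULL      : value=%u unsafe=%d\n", deref_uint(NULL, &unsafe), unsafe);

    void *bad = unreadable_page();
    printf("PROT_NONE : value=%u unsafe=%d\n", deref_uint(bad, &unsafe), unsafe);

    socklen_t len = sizeof(struct sockaddr_un);
    int e = getsockname_errno(&len);
    printf("getsockname(good len) -> %d (%s)\n", e, e > 0 ? strerror(e) : "ok");
    e = getsockname_errno((socklen_t *)bad);
    printf("getsockname(bad len)  -> %d (%s)\n", e, e > 0 ? strerror(e) : "ok");
    return 0;
}
```

The point to carry back to the patch: the kernel never dereferences the user pointer directly, it probes and returns EFAULT, and after r15809 Valgrind's wrapper does the equivalent, reporting the bad read through PRE_MEM_READ and then substituting 0 rather than taking a SIGSEGV inside the tool.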