Bug 369383 - x86 sys_modify_ldt wrapper crashes on bad ptr
Status: RESOLVED FIXED
Product: valgrind
Classification: Developer tools
Component: general (other bugs)
Version First Reported In: 3.12 SVN
Platform: Other Linux
Importance: NOR normal
Assignee: Julian Seward
 
Reported: 2016-09-26 16:15 UTC by Mark Wielaard
Modified: 2016-10-01 11:57 UTC


Attachments
Fix crash in sys_modify_ldt wrapper on bad ptr. (2.30 KB, patch)
2016-09-26 16:18 UTC, Mark Wielaard

Description Mark Wielaard 2016-09-26 16:15:40 UTC
LTP testcases/kernel/syscalls/modify_ldt/modify_ldt01:

==30317== Syscall param modify_ldt(ptr) points to unaddressable byte(s)
==30317==    at 0x412FFF9: modify_ldt (in /usr/lib/libc-2.23.so)
==30317==    by 0x8049BCD: main (modify_ldt01.c:188)
==30317==  Address 0x805efff is 4095 bytes after the brk data segment limit 0x805e000
==30317== 
--30317-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--30317-- si_code=1;  Faulting address: 0x805F000;  sp: 0x62a5ce34

valgrind: the 'impossible' happened:
   Killed by fatal signal

host stacktrace:
==30317==    at 0x380B70B7: read_ldt (syswrap-x86-linux.c:541)
==30317==    by 0x380B70B7: sys_modify_ldt (syswrap-x86-linux.c:603)
==30317==    by 0x380B70B7: vgSysWrap_x86_linux_sys_modify_ldt_before (syswrap-x86-linux.c:1037)


Reproducible: Always
Comment 1 Mark Wielaard 2016-09-26 16:18:16 UTC
Created attachment 101298
Fix crash in sys_modify_ldt wrapper on bad ptr.

Make sure ptr is safe_to_deref if not NULL.
Also fixup some corner case error return codes.
We have to do that ourselves since we never actually call into the kernel.
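
The check Comment 1 describes, as an added stand-alone C example (not the attached patch and not Valgrind's code): an emulated syscall that writes through a caller-supplied pointer first verifies the range is mapped and returns -EFAULT itself instead of faulting. `emu_read_table`, `range_is_mapped` and `demo_straddling_pointer` are hypothetical names; using `mincore()` as the probe and -EFAULT as the error code are assumptions of this example.

```c
/* Added illustration: hypothetical names, not Valgrind's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static unsigned char emu_table[64];  /* constructed emulated table */

/* Stand-in for a safe_to_deref check: every page touched by [p, p+len) must
   be mapped; mincore() fails with ENOMEM otherwise. Page protections are not
   checked here, which a real emulator would also need to do. */
static int range_is_mapped(const void *p, size_t len)
{
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t a = (uintptr_t)p & ~(ps - 1), end = (uintptr_t)p + len;
    unsigned char resident;

    if (end < (uintptr_t)p) return 0;       /* range wraps around */
    for (; a < end; a += ps)
        if (mincore((void *)a, 1, &resident) != 0) return 0;
    return 1;
}

/* Emulated "read table" call. The kernel never sees ptr, so the emulator
   must return the kernel-style error itself instead of faulting. */
long emu_read_table(void *ptr, unsigned long bytecount)
{
    size_t n = bytecount < sizeof emu_table ? bytecount : sizeof emu_table;
    if (n == 0) return 0;
    if (!range_is_mapped(ptr, n)) return -EFAULT;
    memcpy(ptr, emu_table, n);
    return (long)n;
}

/* Constructed input: 8 bytes starting one byte before an unmapped page,
   mirroring the report's ptr 0x805efff and faulting address 0x805F000. */
long demo_straddling_pointer(void)
{
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    char *m = mmap(NULL, 2 * ps, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return 1;
    munmap(m + ps, ps);                     /* second page now unmapped */
    long r = emu_read_table(m + ps - 1, 8);
    munmap(m, ps);
    return r;
}
```

Checking only the first byte of the range would pass here, because the pointer starts inside a mapped page; the whole range has to be validated.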
Comment 2 Mark Wielaard 2016-10-01 11:57:40 UTC
valgrind svn r15995