Bug 483786 - Incorrect parameter indexing in FreeBSD clock_nanosleep syscall wrapper
Summary: Incorrect parameter indexing in FreeBSD clock_nanosleep syscall wrapper
Status: RESOLVED FIXED
Alias: None
Product: valgrind
Classification: Developer tools
Component: memcheck (show other bugs)
Version: 3.22.0
Platform: Other FreeBSD
: NOR normal
Target Milestone: ---
Assignee: Paul Floyd
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-16 19:30 UTC by Pat Kelsey
Modified: 2024-03-17 07:53 UTC (History)
1 user (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Patch (1.00 KB, patch)
2024-03-16 19:30 UTC, Pat Kelsey 		Details
Test Program (759 bytes, text/plain)
2024-03-16 19:31 UTC, Pat Kelsey 		Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description Pat Kelsey 2024-03-16 19:30:47 UTC 
Created attachment 167335 [details]
Patch

In coregrind/m_syswrap/syswrap-freebsd.c, PRE(sys_clock_nanosleep) and POST(sys_clock_nanosleep) each refer to the struct timespec arguments of the syscall by the wrong indexes (using ARG1 and ARG2 instead of ARG3 and ARG4, respectively).

The result is that errors in the third and fourth arguments to clock_nanosleep() are always missed, and spurious errors concerning those arguments are generated based on the values supplied to the first two arguments.

The attached patch resolves the issue, as verified with the attached test program.  The same bug does not appear in the Linux variant of this syscall wrapper.

The attached test program was built using:

cc -Wall -o valgrind-test valgrind-test.c

The output of an unpatched 3.22.0 valgrind run of the test program is:

$valgrind ./valgrind-test
==95892== Memcheck, a memory error detector
==95892== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==95892== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==95892== Command: ./valgrind-test
==95892==
==95892== Syscall param clock_nanosleep(rqtp) points to unaddressable byte(s)
==95892==    at 0x4994F2A: __sys_clock_nanosleep (in /lib/libc.so.7)
==95892==    by 0x20197A: valgrind_should_complain (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95892==    by 0x201A2A: main (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95892==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==95892==
==95892== Syscall param clock_nanosleep(rqtp) points to unaddressable byte(s)
==95892==    at 0x4994F2A: __sys_clock_nanosleep (in /lib/libc.so.7)
==95892==    by 0x2019BA: valgrind_should_not_complain (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95892==    by 0x201A2F: main (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95892==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==95892==
==95892== Syscall param clock_nanosleep(rqtp) points to unaddressable byte(s)
==95892==    at 0x4994F2A: __sys_clock_nanosleep (in /lib/libc.so.7)
==95892==    by 0x2019FD: valgrind_should_not_complain2 (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95892==    by 0x201A34: main (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95892==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==95892==
==95892== Syscall param clock_nanosleep(rmtp) points to unaddressable byte(s)
==95892==    at 0x4994F2A: __sys_clock_nanosleep (in /lib/libc.so.7)
==95892==    by 0x2019FD: valgrind_should_not_complain2 (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95892==    by 0x201A34: main (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95892==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==95892==
==95892==
==95892== HEAP SUMMARY:
==95892==     in use at exit: 0 bytes in 0 blocks
==95892==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==95892==
==95892== All heap blocks were freed -- no leaks are possible
==95892==
==95892== For lists of detected and suppressed errors, rerun with: -s
==95892== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)


The output of the patched 3.22.0 valgrind run of the test program is (with path differences to the patched binary elided):

$valgrind ./valgrind-test
==95928== Memcheck, a memory error detector
==95928== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==95928== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==95928== Command: ./valgrind-test
==95928==
==95928== Syscall param clock_nanosleep(rqtp) points to uninitialised byte(s)
==95928==    at 0x498CF2A: __sys_clock_nanosleep (in /lib/libc.so.7)
==95928==    by 0x20197A: valgrind_should_complain (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95928==    by 0x201A2A: main (in /usr/home/pkelsey/valgrind-test/valgrind-test)
==95928==  Address 0x1ffc000990 is on thread 1's stack
==95928==  in frame #1, created by valgrind_should_complain (???:)
==95928==
==95928==
==95928== HEAP SUMMARY:
==95928==     in use at exit: 0 bytes in 0 blocks
==95928==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==95928==
==95928== All heap blocks were freed -- no leaks are possible
==95928==
==95928== Use --track-origins=yes to see where uninitialised values come from
==95928== For lists of detected and suppressed errors, rerun with: -s
==95928== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Comment 1 Pat Kelsey 2024-03-16 19:31:26 UTC 
Created attachment 167336 [details]
Test Program
Comment 2 Paul Floyd 2024-03-17 06:44:57 UTC 
Thanks for the patch and reproducer.

I think that was me

Author: Paul Floyd <pjfloyd@wanadoo.fr>
Date:   Sun Jun 21 23:11:15 2020 +0200

    Last bunch of syscalls + scalar for a bit

Not a very helpful checkin comment.

Thanks for the patch. I added the reproducer as a regression test and also slightly modified the POST so that rmtp only gets written if the syscall was interrupted.

commit 8d8e4a889cc3a02a5c04e5c4f23f9a191b0a6726 (HEAD -> master, origin/master, origin/HEAD)
Author: Paul Floyd <pjfloyd@wanadoo.fr>
Date:   Sun Mar 17 07:41:42 2024 +0100

    Bug 483786 -- Incorrect parameter indexing in FreeBSD clock_nanosleep syscall wrapper
Comment 3 Pat Kelsey 2024-03-17 07:53:46 UTC 
Thanks!