Bug 424012 - fix crash if readv/writev have invalid but not NULL arg2 iovec pointer

2026-02-03 01:51:29 +00:00 · 2020-11-09 09:30:31 +01:00 · 2020-11-09 09:30:31 +01:00 · 3aa3482774
commit 3aa3482774
parent 7967aea84b
3 changed files with 35 additions and 4 deletions
--- a/coregrind/m_syswrap/syswrap-generic.c
+++ b/coregrind/m_syswrap/syswrap-generic.c
@ -4291,8 +4291,7 @@ PRE(sys_readv)
      if ((Int)ARG3 >= 0)
         PRE_MEM_READ( "readv(vector)", ARG2, ARG3 * sizeof(struct vki_iovec) );

-      if (ARG2 != 0) {
-         /* ToDo: don't do any of the following if the vector is invalid */
+      if (ML_(safe_to_deref)((const void*)ARG2, ARG3*sizeof(struct vki_iovec *))) {
         vec = (struct vki_iovec *)(Addr)ARG2;
         for (i = 0; i < (Int)ARG3; i++)
            PRE_MEM_WRITE( "readv(vector[...])",
@ -4644,8 +4643,8 @@ PRE(sys_writev)
      if ((Int)ARG3 >= 0)
         PRE_MEM_READ( "writev(vector)", 
                       ARG2, ARG3 * sizeof(struct vki_iovec) );
-      if (ARG2 != 0) {
-         /* ToDo: don't do any of the following if the vector is invalid */
+
+      if (ML_(safe_to_deref)((const void*)ARG2, ARG3*sizeof(struct vki_iovec *))) {
         vec = (struct vki_iovec *)(Addr)ARG2;
         for (i = 0; i < (Int)ARG3; i++)
            PRE_MEM_READ( "writev(vector[...])",
--- a/memcheck/tests/writev1.c
+++ b/memcheck/tests/writev1.c
@ -82,6 +82,26 @@ int main(void)
 	else 
        	fprintf(stderr, "Error readv returned a positive value\n");

+        // test with totally bogus iovec pointer
+        // see bugz 424012
+        if (writev(fd, (const struct iovec *)1, 1) < 0) {
+        	if (errno == EFAULT) 
+                	fprintf(stderr, "Received EFAULT as expected\n");
+                else 
+                	fprintf(stderr, "Expected EFAULT, got %d\n", errno);
+        }
+        else
+        	fprintf(stderr, "Error writev returned a positive value\n");
+
+        if (readv(fd, (const struct iovec *)1, 1) < 0) {
+        	if (errno == EFAULT) 
+                	fprintf(stderr, "Received EFAULT as expected\n");
+                else 
+                	fprintf(stderr, "Expected EFAULT, got %d\n", errno);
+        }
+	else
+        	fprintf(stderr, "Error readv returned a positive value\n");
+
        unlink(f_name);
        
 	return 0;
--- a/memcheck/tests/writev1.stderr.exp
+++ b/memcheck/tests/writev1.stderr.exp
@ -7,3 +7,15 @@ Syscall param writev(vector[...]) points to unaddressable byte(s)
 Received EFAULT as expected
 Received EINVAL as expected
 Received EINVAL as expected
+Syscall param writev(vector) points to unaddressable byte(s)
+   ...
+   by 0x........: main (writev1.c:87)
+ Address 0x........ is not stack'd, malloc'd or (recently) free'd
+
+Received EFAULT as expected
+Syscall param readv(vector) points to unaddressable byte(s)
+   ...
+   by 0x........: main (writev1.c:96)
+ Address 0x........ is not stack'd, malloc'd or (recently) free'd
+
+Received EFAULT as expected