Sanitize signal mask in ppoll and pselect syscalls

Reported and Linux patch contributed by Steven Smith <sos22@archy.org.uk>
Fixes BZ#359871



git-svn-id: svn://svn.valgrind.org/valgrind/trunk@15823

NEWS

@@ -79,6 +79,7 @@ where XXXXXX is the bug number as listed below.
 359733  amd64 implement ld.so strchr/index override like x86
 359829  PowerPC test none/tests/ppc64/test_isa_2_07.c uninitialized memory
         references was fixed.
+359871  Incorrect mask handling in ppoll
 
 n-i-bz Fix incorrect (or infinite loop) unwind on RHEL7 x86 and amd64
 n-i-bz massif --pages-as-heap=yes does not report peak caused by mmap+munmap

coregrind/m_syswrap/priv_syswrap-main.h

@@ -38,6 +38,9 @@
 extern
 void ML_(fixup_guest_state_to_restart_syscall) ( ThreadArchState* arch );
 
+extern
+void VG_(sanitize_client_sigmask)(vki_sigset_t *mask);
+
 #if defined(VGO_darwin)
 /* Longjmp to scheduler after client calls workq_ops(WQOPS_THREAD_RETURN)*/
 extern

coregrind/m_syswrap/syswrap-amd64-linux.c

@@ -1018,7 +1018,7 @@ static SyscallTableEntry syscall_table[] = {
    LINX_(__NR_fchmodat,		 sys_fchmodat),         // 268
    LINX_(__NR_faccessat,	 sys_faccessat),        // 269
 
-   LINX_(__NR_pselect6,		 sys_pselect6),         // 270
+   LINXY(__NR_pselect6,		 sys_pselect6),         // 270
    LINXY(__NR_ppoll,		 sys_ppoll),            // 271
    LINX_(__NR_unshare,		 sys_unshare),          // 272
    LINX_(__NR_set_robust_list,	 sys_set_robust_list),  // 273

coregrind/m_syswrap/syswrap-arm-linux.c

@@ -1188,7 +1188,7 @@ static SyscallTableEntry syscall_main_table[] = {
 
    LINX_(__NR_arm_fadvise64_64,  sys_fadvise64_64),     // 270 */(Linux?)
 
-   LINX_(__NR_pselect6,          sys_pselect6),         // 335
+   LINXY(__NR_pselect6,          sys_pselect6),         // 335
    LINXY(__NR_ppoll,             sys_ppoll),            // 336
 
    LINXY(__NR_epoll_pwait,       sys_epoll_pwait),      // 346

coregrind/m_syswrap/syswrap-arm64-linux.c

@@ -924,7 +924,7 @@ static SyscallTableEntry syscall_main_table[] = {
    GENX_(__NR_writev,            sys_writev),            // 66
    GENXY(__NR_pread64,           sys_pread64),           // 67
    GENX_(__NR_pwrite64,          sys_pwrite64),          // 68
-   LINX_(__NR_pselect6,          sys_pselect6),          // 72
+   LINXY(__NR_pselect6,          sys_pselect6),          // 72
    LINXY(__NR_ppoll,             sys_ppoll),             // 73
    LINXY(__NR_signalfd4,         sys_signalfd4),         // 74
    LINX_(__NR_readlinkat,        sys_readlinkat),        // 78

coregrind/m_syswrap/syswrap-linux.c

@@ -62,6 +62,7 @@
 #include "priv_types_n_macros.h"
 #include "priv_syswrap-generic.h"
 #include "priv_syswrap-linux.h"
+#include "priv_syswrap-main.h"
 #include "priv_syswrap-xen.h"
 
 // Run a thread from beginning to end and return the thread's
@@ -1272,9 +1273,18 @@ POST(sys_get_robust_list)
    POST_MEM_WRITE(ARG3, sizeof(struct vki_size_t *));
 }
 
+struct pselect_sized_sigset {
+    const vki_sigset_t *ss;
+    vki_size_t ss_len;
+};
+struct pselect_adjusted_sigset {
+    struct pselect_sized_sigset ss; /* The actual syscall arg */
+    vki_sigset_t adjusted_ss;
+};
+
 PRE(sys_pselect6)
 {
-   *flags |= SfMayBlock;
+   *flags |= SfMayBlock | SfPostOnFail;
    PRINT("sys_pselect6 ( %ld, %#lx, %#lx, %#lx, %#lx, %#lx )",
          SARG1, ARG2, ARG3, ARG4, ARG5, ARG6);
    PRE_REG_READ6(long, "pselect6",
@@ -1293,15 +1303,41 @@ PRE(sys_pselect6)
 		     ARG4, ARG1/8 /* __FD_SETSIZE/8 */ );
    if (ARG5 != 0)
       PRE_MEM_READ( "pselect6(timeout)", ARG5, sizeof(struct vki_timeval) );
-   if (ARG6 != 0)
-      PRE_MEM_READ( "pselect6(sig)", ARG6, sizeof(void *)+sizeof(vki_size_t) );
+   if (ARG6 != 0) {
+      const struct pselect_sized_sigset *pss =
+          (struct pselect_sized_sigset *)ARG6;
+      PRE_MEM_READ( "pselect6(sig)", ARG6, sizeof(*pss) );
+      if (!ML_(safe_to_deref)(pss, sizeof(*pss))) {
+         ARG6 = 1; /* Something recognisable to POST() hook. */
+      } else {
+         struct pselect_adjusted_sigset *pas;
+         pas = VG_(malloc)("syswrap.pselect6.1", sizeof(*pas));
+         ARG6 = (Addr)pas;
+         pas->ss.ss = (void *)1;
+         pas->ss.ss_len = pss->ss_len;
+         if (pss->ss_len == sizeof(*pss->ss)) {
+            PRE_MEM_READ("pselect6(sig->ss)", (Addr)pss->ss, pss->ss_len);
+            if (ML_(safe_to_deref)(pss->ss, sizeof(*pss->ss))) {
+               pas->adjusted_ss = *pss->ss;
+               pas->ss.ss = &pas->adjusted_ss;
+               VG_(sanitize_client_sigmask)(&pas->adjusted_ss);
+            }
+         }
+      }
+   }
+}
+POST(sys_pselect6)
+{
+   if (ARG6 != 0 && ARG6 != 1) {
+       VG_(free)((struct pselect_adjusted_sigset *)ARG6);
+   }
 }
 
 PRE(sys_ppoll)
 {
    UInt i;
    struct vki_pollfd* ufds = (struct vki_pollfd *)ARG1;
-   *flags |= SfMayBlock;
+   *flags |= SfMayBlock | SfPostOnFail;
    PRINT("sys_ppoll ( %#lx, %lu, %#lx, %#lx, %lu )\n", ARG1,ARG2,ARG3,ARG4,ARG5);
    PRE_REG_READ5(long, "ppoll",
                  struct vki_pollfd *, ufds, unsigned int, nfds,
@@ -1319,18 +1355,33 @@ PRE(sys_ppoll)
 
    if (ARG3)
       PRE_MEM_READ( "ppoll(tsp)", ARG3, sizeof(struct vki_timespec) );
-   if (ARG4)
-      PRE_MEM_READ( "ppoll(sigmask)", ARG4, sizeof(vki_sigset_t) );
+   if (ARG4 != 0 && sizeof(vki_sigset_t) == ARG5) {
+      const vki_sigset_t *guest_sigmask = (vki_sigset_t *)ARG4;
+      PRE_MEM_READ( "ppoll(sigmask)", ARG4, ARG5);
+      if (!ML_(safe_to_deref)(guest_sigmask, sizeof(*guest_sigmask))) {
+         ARG4 = 1; /* Something recognisable to POST() hook. */
+      } else {
+         vki_sigset_t *vg_sigmask =
+             VG_(malloc)("syswrap.ppoll.1", sizeof(*vg_sigmask));
+         ARG4 = (Addr)vg_sigmask;
+         *vg_sigmask = *guest_sigmask;
+         VG_(sanitize_client_sigmask)(vg_sigmask);
+      }
+   }
 }
 
 POST(sys_ppoll)
 {
-   if (RES > 0) {
+   vg_assert(SUCCESS || FAILURE);
+   if (SUCCESS && (RES >= 0)) {
       UInt i;
       struct vki_pollfd* ufds = (struct vki_pollfd *)ARG1;
       for (i = 0; i < ARG2; i++)
 	 POST_MEM_WRITE( (Addr)(&ufds[i].revents), sizeof(ufds[i].revents) );
    }
+   if (ARG4 != 0 && ARG5 == sizeof(vki_sigset_t) && ARG4 != 1) {
+      VG_(free)((vki_sigset_t *) ARG4);
+   }
 }
 
 

coregrind/m_syswrap/syswrap-main.c

@@ -1657,7 +1657,7 @@ static const SyscallTableEntry* get_syscall_entry ( Int syscallno )
 /* Add and remove signals from mask so that we end up telling the
    kernel the state we actually want rather than what the client
    wants. */
-static void sanitize_client_sigmask(vki_sigset_t *mask)
+void VG_(sanitize_client_sigmask)(vki_sigset_t *mask)
 {
    VG_(sigdelset)(mask, VKI_SIGKILL);
    VG_(sigdelset)(mask, VKI_SIGSTOP);
@@ -1979,7 +1979,7 @@ void VG_(client_syscall) ( ThreadId tid, UInt trc )
          PRINT(" --> [async] ... \n");
 
          mask = tst->sig_mask;
-         sanitize_client_sigmask(&mask);
+         VG_(sanitize_client_sigmask)(&mask);
 
          /* Gack.  More impedance matching.  Copy the possibly
             modified syscall args back into the guest state. */

coregrind/m_syswrap/syswrap-mips64-linux.c

@@ -889,7 +889,7 @@ static SyscallTableEntry syscall_main_table[] = {
    LINX_ (__NR_readlinkat, sys_readlinkat),
    LINX_ (__NR_fchmodat, sys_fchmodat),
    LINX_ (__NR_faccessat, sys_faccessat),
-   LINX_ (__NR_pselect6, sys_pselect6),
+   LINXY (__NR_pselect6, sys_pselect6),
    LINXY (__NR_ppoll, sys_ppoll),
    PLAX_ (__NR_unshare, sys_unshare),
    PLAX_ (__NR_splice, sys_splice),

coregrind/m_syswrap/syswrap-ppc32-linux.c

@@ -1194,7 +1194,7 @@ static SyscallTableEntry syscall_table[] = {
    PLAXY(__NR_spu_run,            sys_spu_run),               // 278
    PLAX_(__NR_spu_create,         sys_spu_create),            // 279
 
-   LINX_(__NR_pselect6,          sys_pselect6),          // 280
+   LINXY(__NR_pselect6,          sys_pselect6),          // 280
    LINXY(__NR_ppoll,             sys_ppoll),             // 281
 
    LINXY(__NR_openat,            sys_openat),            // 286

coregrind/m_syswrap/syswrap-ppc64-linux.c

@@ -1110,7 +1110,7 @@ static SyscallTableEntry syscall_table[] = {
    LINX_(__NR_inotify_add_watch,  sys_inotify_add_watch), // 276
    LINX_(__NR_inotify_rm_watch,   sys_inotify_rm_watch),  // 277
 
-   LINX_(__NR_pselect6,          sys_pselect6),           // 280
+   LINXY(__NR_pselect6,          sys_pselect6),           // 280
    LINXY(__NR_ppoll,             sys_ppoll),              // 281
 
    LINXY(__NR_openat,            sys_openat),             // 286

coregrind/m_syswrap/syswrap-s390x-linux.c

@@ -992,7 +992,7 @@ static SyscallTableEntry syscall_table[] = {
    LINX_(__NR_fchmodat,  sys_fchmodat),                               // 299
 
    LINX_(__NR_faccessat,  sys_faccessat),                             // 300
-   LINX_(__NR_pselect6, sys_pselect6),                                // 301
+   LINXY(__NR_pselect6, sys_pselect6),                                // 301
    LINXY(__NR_ppoll, sys_ppoll),                                      // 302
    LINX_(__NR_unshare, sys_unshare),                                  // 303
    LINX_(__NR_set_robust_list,  sys_set_robust_list),                 // 304

coregrind/m_syswrap/syswrap-solaris.c

@@ -71,6 +71,7 @@
 
 #include "priv_types_n_macros.h"
 #include "priv_syswrap-generic.h"
+#include "priv_syswrap-main.h"
 #include "priv_syswrap-solaris.h"
 
 /* Return the number of non-dead and daemon threads.
@@ -7327,7 +7328,7 @@ PRE(sys_pollsys)
    UWord i;
    struct vki_pollfd *ufds = (struct vki_pollfd *)ARG1;
 
-   *flags |= SfMayBlock;
+   *flags |= SfMayBlock | SfPostOnFail;
 
    PRINT("sys_pollsys ( %#lx, %lu, %#lx, %#lx )", ARG1, ARG2, ARG3, ARG4);
    PRE_REG_READ4(long, "poll", pollfd_t *, fds, vki_nfds_t, nfds,
@@ -7343,18 +7344,37 @@ PRE(sys_pollsys)
 
    if (ARG3)
       PRE_MEM_READ("poll(timeout)", ARG3, sizeof(vki_timespec_t));
-   if (ARG4)
+
+   if (ARG4) {
       PRE_MEM_READ("poll(set)", ARG4, sizeof(vki_sigset_t));
+
+      const vki_sigset_t *guest_sigmask = (vki_sigset_t *) ARG4;
+      if (!ML_(safe_to_deref)(guest_sigmask, sizeof(vki_sigset_t))) {
+         ARG4 = 1; /* Something recognisable to POST() hook. */
+      } else {
+         vki_sigset_t *vg_sigmask =
+            VG_(malloc)("syswrap.pollsys.1", sizeof(vki_sigset_t));
+         ARG4 = (Addr) vg_sigmask;
+         *vg_sigmask = *guest_sigmask;
+         VG_(sanitize_client_sigmask)(vg_sigmask);
+      }
+   }
 }
 
 POST(sys_pollsys)
 {
-   if (RES >= 0) {
+   vg_assert(SUCCESS || FAILURE);
+
+   if (SUCCESS && (RES >= 0)) {
       UWord i;
       vki_pollfd_t *ufds = (vki_pollfd_t*)ARG1;
       for (i = 0; i < ARG2; i++)
          POST_FIELD_WRITE(ufds[i].revents);
    }
+
+   if ((ARG4 != 0) && (ARG4 != 1)) {
+      VG_(free)((vki_sigset_t *) ARG4);
+   }
 }
 
 PRE(sys_labelsys)

coregrind/m_syswrap/syswrap-tilegx-linux.c

@@ -1202,7 +1202,7 @@ static SyscallTableEntry syscall_table[] = {
   LINXY(__NR_preadv,            sys_preadv),               // 69
   LINX_(__NR_pwritev,           sys_pwritev),              // 70
   LINXY(__NR_sendfile,          sys_sendfile),             // 71
-  LINX_(__NR_pselect6,          sys_pselect6),             // 72
+  LINXY(__NR_pselect6,          sys_pselect6),             // 72
   LINXY(__NR_ppoll,             sys_ppoll),                // 73
   LINXY(__NR_signalfd4,         sys_signalfd4),            // 74
   LINX_(__NR_splice,            sys_splice),               // 75

coregrind/m_syswrap/syswrap-x86-linux.c

@@ -1766,7 +1766,7 @@ static SyscallTableEntry syscall_table[] = {
    LINX_(__NR_readlinkat,	 sys_readlinkat),       // 305
    LINX_(__NR_fchmodat,		 sys_fchmodat),         // 306
    LINX_(__NR_faccessat,	 sys_faccessat),        // 307
-   LINX_(__NR_pselect6,		 sys_pselect6),         // 308
+   LINXY(__NR_pselect6,		 sys_pselect6),         // 308
    LINXY(__NR_ppoll,		 sys_ppoll),            // 309
 
    LINX_(__NR_unshare,		 sys_unshare),          // 310

none/tests/Makefile.am

@@ -142,12 +142,14 @@ EXTRA_DIST = \
 	nestedfns.stderr.exp nestedfns.stdout.exp nestedfns.vgtest \
 	nodir.stderr.exp nodir.vgtest \
 	pending.stdout.exp pending.stderr.exp pending.vgtest \
+	ppoll_alarm.stdout.exp ppoll_alarm.stderr.exp ppoll_alarm.vgtest \
 	procfs-linux.stderr.exp-with-readlinkat \
 	procfs-linux.stderr.exp-without-readlinkat \
 	procfs-linux.vgtest \
 	procfs-non-linux.vgtest \
 	procfs-non-linux.stderr.exp-with-readlinkat \
 	procfs-non-linux.stderr.exp-without-readlinkat \
+	pselect_alarm.stdout.exp pselect_alarm.stderr.exp pselect_alarm.vgtest \
 	pth_atfork1.stderr.exp pth_atfork1.stdout.exp pth_atfork1.vgtest \
 	pth_blockedsig.stderr.exp \
 	pth_blockedsig.stdout.exp pth_blockedsig.vgtest \
@@ -215,7 +217,9 @@ check_PROGRAMS = \
 	mmap_fcntl_bug \
 	munmap_exe map_unaligned map_unmap mq \
 	pending \
+	ppoll_alarm \
 	procfs-cmdline-exe \
+	pselect_alarm \
 	pth_atfork1 pth_blockedsig pth_cancel1 pth_cancel2 pth_cvsimple \
 	pth_empty pth_exit pth_exit2 pth_mutexspeed pth_once pth_rwlock \
 	pth_stackalign \
@@ -289,6 +293,8 @@ libvexmultiarch_test_LDADD = \
 	../../VEX/libvexmultiarch-@VGCONF_ARCH_PRI@-@VGCONF_OS@.a \
 	../../VEX/libvex-@VGCONF_ARCH_PRI@-@VGCONF_OS@.a @LIB_UBSAN@
 libvexmultiarch_test_SOURCES = libvex_test.c
+ppoll_alarm_LDADD	= -lpthread
+pselect_alarm_LDADD	= -lpthread
 pth_atfork1_LDADD	= -lpthread
 pth_blockedsig_LDADD	= -lpthread
 pth_cancel1_CFLAGS	= $(AM_CFLAGS) -Wno-shadow

none/tests/ppoll_alarm.c

@@ -0,0 +1,55 @@
+/* Tries to exploit bug in ppoll mask handling:
+   https://bugs.kde.org/show_bug.cgi?id=359871
+   where client program was able to successfully block VG_SIGVGKILL. */
+
+#define _GNU_SOURCE /* for ppoll */
+#include <poll.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static int ready = 0;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+
+static void *
+mythr(void *ignore)
+{
+    pthread_mutex_lock(&mutex);
+    ready = 1;
+    pthread_cond_signal(&cond);
+    pthread_mutex_unlock(&mutex);
+
+    sigset_t ss;
+    sigfillset(&ss);
+    while (1) {
+        struct timespec ts = {10000, 0};
+        ppoll(NULL, 0, &ts, &ss);
+    }
+
+    return NULL;
+}
+
+int
+main()
+{
+    pthread_t thr;
+    int ret = pthread_create(&thr, NULL, mythr, NULL);
+    if (ret != 0) {
+        fprintf(stderr, "pthread_create failed\n");
+        return 1;
+    }
+
+    pthread_mutex_lock(&mutex);
+    while (ready == 0) {
+        pthread_cond_wait(&cond, &mutex);
+    }
+    pthread_mutex_unlock(&mutex);
+
+    alarm(1); /* Unhandled SIGALRM should cause exit. */
+    while (1)
+        sleep(1);
+
+    return 0;
+}

none/tests/ppoll_alarm.vgtest

@@ -0,0 +1,3 @@
+prog: ppoll_alarm
+vgopts: -q
+stderr_filter: filter_stderr

none/tests/pselect_alarm.c

@@ -0,0 +1,61 @@
+/* Tries to exploit bug in pselect mask handling:
+   https://bugs.kde.org/show_bug.cgi?id=359871
+   where client program was able to successfully block VG_SIGVGKILL. */
+
+#include <sys/select.h>
+#include <assert.h>
+#include <errno.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static int ready = 0;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+
+static void *
+mythr(void *ignore)
+{
+    pthread_mutex_lock(&mutex);
+    ready = 1;
+    pthread_cond_signal(&cond);
+    pthread_mutex_unlock(&mutex);
+
+    sigset_t ss;
+    sigfillset(&ss);
+    while (1) {
+        struct timespec ts = {10000, 0};
+        pselect(0, NULL, NULL, NULL, &ts, &ss);
+    }
+
+    return NULL;
+}
+
+int
+main()
+{
+    pthread_t thr;
+    int ret = pthread_create(&thr, NULL, mythr, NULL);
+    if (ret != 0) {
+        fprintf(stderr, "pthread_create failed\n");
+        return 1;
+    }
+
+    pthread_mutex_lock(&mutex);
+    while (ready == 0) {
+        pthread_cond_wait(&cond, &mutex);
+    }
+    pthread_mutex_unlock(&mutex);
+
+#if defined(VGO_linux)
+    assert(pselect(0, NULL, NULL, NULL, NULL, (sigset_t *)12) == -1);
+    assert(errno == EFAULT);
+#endif
+
+    alarm(1); /* Unhandled SIGALRM should cause exit. */
+    while (1)
+        sleep(1);
+
+    return 0;
+}

none/tests/pselect_alarm.vgtest

@@ -0,0 +1,3 @@
+prog: pselect_alarm
+vgopts: -q
+stderr_filter: filter_stderr

tests/filter_stderr_basic

@@ -46,7 +46,7 @@ sed "/warning: line info addresses out of order/d" |
 # of the bash process. Newer bash versions redirect such messages properly.
 # Suppress any redirected abnormal termination messages. You can find the
 # complete list of messages in the bash source file siglist.c.
-perl -n -e 'print if !/^(Segmentation fault|Alarm clock|Aborted|Bus error)( \(core dumped\))?$/' |
+perl -n -e 'print if !/^(Segmentation fault|Alarm clock|Aborted|Bus error|Killed)( \(core dumped\))?$/' |
 
 # Similar as above, but for ksh on Solaris/illumos.
 perl -n -e 'print if !/^(Memory fault|Killed) $/' |