Fix for 377698 - Missing memory check for futex() uaddr arg for FUTEX_WAKE,

and FUTEX_WAKE_BITSET, check only 4 args for FUTEX_WAKE_BITSET, and 2 args for FUTEX_TRYLOCK_PI. Fixes BZ#377698. Patch by: diane.meirowitz@oracle.com git-svn-id: svn://svn.valgrind.org/valgrind/trunk@16285
2026-02-04 02:18:37 +00:00 · 2017-03-23 23:22:21 +00:00 · 2017-03-23 23:22:21 +00:00 · d9f02db4c8
commit d9f02db4c8
parent e21ebbcae5
7 changed files with 19 additions and 17 deletions
--- a/3
+++ b/3
@ -147,6 +147,9 @@ where XXXXXX is the bug number as listed below.
 377376  memcheck/tests/linux/getregset fails with glibc2.24
 377427  PPC64, lxv instruction failing on odd destination register 
 377478  PPC64: ISA 3.0 setup fixes
+377698  Missing memory check for futex() uaddr arg for FUTEX_WAKE
+        and FUTEX_WAKE_BITSET, check only 4 args for FUTEX_WAKE_BITSET,
+        and 2 args for FUTEX_TRYLOCK_PI
 377717  Fix massive space leak when reading compressed debuginfo sections

 Release 3.12.0 (20 October 2016)
--- a/coregrind/m_syswrap/syswrap-linux.c
+++ b/coregrind/m_syswrap/syswrap-linux.c
@ -1610,9 +1610,11 @@ PRE(sys_futex)
      }
      break;
   case VKI_FUTEX_WAKE_BITSET:
-      PRE_REG_READ6(long, "futex", 
-                    vki_u32 *, futex, int, op, int, val,
-                    int, dummy, int, dummy2, int, val3);
+      PRE_REG_READ3(long, "futex",
+                    vki_u32 *, futex, int, op, int, val);
+      if (VG_(tdict).track_pre_reg_read) {
+         PRA6("futex", int, val3);
+      }
      break;
   case VKI_FUTEX_WAIT:
   case VKI_FUTEX_LOCK_PI:
@ -1622,10 +1624,10 @@ PRE(sys_futex)
      break;
   case VKI_FUTEX_WAKE:
   case VKI_FUTEX_FD:
-   case VKI_FUTEX_TRYLOCK_PI:
      PRE_REG_READ3(long, "futex", 
                    vki_u32 *, futex, int, op, int, val);
      break;
+   case VKI_FUTEX_TRYLOCK_PI:
   case VKI_FUTEX_UNLOCK_PI:
   default:
      PRE_REG_READ2(long, "futex", vki_u32 *, futex, int, op);
@ -1655,13 +1657,10 @@ PRE(sys_futex)
   case VKI_FUTEX_FD:
   case VKI_FUTEX_TRYLOCK_PI:
   case VKI_FUTEX_UNLOCK_PI:
-      PRE_MEM_READ( "futex(futex)", ARG1, sizeof(Int) );
-     break;
-
   case VKI_FUTEX_WAKE:
   case VKI_FUTEX_WAKE_BITSET:
-      /* no additional pointers */
-      break;
+      PRE_MEM_READ( "futex(futex)", ARG1, sizeof(Int) );
+     break;

   default:
      SET_STATUS_Failure( VKI_ENOSYS );   // some futex function we don't understand
--- a/memcheck/tests/arm64-linux/scalar.c
+++ b/memcheck/tests/arm64-linux/scalar.c
@ -1068,8 +1068,8 @@ int main(void)
   #define FUTEX_WAIT   0
   #endif
   // XXX: again, glibc not doing 6th arg means we have only 5s errors
-   GO(__NR_futex, "5s 2m");
-   SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1, x0, x0); FAIL;
+   GO(__NR_futex, "4s 2m");
+   SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1); FAIL;

   // __NR_sched_setaffinity 241
   GO(__NR_sched_setaffinity, "3s 1m");
--- a/memcheck/tests/arm64-linux/scalar.stderr.exp
+++ b/memcheck/tests/arm64-linux/scalar.stderr.exp
@ -1958,7 +1958,7 @@ Syscall param fremovexattr(name) points to unaddressable byte(s)
 130:          __NR_tkill n/a
 -----------------------------------------------------
 -----------------------------------------------------
- 98:          __NR_futex 5s 2m
+ 98:          __NR_futex 4s 2m
 -----------------------------------------------------
 Syscall param futex(futex) contains uninitialised byte(s)
   ...
--- a/memcheck/tests/darwin/scalar.c
+++ b/memcheck/tests/darwin/scalar.c
@ -1654,8 +1654,8 @@ int main(void)
   #define FUTEX_WAIT   0
   #endif
   // XXX: again, glibc not doing 6th arg means we have only 5s errors
-   GO(__NR_futex, "5s 2m");
-   SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1, x0, x0); FAIL;
+   GO(__NR_futex, "4s 2m");
+   SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1); FAIL;

   // __NR_sched_setaffinity 241
   GO(__NR_sched_setaffinity, "3s 1m");
--- a/memcheck/tests/x86-linux/scalar.c
+++ b/memcheck/tests/x86-linux/scalar.c
@ -1068,8 +1068,8 @@ int main(void)
   #define FUTEX_WAIT   0
   #endif
   // XXX: again, glibc not doing 6th arg means we have only 5s errors
-   GO(__NR_futex, "5s 2m");
-   SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1, x0, x0); FAIL;
+   GO(__NR_futex, "4s 2m");
+   SY(__NR_futex, x0+FUTEX_WAIT, x0, x0, x0+1); FAIL;

   // __NR_sched_setaffinity 241
   GO(__NR_sched_setaffinity, "3s 1m");
--- a/memcheck/tests/x86-linux/scalar.stderr.exp
+++ b/memcheck/tests/x86-linux/scalar.stderr.exp
@ -3300,7 +3300,7 @@ Syscall param sendfile64(offset) points to unaddressable byte(s)
 Address 0x........ is not stack'd, malloc'd or (recently) free'd

 -----------------------------------------------------
-240:          __NR_futex 5s 2m
+240:          __NR_futex 4s 2m
 -----------------------------------------------------
 Syscall param futex(futex) contains uninitialised byte(s)
   ...