author | Dr. David Alan Gilbert <dave@treblig.org> | 2013-11-05 11:54:51 +0100 |
committer | Denys Vlasenko <dvlasenk@redhat.com> | 2013-11-05 11:54:51 +0100 |
commit | 025f1082b6c9573772472cc9039c2e10225c2c42 (patch) | |
tree | ab275532c13c67dcc7d430be1c9810820b5a64f2 /test | |
parent | 0b4060f61f1bb101b5d8d084714b7d2feacdb199 (diff) | |
Fix select decoding with bogus (huge or negative) nfds.
We used to allocate and fetch bit arrays using a sanitized
length, but then iterate over them with a "j < arg[0]" condition,
where arg[0] is not sanitized. This segfaults if arg[0] is huge
or negative. This change fixes that.
Add test/select.c to capture the case.
Signed-off-by: Dr. David Alan Gilbert <dave@treblig.org>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/.gitignore | 1 | ||||
-rw-r--r-- | test/Makefile | 2 | ||||
-rw-r--r-- | test/select.c | 23 |
3 files changed, 25 insertions, 1 deletions
diff --git a/test/.gitignore b/test/.gitignore
index 7eb39cf..c73b64a 100644
--- a/test/.gitignore
+++ b/test/.gitignore
@@ -10,4 +10,5 @@ wait_must_be_interruptible
 threaded_execve
 mtd
 ubi
+select
 sigreturn
diff --git a/test/Makefile b/test/Makefile
index 92142b1..cc7d47a 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -3,7 +3,7 @@ CFLAGS += -Wall
 PROGS = \
 	vfork fork sig skodic clone leaderkill childthread \
 	sigkill_rain wait_must_be_interruptible threaded_execve \
-	mtd ubi sigreturn
+	mtd ubi select sigreturn
 all: $(PROGS)
diff --git a/test/select.c b/test/select.c
new file mode 100644
index 0000000..523d75c
--- /dev/null
+++ b/test/select.c
@@ -0,0 +1,23 @@
+/* dave@treblig.org */
+#include <sys/select.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+char buffer[1024*1024*2];
+
+int main()
+{
+	fd_set rds;
+	FD_ZERO(&rds);
+	FD_SET(2, &rds);
+	/* Start with a nice simple select */
+	select(3, &rds, &rds, &rds, NULL);
+	/* Now the crash case that trinity found, -ve nfds
+	 * but with a pointer to a large chunk of valid memory
+	 */
+	select(-1, (fd_set *)buffer, NULL, NULL, NULL);
+	return 0;
+}
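Review bot: test/select.c only covers the negative-nfds half of the bug the commit message describes ("huge or negative"); the huge positive case, which drives the same unsanitized "j < arg[0]" loop, is not exercised, so a regression there would slip past this test. Adding `#include <limits.h>` and a third call `select(INT_MAX, (fd_set *)buffer, NULL, NULL, NULL);` after the existing one would capture it with the same large valid buffer. Nothing in the file says the program must be run under strace to mean anything — both select() return values are ignored and it always exits 0 — so a header comment such as `/* Run under strace: the bogus-nfds calls must be decoded without strace crashing. */` would make the intent discoverable. Minor style points: `int main()` should be `int main(void)` given the Makefile's -Wall, and `<stdlib.h>` and `<string.h>` are included but unused.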