On 11/04/2013 10:39 PM, Dr. David Alan Gilbert wrote:
> The 'trinity' fuzz tester managed to trigger a seg of strace
> when doing a select() with a -ve nfds value but pointing to a valid large
> buffer (on x86 Linux).
>
> My patch below fixes this; I'm not 100% happy because:
> 1) It seems way too complicated - can't we quit earlier when we find
> the length is weird?
Yes, it can be simpler.
> 2) It's odd the way the code reads the arg for fdsize and then later
> reads it again for nfds, I think that's really the underlying
> reason this tripped.
I propose to do simply this:
+ nfds = fdsize;
fdsize = (((fdsize + 7) / 8) + sizeof(long)-1) & -sizeof(long);
+ /* We had bugs a-la "while (j < args[0])" and "umoven(args[0])" below.
+ * Instead of args[0], use nfds for fd count, fdsize for array lengths.
+ */
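Review bot: the replacement lines copy the raw argument into nfds and derive fdsize from it without rejecting a negative count, which is exactly the input that triggered the crash described at the top of the thread. An early check such as `if (nfds < 0)` before the fdsize line would make the fix explicit; as written, a negative int reaching `+ sizeof(long)` in the rounding expression is converted to an unsigned type, so fdsize can still end up huge rather than small.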
and use nfds in those two places where we incorrectly use arg[0] now.
> 3) I'd like some reassurance that my understanding of the way
> strace's arg types work is right.
>
> (WTH does strace use int for nfds?)
Because having more than 2^31-1 file descriptors in one process is insanity.
> Thoughts?
I applied a slightly simplified version of your fix to strace git, please try
it.
--
vda
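An added illustration in C of the point discussed above (not code from the thread or from strace): the rounding formula applied to the raw signed argument, beside a helper that keeps the fd count and the byte length separate and rejects a negative count first. The names `unchecked_fdsize` and `fdset_bytes` are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The rounding formula from the thread applied to the raw (signed) argument
 * exactly as written. For a negative nfds the int is converted to size_t when
 * it meets sizeof(long), so the computed "length" becomes enormous. */
size_t unchecked_fdsize(int nfds)
{
    return (((nfds + 7) / 8) + sizeof(long) - 1) & -sizeof(long);
}

/* Hardened form: the fd count (nfds) and the byte length (*bytes) are kept in
 * separate variables, and a negative count is refused before any length is
 * derived from it. Returns 0 on success, -1 if nfds is invalid. */
int fdset_bytes(int nfds, size_t *bytes)
{
    if (nfds < 0)
        return -1;
    size_t bits = (size_t)nfds;   /* safe: known to be non-negative */
    *bytes = ((bits + 7) / 8 + sizeof(long) - 1) & -sizeof(long);
    return 0;
}

int main(void)
{
    size_t n;
    printf("unchecked(-100) = %zu\n", unchecked_fdsize(-100));
    if (fdset_bytes(-1, &n) < 0)
        printf("nfds=-1 rejected\n");
    if (fdset_bytes(1024, &n) == 0)
        printf("nfds=1024 -> %zu bytes\n", n);
    return 0;
}
```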
_______________________________________________
Strace-devel mailing list
https://lists.sourceforge.net/lists/listinfo/strace-devel