x86_64: fix mincore_validate and msync_validate

The calls to mincore() or msync() are not checking for actual accessibility
this could lead to SIGSEGV if the address from a mapped page with the
PROT_NONE property occurs on the stack.
Hence an attempt to write one byte from the checked address to a pipe will
fail if the address is not readable.

3 files changed, 197 insertions, 2 deletions

diff --git a/src/x86_64/Ginit.c b/src/x86_64/Ginit.c
index 2bb238e1..c66d59ba 100644
--- a/src/x86_64/Ginit.c
+++ b/src/x86_64/Ginit.c
@@ -72,10 +72,57 @@ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
 #define PAGE_SIZE 4096
 #define PAGE_START(a)   ((a) & ~(PAGE_SIZE-1))
 
+static int mem_validate_pipe[2] = {-1, -1};
+
+static inline void
+open_pipe (void)
+{
+  /* ignore errors for closing invalid fd's */
+  close (mem_validate_pipe[0]);
+  close (mem_validate_pipe[1]);
+
+  pipe2 (mem_validate_pipe, O_CLOEXEC | O_NONBLOCK);
+}
+
+ALWAYS_INLINE
+static int
+write_validate (void *addr)
+{
+  int ret = -1;
+  ssize_t bytes = 0;
+
+  do
+    {
+      char buf;
+      bytes = read (mem_validate_pipe[0], &buf, 1);
+    }
+  while ( errno == EINTR );
+
+  int valid_read = (bytes > 0 || errno == EAGAIN || errno == EWOULDBLOCK);
+  if (!valid_read)
+    {
+      // re-open closed pipe
+      open_pipe ();
+    }
+
+  do
+    {
+      ret = write (mem_validate_pipe[1], addr, 1);
+    }
+  while ( errno == EINTR );
+
+  return ret;
+}
+
 static int (*mem_validate_func) (void *addr, size_t len);
 static int msync_validate (void *addr, size_t len)
 {
-  return msync (addr, len, MS_ASYNC);
+  if (msync (addr, len, MS_ASYNC) != 0)
+    {
+      return -1;
+    }
+
+  return write_validate (addr);
 }
 
 #ifdef HAVE_MINCORE
@@ -96,7 +143,7 @@ static int mincore_validate (void *addr, size_t len)
       if (!(mvec[i] & 1)) return -1;
     }
 
-  return 0;
+  return write_validate (addr);
 }
 #endif
 
@@ -107,6 +154,8 @@ static int mincore_validate (void *addr, size_t len)
 HIDDEN void
 tdep_init_mem_validate (void)
 {
+  open_pipe ();
+
 #ifdef HAVE_MINCORE
   unsigned char present = 1;
   unw_word_t addr = PAGE_START((unw_word_t)&present);
diff --git a/tests/Ltest-mem-validate.c b/tests/Ltest-mem-validate.c
new file mode 100644
index 00000000..1cacb9f0
--- /dev/null
+++ b/tests/Ltest-mem-validate.c
@@ -0,0 +1,143 @@
+/* libunwind - a platform-independent unwind library
+   Copyright (C) 2003-2004 Hewlett-Packard Co
+	Contributed by David Mosberger-Tang <davidm@hpl.hp.com>
+
+This file is part of libunwind.
+
+Copyright (c) 2003 Hewlett-Packard Co.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.  */
+
+#include "compiler.h"
+
+#include <libunwind.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/resource.h>
+#include <sys/mman.h>
+
+#define panic(args...)				\
+	{ fprintf (stderr, args); exit (-1); }
+
+void * stack_start;
+
+#define PAGE_SIZE 4096
+
+void do_backtrace (void)
+{
+  void* buffer[1024];
+  int size = 1024;
+  mprotect((void*)((uintptr_t)stack_start & ~(PAGE_SIZE - 1)),
+           PAGE_SIZE, PROT_NONE);
+
+  unw_cursor_t cursor;
+  unw_word_t ip, sp;
+  unw_context_t uc;
+  int ret;
+  int steps = 0;
+
+  unw_getcontext (&uc);
+  if (unw_init_local (&cursor, &uc) < 0)
+    panic ("unw_init_local failed!\n");
+
+  do
+    {
+      unw_get_reg (&cursor, UNW_REG_IP, &ip);
+      unw_get_reg (&cursor, UNW_REG_SP, &sp);
+
+      ret = unw_step (&cursor);
+      if (ret < 0)
+	{
+	  unw_get_reg (&cursor, UNW_REG_IP, &ip);
+	}
+      steps ++;
+    }
+  while (ret > 0);
+
+  if (steps < 5)
+    {
+      exit(-1);
+    }
+
+  mprotect((void*)((uintptr_t)stack_start & ~(PAGE_SIZE - 1)),
+           PAGE_SIZE, PROT_READ|PROT_WRITE);
+}
+
+void consume_and_run (int depth)
+{
+  unw_cursor_t cursor;
+  unw_context_t uc;
+  char string[1024];
+
+  sprintf (string, "hello %p %p\n", &cursor, &uc);
+  if (depth == 0) {
+    do_backtrace();
+  } else {
+    consume_and_run(depth - 1);
+  }
+}
+
+int
+main (int argc, char **argv UNUSED)
+{
+  int start;
+  unw_context_t uc;
+  unw_cursor_t cursor;
+
+  stack_start = &start;
+
+  // Initialize pipe mem validate check, opens file descriptors
+  unw_getcontext(&uc);
+  if (unw_init_local (&cursor, &uc) < 0)
+    panic ("unw_init_local failed!\n");
+
+  int i;
+  for (i = 3; i < 10; i++)
+    {
+
+      pid_t childpid = fork();
+      if (!childpid)
+        {
+          /* Close fds and make sure we still work */
+          int ret = close(i);
+        }
+
+      int status;
+      if (childpid)
+        {
+          wait(&status);
+          if (WIFEXITED(status))
+              return WEXITSTATUS(status);
+          else
+            return -1;
+        }
+      else
+        {
+          consume_and_run (10);
+
+          return 0;
+        }
+    }
+
+  return 0;
+}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 7287e7b4..b1394fc6 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -46,6 +46,7 @@ endif #!ARCH_IA64
 			Gtest-resume-sig-rt Ltest-resume-sig-rt		 \
 			Gtest-trace Ltest-trace				 \
 			Ltest-init-local-signal				 \
+			Ltest-mem-validate				 \
 			test-async-sig test-flush-cache test-init-remote \
 			test-mem test-reg-state Ltest-varargs		 \
 			Ltest-nomalloc Ltest-nocalloc Lrs-race
@@ -149,6 +150,7 @@ Ltest_nomalloc_SOURCES = Ltest-nomalloc.c
 Ltest_nocalloc_SOURCES = Ltest-nocalloc.c
 Gtest_trace_SOURCES = Gtest-trace.c ident.c
 Ltest_trace_SOURCES = Ltest-trace.c ident.c
+Ltest_mem_validate_SOURCES = Ltest-mem-validate.c
 
 LIBUNWIND = $(top_builddir)/src/libunwind-$(arch).la
 LIBUNWIND_ptrace = $(top_builddir)/src/libunwind-ptrace.la
@@ -203,6 +205,7 @@ Ltest_resume_sig_rt_LDADD = $(LIBUNWIND_local)
 Lperf_simple_LDADD = $(LIBUNWIND_local)
 Ltest_trace_LDADD = $(LIBUNWIND_local)
 Lperf_trace_LDADD = $(LIBUNWIND_local)
+Ltest_mem_validate_LDADD = $(LIBUNWIND) $(LIBUNWIND_local)
 
 test_setjmp_LDADD = $(LIBUNWIND_setjmp)
 ia64_test_setjmp_LDADD = $(LIBUNWIND_setjmp)