strace seg with select and -ve nfds
Denys Vlasenko
dvlasenk at redhat.com
Tue Nov 5 11:08:45 UTC 2013
On 11/04/2013 10:39 PM, Dr. David Alan Gilbert wrote:
> The 'trinity' fuzz tester managed to trigger a seg of strace
> when doing a select() with a -ve nfds value but pointing to a valid large
> buffer (on x86 Linux).
>
> My patch below fixes this; I'm not 100% happy because:
> 1) It seems way too complicated - can't we quit earlier when we find
> the length is weird?
Yes, it can be simpler.
> 2) It's odd the way the code reads the arg for fdsize and then later
> reads it again for nfds, I think that's really the underlying
> reason this tripped.
I propose to do simply this:
+ nfds = fdsize;
fdsize = (((fdsize + 7) / 8) + sizeof(long)-1) & -sizeof(long);
+ /* We had bugs a-la "while (j < args[0])" and "umoven(args[0])" below.
+ * Instead of args[0], use nfds for fd count, fdsize for array lengths.
+ */
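Review bot: the hunk saves `nfds = fdsize;` but still lets a negative value flow into `fdsize = (((fdsize + 7) / 8) + sizeof(long)-1) & -sizeof(long);`, so the computed array length is garbage for exactly the -ve nfds case the report describes; bail out with `if (nfds < 0)` right after the new assignment, before the rounding, which also answers point 1 above about quitting earlier on a weird length.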
and use nfds in those two places where we incorrectly use arg[0] now.
> 3) I'd like some reassurance that my understanding of the way
> strace's arg types work is right.
>
> (WTH does strace use int for nfds?)
Because having more than 2^31-1 file descriptors in one process is insanity.
> Thoughts?
I applied a slightly simplified version of your fix to strace git, please try it.
--
vda
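As an added example (not strace's own code), here is the decoding discipline Denys describes above in isolation: the fd count comes from nfds, the array length from fdsize computed once from it, and a negative count is rejected before any rounding; the sample fd_set word and the helper names are constructed for this illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Decode one select() fd_set argument. nfds is the count exactly as the
 * tracee passed it (an int, so it may be negative); `words` holds the set
 * as the tracee's longs, of which `nwords` are readable. Set fds below nfds
 * are written to `out` (capacity out_cap). Returns the number of set fds,
 * or -1 when nfds is negative or the array would not fit in the buffer. */
int decode_fdset(int nfds, const unsigned long *words, size_t nwords,
                 int *out, size_t out_cap)
{
    size_t fdsize;
    int j, n = 0;

    /* Quit early on a weird length instead of rounding a negative value. */
    if (nfds < 0)
        return -1;

    /* Same rounding as strace: bytes for nfds bits, rounded up to whole
     * longs. Computed once from nfds; the argument is never re-read. */
    fdsize = ((((size_t)nfds + 7) / 8) + sizeof(long) - 1) & -sizeof(long);

    /* fdsize bounds the memory we touch, nfds bounds the bit index. */
    if (fdsize / sizeof(long) > nwords)
        return -1;

    for (j = 0; j < nfds; j++) {
        size_t bits = 8 * sizeof(long);
        if ((words[j / bits] >> (j % bits)) & 1UL) {
            if ((size_t)n < out_cap)
                out[n] = j;
            n++;
        }
    }
    return n;
}

/* Constructed sample: a single word with fds 3, 9 and 20 set. */
static const unsigned long sample_set[1] = { (1UL << 3) | (1UL << 9) | (1UL << 20) };

/* Decode the constructed sample with a caller-chosen nfds. */
int sample_count(int nfds)
{
    int fds[32];
    return decode_fdset(nfds, sample_set, 1, fds, 32);
}

int main(void)
{
    printf("nfds=-1 -> %d, nfds=10 -> %d, nfds=32 -> %d, nfds=100 -> %d\n",
           sample_count(-1), sample_count(10), sample_count(32), sample_count(100));
    return 0;
}
```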
More information about the Strace-devel mailing list