From 1d8e98d431806865368495fd13f8e988a6d512da Mon Sep 17 00:00:00 2001
From: Johannes Ziegenbalg
Date: Tue, 6 Sep 2016 18:46:28 +0200
Subject: [PATCH] [PATCH] x86_64: fix mincore_validate and msync_validate

The calls to mincore() or msync() are not checking for actual accessibility this could lead to SIGSEGV if the address from a mapped page with the PROT_NONE property occurs on the stack.
---
 src/x86_64/Ginit.c | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/x86_64/Ginit.c b/src/x86_64/Ginit.c
index 7827576..7edc914 100644
--- a/src/x86_64/Ginit.c
+++ b/src/x86_64/Ginit.c
@@ -72,10 +72,27 @@ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
 #define PAGE_SIZE 4096
 #define PAGE_START(a) ((a) & ~(PAGE_SIZE-1))
 
+static int null_fd[2];
 static int (*mem_validate_func) (void *addr, size_t len);
 static int msync_validate (void *addr, size_t len)
 {
-  return msync (addr, len, MS_ASYNC);
+  if (msync (addr, len, MS_ASYNC) != 0)
+    {
+      return -1;
+    }
+
+  if (write (null_fd[1], addr, 1) == -1)
+    {
+      return -1;
+    }
+  else
+    {
+      /* Remove written byte from the pipe buffer. */
+      char buf[1];
+      read (null_fd[0], buf, 1);
+    }
+
+  return 0;
 }
 
 #ifdef HAVE_MINCORE
@@ -96,6 +113,17 @@ static int mincore_validate (void *addr, size_t len)
       if (!(mvec[i] & 1)) return -1;
     }
 
+  if (write (null_fd[1], addr, 1) == -1)
+    {
+      return -1;
+    }
+  else
+    {
+      /* Remove written byte from the pipe buffer. */
+      char buf[1];
+      read (null_fd[0], buf, 1);
+    }
+
   return 0;
 }
 #endif
@@ -107,6 +135,8 @@ static int mincore_validate (void *addr, size_t len)
 HIDDEN void
 tdep_init_mem_validate (void)
 {
+  while (pipe (null_fd) == -1 ) {}
+
 #ifdef HAVE_MINCORE
   unsigned char present = 1;
   unw_word_t addr = PAGE_START((unw_word_t)&present);
-- 
2.9.3
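Review bot: The write/read probe in msync_validate treats every write() failure as an inaccessible address and discards read()'s result, so an EINTR on either call (likely, since this runs from signal handlers) either aborts a valid unwind or leaves the probed byte stranded in the pipe; once enough strays accumulate to fill the pipe's bounded capacity, the blocking write() hangs the process inside the validator. Only EFAULT is a verdict on the address; both calls should retry on EINTR and the drain should be checked, as below (needs errno from `<errno.h>` in scope). The identical pattern in the mincore_validate hunk has the same problem and should get the same treatment, ideally via one shared static helper. Note also that the probe copies a byte of arbitrary (stack) memory into a kernel buffer: as long as null_fd refers to the private pipe that is harmless, but the design relies on those descriptor numbers never being closed and reused by the application after init.
```c
static int msync_validate (void *addr, size_t len)
{
  if (msync (addr, len, MS_ASYNC) != 0)
    return -1;

  /* msync only proves the page is mapped; a PROT_NONE page still faults
     on access.  write () reports an unreadable source as EFAULT, while
     EINTR is merely a retry, not a verdict on the address.  */
  ssize_t ret;
  do
    ret = write (null_fd[1], addr, 1);
  while (ret == -1 && errno == EINTR);
  if (ret != 1)
    return -1;

  /* Drain the byte again so the pipe can never fill up and block a
     later probe.  */
  char buf[1];
  do
    ret = read (null_fd[0], buf, 1);
  while (ret == -1 && errno == EINTR);

  return 0;
}
```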
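Review bot: The access probe added to mincore_validate writes a single byte at `addr`, so only the first page of the `[addr, addr + len)` range that the preceding `mvec[i]` loop validated is actually tested for PROT_NONE; when `len` spans a second page that is mapped but inaccessible, the function still returns 0 and the caller faults exactly as before the patch. Probe the last byte of the range as well, e.g. `if (write (null_fd[1], (char *) addr + len - 1, 1) == -1) return -1;` followed by a matching `read (null_fd[0], buf, 1);` to drain it, or loop the probe over each page together with the mincore check. The start of mincore_validate (the mincore call and the loop header) lies outside this hunk, so whether `len` can exceed one page has to be confirmed against its callers.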
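Review bot: `while (pipe (null_fd) == -1 ) {}` in tdep_init_mem_validate spins forever on any persistent failure — EMFILE or ENFILE when the descriptor limit is reached is not transient — turning library initialisation into a hang instead of a degraded validator. The descriptors are also created without FD_CLOEXEC, so they leak into every exec'd child, and without O_NONBLOCK a full pipe blocks the probe. Prefer `if (pipe2 (null_fd, O_CLOEXEC | O_NONBLOCK) == -1) null_fd[0] = null_fd[1] = -1;` where pipe2 is available (pipe() plus fcntl otherwise), and have the validators skip the write probe when `null_fd[1] < 0`, which preserves the pre-patch msync/mincore-only behaviour as a fallback. The body of tdep_init_mem_validate continues past this hunk, so the fallback should be documented there in a comment such as `/* null_fd stays -1 when no pipe could be opened; validators then fall back to msync/mincore alone. */`.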