Linux: Dumping a renderer can traverse an invalid pointer.

breakpad/linux/minidump_writer.cc

 // Copyright (c) 2009, Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 129 matching lines @@
   U16(out->extended_registers + 20, info.fpregs.fos);
   U32(out->extended_registers + 24, info.fpxregs.mxcsr);
 
   memcpy(out->extended_registers + 32, &info.fpxregs.st_space, 128);
   memcpy(out->extended_registers + 160, &info.fpxregs.xmm_space, 128);
 }
 
 // Juggle an x86 ucontext into minidump format
 //   out: the minidump structure
 //   info: the collection of register structures.
-static void CPUFillFromUContext(MDRawContextX86 *out, const ucontext *uc) {
+static void CPUFillFromUContext(MDRawContextX86 *out, const ucontext *uc,
+                                const struct _libc_fpstate* fp) {
   const greg_t* regs = uc->uc_mcontext.gregs;
-  const fpregset_t fp = uc->uc_mcontext.fpregs;
 
   out->context_flags = MD_CONTEXT_X86_FULL |
                        MD_CONTEXT_X86_FLOATING_POINT;
 
   out->gs = regs[REG_GS];
   out->fs = regs[REG_FS];
   out->es = regs[REG_ES];
   out->ds = regs[REG_DS];
 
   out->edi = regs[REG_EDI];
@@ skipping 77 matching lines @@
   out->flt_save.error_offset = info.fpregs.rip;
   out->flt_save.error_selector = 0; // We don't have this.
   out->flt_save.data_offset = info.fpregs.rdp;
   out->flt_save.data_selector = 0;  // We don't have this.
   out->flt_save.mx_csr = info.fpregs.mxcsr;
   out->flt_save.mx_csr_mask = info.fpregs.mxcsr_mask;
   memcpy(&out->flt_save.float_registers, &info.fpregs.st_space, 8 * 16);
   memcpy(&out->flt_save.xmm_registers, &info.fpregs.xmm_space, 16 * 16);
 }
 
-static void CPUFillFromUContext(MDRawContextAMD64 *out, const ucontext *uc) {
+static void CPUFillFromUContext(MDRawContextAMD64 *out, const ucontext *uc,
+                                const struct _libc_fpstate* fpregs) {
   const greg_t* regs = uc->gregs;
-  const fpregset_t fpregs = uc->fpregs;
 
   out->context_flags = MD_CONTEXT_AMD64_FULL;
 
   out->cs = regs[REG_CSGSFS] & 0xffff;
 
   out->fs = (regs[REG_CSGSFS] >> 32) & 0xffff;
   out->gs = (regs[REG_CSGSFS] >> 16) & 0xffff;
 
   out->eflags = regs[REG_EFL];
 
@@ skipping 38 matching lines @@
 namespace google_breakpad {
 
 class MinidumpWriter {
  public:
   MinidumpWriter(const char* filename,
                  pid_t crashing_pid,
                  const ExceptionHandler::CrashContext* context)
       : filename_(filename),
         siginfo_(&context->siginfo),
         ucontext_(&context->context),
+        float_state_(&context->float_state),
         crashing_tid_(context->tid),
         dumper_(crashing_pid) {
   }
 
   bool Init() {
     return dumper_.Init() && minidump_writer_.Open(filename_) &&
            dumper_.ThreadsSuspend();
   }
 
   ~MinidumpWriter() {
@@ skipping 112 matching lines @@
           return false;
         uint8_t* stack_copy = (uint8_t*) dumper_.allocator()->Alloc(stack_len);
         dumper_.CopyFromProcess(stack_copy, thread.thread_id, stack, stack_len);
         memory.Copy(stack_copy, stack_len);
         thread.stack.start_of_memory_range = (uintptr_t) (stack);
         thread.stack.memory = memory.location();
         TypedMDRVA<RawContextCPU> cpu(&minidump_writer_);
         if (!cpu.Allocate())
           return false;
         my_memset(cpu.get(), 0, sizeof(RawContextCPU));
-        CPUFillFromUContext(cpu.get(), ucontext_);
+        CPUFillFromUContext(cpu.get(), ucontext_, float_state_);
         thread.thread_context = cpu.location();
         crashing_thread_context_ = cpu.location();
       } else {
         ThreadInfo info;
         if (!dumper_.ThreadInfoGet(dumper_.threads()[i], &info))
           return false;
         UntypedMDRVA memory(&minidump_writer_);
         if (!memory.Allocate(info.stack_len))
           return false;
         uint8_t* stack_copy =
@@ skipping 214 matching lines @@
     const unsigned pid_len = my_int_len(pid);
     my_itos(buf + 6, pid, pid_len);
     buf[6 + pid_len] = '/';
     memcpy(buf + 6 + pid_len + 1, filename, my_strlen(filename) + 1);
     return WriteFile(result, buf);
   }
 
   const char* const filename_;  // output filename
   const siginfo_t* const siginfo_;  // from the signal handler (see sigaction)
   const struct ucontext* const ucontext_;  // also from the signal handler
+  const struct _libc_fpstate* const float_state_;  // ditto
   const pid_t crashing_tid_;  // the process which actually crashed
   LinuxDumper dumper_;
   MinidumpFileWriter minidump_writer_;
   MDLocationDescriptor crashing_thread_context_;
 };
 
 bool WriteMinidump(const char* filename, pid_t crashing_process,
                    const void* blob, size_t blob_size) {
   if (blob_size != sizeof(ExceptionHandler::CrashContext))
     return false;
   const ExceptionHandler::CrashContext* context =
       reinterpret_cast<const ExceptionHandler::CrashContext*>(blob);
   MinidumpWriter writer(filename, crashing_process, context);
   if (!writer.Init())
     return false;
   return writer.Dump();
 }
 
 }  // namespace google_breakpad