authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-05 21:04:02 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-05 21:04:02 +0000
commit027f2fb27b6c2840feb15a3ee8964473075122bb (patch)
tree205e514cd633095f252762a44e5bb100eeb362ed /breakpad/linux
parent5093d683a15b9a754e833e0564185ae21edcb510 (diff)
Linux: Dumping a renderer can traverse an invalid pointer.
A ucontext isn't a POD datatype, so we can end up sending it to the browser and then walking an embedded pointer which is only valid in the renderer context. This fix sends the floating point registers (which were at the other end of said pointer) in the context and stops using the pointer in the ucontext. BUG=13465 http://codereview.chromium.org/119249 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17771 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'breakpad/linux')
-rw-r--r--breakpad/linux/exception_handler.cc2
-rw-r--r--breakpad/linux/exception_handler.h1
-rw-r--r--breakpad/linux/minidump_writer.cc12
3 files changed, 10 insertions, 5 deletions
diff --git a/breakpad/linux/exception_handler.cc b/breakpad/linux/exception_handler.cc
index ad7a11d..a1c8379 100644
--- a/breakpad/linux/exception_handler.cc
+++ b/breakpad/linux/exception_handler.cc
@@ -261,6 +261,8 @@ bool ExceptionHandler::HandleSignal(int sig, siginfo_t* info, void* uc) {
CrashContext context;
memcpy(&context.siginfo, info, sizeof(siginfo_t));
memcpy(&context.context, uc, sizeof(struct ucontext));
+ memcpy(&context.float_state, ((struct ucontext *)uc)->uc_mcontext.fpregs,
+ sizeof(context.float_state));
context.tid = sys_gettid();
if (crash_handler_ && crash_handler_(&context, sizeof(context),
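Review bot: The new memcpy at the top of this hunk dereferences `uc_mcontext.fpregs` unconditionally, and it does so inside the signal handler, where a second fault takes the crash reporter down with the renderer; as far as I recall the i386 kernel has historically left the sigcontext fpstate pointer NULL for a thread that never touched the FPU, so the pointer deserves a guard. I would zero the destination first so a skipped copy does not ship uninitialised stack bytes across the socket, `memset(&context.float_state, 0, sizeof(context.float_state));`, then copy under `if (((struct ucontext*)uc)->uc_mcontext.fpregs)`. Since the raw ucontext (with its renderer-local fpregs pointer) is still sent in `context.context`, consider also clearing `context.context.uc_mcontext.fpregs = NULL;` after the copy so no future consumer can silently dereference a foreign address. HandleSignal's body continues outside the hunk.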
diff --git a/breakpad/linux/exception_handler.h b/breakpad/linux/exception_handler.h
index 6176c94..b579a6a 100644
--- a/breakpad/linux/exception_handler.h
+++ b/breakpad/linux/exception_handler.h
@@ -146,6 +146,7 @@ class ExceptionHandler {
siginfo_t siginfo;
pid_t tid; // the crashing thread.
struct ucontext context;
+ struct _libc_fpstate float_state;
};
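Review bot: The new `float_state` member is the only field of CrashContext without a comment, and the field that explains why it exists is the one next to it: per the description the struct is shipped as raw bytes to the browser, and `context.uc_mcontext.fpregs` inside it is a pointer that is only meaningful in the crashing process. I would annotate it `// copy of *context.uc_mcontext.fpregs; that pointer itself is only valid in the crashing process` so a reader does not go back to the embedded pointer. Because the struct is effectively a wire format and `sizeof(context)` is what gets sent, any receiver that assumed the old size presumably needs to be checked, which is outside this hunk. The enclosing class starts outside the hunk.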
private:
diff --git a/breakpad/linux/minidump_writer.cc b/breakpad/linux/minidump_writer.cc
index fbec6bd..2a93347 100644
--- a/breakpad/linux/minidump_writer.cc
+++ b/breakpad/linux/minidump_writer.cc
@@ -147,9 +147,9 @@ static void CPUFillFromThreadInfo(MDRawContextX86 *out,
// Juggle an x86 ucontext into minidump format
// out: the minidump structure
// info: the collection of register structures.
-static void CPUFillFromUContext(MDRawContextX86 *out, const ucontext *uc) {
+static void CPUFillFromUContext(MDRawContextX86 *out, const ucontext *uc,
+ const struct _libc_fpstate* fp) {
const greg_t* regs = uc->uc_mcontext.gregs;
- const fpregset_t fp = uc->uc_mcontext.fpregs;
out->context_flags = MD_CONTEXT_X86_FULL |
MD_CONTEXT_X86_FLOATING_POINT;
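Review bot: The header comment above the new signature still documents a parameter named `info` ("the collection of register structures"), which is not what this function takes; with the added `fp` parameter the comment is now wrong on both arguments. I would replace the `// info:` line with `// uc: general registers from the signal handler's ucontext.` and `// fp: FP state copied out of the crashing process; uc->uc_mcontext.fpregs must not be dereferenced here.` The second sentence is the point of the commit and is worth stating at the place where the old code read the pointer. The function body continues outside the hunk.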
@@ -247,9 +247,9 @@ static void CPUFillFromThreadInfo(MDRawContextAMD64 *out,
memcpy(&out->flt_save.xmm_registers, &info.fpregs.xmm_space, 16 * 16);
}
-static void CPUFillFromUContext(MDRawContextAMD64 *out, const ucontext *uc) {
+static void CPUFillFromUContext(MDRawContextAMD64 *out, const ucontext *uc,
+ const struct _libc_fpstate* fpregs) {
const greg_t* regs = uc->gregs;
- const fpregset_t fpregs = uc->fpregs;
out->context_flags = MD_CONTEXT_AMD64_FULL;
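Review bot: The new parameter is named `fpregs` here but `fp` in the x86 overload of the same function above, and the two functions are otherwise deliberately parallel; I would use one name, e.g. `const struct _libc_fpstate* fp`, in both so a grep for the old `uc->fpregs` usage does not land on a parameter that merely shares its name. The general-register line reads `uc->gregs` rather than `uc->uc_mcontext.gregs` as in the x86 version, which presumably reflects a different `ucontext` type on this path but is worth confirming. The function body continues outside the hunk.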
@@ -308,6 +308,7 @@ class MinidumpWriter {
: filename_(filename),
siginfo_(&context->siginfo),
ucontext_(&context->context),
+ float_state_(&context->float_state),
crashing_tid_(context->tid),
dumper_(crashing_pid) {
}
@@ -440,7 +441,7 @@ class MinidumpWriter {
if (!cpu.Allocate())
return false;
my_memset(cpu.get(), 0, sizeof(RawContextCPU));
- CPUFillFromUContext(cpu.get(), ucontext_);
+ CPUFillFromUContext(cpu.get(), ucontext_, float_state_);
thread.thread_context = cpu.location();
crashing_thread_context_ = cpu.location();
} else {
@@ -675,6 +676,7 @@ class MinidumpWriter {
const char* const filename_; // output filename
const siginfo_t* const siginfo_; // from the signal handler (see sigaction)
const struct ucontext* const ucontext_; // also from the signal handler
+ const struct _libc_fpstate* const float_state_; // ditto
const pid_t crashing_tid_; // the process which actually crashed
LinuxDumper dumper_;
MinidumpFileWriter minidump_writer_;
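Review bot: The comment on the new `float_state_` member, `// ditto`, says only where the value came from, while the property a maintainer needs is that this copy is the only usable FP state in this process. I would write `// FP state copied from the crashing thread; ucontext_->uc_mcontext.fpregs points into that process and must not be dereferenced here.` so the invariant the commit establishes is recorded next to the pointer it supersedes. The enclosing class continues outside the hunk.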