Blob Blame History Raw
commit 515c3b6de3eff6ddf88fd14a0084b8ad0c692553
Author: iraisr <iraisr@a5019735-40e9-0310-863c-91ae7b9d1cf9>
Date:   Tue Mar 8 09:04:48 2016 +0000

    Sanitize signal mask in ppoll and pselect syscalls
    Reported and Linux patch contributed by Steven Smith <sos22@archy.org.uk>
    Fixes BZ#359871
    
    
    
    git-svn-id: svn://svn.valgrind.org/valgrind/trunk@15823 a5019735-40e9-0310-863c-91ae7b9d1cf9

diff --git a/coregrind/m_syswrap/priv_syswrap-main.h b/coregrind/m_syswrap/priv_syswrap-main.h
index cabad7c..3164c81 100644
--- a/coregrind/m_syswrap/priv_syswrap-main.h
+++ b/coregrind/m_syswrap/priv_syswrap-main.h
@@ -38,6 +38,9 @@
 extern
 void ML_(fixup_guest_state_to_restart_syscall) ( ThreadArchState* arch );
 
+extern
+void VG_(sanitize_client_sigmask)(vki_sigset_t *mask);
+
 #if defined(VGO_darwin)
 /* Longjmp to scheduler after client calls workq_ops(WQOPS_THREAD_RETURN)*/
 extern
diff --git a/coregrind/m_syswrap/syswrap-amd64-linux.c b/coregrind/m_syswrap/syswrap-amd64-linux.c
index 7c88bc2..4a8344b 100644
--- a/coregrind/m_syswrap/syswrap-amd64-linux.c
+++ b/coregrind/m_syswrap/syswrap-amd64-linux.c
@@ -1018,7 +1018,7 @@ static SyscallTableEntry syscall_table[] = {
    LINX_(__NR_fchmodat,		 sys_fchmodat),         // 268
    LINX_(__NR_faccessat,	 sys_faccessat),        // 269
 
-   LINX_(__NR_pselect6,		 sys_pselect6),         // 270
+   LINXY(__NR_pselect6,		 sys_pselect6),         // 270
    LINXY(__NR_ppoll,		 sys_ppoll),            // 271
    LINX_(__NR_unshare,		 sys_unshare),          // 272
    LINX_(__NR_set_robust_list,	 sys_set_robust_list),  // 273
diff --git a/coregrind/m_syswrap/syswrap-arm-linux.c b/coregrind/m_syswrap/syswrap-arm-linux.c
index 3ccad12..224070c 100644
--- a/coregrind/m_syswrap/syswrap-arm-linux.c
+++ b/coregrind/m_syswrap/syswrap-arm-linux.c
@@ -1188,7 +1188,7 @@ static SyscallTableEntry syscall_main_table[] = {
 
    LINX_(__NR_arm_fadvise64_64,  sys_fadvise64_64),     // 270 */(Linux?)
 
-   LINX_(__NR_pselect6,          sys_pselect6),         // 335
+   LINXY(__NR_pselect6,          sys_pselect6),         // 335
    LINXY(__NR_ppoll,             sys_ppoll),            // 336
 
    LINXY(__NR_epoll_pwait,       sys_epoll_pwait),      // 346
diff --git a/coregrind/m_syswrap/syswrap-arm64-linux.c b/coregrind/m_syswrap/syswrap-arm64-linux.c
index 8d3027d..abddff1 100644
--- a/coregrind/m_syswrap/syswrap-arm64-linux.c
+++ b/coregrind/m_syswrap/syswrap-arm64-linux.c
@@ -924,7 +924,7 @@ static SyscallTableEntry syscall_main_table[] = {
    GENX_(__NR_writev,            sys_writev),            // 66
    GENXY(__NR_pread64,           sys_pread64),           // 67
    GENX_(__NR_pwrite64,          sys_pwrite64),          // 68
-   LINX_(__NR_pselect6,          sys_pselect6),          // 72
+   LINXY(__NR_pselect6,          sys_pselect6),          // 72
    LINXY(__NR_ppoll,             sys_ppoll),             // 73
    LINXY(__NR_signalfd4,         sys_signalfd4),         // 74
    LINX_(__NR_readlinkat,        sys_readlinkat),        // 78
diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c
index f2d1076..6fdacda 100644
--- a/coregrind/m_syswrap/syswrap-linux.c
+++ b/coregrind/m_syswrap/syswrap-linux.c
@@ -62,6 +62,7 @@
 #include "priv_types_n_macros.h"
 #include "priv_syswrap-generic.h"
 #include "priv_syswrap-linux.h"
+#include "priv_syswrap-main.h"
 #include "priv_syswrap-xen.h"
 
 // Run a thread from beginning to end and return the thread's
@@ -1272,9 +1273,18 @@ POST(sys_get_robust_list)
    POST_MEM_WRITE(ARG3, sizeof(struct vki_size_t *));
 }
 
+struct pselect_sized_sigset {
+    const vki_sigset_t *ss;
+    vki_size_t ss_len;
+};
+struct pselect_adjusted_sigset {
+    struct pselect_sized_sigset ss; /* The actual syscall arg */
+    vki_sigset_t adjusted_ss;
+};
+
 PRE(sys_pselect6)
 {
-   *flags |= SfMayBlock;
+   *flags |= SfMayBlock | SfPostOnFail;
    PRINT("sys_pselect6 ( %ld, %#lx, %#lx, %#lx, %#lx, %#lx )",
          SARG1, ARG2, ARG3, ARG4, ARG5, ARG6);
    PRE_REG_READ6(long, "pselect6",
@@ -1293,15 +1303,41 @@ PRE(sys_pselect6)
 		     ARG4, ARG1/8 /* __FD_SETSIZE/8 */ );
    if (ARG5 != 0)
       PRE_MEM_READ( "pselect6(timeout)", ARG5, sizeof(struct vki_timeval) );
-   if (ARG6 != 0)
-      PRE_MEM_READ( "pselect6(sig)", ARG6, sizeof(void *)+sizeof(vki_size_t) );
+   if (ARG6 != 0) {
+      const struct pselect_sized_sigset *pss =
+          (struct pselect_sized_sigset *)ARG6;
+      PRE_MEM_READ( "pselect6(sig)", ARG6, sizeof(*pss) );
+      if (!ML_(safe_to_deref)(pss, sizeof(*pss))) {
+         ARG6 = 1; /* Something recognisable to POST() hook. */
+      } else {
+         struct pselect_adjusted_sigset *pas;
+         pas = VG_(malloc)("syswrap.pselect6.1", sizeof(*pas));
+         ARG6 = (Addr)pas;
+         pas->ss.ss = (void *)1;
+         pas->ss.ss_len = pss->ss_len;
+         if (pss->ss_len == sizeof(*pss->ss)) {
+            PRE_MEM_READ("pselect6(sig->ss)", (Addr)pss->ss, pss->ss_len);
+            if (ML_(safe_to_deref)(pss->ss, sizeof(*pss->ss))) {
+               pas->adjusted_ss = *pss->ss;
+               pas->ss.ss = &pas->adjusted_ss;
+               VG_(sanitize_client_sigmask)(&pas->adjusted_ss);
+            }
+         }
+      }
+   }
+}
+POST(sys_pselect6)
+{
+   if (ARG6 != 0 && ARG6 != 1) {
+       VG_(free)((struct pselect_adjusted_sigset *)ARG6);
+   }
 }
 
 PRE(sys_ppoll)
 {
    UInt i;
    struct vki_pollfd* ufds = (struct vki_pollfd *)ARG1;
-   *flags |= SfMayBlock;
+   *flags |= SfMayBlock | SfPostOnFail;
    PRINT("sys_ppoll ( %#lx, %lu, %#lx, %#lx, %lu )\n", ARG1,ARG2,ARG3,ARG4,ARG5);
    PRE_REG_READ5(long, "ppoll",
                  struct vki_pollfd *, ufds, unsigned int, nfds,
@@ -1319,18 +1355,33 @@ PRE(sys_ppoll)
 
    if (ARG3)
       PRE_MEM_READ( "ppoll(tsp)", ARG3, sizeof(struct vki_timespec) );
-   if (ARG4)
-      PRE_MEM_READ( "ppoll(sigmask)", ARG4, sizeof(vki_sigset_t) );
+   if (ARG4 != 0 && sizeof(vki_sigset_t) == ARG5) {
+      const vki_sigset_t *guest_sigmask = (vki_sigset_t *)ARG4;
+      PRE_MEM_READ( "ppoll(sigmask)", ARG4, ARG5);
+      if (!ML_(safe_to_deref)(guest_sigmask, sizeof(*guest_sigmask))) {
+         ARG4 = 1; /* Something recognisable to POST() hook. */
+      } else {
+         vki_sigset_t *vg_sigmask =
+             VG_(malloc)("syswrap.ppoll.1", sizeof(*vg_sigmask));
+         ARG4 = (Addr)vg_sigmask;
+         *vg_sigmask = *guest_sigmask;
+         VG_(sanitize_client_sigmask)(vg_sigmask);
+      }
+   }
 }
 
 POST(sys_ppoll)
 {
-   if (RES > 0) {
+   vg_assert(SUCCESS || FAILURE);
+   if (SUCCESS && (RES >= 0)) {
       UInt i;
       struct vki_pollfd* ufds = (struct vki_pollfd *)ARG1;
       for (i = 0; i < ARG2; i++)
 	 POST_MEM_WRITE( (Addr)(&ufds[i].revents), sizeof(ufds[i].revents) );
    }
+   if (ARG4 != 0 && ARG5 == sizeof(vki_sigset_t) && ARG4 != 1) {
+      VG_(free)((vki_sigset_t *) ARG4);
+   }
 }
 
 
diff --git a/coregrind/m_syswrap/syswrap-main.c b/coregrind/m_syswrap/syswrap-main.c
index 054891f..d854194 100644
--- a/coregrind/m_syswrap/syswrap-main.c
+++ b/coregrind/m_syswrap/syswrap-main.c
@@ -1657,7 +1657,7 @@ static const SyscallTableEntry* get_syscall_entry ( Int syscallno )
 /* Add and remove signals from mask so that we end up telling the
    kernel the state we actually want rather than what the client
    wants. */
-static void sanitize_client_sigmask(vki_sigset_t *mask)
+void VG_(sanitize_client_sigmask)(vki_sigset_t *mask)
 {
    VG_(sigdelset)(mask, VKI_SIGKILL);
    VG_(sigdelset)(mask, VKI_SIGSTOP);
@@ -1979,7 +1979,7 @@ void VG_(client_syscall) ( ThreadId tid, UInt trc )
          PRINT(" --> [async] ... \n");
 
          mask = tst->sig_mask;
-         sanitize_client_sigmask(&mask);
+         VG_(sanitize_client_sigmask)(&mask);
 
          /* Gack.  More impedance matching.  Copy the possibly
             modified syscall args back into the guest state. */
diff --git a/coregrind/m_syswrap/syswrap-mips64-linux.c b/coregrind/m_syswrap/syswrap-mips64-linux.c
index 12d147d..7c5fbdb 100644
--- a/coregrind/m_syswrap/syswrap-mips64-linux.c
+++ b/coregrind/m_syswrap/syswrap-mips64-linux.c
@@ -889,7 +889,7 @@ static SyscallTableEntry syscall_main_table[] = {
    LINX_ (__NR_readlinkat, sys_readlinkat),
    LINX_ (__NR_fchmodat, sys_fchmodat),
    LINX_ (__NR_faccessat, sys_faccessat),
-   LINX_ (__NR_pselect6, sys_pselect6),
+   LINXY (__NR_pselect6, sys_pselect6),
    LINXY (__NR_ppoll, sys_ppoll),
    PLAX_ (__NR_unshare, sys_unshare),
    PLAX_ (__NR_splice, sys_splice),
diff --git a/coregrind/m_syswrap/syswrap-ppc32-linux.c b/coregrind/m_syswrap/syswrap-ppc32-linux.c
index 9ceaa15..379fcb3 100644
--- a/coregrind/m_syswrap/syswrap-ppc32-linux.c
+++ b/coregrind/m_syswrap/syswrap-ppc32-linux.c
@@ -1194,7 +1194,7 @@ static SyscallTableEntry syscall_table[] = {
    PLAXY(__NR_spu_run,            sys_spu_run),               // 278
    PLAX_(__NR_spu_create,         sys_spu_create),            // 279
 
-   LINX_(__NR_pselect6,          sys_pselect6),          // 280
+   LINXY(__NR_pselect6,          sys_pselect6),          // 280
    LINXY(__NR_ppoll,             sys_ppoll),             // 281
 
    LINXY(__NR_openat,            sys_openat),            // 286
diff --git a/coregrind/m_syswrap/syswrap-ppc64-linux.c b/coregrind/m_syswrap/syswrap-ppc64-linux.c
index 15b8979..77668c7 100644
--- a/coregrind/m_syswrap/syswrap-ppc64-linux.c
+++ b/coregrind/m_syswrap/syswrap-ppc64-linux.c
@@ -1110,7 +1110,7 @@ static SyscallTableEntry syscall_table[] = {
    LINX_(__NR_inotify_add_watch,  sys_inotify_add_watch), // 276
    LINX_(__NR_inotify_rm_watch,   sys_inotify_rm_watch),  // 277
 
-   LINX_(__NR_pselect6,          sys_pselect6),           // 280
+   LINXY(__NR_pselect6,          sys_pselect6),           // 280
    LINXY(__NR_ppoll,             sys_ppoll),              // 281
 
    LINXY(__NR_openat,            sys_openat),             // 286
diff --git a/coregrind/m_syswrap/syswrap-s390x-linux.c b/coregrind/m_syswrap/syswrap-s390x-linux.c
index 0513789..107a569 100644
--- a/coregrind/m_syswrap/syswrap-s390x-linux.c
+++ b/coregrind/m_syswrap/syswrap-s390x-linux.c
@@ -992,7 +992,7 @@ static SyscallTableEntry syscall_table[] = {
    LINX_(__NR_fchmodat,  sys_fchmodat),                               // 299
 
    LINX_(__NR_faccessat,  sys_faccessat),                             // 300
-   LINX_(__NR_pselect6, sys_pselect6),                                // 301
+   LINXY(__NR_pselect6, sys_pselect6),                                // 301
    LINXY(__NR_ppoll, sys_ppoll),                                      // 302
    LINX_(__NR_unshare, sys_unshare),                                  // 303
    LINX_(__NR_set_robust_list,  sys_set_robust_list),                 // 304
diff --git a/coregrind/m_syswrap/syswrap-solaris.c b/coregrind/m_syswrap/syswrap-solaris.c
index 7ac876f..a307f6c 100644
--- a/coregrind/m_syswrap/syswrap-solaris.c
+++ b/coregrind/m_syswrap/syswrap-solaris.c
@@ -71,6 +71,7 @@
 
 #include "priv_types_n_macros.h"
 #include "priv_syswrap-generic.h"
+#include "priv_syswrap-main.h"
 #include "priv_syswrap-solaris.h"
 
 /* Return the number of non-dead and daemon threads.
@@ -7327,7 +7328,7 @@ PRE(sys_pollsys)
    UWord i;
    struct vki_pollfd *ufds = (struct vki_pollfd *)ARG1;
 
-   *flags |= SfMayBlock;
+   *flags |= SfMayBlock | SfPostOnFail;
 
    PRINT("sys_pollsys ( %#lx, %lu, %#lx, %#lx )", ARG1, ARG2, ARG3, ARG4);
    PRE_REG_READ4(long, "poll", pollfd_t *, fds, vki_nfds_t, nfds,
@@ -7343,18 +7344,37 @@ PRE(sys_pollsys)
 
    if (ARG3)
       PRE_MEM_READ("poll(timeout)", ARG3, sizeof(vki_timespec_t));
-   if (ARG4)
+
+   if (ARG4) {
       PRE_MEM_READ("poll(set)", ARG4, sizeof(vki_sigset_t));
+
+      const vki_sigset_t *guest_sigmask = (vki_sigset_t *) ARG4;
+      if (!ML_(safe_to_deref)(guest_sigmask, sizeof(vki_sigset_t))) {
+         ARG4 = 1; /* Something recognisable to POST() hook. */
+      } else {
+         vki_sigset_t *vg_sigmask =
+            VG_(malloc)("syswrap.pollsys.1", sizeof(vki_sigset_t));
+         ARG4 = (Addr) vg_sigmask;
+         *vg_sigmask = *guest_sigmask;
+         VG_(sanitize_client_sigmask)(vg_sigmask);
+      }
+   }
 }
 
 POST(sys_pollsys)
 {
-   if (RES >= 0) {
+   vg_assert(SUCCESS || FAILURE);
+
+   if (SUCCESS && (RES >= 0)) {
       UWord i;
       vki_pollfd_t *ufds = (vki_pollfd_t*)ARG1;
       for (i = 0; i < ARG2; i++)
          POST_FIELD_WRITE(ufds[i].revents);
    }
+
+   if ((ARG4 != 0) && (ARG4 != 1)) {
+      VG_(free)((vki_sigset_t *) ARG4);
+   }
 }
 
 PRE(sys_labelsys)
diff --git a/coregrind/m_syswrap/syswrap-tilegx-linux.c b/coregrind/m_syswrap/syswrap-tilegx-linux.c
index aceceb4..4845f79 100644
--- a/coregrind/m_syswrap/syswrap-tilegx-linux.c
+++ b/coregrind/m_syswrap/syswrap-tilegx-linux.c
@@ -1202,7 +1202,7 @@ static SyscallTableEntry syscall_table[] = {
   LINXY(__NR_preadv,            sys_preadv),               // 69
   LINX_(__NR_pwritev,           sys_pwritev),              // 70
   LINXY(__NR_sendfile,          sys_sendfile),             // 71
-  LINX_(__NR_pselect6,          sys_pselect6),             // 72
+  LINXY(__NR_pselect6,          sys_pselect6),             // 72
   LINXY(__NR_ppoll,             sys_ppoll),                // 73
   LINXY(__NR_signalfd4,         sys_signalfd4),            // 74
   LINX_(__NR_splice,            sys_splice),               // 75
diff --git a/coregrind/m_syswrap/syswrap-x86-linux.c b/coregrind/m_syswrap/syswrap-x86-linux.c
index 3c80e6a..f1f97d7 100644
--- a/coregrind/m_syswrap/syswrap-x86-linux.c
+++ b/coregrind/m_syswrap/syswrap-x86-linux.c
@@ -1766,7 +1766,7 @@ static SyscallTableEntry syscall_table[] = {
    LINX_(__NR_readlinkat,	 sys_readlinkat),       // 305
    LINX_(__NR_fchmodat,		 sys_fchmodat),         // 306
    LINX_(__NR_faccessat,	 sys_faccessat),        // 307
-   LINX_(__NR_pselect6,		 sys_pselect6),         // 308
+   LINXY(__NR_pselect6,		 sys_pselect6),         // 308
    LINXY(__NR_ppoll,		 sys_ppoll),            // 309
 
    LINX_(__NR_unshare,		 sys_unshare),          // 310
diff --git a/none/tests/Makefile.am b/none/tests/Makefile.am
index 7eb2bf8..5d8e942 100644
--- a/none/tests/Makefile.am
+++ b/none/tests/Makefile.am
@@ -142,12 +142,14 @@ EXTRA_DIST = \
 	nestedfns.stderr.exp nestedfns.stdout.exp nestedfns.vgtest \
 	nodir.stderr.exp nodir.vgtest \
 	pending.stdout.exp pending.stderr.exp pending.vgtest \
+	ppoll_alarm.stdout.exp ppoll_alarm.stderr.exp ppoll_alarm.vgtest \
 	procfs-linux.stderr.exp-with-readlinkat \
 	procfs-linux.stderr.exp-without-readlinkat \
 	procfs-linux.vgtest \
 	procfs-non-linux.vgtest \
 	procfs-non-linux.stderr.exp-with-readlinkat \
 	procfs-non-linux.stderr.exp-without-readlinkat \
+	pselect_alarm.stdout.exp pselect_alarm.stderr.exp pselect_alarm.vgtest \
 	pth_atfork1.stderr.exp pth_atfork1.stdout.exp pth_atfork1.vgtest \
 	pth_blockedsig.stderr.exp \
 	pth_blockedsig.stdout.exp pth_blockedsig.vgtest \
@@ -215,7 +217,9 @@ check_PROGRAMS = \
 	mmap_fcntl_bug \
 	munmap_exe map_unaligned map_unmap mq \
 	pending \
+	ppoll_alarm \
 	procfs-cmdline-exe \
+	pselect_alarm \
 	pth_atfork1 pth_blockedsig pth_cancel1 pth_cancel2 pth_cvsimple \
 	pth_empty pth_exit pth_exit2 pth_mutexspeed pth_once pth_rwlock \
 	pth_stackalign \
@@ -289,6 +293,8 @@ libvexmultiarch_test_LDADD = \
 	../../VEX/libvexmultiarch-@VGCONF_ARCH_PRI@-@VGCONF_OS@.a \
 	../../VEX/libvex-@VGCONF_ARCH_PRI@-@VGCONF_OS@.a @LIB_UBSAN@
 libvexmultiarch_test_SOURCES = libvex_test.c
+ppoll_alarm_LDADD	= -lpthread
+pselect_alarm_LDADD	= -lpthread
 pth_atfork1_LDADD	= -lpthread
 pth_blockedsig_LDADD	= -lpthread
 pth_cancel1_CFLAGS	= $(AM_CFLAGS) -Wno-shadow
diff --git a/none/tests/ppoll_alarm.c b/none/tests/ppoll_alarm.c
new file mode 100644
index 0000000..1b1794b
--- /dev/null
+++ b/none/tests/ppoll_alarm.c
@@ -0,0 +1,55 @@
+/* Tries to exploit bug in ppoll mask handling:
+   https://bugs.kde.org/show_bug.cgi?id=359871
+   where client program was able to successfully block VG_SIGVGKILL. */
+
+#define _GNU_SOURCE /* for ppoll */
+#include <poll.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static int ready = 0;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+
+static void *
+mythr(void *ignore)
+{
+    pthread_mutex_lock(&mutex);
+    ready = 1;
+    pthread_cond_signal(&cond);
+    pthread_mutex_unlock(&mutex);
+
+    sigset_t ss;
+    sigfillset(&ss);
+    while (1) {
+        struct timespec ts = {10000, 0};
+        ppoll(NULL, 0, &ts, &ss);
+    }
+
+    return NULL;
+}
+
+int
+main()
+{
+    pthread_t thr;
+    int ret = pthread_create(&thr, NULL, mythr, NULL);
+    if (ret != 0) {
+        fprintf(stderr, "pthread_create failed\n");
+        return 1;
+    }
+
+    pthread_mutex_lock(&mutex);
+    while (ready == 0) {
+        pthread_cond_wait(&cond, &mutex);
+    }
+    pthread_mutex_unlock(&mutex);
+
+    alarm(1); /* Unhandled SIGALRM should cause exit. */
+    while (1)
+        sleep(1);
+
+    return 0;
+}
diff --git a/none/tests/ppoll_alarm.stderr.exp b/none/tests/ppoll_alarm.stderr.exp
new file mode 100644
index 0000000..e69de29
diff --git a/none/tests/ppoll_alarm.stdout.exp b/none/tests/ppoll_alarm.stdout.exp
new file mode 100644
index 0000000..e69de29
diff --git a/none/tests/ppoll_alarm.vgtest b/none/tests/ppoll_alarm.vgtest
new file mode 100644
index 0000000..b1309d3
--- /dev/null
+++ b/none/tests/ppoll_alarm.vgtest
@@ -0,0 +1,3 @@
+prog: ppoll_alarm
+vgopts: -q
+stderr_filter: filter_stderr
diff --git a/none/tests/pselect_alarm.c b/none/tests/pselect_alarm.c
new file mode 100644
index 0000000..7a68ec0
--- /dev/null
+++ b/none/tests/pselect_alarm.c
@@ -0,0 +1,61 @@
+/* Tries to exploit bug in pselect mask handling:
+   https://bugs.kde.org/show_bug.cgi?id=359871
+   where client program was able to successfully block VG_SIGVGKILL. */
+
+#include <sys/select.h>
+#include <assert.h>
+#include <errno.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static int ready = 0;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+
+static void *
+mythr(void *ignore)
+{
+    pthread_mutex_lock(&mutex);
+    ready = 1;
+    pthread_cond_signal(&cond);
+    pthread_mutex_unlock(&mutex);
+
+    sigset_t ss;
+    sigfillset(&ss);
+    while (1) {
+        struct timespec ts = {10000, 0};
+        pselect(0, NULL, NULL, NULL, &ts, &ss);
+    }
+
+    return NULL;
+}
+
+int
+main()
+{
+    pthread_t thr;
+    int ret = pthread_create(&thr, NULL, mythr, NULL);
+    if (ret != 0) {
+        fprintf(stderr, "pthread_create failed\n");
+        return 1;
+    }
+
+    pthread_mutex_lock(&mutex);
+    while (ready == 0) {
+        pthread_cond_wait(&cond, &mutex);
+    }
+    pthread_mutex_unlock(&mutex);
+
+#if defined(VGO_linux)
+    assert(pselect(0, NULL, NULL, NULL, NULL, (sigset_t *)12) == -1);
+    assert(errno == EFAULT);
+#endif
+
+    alarm(1); /* Unhandled SIGALRM should cause exit. */
+    while (1)
+        sleep(1);
+
+    return 0;
+}
diff --git a/none/tests/pselect_alarm.stderr.exp b/none/tests/pselect_alarm.stderr.exp
new file mode 100644
index 0000000..e69de29
diff --git a/none/tests/pselect_alarm.stdout.exp b/none/tests/pselect_alarm.stdout.exp
new file mode 100644
index 0000000..e69de29
diff --git a/none/tests/pselect_alarm.vgtest b/none/tests/pselect_alarm.vgtest
new file mode 100644
index 0000000..84cc674
--- /dev/null
+++ b/none/tests/pselect_alarm.vgtest
@@ -0,0 +1,3 @@
+prog: pselect_alarm
+vgopts: -q
+stderr_filter: filter_stderr
diff --git a/tests/filter_stderr_basic b/tests/filter_stderr_basic
index 472cd8f..4b6e480 100755
--- a/tests/filter_stderr_basic
+++ b/tests/filter_stderr_basic
@@ -46,7 +46,7 @@ sed "/warning: line info addresses out of order/d" |
 # of the bash process. Newer bash versions redirect such messages properly.
 # Suppress any redirected abnormal termination messages. You can find the
 # complete list of messages in the bash source file siglist.c.
-perl -n -e 'print if !/^(Segmentation fault|Alarm clock|Aborted|Bus error)( \(core dumped\))?$/' |
+perl -n -e 'print if !/^(Segmentation fault|Alarm clock|Aborted|Bus error|Killed)( \(core dumped\))?$/' |
 
 # Similar as above, but for ksh on Solaris/illumos.
 perl -n -e 'print if !/^(Memory fault|Killed) $/' |
Only in valgrind-3.11.0: autom4te.cache
diff -ru valgrind-3.11.0.orig/none/tests/Makefile.in valgrind-3.11.0/none/tests/Makefile.in
--- valgrind-3.11.0.orig/none/tests/Makefile.in	2016-03-09 20:07:53.451112914 +0100
+++ valgrind-3.11.0/none/tests/Makefile.in	2016-03-09 20:09:44.281584703 +0100
@@ -151,7 +151,8 @@
 	libvexmultiarch_test$(EXEEXT) manythreads$(EXEEXT) \
 	mmap_fcntl_bug$(EXEEXT) munmap_exe$(EXEEXT) \
 	map_unaligned$(EXEEXT) map_unmap$(EXEEXT) mq$(EXEEXT) \
-	pending$(EXEEXT) procfs-cmdline-exe$(EXEEXT) \
+	pending$(EXEEXT) ppoll_alarm$(EXEEXT) \
+	procfs-cmdline-exe$(EXEEXT) pselect_alarm$(EXEEXT) \
 	pth_atfork1$(EXEEXT) pth_blockedsig$(EXEEXT) \
 	pth_cancel1$(EXEEXT) pth_cancel2$(EXEEXT) \
 	pth_cvsimple$(EXEEXT) pth_empty$(EXEEXT) pth_exit$(EXEEXT) \
@@ -329,12 +330,18 @@
 pending_SOURCES = pending.c
 pending_OBJECTS = pending.$(OBJEXT)
 pending_LDADD = $(LDADD)
+ppoll_alarm_SOURCES = ppoll_alarm.c
+ppoll_alarm_OBJECTS = ppoll_alarm.$(OBJEXT)
+ppoll_alarm_DEPENDENCIES =
 process_vm_readv_writev_SOURCES = process_vm_readv_writev.c
 process_vm_readv_writev_OBJECTS = process_vm_readv_writev.$(OBJEXT)
 process_vm_readv_writev_LDADD = $(LDADD)
 procfs_cmdline_exe_SOURCES = procfs-cmdline-exe.c
 procfs_cmdline_exe_OBJECTS = procfs-cmdline-exe.$(OBJEXT)
 procfs_cmdline_exe_LDADD = $(LDADD)
+pselect_alarm_SOURCES = pselect_alarm.c
+pselect_alarm_OBJECTS = pselect_alarm.$(OBJEXT)
+pselect_alarm_DEPENDENCIES =
 pth_atfork1_SOURCES = pth_atfork1.c
 pth_atfork1_OBJECTS = pth_atfork1.$(OBJEXT)
 pth_atfork1_DEPENDENCIES =
@@ -527,18 +534,18 @@
 	$(gxx304_SOURCES) ifunc.c ioctl_moans.c libvex_test.c \
 	$(libvexmultiarch_test_SOURCES) manythreads.c map_unaligned.c \
 	map_unmap.c mmap_fcntl_bug.c mq.c munmap_exe.c nestedfns.c \
-	pending.c process_vm_readv_writev.c procfs-cmdline-exe.c \
-	pth_atfork1.c pth_blockedsig.c pth_cancel1.c pth_cancel2.c \
-	pth_cvsimple.c pth_empty.c pth_exit.c pth_exit2.c \
-	pth_mutexspeed.c pth_once.c pth_rwlock.c pth_stackalign.c \
-	rcrl.c readline1.c require-text-symbol.c res_search.c resolv.c \
-	rlimit64_nofile.c rlimit_nofile.c selfrun.c sem.c semlimit.c \
-	sha1_test.c shortpush.c shorts.c sigstackgrowth.c \
-	stackgrowth.c syscall-restart1.c syscall-restart2.c syslog.c \
-	system.c thread-exits.c threaded-fork.c threadederrno.c \
-	timestamp.c $(tls_SOURCES) $(tls_so_SOURCES) \
-	$(tls2_so_SOURCES) unit_debuglog.c \
-	$(valgrind_cpp_test_SOURCES) vgprintf.c
+	pending.c ppoll_alarm.c process_vm_readv_writev.c \
+	procfs-cmdline-exe.c pselect_alarm.c pth_atfork1.c \
+	pth_blockedsig.c pth_cancel1.c pth_cancel2.c pth_cvsimple.c \
+	pth_empty.c pth_exit.c pth_exit2.c pth_mutexspeed.c pth_once.c \
+	pth_rwlock.c pth_stackalign.c rcrl.c readline1.c \
+	require-text-symbol.c res_search.c resolv.c rlimit64_nofile.c \
+	rlimit_nofile.c selfrun.c sem.c semlimit.c sha1_test.c \
+	shortpush.c shorts.c sigstackgrowth.c stackgrowth.c \
+	syscall-restart1.c syscall-restart2.c syslog.c system.c \
+	thread-exits.c threaded-fork.c threadederrno.c timestamp.c \
+	$(tls_SOURCES) $(tls_so_SOURCES) $(tls2_so_SOURCES) \
+	unit_debuglog.c $(valgrind_cpp_test_SOURCES) vgprintf.c
 DIST_SOURCES = ansi.c args.c async-sigs.c bitfield1.c bug129866.c \
 	bug234814.c closeall.c $(coolo_sigaction_SOURCES) \
 	coolo_strlen.c discard.c exec-sigmask.c execve.c faultstatus.c \
@@ -548,18 +555,18 @@
 	$(gxx304_SOURCES) ifunc.c ioctl_moans.c libvex_test.c \
 	$(libvexmultiarch_test_SOURCES) manythreads.c map_unaligned.c \
 	map_unmap.c mmap_fcntl_bug.c mq.c munmap_exe.c nestedfns.c \
-	pending.c process_vm_readv_writev.c procfs-cmdline-exe.c \
-	pth_atfork1.c pth_blockedsig.c pth_cancel1.c pth_cancel2.c \
-	pth_cvsimple.c pth_empty.c pth_exit.c pth_exit2.c \
-	pth_mutexspeed.c pth_once.c pth_rwlock.c pth_stackalign.c \
-	rcrl.c readline1.c require-text-symbol.c res_search.c resolv.c \
-	rlimit64_nofile.c rlimit_nofile.c selfrun.c sem.c semlimit.c \
-	sha1_test.c shortpush.c shorts.c sigstackgrowth.c \
-	stackgrowth.c syscall-restart1.c syscall-restart2.c syslog.c \
-	system.c thread-exits.c threaded-fork.c threadederrno.c \
-	timestamp.c $(tls_SOURCES) $(tls_so_SOURCES) \
-	$(tls2_so_SOURCES) unit_debuglog.c \
-	$(valgrind_cpp_test_SOURCES) vgprintf.c
+	pending.c ppoll_alarm.c process_vm_readv_writev.c \
+	procfs-cmdline-exe.c pselect_alarm.c pth_atfork1.c \
+	pth_blockedsig.c pth_cancel1.c pth_cancel2.c pth_cvsimple.c \
+	pth_empty.c pth_exit.c pth_exit2.c pth_mutexspeed.c pth_once.c \
+	pth_rwlock.c pth_stackalign.c rcrl.c readline1.c \
+	require-text-symbol.c res_search.c resolv.c rlimit64_nofile.c \
+	rlimit_nofile.c selfrun.c sem.c semlimit.c sha1_test.c \
+	shortpush.c shorts.c sigstackgrowth.c stackgrowth.c \
+	syscall-restart1.c syscall-restart2.c syslog.c system.c \
+	thread-exits.c threaded-fork.c threadederrno.c timestamp.c \
+	$(tls_SOURCES) $(tls_so_SOURCES) $(tls2_so_SOURCES) \
+	unit_debuglog.c $(valgrind_cpp_test_SOURCES) vgprintf.c
 RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
 	ctags-recursive dvi-recursive html-recursive info-recursive \
 	install-data-recursive install-dvi-recursive \
@@ -1072,12 +1079,14 @@
 	nestedfns.stderr.exp nestedfns.stdout.exp nestedfns.vgtest \
 	nodir.stderr.exp nodir.vgtest \
 	pending.stdout.exp pending.stderr.exp pending.vgtest \
+	ppoll_alarm.stdout.exp ppoll_alarm.stderr.exp ppoll_alarm.vgtest \
 	procfs-linux.stderr.exp-with-readlinkat \
 	procfs-linux.stderr.exp-without-readlinkat \
 	procfs-linux.vgtest \
 	procfs-non-linux.vgtest \
 	procfs-non-linux.stderr.exp-with-readlinkat \
 	procfs-non-linux.stderr.exp-without-readlinkat \
+	pselect_alarm.stdout.exp pselect_alarm.stderr.exp pselect_alarm.vgtest \
 	pth_atfork1.stderr.exp pth_atfork1.stdout.exp pth_atfork1.vgtest \
 	pth_blockedsig.stderr.exp \
 	pth_blockedsig.stdout.exp pth_blockedsig.vgtest \
@@ -1152,6 +1161,8 @@
 	../../VEX/libvex-@VGCONF_ARCH_PRI@-@VGCONF_OS@.a @LIB_UBSAN@
 
 libvexmultiarch_test_SOURCES = libvex_test.c
+ppoll_alarm_LDADD = -lpthread
+pselect_alarm_LDADD = -lpthread
 pth_atfork1_LDADD = -lpthread
 pth_blockedsig_LDADD = -lpthread
 pth_cancel1_CFLAGS = $(AM_CFLAGS) -Wno-shadow
@@ -1390,6 +1401,10 @@
 	@rm -f pending$(EXEEXT)
 	$(AM_V_CCLD)$(LINK) $(pending_OBJECTS) $(pending_LDADD) $(LIBS)
 
+ppoll_alarm$(EXEEXT): $(ppoll_alarm_OBJECTS) $(ppoll_alarm_DEPENDENCIES) $(EXTRA_ppoll_alarm_DEPENDENCIES) 
+	@rm -f ppoll_alarm$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(ppoll_alarm_OBJECTS) $(ppoll_alarm_LDADD) $(LIBS)
+
 process_vm_readv_writev$(EXEEXT): $(process_vm_readv_writev_OBJECTS) $(process_vm_readv_writev_DEPENDENCIES) $(EXTRA_process_vm_readv_writev_DEPENDENCIES) 
 	@rm -f process_vm_readv_writev$(EXEEXT)
 	$(AM_V_CCLD)$(LINK) $(process_vm_readv_writev_OBJECTS) $(process_vm_readv_writev_LDADD) $(LIBS)
@@ -1398,6 +1413,10 @@
 	@rm -f procfs-cmdline-exe$(EXEEXT)
 	$(AM_V_CCLD)$(LINK) $(procfs_cmdline_exe_OBJECTS) $(procfs_cmdline_exe_LDADD) $(LIBS)
 
+pselect_alarm$(EXEEXT): $(pselect_alarm_OBJECTS) $(pselect_alarm_DEPENDENCIES) $(EXTRA_pselect_alarm_DEPENDENCIES) 
+	@rm -f pselect_alarm$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(pselect_alarm_OBJECTS) $(pselect_alarm_LDADD) $(LIBS)
+
 pth_atfork1$(EXEEXT): $(pth_atfork1_OBJECTS) $(pth_atfork1_DEPENDENCIES) $(EXTRA_pth_atfork1_DEPENDENCIES) 
 	@rm -f pth_atfork1$(EXEEXT)
 	$(AM_V_CCLD)$(LINK) $(pth_atfork1_OBJECTS) $(pth_atfork1_LDADD) $(LIBS)
@@ -1607,8 +1626,10 @@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/munmap_exe.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nestedfns-nestedfns.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pending.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ppoll_alarm.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_vm_readv_writev.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/procfs-cmdline-exe.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pselect_alarm.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pth_atfork1.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pth_blockedsig.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pth_cancel1-pth_cancel1.Po@am__quote@