From 6cfdde4b91447633275f6c7a169de1bbac0ba1a0 Mon Sep 17 00:00:00 2001
From: Joshua Peraza
Date: Wed, 22 Mar 2017 16:12:05 -0700
Subject: [PATCH] Sanity check frame pointer while stackwalking

BUG=
Change-Id: Ib9b0fd5ba7f829f8be8cf856ab371c6540279ee5
Reviewed-on: https://chromium-review.googlesource.com/458526
Reviewed-by: Ivan Penkov
---
 src/processor/stackwalker_amd64.cc | 6 ++++++
 src/processor/stackwalker_amd64_unittest.cc | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/processor/stackwalker_amd64.cc b/src/processor/stackwalker_amd64.cc
index 440724a1..d1333248 100644
--- a/src/processor/stackwalker_amd64.cc
+++ b/src/processor/stackwalker_amd64.cc
@@ -215,6 +215,12 @@ StackFrameAMD64* StackwalkerAMD64::GetCallerByFramePointerRecovery(
     return NULL;
   }
 
+  // Sanity check that resulting rbp is still inside stack memory.
+  uint64_t unused;
+  if (!memory_->GetMemoryAtAddress(caller_rbp, &unused)) {
+    return NULL;
+  }
+
   StackFrameAMD64* frame = new StackFrameAMD64();
   frame->trust = StackFrame::FRAME_TRUST_FP;
   frame->context = last_frame->context;
diff --git a/src/processor/stackwalker_amd64_unittest.cc b/src/processor/stackwalker_amd64_unittest.cc
index 935bef86..70fba11b 100644
--- a/src/processor/stackwalker_amd64_unittest.cc
+++ b/src/processor/stackwalker_amd64_unittest.cc
@@ -690,7 +690,8 @@ TEST_F(GetCallerFrame, CallerPushedRBP) {
     // frame 1
     .Mark(&frame1_sp)
     .Append(32, 0)  // body of frame1
-    .Mark(&frame1_rbp);  // end of stack
+    .Mark(&frame1_rbp)  // end of stack
+    .D64(0);
   RegionFromSection();
 
   raw_context.rip = 0x00007400c0000200ULL;
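Review bot: The new guard in GetCallerByFramePointerRecovery checks more than its comment says: GetMemoryAtAddress with a uint64_t out-parameter succeeds only when all eight bytes at caller_rbp lie inside memory_, so a recovered rbp that lands within the last seven bytes of the captured stack region is rejected too, which is exactly why the unittest hunk has to append `.D64(0)` after `.Mark(&frame1_rbp)`. I would state that in the comment so the next reader does not take it for a plain bounds check: `// Sanity check that the resulting rbp still points at 8 readable bytes of stack memory; a frame pointer at or past the end of the captured region is rejected.`. The enclosing function begins before this hunk, so whether caller_rbp is also required to be above last_frame->context.rbp is not visible here; if it is not, a frame pointer that walks backward into an already-visited frame passes this readability check and relies on whatever stack-pointer monotonicity check the caller applies. Consider `if (caller_rbp <= last_frame->context.rbp) return NULL;` next to the new check if that ordering is not already enforced earlier in the function.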
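Review bot: The added `.D64(0)` in CallerPushedRBP carries no comment, while `// end of stack` still sits on the `.Mark(&frame1_rbp)` line above it even though the stack now extends eight bytes further. A reader of the fixture cannot tell the extra word is there to satisfy the new readability check on the recovered rbp rather than being part of frame 1. I would move the marker and explain the word, e.g. `.Mark(&frame1_rbp)` followed by `.D64(0);  // end of stack: 8 readable bytes so the rbp sanity check accepts frame1_rbp`. The TEST_F body continues outside the hunk.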