This is an automated email from Gerrit. Cody Schafer (open...@codyps.com) just uploaded a new patch set to Gerrit, which you can find at http://openocd.zylin.com/4458
-- gerrit

commit dbebf944e4920bc4aa53e7de9506617b3e3abc26
Author: Cody P Schafer <open...@codyps.com>
Date: Wed Mar 7 11:31:35 2018 -0500

target/cortex_m: support up to 10 comparators & avoid undefined behavior when more than 10 are supported

On a stm32f767zi chip (on a nucleo-767zi board) I've been seeing crashes with address sanitizer enabled due to its (apparent) 10 present comparators. In non-address sanitizer builds, this would likely cause some random memory to be written to in some cases.

I've included the address sanitizer output of a build without this commit (but with a few extra debug prints).

To support the specific chip, I've increased the DWT comparator limit to 10 (we may just want to dynamically allocate these) and added a check to limit our supported DWT comparators in case this number gets bumped again.

```
$ openocd -f board/st_nucleo_f7.cfg
Open On-Chip Debugger 0.10.0+dev-00324-g0b1ddb8b-dirty (2018-03-07-10:22)
Licensed under GNU GPL v2
For bug reports, read http://openocd.org/doc/doxygen/bugs.html
WARNING: interface/stlink-v2-1.cfg is deprecated, please switch to interface/stlink.cfg
src/jtag/hla/hla_tcl.c:49:2: runtime error: null pointer passed as argument 2, which is declared to never be null
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
adapter speed: 2000 kHz
adapter_nsrst_delay: 100
srst_only separate srst_nogate srst_open_drain connect_deassert_srst
srst_only separate srst_nogate srst_open_drain connect_deassert_srst
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : Unable to match requested speed 2000 kHz, using 1800 kHz
Info : Unable to match requested speed 2000 kHz, using 1800 kHz
Info : clock speed 1800 kHz
Info : STLINK v2 JTAG v28 API v2 SWIM v18 VID 0x0483 PID 0x374B
Info : using stlink api v2
Info : Target voltage: 3.253861
Info : DWT_CTRL: 2690580480
Info : DWT comparitors: 10
Info : addreg 0x563fb0fe7ec0, 18446744073709551612, 18446744073709551615, 18446744073709551615
Info : addreg 0x563fb0fe7ed8, 18446744073709551613, 18446744073709551615, 0
Info : addreg 0x563fb0fe7f20, 0, 0, 0
Info : addreg 0x563fb0fe7f38, 1, 0, 1
Info : addreg 0x563fb0fe7f50, 2, 0, 2
Info : addreg 0x563fb0fe7f68, 3, 1, 0
Info : addreg 0x563fb0fe7f80, 4, 1, 1
Info : addreg 0x563fb0fe7f98, 5, 1, 2
Info : addreg 0x563fb0fe7fb0, 6, 2, 0
Info : addreg 0x563fb0fe7fc8, 7, 2, 1
Info : addreg 0x563fb0fe7fe0, 8, 2, 2
Info : addreg 0x563fb0fe7ff8, 9, 3, 0
Info : addreg 0x563fb0fe8010, 10, 3, 1
Info : addreg 0x563fb0fe8028, 11, 3, 2
Info : addreg 0x563fb0fe8040, 12, 4, 0
=================================================================
==14485==ERROR: AddressSanitizer: global-buffer-overflow on address 0x563fb0fe8040 at pc 0x563fb01c5fc4 bp 0x7fff17aadb30 sp 0x7fff17aadb20
READ of size 4 at 0x563fb0fe8040 thread T0
    #0 0x563fb01c5fc3 in cortex_m_dwt_addreg src/target/cortex_m.c:1874
    #1 0x563fb01c6e03 in cortex_m_dwt_setup src/target/cortex_m.c:1935
    #2 0x563fb01c975f in cortex_m_examine src/target/cortex_m.c:2140
    #3 0x563fafe64ee1 in target_examine_one src/target/target.c:704
    #4 0x563fafe651c7 in target_examine src/target/target.c:746
    #5 0x563fafd73d7c in handle_init_command src/openocd.c:154
    #6 0x563faff04e73 in run_command src/helper/command.c:623
    #7 0x563faff01670 in script_command_run src/helper/command.c:208
    #8 0x563faff0184c in script_command src/helper/command.c:223
    #9 0x563fb0426559 in JimInvokeCommand /home/cody/d/openocd-code/jimtcl/jim.c:10364

0x563fb0fe8040 is located 0 bytes to the right of global variable 'dwt_comp' defined in 'src/target/cortex_m.c:1848:23' (0x563fb0fe7f20) of size 288
0x563fb0fe8040 is located 32 bytes to the left of global variable '*.Lubsan_data441' defined in 'src/target/cortex_m.c' (0x563fb0fe8060) of size 40
SUMMARY: AddressSanitizer: global-buffer-overflow src/target/cortex_m.c:1874 in cortex_m_dwt_addreg
Shadow bytes around the buggy address:
  0x0ac8761f4fb0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0ac8761f4fc0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac8761f4fd0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x0ac8761f4fe0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac8761f4ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ac8761f5000: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00
  0x0ac8761f5010: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
  0x0ac8761f5020: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0ac8761f5030: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac8761f5040: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
  0x0ac8761f5050: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==14485==ABORTING
```

Change-Id: I2b7d599eb326236dbc93f74b350c442c9a502c4b
Signed-off-by: Cody P Schafer <open...@codyps.com>
diff --git a/src/target/cortex_m.c b/src/target/cortex_m.c index 79af632..4958f9f 100644 --- a/src/target/cortex_m.c +++ b/src/target/cortex_m.c @@ -1854,6 +1854,13 @@ static struct dwt_reg dwt_comp[] = { DWT_COMPARATOR(1), DWT_COMPARATOR(2), DWT_COMPARATOR(3), + DWT_COMPARATOR(4), + DWT_COMPARATOR(5), + DWT_COMPARATOR(6), + DWT_COMPARATOR(7), + DWT_COMPARATOR(8), + DWT_COMPARATOR(9), + DWT_COMPARATOR(10), #undef DWT_COMPARATOR }; @@ -1887,15 +1894,24 @@ void cortex_m_dwt_setup(struct cortex_m_common *cm, struct target *target) int reg, i; target_read_u32(target, DWT_CTRL, &dwtcr); + LOG_INFO("DWT_CTRL: %" PRIu32, dwtcr); if (!dwtcr) { LOG_DEBUG("no DWT"); return; } cm->dwt_num_comp = (dwtcr >> 28) & 0xF; + + if ((size_t)cm->dwt_num_comp > (ARRAY_SIZE(dwt_comp) / 3)) { + LOG_WARNING("Target supports %" PRIu32 " dwt comparitors, but openocd only supports up to %zu, limiting", + cm->dwt_num_comp, ARRAY_SIZE(dwt_comp)/3); + cm->dwt_num_comp = ARRAY_SIZE(dwt_comp)/3; + } + cm->dwt_comp_available = cm->dwt_num_comp; cm->dwt_comparator_list = calloc(cm->dwt_num_comp, sizeof(struct cortex_m_dwt_comparator)); + if (!cm->dwt_comparator_list) { fail0: cm->dwt_num_comp = 0;
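
Review bot: in the dwt_comp[] hunk, the added entries run from DWT_COMPARATOR(4) through DWT_COMPARATOR(10), which (assuming the table starts at DWT_COMPARATOR(0) above the visible context) makes 11 comparators rather than the 10 named in the commit message; either stop at DWT_COMPARATOR(9) or correct the message. The count is read as (dwtcr >> 28) & 0xF in the second hunk, so it can never exceed 15; extending the table through DWT_COMPARATOR(14) would cover every value that field can encode and leave the new clamp as a pure safety net.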
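
Review bot: in the cortex_m_dwt_setup hunk, the new LOG_INFO("DWT_CTRL: %" PRIu32, dwtcr) prints a register value in decimal at info level on every examine and reads like one of the extra debug prints the commit message mentions; make it LOG_DEBUG with a hex conversion (PRIx32) or drop it. In the clamp, cm->dwt_num_comp needs a (size_t) cast for the comparison yet is passed to a PRIu32 conversion in LOG_WARNING, so confirm its declared type matches that format. ARRAY_SIZE(dwt_comp) / 3 appears three times with a bare 3; a named constant for the number of registers per comparator would keep the bound tied to the table layout. The warning text spells the word "comparitors", and the blank line added after the calloc() call is an unrelated whitespace change.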