This is an automated email from Gerrit.

Cody Schafer (open...@codyps.com) just uploaded a new patch set to Gerrit, 
which you can find at http://openocd.zylin.com/4458

-- gerrit

commit dbebf944e4920bc4aa53e7de9506617b3e3abc26
Author: Cody P Schafer <open...@codyps.com>
Date:   Wed Mar 7 11:31:35 2018 -0500

    target/cortex_m: support up to 10 comparitors & avoid undefined behavior 
when more than 10 are supported
    
    On a stm32f767zi chip (on a nucleo-767zi board) I've been seeing crashes
    with address sanitizer enabled due to its (apparent) 10 present
    comparators.
    
    In non-address sanitizer builds, this would likely cause some random
    memory to be written to in some cases.
    
    I've included the address sanitizer output of a build without this
    commit (but with a few extra debug prints).
    
    To support the specific chip, I've increased the DWT comparitor limit to
    10 (we may just want to dynamically allocate these) and added a check to
    limit our supported DWT comparitors in case this number gets bumped
    again.
    
    ```
    $ openocd -f board/st_nucleo_f7.cfg
    Open On-Chip Debugger 0.10.0+dev-00324-g0b1ddb8b-dirty (2018-03-07-10:22)
    Licensed under GNU GPL v2
    For bug reports, read
            http://openocd.org/doc/doxygen/bugs.html
    WARNING: interface/stlink-v2-1.cfg is deprecated, please switch to 
interface/stlink.cfg
    src/jtag/hla/hla_tcl.c:49:2: runtime error: null pointer passed as argument 
2, which is declared to never be null
    Info : The selected transport took over low-level target control. The 
results might differ compared to plain JTAG/SWD
    adapter speed: 2000 kHz
    adapter_nsrst_delay: 100
    srst_only separate srst_nogate srst_open_drain connect_deassert_srst
    srst_only separate srst_nogate srst_open_drain connect_deassert_srst
    Info : Listening on port 6666 for tcl connections
    Info : Listening on port 4444 for telnet connections
    Info : Unable to match requested speed 2000 kHz, using 1800 kHz
    Info : Unable to match requested speed 2000 kHz, using 1800 kHz
    Info : clock speed 1800 kHz
    Info : STLINK v2 JTAG v28 API v2 SWIM v18 VID 0x0483 PID 0x374B
    Info : using stlink api v2
    Info : Target voltage: 3.253861
    Info : DWT_CTRL: 2690580480
    Info : DWT comparitors: 10
    Info : addreg 0x563fb0fe7ec0, 18446744073709551612, 18446744073709551615, 
18446744073709551615
    Info : addreg 0x563fb0fe7ed8, 18446744073709551613, 18446744073709551615, 0
    Info : addreg 0x563fb0fe7f20, 0, 0, 0
    Info : addreg 0x563fb0fe7f38, 1, 0, 1
    Info : addreg 0x563fb0fe7f50, 2, 0, 2
    Info : addreg 0x563fb0fe7f68, 3, 1, 0
    Info : addreg 0x563fb0fe7f80, 4, 1, 1
    Info : addreg 0x563fb0fe7f98, 5, 1, 2
    Info : addreg 0x563fb0fe7fb0, 6, 2, 0
    Info : addreg 0x563fb0fe7fc8, 7, 2, 1
    Info : addreg 0x563fb0fe7fe0, 8, 2, 2
    Info : addreg 0x563fb0fe7ff8, 9, 3, 0
    Info : addreg 0x563fb0fe8010, 10, 3, 1
    Info : addreg 0x563fb0fe8028, 11, 3, 2
    Info : addreg 0x563fb0fe8040, 12, 4, 0
    =================================================================
    ==14485==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x563fb0fe8040 at pc 0x563fb01c5fc4 bp 0x7fff17aadb30 sp 0x7fff17aadb20
    READ of size 4 at 0x563fb0fe8040 thread T0
        #0 0x563fb01c5fc3 in cortex_m_dwt_addreg src/target/cortex_m.c:1874
        #1 0x563fb01c6e03 in cortex_m_dwt_setup src/target/cortex_m.c:1935
        #2 0x563fb01c975f in cortex_m_examine src/target/cortex_m.c:2140
        #3 0x563fafe64ee1 in target_examine_one src/target/target.c:704
        #4 0x563fafe651c7 in target_examine src/target/target.c:746
        #5 0x563fafd73d7c in handle_init_command src/openocd.c:154
        #6 0x563faff04e73 in run_command src/helper/command.c:623
        #7 0x563faff01670 in script_command_run src/helper/command.c:208
        #8 0x563faff0184c in script_command src/helper/command.c:223
        #9 0x563fb0426559 in JimInvokeCommand 
/home/cody/d/openocd-code/jimtcl/jim.c:10364
    
    0x563fb0fe8040 is located 0 bytes to the right of global variable 
'dwt_comp' defined in 'src/target/cortex_m.c:1848:23' (0x563fb0fe7f20) of size 
288
    0x563fb0fe8040 is located 32 bytes to the left of global variable 
'*.Lubsan_data441' defined in 'src/target/cortex_m.c' (0x563fb0fe8060) of size 
40
    SUMMARY: AddressSanitizer: global-buffer-overflow 
src/target/cortex_m.c:1874 in cortex_m_dwt_addreg
    Shadow bytes around the buggy address:
      0x0ac8761f4fb0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
      0x0ac8761f4fc0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      0x0ac8761f4fd0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
      0x0ac8761f4fe0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ac8761f4ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ac8761f5000: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00
      0x0ac8761f5010: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
      0x0ac8761f5020: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
      0x0ac8761f5030: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      0x0ac8761f5040: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
      0x0ac8761f5050: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14485==ABORTING
    ```
    
    Change-Id: I2b7d599eb326236dbc93f74b350c442c9a502c4b
    Signed-off-by: Cody P Schafer <open...@codyps.com>

diff --git a/src/target/cortex_m.c b/src/target/cortex_m.c
index 79af632..4958f9f 100644
--- a/src/target/cortex_m.c
+++ b/src/target/cortex_m.c
@@ -1854,6 +1854,13 @@ static struct dwt_reg dwt_comp[] = {
        DWT_COMPARATOR(1),
        DWT_COMPARATOR(2),
        DWT_COMPARATOR(3),
+       DWT_COMPARATOR(4),
+       DWT_COMPARATOR(5),
+       DWT_COMPARATOR(6),
+       DWT_COMPARATOR(7),
+       DWT_COMPARATOR(8),
+       DWT_COMPARATOR(9),
+       DWT_COMPARATOR(10),
 #undef DWT_COMPARATOR
 };
 
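Review bot: The table now ends at `DWT_COMPARATOR(10)`, which gives eleven comparators if it starts at index 0 above the hunk, while the commit message speaks of a limit of 10. If ten is the intended maximum, the list should stop at `DWT_COMPARATOR(9)`. The second hunk extracts the count as a 4-bit field (`(dwtcr >> 28) & 0xF`), so a target can report up to 15; a short comment above the table naming the chosen maximum and noting that larger counts are clamped in cortex_m_dwt_setup would make the relationship explicit. The DWT_COMPARATOR macro and the start of the array are outside the hunk.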
@@ -1887,15 +1894,24 @@ void cortex_m_dwt_setup(struct cortex_m_common *cm, 
struct target *target)
        int reg, i;
 
        target_read_u32(target, DWT_CTRL, &dwtcr);
+       LOG_INFO("DWT_CTRL: %" PRIu32, dwtcr);
        if (!dwtcr) {
                LOG_DEBUG("no DWT");
                return;
        }
 
        cm->dwt_num_comp = (dwtcr >> 28) & 0xF;
+
+       if ((size_t)cm->dwt_num_comp > (ARRAY_SIZE(dwt_comp) / 3)) {
+               LOG_WARNING("Target supports %" PRIu32 " dwt comparitors, but 
openocd only supports up to %zu, limiting",
+                               cm->dwt_num_comp, ARRAY_SIZE(dwt_comp)/3);
+               cm->dwt_num_comp = ARRAY_SIZE(dwt_comp)/3;
+       }
+
        cm->dwt_comp_available = cm->dwt_num_comp;
        cm->dwt_comparator_list = calloc(cm->dwt_num_comp,
                        sizeof(struct cortex_m_dwt_comparator));
+
        if (!cm->dwt_comparator_list) {
 fail0:
                cm->dwt_num_comp = 0;
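Review bot: The new clamp in cortex_m_dwt_setup takes its limit from `ARRAY_SIZE(dwt_comp) / 3`, written out three times, so the bound that keeps a target-reported comparator count inside dwt_comp silently depends on every comparator having exactly three entries in that table. A single named constant next to the table, such as `#define DWT_MAX_COMP (ARRAY_SIZE(dwt_comp) / 3)`, would keep the check and the layout together. The added `LOG_INFO("DWT_CTRL: ...")` looks like one of the debug prints mentioned in the description and would fit better as `LOG_DEBUG`. The warning prints `cm->dwt_num_comp` with `PRIu32`; its declaration is not in the hunk, but the `(size_t)` cast suggests it may be a plain `int`, in which case `%d` is the matching conversion. The function starts and ends outside the hunk, so the loop that consumes the clamped count is not visible here.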
