This is an automated email from Gerrit. Sebastiaan de Schaetzen ([email protected]) just uploaded a new patch set to Gerrit, which you can find at http://openocd.zylin.com/6381
-- gerrit commit dbdf50e86f5467befddee50d3b8a390539561350 Author: Sebastiaan de Schaetzen <[email protected]> Date: Tue Jul 27 15:06:57 2021 +0200 rtos/riot: fix out-of-bounds writes when target is corrupted This protects against out-of-bounds writes when the memory of RIOT's scheduler is corrupted. This memory can be corrupted because of: - Programming errors - The scheduler not yet having been initialised - An incorrect symbol file being used during debugging. This error can result in OpenOCD segfaulting. Valgrind was used to find the approximate location of the error. Change-Id: I60e7d7c245b8c4e38f4c98cb0c0347a9b5ec3177 Signed-off-by: Sebastiaan de Schaetzen <[email protected]>
diff --git a/src/rtos/riot.c b/src/rtos/riot.c
index fb5d1b2..57e24d8 100644
--- a/src/rtos/riot.c
+++ b/src/rtos/riot.c
@@ -118,7 +118,7 @@ const struct rtos_type riot_rtos = {
 static int riot_update_threads(struct rtos *rtos)
 {
 int retval;
- unsigned int tasks_found = 0;
+ int tasks_found = 0;
 const struct riot_params *param;
 if (!rtos)
@@ -170,7 +170,6 @@ static int riot_update_threads(struct rtos *rtos)
 riot_symbol_list[RIOT_NUM_THREADS]);
 return retval;
 }
- rtos->thread_count = thread_count;
 /* read the maximum number of threads */
 uint8_t max_threads = 0;
@@ -182,6 +181,12 @@ static int riot_update_threads(struct rtos *rtos)
 riot_symbol_list[RIOT_MAX_THREADS]);
 return retval;
 }
+ rtos->thread_count = thread_count;
+ if (rtos->thread_count > max_threads)
+ {
+ LOG_ERROR("Thread count is invalid");
+ return ERROR_FAIL;
+ }
 /* Base address of thread array */
 uint32_t threads_base = rtos->symbols[RIOT_THREADS_BASE].address;
@@ -211,6 +216,10 @@ static int riot_update_threads(struct rtos *rtos)
 char buffer[32];
 for (unsigned int i = 0; i < max_threads; i++) {
+ if (tasks_found == rtos->thread_count) {
+ break;
+ }
+
 /* get pointer to tcb_t */
 uint32_t tcb_pointer = 0;
 retval = target_read_u32(rtos->target,
--
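Review bot: In the third hunk `rtos->thread_count` is assigned before the new bounds check, so the `ERROR_FAIL` return leaves the rejected, target-supplied value stored in the rtos structure for any later reader. Checking the local first and assigning only afterwards keeps the state consistent: `if (thread_count > max_threads) { LOG_ERROR("Thread count is invalid"); return ERROR_FAIL; }` followed by `rtos->thread_count = thread_count;`. The check is an upper bound only; the first hunk makes `tasks_found` signed, presumably to compare against a signed `rtos->thread_count`, and if the local `thread_count` is signed as well (its declaration is outside the hunk) a negative value read from corrupted memory would pass, so `thread_count < 0 ||` belongs in the condition. Printing both values in the error message would make a wrong symbol file easier to recognise from the log.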
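Review bot: The loop guard in the fourth hunk compares with `==`, which only stops the writes when `tasks_found` reaches the count exactly; it never fires for a count that is negative or already exceeded, whereas `if (tasks_found >= rtos->thread_count) break;` bounds the index in every case. The reason for the guard is not visible at this point in the loop, so a comment such as `/* thread_details has thread_count entries; a corrupted target may expose more non-NULL TCBs */` would help, assuming the array is sized from `thread_count` (the allocation is outside the hunk). The loop body and the code that writes through `tasks_found` continue outside the hunk, so confirm that no other path increments it by more than one.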
