This is an automated email from Gerrit.

Antonio Borneo ([email protected]) just uploaded a new patch set to 
Gerrit, which you can find at http://openocd.zylin.com/6417

-- gerrit

commit 129d0db2c409f6880adb8f0dd8ec101b8b18fddf
Author: Antonio Borneo <[email protected]>
Date:   Mon Aug 9 15:03:37 2021 +0200

    jtag/mpsse: fix SIGSEGV for use after free
    
    By pressing CTRL-C on a running openocd with FTDI adapter, it's
    possible to generate a segmentation fault that with valgrind is
    dumped as a SIGABRT:
    
    ^CError: libusb_handle_events() failed with LIBUSB_ERROR_INTERRUPTED
    ==16594== Invalid read of size 8
    ==16594==    at 0x48B2472: libusb_submit_transfer
    ==16594==    by 0x48B4B0F: libusb_control_transfer
    ==16594==    by 0x1A6B9D: mpsse_purge (mpsse.c:428)
    ==16594==    by 0x1A7B96: mpsse_flush (mpsse.c:953)
    ==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
    ...
    ==16594==  Address 0x6158568 is 72 bytes inside a block of size 216 free'd
    ==16594==    at 0x484118B: free (vg_replace_malloc.c:755)
    ==16594==    by 0x1A7B88: mpsse_flush (mpsse.c:950)
    ==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
    ...
    ==16594==  Block was alloc'd at
    ==16594==    at 0x48435FF: calloc (vg_replace_malloc.c:1117)
    ==16594==    by 0x48B2259: libusb_alloc_transfer
    ==16594==    by 0x1A7A26: mpsse_flush (mpsse.c:880)
    ==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
    ...
    ==16594== Process terminating with default action of signal 6 (SIGABRT):
        dumping core
    ...
    Aborted (core dumped)
    
    The error is in mpsse_flush() that, following the valgrind dump:
    - allocates the buffer at line mpsse.c:880
      read_transfer = libusb_alloc_transfer(0);
    - frees the buffer at line mpsse.c:950
      libusb_free_transfer(read_transfer);
    - still pretends to use the freed buffer at line mpsse.c:953
      mpsse_purge(ctx);
    
    Move the call to mpsse_purge() right before freeing the buffer.
    
    Change-Id: I47c71ec8c283f4b037fdd7cd72ca2e877cd3a851
    Signed-off-by: Antonio Borneo <[email protected]>

diff --git a/src/jtag/drivers/mpsse.c b/src/jtag/drivers/mpsse.c
index 4e64fdb..0e3d2be 100644
--- a/src/jtag/drivers/mpsse.c
+++ b/src/jtag/drivers/mpsse.c
@@ -945,12 +945,12 @@ error_check:
                retval = ERROR_OK;
        }
 
+       if (retval != ERROR_OK)
+               mpsse_purge(ctx);
+
        libusb_free_transfer(write_transfer);
        if (read_transfer)
                libusb_free_transfer(read_transfer);
 
-       if (retval != ERROR_OK)
-               mpsse_purge(ctx);
-
        return retval;
 }
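Review bot: the reorder matches the commit message (purge now runs while write_transfer and read_transfer are still allocated), but note where the invalid read actually occurs: inside libusb_submit_transfer called from libusb_control_transfer, not in mpsse_purge() itself, and the read targets the block freed by `libusb_free_transfer(read_transfer)`. That pattern suggests libusb still held a reference to read_transfer when it was freed, most likely because the transfer was neither completed nor cancelled after libusb_handle_events() returned LIBUSB_ERROR_INTERRUPTED. Moving the purge fixes the trace shown here, but it would be worth confirming on that error path that the pending transfer is cancelled (and its completion reaped) before the two libusb_free_transfer() calls, otherwise any later libusb call in this context could hit the same dangling entry. A one-line comment above the new `if (retval != ERROR_OK)` explaining that purge must precede the frees would also help prevent the order from being silently reverted later.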

-- 