This is an automated email from Gerrit. "zapb <d...@zapb.de>" just uploaded a new patch set to Gerrit, which you can find at https://review.openocd.org/c/openocd/+/7543
-- gerrit

commit 117b5a8f843a1dc1531c4613cded21a6bf9f02c3
Author: Marc Schink <d...@zapb.de>
Date: Sun Mar 19 11:48:37 2023 +0100

    target/arm_adi_v5: Fix integer underflow and segfault

    When reading from memory fails, the current code returns to the caller the successfully read data. However, this code fails if the memory address at which the read operation failed is not aligned with the size of the requested data.

    For example, the caller requests 16 bytes (count=4, size=4) from address 0x08000000. Now, if the read fails at address 0x08000006, the current code tries to provide the six bytes that were successfully read. Since the code to unpack the DRW buffer assumes that the data size is aligned, an integer underflow of 'nbytes' occurs which finally results in a segmentation fault due to invalid memory reads.

    Fix this integer underflow by aligning 'nbytes' to the size of the requested data. For the example given above, the code only provides the 4 bytes that were successfully read.

    Change-Id: If7bbc346957ec550e5b7f207b1b5a23d9cbc9c0f
    Signed-off-by: Marc Schink <d...@zapb.de>

diff --git a/src/target/arm_adi_v5.c b/src/target/arm_adi_v5.c index da5da3197d..95b9f4b023 100644 --- a/src/target/arm_adi_v5.c +++ b/src/target/arm_adi_v5.c @@ -569,7 +569,7 @@ static int mem_ap_read(struct adiv5_ap *ap, uint8_t *buffer, uint32_t size, uint /* TAR is incremented after failed transfer on some devices (eg Cortex-M4) */ LOG_ERROR("Failed to read memory at " TARGET_ADDR_FMT, tar); if (nbytes > tar - address) - nbytes = tar - address; + nbytes = ALIGN_DOWN(tar - address, size); } else { LOG_ERROR("Failed to read memory and, additionally, failed to find out where"); nbytes = 0; --
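
Review bot: The new `nbytes = ALIGN_DOWN(tar - address, size);` line carries no comment saying why the rounding is needed, and the existing comment above it only covers the TAR increment. A one-line comment stating that the DRW unpack code requires `nbytes` to be a multiple of `size` would keep a later cleanup from reverting this to `tar - address`. Two things to confirm in the same branch: if `ALIGN_DOWN` is mask based, it assumes `size` is a power of two, so that precondition should hold for every caller. Also, the guard `if (nbytes > tar - address)` still trusts the reported `tar`: if these values are unsigned and `tar` ever comes back below `address`, the subtraction wraps, the guard is false, and `nbytes` stays at the full request length even though the read failed. An explicit `tar < address` check that sets `nbytes = 0`, as the `else` branch already does, would close that case.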