arch/stackframe: fix heap buffer overflow #1234
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ASAN trace:
...
==32087==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4502120 at pc 0x56673ca3 bp 0xff9b6a08 sp 0xff9b69f8
WRITE of size 1 at 0xf4502120 thread T0
#0 0x56673ca2 in strcpy string/lib_strcpy.c:64
0xf4502120 is located 0 bytes to the right of 8224-byte region [0xf4500100,0xf4502120)
allocated by thread T0 here:
#0 0xf7a60f54 in malloc (/usr/lib32/libasan.so.4+0xe5f54)
#1 0x5667725d in up_create_stack sim/up_createstack.c:135
#2 0x56657ed8 in nxthread_create task/task_create.c:125
#3 0x566580bb in kthread_create task/task_create.c:297
#4 0x5665935f in work_start_highpri wqueue/kwork_hpthread.c:149
#5 0x56656f31 in nx_workqueues init/nx_bringup.c:181
#6 0x56656fc6 in nx_bringup init/nx_bringup.c:436
apache#7 0x56656e95 in nx_start init/nx_start.c:809
apache#8 0x566548d4 in main sim/up_head.c:95
apache#9 0xf763ae80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
CALLSTACK:
apache#8 0xf79de7a5 in __asan_report_store1 () from /usr/lib32/libasan.so.4
apache#9 0x565fd4d7 in strcpy (dest=0xf4a02121 "", src=0xf5c00895 "k") at string/lib_strcpy.c:64
apache#10 0x565e4eb2 in nxtask_setup_stackargs (tcb=0xf5c00810, argv=0x0) at task/task_setup.c:570
apache#11 0x565e50ff in nxtask_setup_arguments (tcb=0xf5c00810, name=0x5679e580 "hpwork", argv=0x0) at task/task_setup.c:714
apache#12 0x565e414e in nxthread_create (name=0x5679e580 "hpwork", ttype=2 '\002', priority=224, stack=0x0, stack_size=8192, entry=0x565e54e1 <work_hpthread>, argv=0x0) at task/task_create.c:143
apache#13 0x565e42e3 in kthread_create (name=0x5679e580 "hpwork", priority=224, stack_size=8192, entry=0x565e54e1 <work_hpthread>, argv=0x0) at task/task_create.c:297
apache#14 0x565e5557 in work_start_highpri () at wqueue/kwork_hpthread.c:149
apache#15 0x565e3e32 in nx_workqueues () at init/nx_bringup.c:181
apache#16 0x565e3ec7 in nx_bringup () at init/nx_bringup.c:436
apache#17 0x565e3d96 in nx_start () at init/nx_start.c:809
apache#18 0x565e3195 in main (argc=1, argv=0xffe6b954, envp=0xffe6b95c) at sim/up_head.c:95
Change-Id: I096f7952aae67d055daa737e967242eb217ef8ac
Signed-off-by: chao.an <[email protected]>
Signed-off-by: chao.an <[email protected]>
This was referenced Sep 26, 2024
This was referenced Nov 26, 2024
This was referenced Dec 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
arch/stackframe: fix heap buffer overflow
ASAN trace:
...
==32087==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4502120 at pc 0x56673ca3 bp 0xff9b6a08 sp 0xff9b69f8
WRITE of size 1 at 0xf4502120 thread T0
#0 0x56673ca2 in strcpy string/lib_strcpy.c:64
0xf4502120 is located 0 bytes to the right of 8224-byte region [0xf4500100,0xf4502120)
allocated by thread T0 here:
#0 0xf7a60f54 in malloc (/usr/lib32/libasan.so.4+0xe5f54)
#1 0x5667725d in up_create_stack sim/up_createstack.c:135
#2 0x56657ed8 in nxthread_create task/task_create.c:125
#3 0x566580bb in kthread_create task/task_create.c:297
#4 0x5665935f in work_start_highpri wqueue/kwork_hpthread.c:149
#5 0x56656f31 in nx_workqueues init/nx_bringup.c:181
#6 0x56656fc6 in nx_bringup init/nx_bringup.c:436
#7 0x56656e95 in nx_start init/nx_start.c:809
#8 0x566548d4 in main sim/up_head.c:95
#9 0xf763ae80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
CALLSTACK:
#8 0xf79de7a5 in __asan_report_store1 () from /usr/lib32/libasan.so.4
#9 0x565fd4d7 in strcpy (dest=0xf4a02121 "", src=0xf5c00895 "k") at string/lib_strcpy.c:64
#10 0x565e4eb2 in nxtask_setup_stackargs (tcb=0xf5c00810, argv=0x0) at task/task_setup.c:570
#11 0x565e50ff in nxtask_setup_arguments (tcb=0xf5c00810, name=0x5679e580 "hpwork", argv=0x0) at task/task_setup.c:714
#12 0x565e414e in nxthread_create (name=0x5679e580 "hpwork", ttype=2 '\002', priority=224, stack=0x0, stack_size=8192, entry=0x565e54e1 <work_hpthread>, argv=0x0) at task/task_create.c:143
#13 0x565e42e3 in kthread_create (name=0x5679e580 "hpwork", priority=224, stack_size=8192, entry=0x565e54e1 <work_hpthread>, argv=0x0) at task/task_create.c:297
#14 0x565e5557 in work_start_highpri () at wqueue/kwork_hpthread.c:149
#15 0x565e3e32 in nx_workqueues () at init/nx_bringup.c:181
#16 0x565e3ec7 in nx_bringup () at init/nx_bringup.c:436
#17 0x565e3d96 in nx_start () at init/nx_start.c:809
#18 0x565e3195 in main (argc=1, argv=0xffe6b954, envp=0xffe6b95c) at sim/up_head.c:95