jtag/mpsse: fix SIGSEGV for use after free 17/6417/3
author Antonio Borneo <borneo.antonio@gmail.com>
Mon, 9 Aug 2021 13:03:37 +0000 (15:03 +0200)
committer Antonio Borneo <borneo.antonio@gmail.com>
Sat, 14 Aug 2021 12:31:27 +0000 (13:31 +0100)
By pressing CTRL-C on a running openocd with FTDI adapter, it's
possible to generate a segmentation fault that with valgrind is
dumped as a SIGABRT:

^CError: libusb_handle_events() failed with LIBUSB_ERROR_INTERRUPTED
==16594== Invalid read of size 8
==16594==    at 0x48B2472: libusb_submit_transfer
==16594==    by 0x48B4B0F: libusb_control_transfer
==16594==    by 0x1A6B9D: mpsse_purge (mpsse.c:428)
==16594==    by 0x1A7B96: mpsse_flush (mpsse.c:953)
==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
...
==16594==  Address 0x6158568 is 72 bytes inside a block of size 216 free'd
==16594==    at 0x484118B: free (vg_replace_malloc.c:755)
==16594==    by 0x1A7B88: mpsse_flush (mpsse.c:950)
==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
...
==16594==  Block was alloc'd at
==16594==    at 0x48435FF: calloc (vg_replace_malloc.c:1117)
==16594==    by 0x48B2259: libusb_alloc_transfer
==16594==    by 0x1A7A26: mpsse_flush (mpsse.c:880)
==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
...
==16594== Process terminating with default action of signal 6 (SIGABRT):
dumping core
...
Aborted (core dumped)

The error is in mpsse_flush() that, following the valgrind dump:
- allocates the buffer at line mpsse.c:880
  read_transfer = libusb_alloc_transfer(0);
- frees the buffer at line mpsse.c:950
  libusb_free_transfer(read_transfer);
- still pretends to use the freed buffer at line mpsse.c:953
  mpsse_purge(ctx);

Move the call to mpsse_purge() right before freeing the buffer.

Change-Id: I47c71ec8c283f4b037fdd7cd72ca2e877cd3a851
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Reviewed-on: http://openocd.zylin.com/6417
Tested-by: jenkins
src/jtag/drivers/mpsse.c

index 4e64fdbbfaaac0b7ec57ecaa5dec99c14894a54c..0e3d2be0e0d778b1d06af6320a9fe6039bda5113 100644 (file)
@@ -945,12 +945,12 @@ error_check:
                retval = ERROR_OK;
        }
 
+       if (retval != ERROR_OK)
+               mpsse_purge(ctx);
+
        libusb_free_transfer(write_transfer);
        if (read_transfer)
                libusb_free_transfer(read_transfer);
 
-       if (retval != ERROR_OK)
-               mpsse_purge(ctx);
-
        return retval;
 }
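Review bot: the relocated `if (retval != ERROR_OK) mpsse_purge(ctx);` now runs before both `libusb_free_transfer()` calls, which is exactly the ordering the valgrind trace asks for (the purge at mpsse.c:953 read memory freed at mpsse.c:950), but nothing in the hunk records why the order matters. Add a one-line comment above the purge, e.g. `/* purge must precede freeing the transfers: mpsse_purge() issues control transfers on ctx */`, so a later tidy-up of the cleanup block cannot silently reintroduce the use-after-free. It is also worth stating in the commit message, or checking in review, that mpsse_purge() does not rely on write_transfer/read_transfer having completed: the LIBUSB_ERROR_INTERRUPTED path shown in the log reaches this cleanup after libusb_handle_events() has been cut short, so a transfer may still be in flight when the purge's control transfer is submitted.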
