From: Sebastiaan de Schaetzen Date: Tue, 27 Jul 2021 13:06:57 +0000 (+0200) Subject: rtos/riot: fix out-of-bounds writes when target is corrupted X-Git-Tag: v0.12.0-rc1~561 X-Git-Url: https://review.openocd.org/gitweb?p=openocd.git;a=commitdiff_plain;h=013a0e88d2a6e4626987e9fbe056ee1d40026933 rtos/riot: fix out-of-bounds writes when target is corrupted This protects against out-of-bounds writes when the memory of RIOT's scheduler is corrupted. This memory can be corrupted because of: - Programming errors - The scheduler not yet having been initialised - An incorrect symbol file being used during debugging. This error can result in OpenOCD segfaulting. Valgrind was used to find the approximate location of the error. Change-Id: I60e7d7c245b8c4e38f4c98cb0c0347a9b5ec3177 Signed-off-by: Sebastiaan de Schaetzen Reviewed-on: https://review.openocd.org/c/openocd/+/6381 Tested-by: jenkins Reviewed-by: Antonio Borneo --- diff --git a/src/rtos/riot.c b/src/rtos/riot.c index 1d53da2b02..8a3874202f 100644 --- a/src/rtos/riot.c +++ b/src/rtos/riot.c @@ -118,7 +118,7 @@ const struct rtos_type riot_rtos = { static int riot_update_threads(struct rtos *rtos) { int retval; - unsigned int tasks_found = 0; + int tasks_found = 0; const struct riot_params *param; if (!rtos) @@ -170,7 +170,6 @@ static int riot_update_threads(struct rtos *rtos) riot_symbol_list[RIOT_NUM_THREADS].name); return retval; } - rtos->thread_count = thread_count; /* read the maximum number of threads */ uint8_t max_threads = 0; @@ -182,6 +181,11 @@ static int riot_update_threads(struct rtos *rtos) riot_symbol_list[RIOT_MAX_THREADS].name); return retval; } + if (thread_count > max_threads) { + LOG_ERROR("Thread count is invalid"); + return ERROR_FAIL; + } + rtos->thread_count = thread_count; /* Base address of thread array */ uint32_t threads_base = rtos->symbols[RIOT_THREADS_BASE].address; @@ -211,6 +215,9 @@ static int riot_update_threads(struct rtos *rtos) char buffer[32]; for (unsigned int i = 0; i < max_threads; i++) { + if (tasks_found == rtos->thread_count) + break; + /* get pointer to tcb_t */ uint32_t tcb_pointer = 0; retval = target_read_u32(rtos->target,