From: Simon Glass <sjg@chromium.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [RESEND PATCH] core: ofnode: Add ofnode_get_addr_size_index
Date: Tue, 13 Aug 2019 03:33:45 -0600
Message-ID: <CAPnjgZ2Trg0OPkG9HVZi2JOwehHkr52sm6o53zGHk8Awbw1Qvg@mail.gmail.com>
In-Reply-To: <20190709193804.GA6202@x230>

Hi Keerthy,

On Tue, 9 Jul 2019 at 13:38, Eugeniu Rosca <roscaeugeniu@gmail.com> wrote:
>
> Hi All,
>
> On Wed, Apr 24, 2019 at 05:19:53PM +0530, Keerthy wrote:
> > Add ofnode_get_addr_size_index function to fetch the address
> > and size of the reg space based on index.
> >
> > Signed-off-by: Keerthy <j-keerthy@ti.com>
> > Reviewed-by: Simon Glass <sjg@chromium.org>
> > ---
> >
> > Previous discussion can be found here:
> >
> >   * https://patchwork.ozlabs.org/patch/999659/
> >
> >  drivers/core/ofnode.c | 13 ++++++++++---
> >  include/dm/ofnode.h   | 14 ++++++++++++++
> >  2 files changed, 24 insertions(+), 3 deletions(-)
>
> JFYI/FWIW, this patch, present in U-Boot/master as commit [1], revives
> the issue fixed in [2]. More precisely, when compiling the sandbox
> U-Boot with -fsanitize=address and linking it against -lasan,
> the following backtrace pops up during boot [3].
>
> [1] https://gitlab.denx.de/u-boot/u-boot/commit/e679d03b08fb
>     ("core: ofnode: Add ofnode_get_addr_size_index")
> [2] https://gitlab.denx.de/u-boot/u-boot/commit/9bfacf249b10
>     ("core: ofnode: Fix ASAN-reported stack-buffer-overflow in of_get_address")
> [3] The same issue as fixed in [2], now reproduced on v2019.07
>
> ==5996==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc65f869a0 at pc 0x564834c6cd89 bp 0x7ffc65f867b0 sp 0x7ffc65f867a0
> WRITE of size 8 at 0x7ffc65f869a0 thread T0
>     #0 0x564834c6cd88 in of_get_address drivers/core/of_addr.c:154
>     #1 0x564834c74fac in ofnode_get_addr_size_index drivers/core/ofnode.c:262
>     #2 0x564834c75232 in ofnode_get_addr_index drivers/core/ofnode.c:290
>     #3 0x564834d35a4f in sb_eth_ofdata_to_platdata drivers/net/sandbox.c:422
>     #4 0x564834c5ad22 in device_probe drivers/core/device.c:407
>     #5 0x564834f2f1c4 in eth_initialize net/eth-uclass.c:399
>     #6 0x564834bf9c34 in initr_net common/board_r.c:565
>     #7 0x564834bfa580 in initcall_run_list include/initcall.h:38
>     #8 0x564834bfa580 in board_init_r common/board_r.c:867
>     #9 0x564834b8156d in main arch/sandbox/cpu/start.c:362
>     #10 0x7f2fe7912b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
>     #11 0x564834b85b29 in _start (/srv/R/u-boot-master/u-boot+0x792b29)
>
> Address 0x7ffc65f869a0 is located in stack of thread T0 at offset 32 in frame
>     #0 0x564834c751c4 in ofnode_get_addr_index drivers/core/ofnode.c:287
>
>   This frame has 1 object(s):
>     [32, 36) 'size' (line 288) <== Memory access@offset 32 partially overflows this variable
> HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
>       (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: stack-buffer-overflow drivers/core/of_addr.c:154 in of_get_address
> ==5996==ABORTING
>

Can you please take a look?

Regards,
Simon

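As an added illustration of the out-parameter width mismatch the ASAN report points at (this is constructed example code, not U-Boot's code and not from anyone in this thread), assuming a 32-bit fdt_size_t as in the sandbox frame dump ([32, 36) 'size') and a constructed two-entry reg property:

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed illustration, not U-Boot code: the callee always performs an
 * 8-byte store through its size pointer, so a caller that hands it the
 * address of a 4-byte object gets exactly the WRITE of size 8 ASAN reports. */
typedef uint64_t u64;
typedef uint32_t fdt_size_t;            /* assumed 32-bit size type, as in that build */
#define ADDR_NONE ((u64)-1)             /* constructed sentinel for "no address" */

/* Constructed "reg" property: two entries of 2 address cells + 2 size cells,
 * big-endian as in a flattened device tree. */
static const uint8_t reg_prop[32] = {
    0x00,0x00,0x00,0x00, 0x80,0x00,0x00,0x00,   /* addr 0x80000000 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x10,0x00,   /* size 0x1000 */
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,   /* addr 0x100000000 */
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,   /* size 0x100000000: exceeds 32 bits */
};

static u64 be64(const uint8_t *p)
{
    u64 v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Callee in the shape of the report's of_get_address(): it stores 8 bytes
 * through *size, so the caller must pass a genuine u64 object. */
static u64 get_address(const uint8_t *reg, size_t len, int index, u64 *size)
{
    size_t off = (size_t)index * 16;
    if (index < 0 || off + 16 > len)
        return ADDR_NONE;
    *size = be64(reg + off + 8);        /* the 8-byte WRITE seen by ASAN */
    return be64(reg + off);
}

/* Buggy caller shape (the bug class in the report): declaring 'fdt_size_t size'
 * and passing its address cast to u64 * lets the callee write past the object.
 * Safe caller: widen through a local u64, then narrow with a range check. */
static u64 get_addr_index_safe(const uint8_t *reg, size_t len, int index, fdt_size_t *out)
{
    u64 size64;
    u64 addr = get_address(reg, len, index, &size64);
    if (addr == ADDR_NONE || size64 > UINT32_MAX)
        return ADDR_NONE;               /* size would not fit in fdt_size_t */
    *out = (fdt_size_t)size64;
    return addr;
}
```

The same check catches the second constructed entry, whose 64-bit size cannot be represented in the narrower type at all, which a silent cast would truncate to zero.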