
Fix crash in NamedPipeCommands.cpp caused by stack-buffer-underflow #36465

Open
wants to merge 2 commits into base: master

Conversation

BoB13-Matter
Contributor

Description

  • Running the chip-all-clusters-app example can result in a stack-buffer-underflow error when handling named pipes in NamedPipeCommands.cpp. The underflow occurs at NamedPipeCommands.cpp:85 by writing to readbuf[readBytes - 1] without checking if readBytes is zero. This leads to accessing memory out of bounds and can potentially crash the application.

Changes

  • Added a condition to verify readBytes is greater than zero before writing to readbuf[readBytes - 1]. This prevents stack-buffer-underflow by ensuring the code only accesses valid indices within readbuf.

Reproducing

To reproduce:

$ '' > /tmp/chip_all_clusters_fifo_12142 

Expected error message before the fix:

../../examples/all-clusters-app/linux/third_party/connectedhomeip/examples/platform/linux/NamedPipeCommands.cpp:85:9: runtime error: index -1 out of bounds for type 'char[256]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../examples/all-clusters-app/linux/third_party/connectedhomeip/examples/platform/linux/NamedPipeCommands.cpp:85:9 
=================================================================
==12142==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7d0ff8f0901f at pc 0x6217ac4c01cf bp 0x7d0ff9fffad0 sp 0x7d0ff9fffac8
WRITE of size 1 at 0x7d0ff8f0901f thread T2
    #0 0x6217ac4c01ce  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x13171ce) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #1 0x6217ac2aee1c  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x1105e1c) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #2 0x6217ac214016  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x106b016) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #3 0x6217ac2a87cf  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x10ff7cf) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #4 0x6217ac2abe06  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x1102e06) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #5 0x6217ac2ace68  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x1103e68) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)

Address 0x7d0ff8f0901f is located in stack of thread T2 at offset 31 in frame
    #0 0x6217ac4bfb87  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x1316b87) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
  
  This frame has 1 object(s):
    [32, 288) 'readbuf' (line 71) <== Memory access at offset 31 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T2 created by T0 here:
    #0 0x6217ac2897b1  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x10e07b1) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #1 0x6217ac4bf152  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x1316152) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #2 0x6217ac47a9f0  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x12d19f0) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #3 0x6217ac488e89  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x12dfe89) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #4 0x6217ac2dd243  (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x1134243) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda)
    #5 0x7d0ffea29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)

SUMMARY: AddressSanitizer: stack-buffer-underflow (/home/beom/Desktop/connectedhomeip/out/linux-x64-all-clusters-asan-ubsan-clang/chip-all-clusters-app+0x13171ce) (BuildId: bad9472b693d466f1f24620bf834cbc228a1cfda) 
Shadow bytes around the buggy address:
  0x7d0ff8f08d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d0ff8f08e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d0ff8f08e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d0ff8f08f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d0ff8f08f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7d0ff8f09000: f1 f1 f1[f1]00 00 00 00 00 00 00 00 00 00 00 00
  0x7d0ff8f09080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d0ff8f09100: 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x7d0ff8f09180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d0ff8f09200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d0ff8f09280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12142==ABORTING

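As an added illustration, not the project's code (the actual statement at NamedPipeCommands.cpp:85 is not shown on this page, so the newline-stripping write below is a hypothetical reconstruction of the `readbuf[readBytes - 1]` access the description refers to): the unguarded form next to the guarded form the PR introduces, plus a `pipe()`-based harness that reproduces the zero-byte `read()` that `'' > fifo` produces without needing a FIFO on disk.

```cpp
#include <sys/types.h>
#include <unistd.h>
#include <string>

// Hypothetical reconstruction of the pattern the PR describes, not the project's
// code: read() into a 256-byte stack buffer, then strip the trailing newline.

// "Before": indexes readbuf[readBytes - 1] unconditionally. read() returns 0 when
// a writer opens the FIFO and closes it without writing (the `'' > fifo`
// reproducer), so this touches index -1, the underflow ASan reported. Never called.
static void TerminateLineUnsafe(char *readbuf, ssize_t readBytes)
{
    if (readbuf[readBytes - 1] == '\n')
        readbuf[readBytes - 1] = '\0';
}

// "After": the readBytes > 0 guard the PR adds, plus an upper bound so the NUL
// stays in bounds. Returns false on EOF (0) or error (-1): nothing to parse.
static bool TerminateLineSafe(char *readbuf, size_t bufSize, ssize_t readBytes)
{
    if (readBytes <= 0 || static_cast<size_t>(readBytes) >= bufSize)
        return false;
    if (readbuf[readBytes - 1] == '\n')
        readbuf[readBytes - 1] = '\0';
    else
        readbuf[readBytes] = '\0';
    return true;
}

// One read from the pipe's read end; an empty string means nothing to process.
static std::string ReadCommand(int fd)
{
    char readbuf[256];
    ssize_t readBytes = read(fd, readbuf, sizeof(readbuf) - 1);
    if (!TerminateLineSafe(readbuf, sizeof(readbuf), readBytes))
        return std::string();
    return std::string(readbuf);
}

// Reproduces the trigger without a FIFO on disk: the writer sends `payload`
// (possibly nothing) and closes, which is exactly what `'' > fifo` does.
static std::string FeedPipe(const std::string &payload)
{
    int fds[2];
    if (pipe(fds) != 0) return std::string("pipe() failed");
    if (!payload.empty())
        (void) write(fds[1], payload.data(), payload.size());
    close(fds[1]); // writer gone: read() now returns 0 (EOF)
    std::string cmd = ReadCommand(fds[0]);
    close(fds[0]);
    return cmd;
}
```

Built with `-fsanitize=address,undefined`, swapping `TerminateLineSafe` for `TerminateLineUnsafe` in `ReadCommand` and calling `FeedPipe("")` reproduces the report quoted above; with the guard in place the empty write is simply skipped.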

github-actions bot commented Nov 12, 2024

PR #36465: Size comparison from aba2383 to db94b60

Full report (68 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
platform target config section aba2383 db94b60 change % change
bl602 lighting-app bl602+mfd+littlefs+rpc FLASH 1349446 1349448 2 0.0
RAM 104080 104080 0 0.0
bl702 lighting-app bl702+eth FLASH 649346 649346 0 0.0
RAM 25313 25313 0 0.0
bl702+wifi FLASH 826926 826926 0 0.0
RAM 14053 14053 0 0.0
bl706+mfd+rpc+littlefs FLASH 1055122 1055124 2 0.0
RAM 23893 23893 0 0.0
bl702l lighting-app bl702l+mfd+littlefs FLASH 976484 976486 2 0.0
RAM 16556 16556 0 0.0
cc13x4_26x4 lighting-app LP_EM_CC1354P10_6 FLASH 837852 837852 0 0.0
RAM 123632 123632 0 0.0
lock-ftd LP_EM_CC1354P10_6 FLASH 823768 823768 0 0.0
RAM 125520 125520 0 0.0
pump-app LP_EM_CC1354P10_6 FLASH 770492 770492 0 0.0
RAM 113988 113988 0 0.0
pump-controller-app LP_EM_CC1354P10_6 FLASH 754704 754704 0 0.0
RAM 114196 114196 0 0.0
cc32xx air-purifier CC3235SF_LAUNCHXL FLASH 625930 625930 0 0.0
RAM 205784 205784 0 0.0
lock CC3235SF_LAUNCHXL FLASH 667242 667242 0 0.0
RAM 205936 205936 0 0.0
cyw30739 light CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 679489 679489 0 0.0
RAM 78692 78692 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 699341 699341 0 0.0
RAM 81324 81324 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 699341 699341 0 0.0
RAM 81324 81324 0 0.0
CYW930739M2EVB-02 unknown 2040 2040 0 0.0
FLASH 656277 656277 0 0.0
RAM 73760 73760 0 0.0
light-switch CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 616345 616345 0 0.0
RAM 71644 71644 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 635973 635973 0 0.0
RAM 74196 74196 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 635973 635973 0 0.0
RAM 74196 74196 0 0.0
lock CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 635801 635801 0 0.0
RAM 74692 74692 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 655517 655517 0 0.0
RAM 77244 77244 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 655517 655517 0 0.0
RAM 77244 77244 0 0.0
thermostat CYW30739B2-P5-EVK-01 unknown 2040 2040 0 0.0
FLASH 611197 611197 0 0.0
RAM 68780 68780 0 0.0
CYW30739B2-P5-EVK-02 unknown 2040 2040 0 0.0
FLASH 631049 631049 0 0.0
RAM 71412 71412 0 0.0
CYW30739B2-P5-EVK-03 unknown 2040 2040 0 0.0
FLASH 631049 631049 0 0.0
RAM 71412 71412 0 0.0
efr32 lock-app BRD4187C FLASH 927596 927596 0 0.0
RAM 160164 160164 0 0.0
BRD4338a FLASH 743712 743712 0 0.0
RAM 233296 233296 0 0.0
window-app BRD4187C FLASH 1018816 1018808 -8 -0.0
RAM 128264 128264 0 0.0
esp32 all-clusters-app c3devkit DRAM 95336 95336 0 0.0
FLASH 1540460 1540460 0 0.0
IRAM 82542 82542 0 0.0
m5stack DRAM 116264 116264 0 0.0
FLASH 1549306 1549306 0 0.0
IRAM 117039 117039 0 0.0
linux air-purifier-app debug unknown 4712 4712 0 0.0
FLASH 2699169 2699169 0 0.0
RAM 129696 129696 0 0.0
all-clusters-app debug unknown 5552 5552 0 0.0
FLASH 5992866 5992876 10 0.0
RAM 524000 524000 0 0.0
all-clusters-minimal-app debug unknown 5448 5448 0 0.0
FLASH 5328474 5328474 0 0.0
RAM 242512 242512 0 0.0
bridge-app debug unknown 5432 5432 0 0.0
FLASH 4671244 4671244 0 0.0
RAM 218432 218432 0 0.0
chip-tool debug unknown 5984 5984 0 0.0
FLASH 12872238 12872238 0 0.0
RAM 584466 584466 0 0.0
chip-tool-ipv6only arm64 unknown 21400 21400 0 0.0
FLASH 11002768 11002768 0 0.0
RAM 635368 635368 0 0.0
fabric-admin debug unknown 5808 5808 0 0.0
FLASH 11277331 11277331 0 0.0
RAM 584818 584818 0 0.0
fabric-bridge-app debug unknown 4688 4688 0 0.0
FLASH 4495514 4495514 0 0.0
RAM 205408 205408 0 0.0
fabric-sync debug unknown 4896 4896 0 0.0
FLASH 5309989 5309989 0 0.0
RAM 466920 466920 0 0.0
lighting-app debug+rpc+ui unknown 6096 6096 0 0.0
FLASH 5607169 5607185 16 0.0
RAM 228600 228600 0 0.0
lock-app debug unknown 5368 5368 0 0.0
FLASH 4720718 4720728 10 0.0
RAM 204600 204600 0 0.0
ota-provider-app debug unknown 4744 4744 0 0.0
FLASH 4346150 4346150 0 0.0
RAM 198272 198272 0 0.0
ota-requestor-app debug unknown 4680 4680 0 0.0
FLASH 4484552 4484552 0 0.0
RAM 202856 202856 0 0.0
shell debug unknown 4240 4240 0 0.0
FLASH 3011565 3011565 0 0.0
RAM 160344 160344 0 0.0
thermostat-no-ble arm64 unknown 9464 9464 0 0.0
FLASH 4090256 4090256 0 0.0
RAM 242984 242984 0 0.0
tv-app debug unknown 5664 5664 0 0.0
FLASH 5943941 5943941 0 0.0
RAM 596368 596368 0 0.0
tv-casting-app debug unknown 5232 5232 0 0.0
FLASH 11079677 11079677 0 0.0
RAM 694568 694568 0 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 FLASH 915332 915332 0 0.0
RAM 143289 143289 0 0.0
nrf7002dk_nrf5340_cpuapp FLASH 887596 887596 0 0.0
RAM 141476 141476 0 0.0
all-clusters-minimal-app nrf52840dk_nrf52840 FLASH 847588 847588 0 0.0
RAM 142197 142197 0 0.0
nxp contact k32w0+release FLASH 584128 584128 0 0.0
RAM 71048 71048 0 0.0
mcxw71+release FLASH 598664 598664 0 0.0
RAM 63144 63144 0 0.0
light k32w0+release FLASH 611172 611172 0 0.0
RAM 70440 70440 0 0.0
k32w1+release FLASH 684976 684976 0 0.0
RAM 48776 48776 0 0.0
lock mcxw71+release FLASH 748512 748512 0 0.0
RAM 67300 67300 0 0.0
psoc6 all-clusters cy8ckit_062s2_43012 FLASH 1642980 1642980 0 0.0
RAM 212064 212064 0 0.0
all-clusters-minimal cy8ckit_062s2_43012 FLASH 1550196 1550196 0 0.0
RAM 208864 208864 0 0.0
light cy8ckit_062s2_43012 FLASH 1466620 1466620 0 0.0
RAM 200848 200848 0 0.0
lock cy8ckit_062s2_43012 FLASH 1464796 1464796 0 0.0
RAM 225208 225208 0 0.0
qpg lighting-app qpg6105+debug FLASH 662144 662144 0 0.0
RAM 105384 105384 0 0.0
lock-app qpg6105+debug FLASH 620244 620244 0 0.0
RAM 99836 99836 0 0.0
stm32 light STM32WB5MM-DK FLASH 482944 482944 0 0.0
RAM 144848 144848 0 0.0
telink bridge-app tlsr9258a FLASH 684686 684686 0 0.0
RAM 91536 91536 0 0.0
contact-sensor-app tlsr9528a_retention FLASH 622694 622694 0 0.0
RAM 50472 50472 0 0.0
light-switch-app-ota-compress-lzma-shell-factory-data tlsr9528a FLASH 710624 710624 0 0.0
RAM 73812 73812 0 0.0
lighting-app-ota-factory-data tlsr9118bdk40d FLASH 628992 628992 0 0.0
RAM 145392 145392 0 0.0
lighting-app-ota-rpc-factory-data-4mb tlsr9518adk80d FLASH 814880 814880 0 0.0
RAM 100012 100012 0 0.0
tizen all-clusters-app arm unknown 4956 4956 0 0.0
FLASH 1722680 1722680 0 0.0
RAM 90660 90660 0 0.0
chip-tool-ubsan arm unknown 10832 10832 0 0.0
FLASH 18006302 18006302 0 0.0
RAM 7857036 7857036 0 0.0
