jtag/mpsse: fix SIGSEGV for use after free

By pressing CTRL-C on a running openocd with an FTDI adapter, it's
possible to generate a segmentation fault that valgrind dumps as a
SIGABRT:

^CError: libusb_handle_events() failed with LIBUSB_ERROR_INTERRUPTED
==16594== Invalid read of size 8
==16594==    at 0x48B2472: libusb_submit_transfer
==16594==    by 0x48B4B0F: libusb_control_transfer
==16594==    by 0x1A6B9D: mpsse_purge (mpsse.c:428)
==16594==    by 0x1A7B96: mpsse_flush (mpsse.c:953)
==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
...
==16594==  Address 0x6158568 is 72 bytes inside a block of size 216 free'd
==16594==    at 0x484118B: free (vg_replace_malloc.c:755)
==16594==    by 0x1A7B88: mpsse_flush (mpsse.c:950)
==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
...
==16594==  Block was alloc'd at
==16594==    at 0x48435FF: calloc (vg_replace_malloc.c:1117)
==16594==    by 0x48B2259: libusb_alloc_transfer
==16594==    by 0x1A7A26: mpsse_flush (mpsse.c:880)
==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
...
==16594== Process terminating with default action of signal 6 (SIGABRT):
	dumping core
...
Aborted (core dumped)

The error is in mpsse_flush() which, following the valgrind dump:
- allocates the buffer at line mpsse.c:880
  read_transfer = libusb_alloc_transfer(0);
- frees the buffer at line mpsse.c:950
  libusb_free_transfer(read_transfer);
- still tries to use the freed buffer at line mpsse.c:953
  mpsse_purge(ctx);

Move the call to mpsse_purge() right before freeing the buffer.

Change-Id: I47c71ec8c283f4b037fdd7cd72ca2e877cd3a851
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Reviewed-on: http://openocd.zylin.com/6417
Tested-by: jenkins
Antonio Borneo 2021-08-09 15:03:37 +02:00
parent 3ce70962d1
commit a555434c50
1 changed file with 3 additions and 3 deletions
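The following C program is an added example, not OpenOCD's or libusb's code. It models the cleanup-order bug the commit message describes with a mock "usb core" and a mock transfer object. The model assumes, as the valgrind trace suggests, that the core keeps every submitted transfer on a flying list until it completes and that submitting a new transfer walks that list; the interrupted event loop (LIBUSB_ERROR_INTERRUPTED) is modelled as the read transfer never completing. free_transfer() poisons the object instead of releasing it, standing in for valgrind's quarantine, so a stale read is counted rather than crashing. The example goes beyond the commit by adding a third ordering that also removes the pending read from the flying list before freeing it; all names here (usb_core, flush, purge, uaf_hits_after and the enum order values) are illustrative.

```c
/* Added example: a model of a use-after-free caused by cleanup ordering.
 * Not OpenOCD or libusb code; names and behaviour are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define LIVE_MAGIC  0xA11CE000u
#define FREED_MAGIC 0xDEADBEEFu
#define MAX_FLYING  8
#define RET_OK      0
#define RET_ERR     (-1)
#define RET_UAF     (-2)

struct transfer {
    uint32_t magic;     /* LIVE_MAGIC while valid, FREED_MAGIC after free */
    int is_control;     /* 1 for the purge control transfer, 0 for bulk read */
};

struct usb_core {
    struct transfer *flying[MAX_FLYING]; /* submitted, not yet completed */
    int nflying;
    int uaf_hits;       /* freed transfers met while walking the list */
};

static struct transfer *alloc_transfer(int is_control)
{
    struct transfer *t = calloc(1, sizeof *t);
    if (t) { t->magic = LIVE_MAGIC; t->is_control = is_control; }
    return t;
}

/* Poisoning free: the memory is deliberately leaked so that a stale
 * pointer stays readable and the poison is detectable (a quarantine). */
static void free_transfer(struct transfer *t)
{
    if (t) t->magic = FREED_MAGIC;
}

/* Submitting walks the whole flying list first, so a freed transfer that
 * was never removed from that list is read here. */
static int submit_transfer(struct usb_core *c, struct transfer *t)
{
    for (int i = 0; i < c->nflying; i++)
        if (c->flying[i]->magic != LIVE_MAGIC) {
            c->uaf_hits++;
            return RET_UAF;
        }
    if (c->nflying == MAX_FLYING) return RET_ERR;
    c->flying[c->nflying++] = t;
    return RET_OK;
}

/* Completion (or cancellation) removes the transfer from the flying list. */
static void complete_transfer(struct usb_core *c, struct transfer *t)
{
    for (int i = 0; i < c->nflying; i++)
        if (c->flying[i] == t) {
            c->flying[i] = c->flying[--c->nflying];
            return;
        }
}

/* Stand-in for mpsse_purge(): one synchronous control transfer. */
static int purge(struct usb_core *c)
{
    struct transfer *ctl = alloc_transfer(1);
    int rc = submit_transfer(c, ctl);
    if (rc == RET_OK) complete_transfer(c, ctl);
    free_transfer(ctl);
    return rc;
}

enum order { FREE_THEN_PURGE, PURGE_THEN_FREE, DRAIN_THEN_PURGE_THEN_FREE };

/* One flush. `interrupted` models the event loop returning early before
 * the read transfer completed, so it stays on the flying list. */
static int flush(struct usb_core *c, enum order o, int interrupted)
{
    struct transfer *rd = alloc_transfer(0);
    int retval = submit_transfer(c, rd);
    if (retval != RET_OK) { free_transfer(rd); return retval; }
    if (!interrupted) complete_transfer(c, rd);
    else retval = RET_ERR;

    switch (o) {
    case FREE_THEN_PURGE:            /* order before the commit */
        free_transfer(rd);
        if (retval != RET_OK) retval = purge(c);
        break;
    case PURGE_THEN_FREE:            /* order after the commit */
        if (retval != RET_OK) retval = purge(c);
        free_transfer(rd);
        break;
    case DRAIN_THEN_PURGE_THEN_FREE: /* also drop the pending read first */
        complete_transfer(c, rd);
        if (retval != RET_OK) retval = purge(c);
        free_transfer(rd);
        break;
    }
    return retval;
}

/* Runs `nflushes` interrupted flushes with the given ordering and returns
 * how many use-after-free reads the mock core observed. */
int uaf_hits_after(enum order o, int nflushes)
{
    struct usb_core c = {0};
    for (int i = 0; i < nflushes; i++)
        flush(&c, o, 1);
    return c.uaf_hits;
}

int main(void)
{
    printf("free-then-purge, 1 flush:   %d UAF read(s)\n", uaf_hits_after(FREE_THEN_PURGE, 1));
    printf("purge-then-free, 2 flushes: %d UAF read(s)\n", uaf_hits_after(PURGE_THEN_FREE, 2));
    printf("drain first,     2 flushes: %d UAF read(s)\n", uaf_hits_after(DRAIN_THEN_PURGE_THEN_FREE, 2));
    return 0;
}
```

In this model the original order hits the stale pointer on the first flush, the commit's order survives that flush but leaves the poisoned read transfer on the flying list so the next submit reads it, and only the ordering that removes the pending transfer before freeing it stays clean across repeated flushes.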


@ -945,12 +945,12 @@ error_check:
retval = ERROR_OK;
}
if (retval != ERROR_OK)
mpsse_purge(ctx);
libusb_free_transfer(write_transfer);
if (read_transfer)
libusb_free_transfer(read_transfer);
if (retval != ERROR_OK)
mpsse_purge(ctx);
return retval;
}
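Review bot: moving mpsse_purge(ctx) above the two libusb_free_transfer() calls removes the read reported by valgrind, but the trace in the commit message shows libusb_submit_transfer(), issued for the fresh control transfer inside mpsse_purge(), reading read_transfer after line 950 freed it, which means read_transfer was still registered inside libusb (not yet completed) when it was freed. After this hunk the error path still frees a transfer that may be pending, so the next submit on this handle can walk the same stale pointer. Consider cancelling the pending transfers with libusb_cancel_transfer() and draining them via libusb_handle_events() before `libusb_free_transfer(write_transfer);` and `libusb_free_transfer(read_transfer);` on the error path, and add a comment explaining why mpsse_purge() must run before the frees so the order is not "tidied" back later.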