sched/misc: fix potential out-of-bounds access in coredump stack emission#18450
Open
anchao wants to merge 1 commit into apache:master from
Conversation
…sion

The elf_emit_tcb_stack() function in coredump.c was calculating the stack buffer length and emitting the stack data without validating whether the calculated buffer range (buf + len) exceeds the actual bounds of the TCB's stack memory region (stack_base_ptr + adj_stack_size).

This could lead to out-of-bounds memory access when the calculated stack length is larger than the available stack space, potentially causing memory corruption, crashes, or incorrect core dump generation.

This fix adds a bounds check:

1. Compares the end of the intended stack buffer (buf + len) against the upper limit of the TCB's stack (stack_base_ptr + adj_stack_size).
2. If the buffer would exceed the stack bounds, truncates the length to fit within the valid stack memory range.

The change ensures safe memory access during core dump generation, preventing out-of-bounds reads and improving the robustness of the coredump feature.

Signed-off-by: chao an <anchao.archer@bytedance.com>
| @@ -429,6 +429,13 @@ static void elf_emit_tcb_stack(FAR struct elf_dumpinfo_s *cinfo, | |||
| len = ALIGN_UP(len + (buf - sp), PROGRAM_ALIGNMENT); | |||
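Review bot: this line rounds len up to PROGRAM_ALIGNMENT after adding the alignment slack (buf - sp), so buf + len can end up to PROGRAM_ALIGNMENT - 1 bytes past stack_base_ptr + adj_stack_size whenever the stack top is not itself aligned; the bounds check this PR adds must therefore run after this rounding, not before it. Truncating len at the stack top can also leave a length that is no longer a multiple of PROGRAM_ALIGNMENT, so either note in a comment that the final stack segment may be unaligned or align the truncated length down, which is the concern the "align sp up and len down" comment below raises.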
Contributor
Should we align sp up and len down directly?
Contributor
Author
Aligning sp up might lose some important information; checking the length using stack size might be more accurate.
Summary
sched/misc: fix potential out-of-bounds access in coredump stack emission
The elf_emit_tcb_stack() function in coredump.c was calculating the stack buffer length
and emitting the stack data without validating whether the calculated buffer range
(buf + len) exceeds the actual bounds of the TCB's stack memory region (stack_base_ptr + adj_stack_size).
This could lead to out-of-bounds memory access when the calculated stack length is larger
than the available stack space, potentially causing memory corruption, crashes, or incorrect
core dump generation.
This fix adds a bounds check:
1. Compares the end of the intended stack buffer (buf + len) against the
upper limit of the TCB's stack (stack_base_ptr + adj_stack_size).
2. If the buffer would exceed the stack bounds, truncates the length to fit
within the valid stack memory range.
The change ensures safe memory access during core dump generation, preventing out-of-bounds
reads and improving the robustness of the coredump feature.
Signed-off-by: chao an <anchao.archer@bytedance.com>
Impact
N/A
Testing
sim/nsh, ostest
sabre-6quad/coredump
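To show why the alignment rounding on the diff's context line needs the bounds check described above, here is an added example (not NuttX's code) that models the length computation on plain integers, with hypothetical stand-ins for PROGRAM_ALIGNMENT, ALIGN_UP/ALIGN_DOWN and the two TCB fields; it assumes the caller has already verified that sp lies inside the stack region, as the real function does before this point.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the NuttX macros the diff uses. */
#define PROGRAM_ALIGNMENT 8u
#define ALIGN_DOWN(x, a) ((x) & ~((uintptr_t)(a) - 1u))
#define ALIGN_UP(x, a)   (((x) + ((a) - 1u)) & ~((uintptr_t)(a) - 1u))

/* Hypothetical struct holding the two TCB fields the commit message names:
 * the lowest address of the stack region and its usable size in bytes. */
struct tcb_stack { uintptr_t stack_base_ptr; size_t adj_stack_size; };

/* Start address and byte count of the stack segment to emit. */
struct stack_span { uintptr_t buf; size_t len; };

/* Compute the segment covering [sp, stack top), rounded to
 * PROGRAM_ALIGNMENT as the diff's context line does.  With clamp == false
 * this is the pre-fix computation; with clamp == true the length is
 * truncated at stack_base_ptr + adj_stack_size as the fix describes. */
struct stack_span emit_span(const struct tcb_stack *tcb, uintptr_t sp_in,
                            bool clamp)
{
  uintptr_t stack_top = tcb->stack_base_ptr + tcb->adj_stack_size;
  uintptr_t buf = sp_in;                      /* live stack pointer */
  size_t    len = (size_t)(stack_top - buf);  /* bytes in use */
  uintptr_t sp  = ALIGN_DOWN(buf, PROGRAM_ALIGNMENT);

  /* Rounding up: if stack_top is not itself a multiple of
   * PROGRAM_ALIGNMENT, buf + len now ends past the TCB's stack memory. */
  len = ALIGN_UP(len + (buf - sp), PROGRAM_ALIGNMENT);
  buf = sp;

  if (clamp && buf + len > stack_top)
    {
      len = (size_t)(stack_top - buf);  /* truncate to the valid range */
    }

  return (struct stack_span){ buf, len };
}

/* True when every byte of the span lies inside the TCB's stack region. */
bool span_in_stack(const struct tcb_stack *tcb, struct stack_span s)
{
  uintptr_t stack_top = tcb->stack_base_ptr + tcb->adj_stack_size;
  return s.buf >= tcb->stack_base_ptr && s.buf + s.len <= stack_top;
}
```

With a constructed stack of base 0x1000 and size 0xFFC (top 0x1FFC, not 8-byte aligned) and sp = 0x1A04, the unclamped span is 0x1A00 + 0x600 and reaches 0x2000, four bytes past the stack; the clamped span stops at 0x5FC bytes.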