ARM-software/CMSIS_5

Array access out of bounds in __cmsis_start()

zhusbj opened this issue · 2 comments

for (uint32_t i = 0u; i < pTable->wlen; ++i) {
    pTable->dest[i] = pTable->src[i];
}

pTable->dest and pTable->src are uint32_t types but pTable->wlen is the array size in bytes.
They are not matched and would cause array access out of bounds.

Hi @zhusbj,

I think this is a misunderstanding of what the code is doing.

These for-loops are basically mem copies where pTable->src is pointing to the source, pTable->dest is pointing to the target, and pTable->wlen is giving the amount of 32-bit memory words to be copied.

The values of pTable are Linker generated and of course must match the memory layout. A mistake in the Linker script (which provides wrong values) may cause memory corruption or faults.

Does this make sense to you?

Cheers,
Jonatan

Hi Jonatan,

Sorry I used the older code CMSIS v5.6.0, where the .copy.table was defined as below.
.copy.table :
{
    . = ALIGN(4);
    copy_table_start = .;
    LONG (__etext)
    LONG (data_start)
    LONG (data_end - data_start)
    copy_table_end = .;
} > FLASH

Now I checked the latest version and found it has been fixed by LONG ((data_end - data_start) / 4).
It is no problem now. Thanks for your explanation.

B.R.
Shaobo Zhu
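The following is an added example, not code from the thread or from CMSIS, that reproduces the point discussed above on a host machine: the __cmsis_start() loop treats wlen as a count of 32-bit words, so a linker script that emits a byte length (the v5.6.0 LONG(data_end - data_start)) produces a table entry four times too long, while the fixed LONG((data_end - data_start) / 4) produces the right one. The copy_table_t struct is reconstructed here with the field names used in the thread (src, dest, wlen); the flash/RAM arrays are constructed sample data, and the size check in copy_table_apply() is an extra defensive check added for this demonstration, not something CMSIS does.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Shape of one copy-table entry as discussed in the thread (reconstructed,
   not the CMSIS definition): source in flash, destination in RAM, and the
   length in 32-bit words. */
typedef struct {
    const uint32_t *src;
    uint32_t       *dest;
    uint32_t        wlen;   /* number of 32-bit words, NOT bytes */
} copy_table_t;

/* Constructed stand-ins for the .data initial image in flash and the
   .data region in RAM; both are 4 words = 16 bytes. */
#define DATA_WORDS 4u
static const uint32_t flash_etext[DATA_WORDS] = {
    0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u
};
static uint32_t ram_data[DATA_WORDS];

/* What the corrected linker script computes for the table entry:
   LONG((data_end - data_start) / 4) -> bytes / 4 -> words. */
uint32_t bytes_to_words(uint32_t nbytes) {
    return nbytes / 4u;
}

/* The word-indexed loop from the issue, preceded by a size check that is
   added here for the demonstration (it is not part of CMSIS): reject any
   entry whose word count would step past the destination region.
   Returns the number of words copied, or -1 when the entry is rejected. */
int copy_table_apply(const copy_table_t *e, size_t dest_region_bytes) {
    if ((uint64_t)e->wlen * 4u > dest_region_bytes) {
        return -1;  /* would run off the end of dest */
    }
    for (uint32_t i = 0u; i < e->wlen; ++i) {
        e->dest[i] = e->src[i];
    }
    return (int)e->wlen;
}

/* Entry built the fixed way: wlen = 16 bytes / 4 = 4 words. Returns 1 when
   the copy runs and RAM matches flash afterwards. */
int demo_fixed_table(void) {
    copy_table_t e = { flash_etext, ram_data, bytes_to_words(sizeof flash_etext) };
    memset(ram_data, 0, sizeof ram_data);
    int n = copy_table_apply(&e, sizeof ram_data);
    return n == (int)DATA_WORDS && memcmp(ram_data, flash_etext, sizeof ram_data) == 0;
}

/* Entry built the v5.6.0 way: LONG(data_end - data_start) stores the byte
   count (16) where the loop expects words, so it would copy 64 bytes into a
   16-byte region. The check rejects it and returns -1. */
int demo_byte_length_table(void) {
    copy_table_t e = { flash_etext, ram_data, (uint32_t)sizeof flash_etext };
    return copy_table_apply(&e, sizeof ram_data);
}

int main(void) {
    printf("fixed table (words):   %s\n", demo_fixed_table() ? "copied OK" : "FAILED");
    printf("v5.6.0 table (bytes):  %s\n",
           demo_byte_length_table() < 0 ? "rejected, would overrun" : "unexpectedly accepted");
    return 0;
}
```

On a real target there is no such check: the generated table is trusted, which is why Jonatan's remark that a wrong linker value "may cause memory corruption or faults" holds, and why the unit of each LONG in .copy.table has to match the unit the loop counts in.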