cahirwpz/mimiker

Copying memory seems to be unreliable.

Closed this issue · 5 comments

I'm facing a bizarre issue with copying memory. Currently this version of the GPIO driver code won't print the name of an entry on error. After removing the `function` property from the emmc FDT node, the string is recognized as empty. However, if we place a breakpoint on bcm2835_gpio.c:114 and hit it, the name gets printed as it should. The FDT_getprop function is what's used to retrieve the name string. After placing klog calls inside it, it looks like buf does not contain a copy of prop after calling memcpy. Weirdly enough, hitting a breakpoint seems to synchronize memory somehow and this effect is gone.

I'm guessing this might be related to the recent bump of QEMU, or defaulting to Clang.

@mohrcore could you provide step-by-step scenario?

./launch --something
b file:line
c
p var
-> what you see
-> what should be seen

Have you run your code with KASAN enabled? How exactly can we reproduce the bug?

@pj1031999

> @mohrcore could you provide step-by-step scenario?
>
> ./launch --something
> b file:line
> c
> p var
> -> what you see
> -> what should be seen

Sure.

First, you need to remove line no. 65 from sys/dts/rpi3.dts. This will cause the node to become an invalid GPIO configuration entry and will trigger the code inside the block that starts at sys/drv/bcm2835_gpio.c:113.

Compile mimiker with default config for Raspberry Pi 3:

make BOARD=rpi3

Launch mimiker with

./launch -b rpi3 -d init=/bin/ksh

In gdb, continue, then pause and check klog.

(gdb) c
^C
(gdb) klog

The expected klog output should contain the following line:

Warning: GPIO FDT entry "emmc" with no `function` property

Instead we get

Warning: GPIO FDT entry "" with no `function` property

However, if we place a breakpoint on line sys/drv/bcm2835_gpio.c:114, we can print the entry name that's about to be printed to klog and see that now it contains "emmc". After progressing with next we can check the klog and indeed it prints the expected string.

(gdb) b bcm2835_gpio.c:114
(gdb) c
# We should hit the breakpoint now!
(gdb) print entry_name
(gdb) n
(gdb) klog

@cahirwpz I'm having some trouble compiling mimiker with KASAN enabled.
I'm doing

make distclean
make BOARD=rpi3 KASAN=1

make complains that there is no rule for building include/machine/cdefs.h, which is required by kasan_quar.o.

I'll try later on a fresh copy of the repo and see whether it helps.

@mohrcore you allocate memory for the name, copy that name into the buffer, pass a pointer to klog and free that buffer. I guess that later another call to kmalloc returns that memory and it's zeroed, so as a result you see an empty string.

So... use-after-free :)
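The failure mode described in the last comment, as an added illustration that is not mimiker's code: a deferred log that records only a `char *` keeps pointing at a buffer the caller has already freed, and once a later allocation reuses and zeroes that block the reader sees "" instead of "emmc". The `pool_alloc_zeroed`/`pool_free` pair is a deliberately tiny stand-in for a zeroing kernel allocator (single block, always zero-filled on allocation) so the reuse is deterministic; `klog_ptr`, `klog_copy` and the entry-name helpers are hypothetical names, and the fix shown is the obvious one, copying the bytes into the log record before the caller frees its buffer.

```c
/* Added example, not mimiker code: deferred logging of a pointer into a
 * freed buffer (use-after-free) versus copying the string into the record.
 * The allocator below is a constructed stand-in for a zeroing kmalloc. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 64
#define LOG_SLOTS 4
#define MSG_LEN   32

/* Hypothetical allocator: one fixed block, zero-filled on every allocation,
 * so a later allocation after free() sees exactly the stale log pointer. */
static char pool_block[POOL_SIZE];
static bool pool_in_use = false;

static void *pool_alloc_zeroed(size_t n) {
    if (pool_in_use || n > POOL_SIZE)
        return NULL;
    pool_in_use = true;
    memset(pool_block, 0, POOL_SIZE);
    return pool_block;
}

static void pool_free(void *p) {
    if (p == pool_block)
        pool_in_use = false;
}

/* Buggy deferred logger: stores the pointer, formats the message later. */
static const char *ptr_log[LOG_SLOTS];
static int ptr_log_n;

static void klog_ptr(const char *s) {
    if (ptr_log_n < LOG_SLOTS)
        ptr_log[ptr_log_n++] = s;
}

/* Fixed deferred logger: copies the bytes into the record at call time. */
static char copy_log[LOG_SLOTS][MSG_LEN];
static int copy_log_n;

static void klog_copy(const char *s) {
    if (copy_log_n < LOG_SLOTS) {
        strncpy(copy_log[copy_log_n], s, MSG_LEN - 1);
        copy_log[copy_log_n][MSG_LEN - 1] = '\0';
        copy_log_n++;
    }
}

/* Snapshot what a log reader sees, so callers get a stable string. */
static char seen_buf[MSG_LEN];
static const char *snapshot(const char *s) {
    strncpy(seen_buf, s, MSG_LEN - 1);
    seen_buf[MSG_LEN - 1] = '\0';
    return seen_buf;
}

/* Mirrors the driver pattern: copy the property value into a temporary
 * buffer, log it, free the buffer, then some unrelated allocation reuses
 * (and zeroes) the same memory before the log is read. */
static const char *log_entry_name_buggy(const char *prop) {
    ptr_log_n = 0;
    char *buf = pool_alloc_zeroed(strlen(prop) + 1);
    if (!buf)
        return "alloc failed";
    memcpy(buf, prop, strlen(prop) + 1);
    klog_ptr(buf);                         /* only the pointer is recorded */
    pool_free(buf);                        /* ptr_log[0] now dangles */
    void *later = pool_alloc_zeroed(16);   /* reuse zeroes the block */
    const char *seen = snapshot(ptr_log[0]);
    pool_free(later);
    return seen;                           /* "" for prop = "emmc" */
}

static const char *log_entry_name_fixed(const char *prop) {
    copy_log_n = 0;
    char *buf = pool_alloc_zeroed(strlen(prop) + 1);
    if (!buf)
        return "alloc failed";
    memcpy(buf, prop, strlen(prop) + 1);
    klog_copy(buf);                        /* bytes copied into the record */
    pool_free(buf);                        /* safe: record owns its copy */
    void *later = pool_alloc_zeroed(16);
    const char *seen = snapshot(copy_log[0]);
    pool_free(later);
    return seen;                           /* "emmc" for prop = "emmc" */
}

int main(void) {
    printf("buggy: GPIO FDT entry \"%s\"\n", log_entry_name_buggy("emmc"));
    printf("fixed: GPIO FDT entry \"%s\"\n", log_entry_name_fixed("emmc"));
    return 0;
}
```

The same reasoning explains why stopping in the debugger hides the bug: reading the pointer before any other allocation has recycled the block still yields the original bytes, which is also why a debugger-only symptom of this kind is a strong hint toward use-after-free rather than a memcpy problem.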