Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stack overflow in esp_log_buffer_hexdump_internal when targeting linux 64 bit (IDFGH-12312) #13347

Closed
3 tasks done
matthew-8925 opened this issue Mar 10, 2024 · 4 comments
Closed
3 tasks done

Stack overflow in esp_log_buffer_hexdump_internal when targeting linux 64 bit (IDFGH-12312) #13347

matthew-8925 opened this issue Mar 10, 2024 · 4 comments
Assignees
@0xjakob
Labels
Resolution: NA Issue resolution is unavailable Status: Done Issue is done internally Type: Bug bugs in IDF

Comments

@matthew-8925
Copy link

matthew-8925 commented Mar 10, 2024
edited

Answers checklist.

  • I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
  • I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
  • I have searched the issue tracker for a similar issue and not found a similar issue.

IDF version.

v5.2 / master

Espressif SoC revision.

Linux

Operating System used.

Linux

How did you build your project?

Command line with idf.py

If you are using Windows, please specify command line type.

None

Development Kit.

N/A

Power Supply used.

USB

What is the expected behavior?

When using idf.py --preview set-target linux and running code on Linux that uses ESP_LOG_BUFFER_HEXDUMP it should print without crashing.

What is the actual behavior?

When using idf.py --preview set-target linux and running on Linux on code useing ESP_LOG_BUFFER_HEXDUMP then a stack overflow is detected and the program exits.

The cause is the data buffer passed to ESP_LOG_BUFFER_HEXDUMP contains bytes with the top bit set.
That seems to be signed extended into a -64- 32 bit word when compiled for Linux and sprintf prints 8 chars instead of the expected 2.

esp-idf/components/log/log_buffers.c

Line 129 in 60a2bf6

ptr_hd += sprintf(ptr_hd, " %02x", ptr_line[i]);

Replacing the line with this resolved the issue.
ptr_hd += sprintf(ptr_hd, " %02x", (unsigned char)ptr_line[i]);

Steps to reproduce.

#include <esp_log.h>
void example(){
  char temp[16] = {0};
  temp[2] = temp[1] = 0xFF;
  ESP_LOG_BUFFER_HEXDUMP("TAG", temp, 16, ESP_LOG_WARN);
}

The 0xFF gets sign extended and prints as ffffffff in ESP_LOG_BUFFER_HEXDUMP. That exceeds the expected line length, smashing stack variables.

Debug Logs.

$ uname -sp
Linux x86_64
$ ./build/test.elf
W (19511609) TAG: 0x7fdb2fa75bd0   00 ffffffff ffffffff 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*** stack smashing detected ***: terminated

More Information.

No response
@matthew-8925 matthew-8925 added the Type: Bug bugs in IDF label Mar 10, 2024
@espressif-bot espressif-bot added the Status: Opened Issue is new label Mar 10, 2024
@github-actions github-actions bot changed the title Stack overflow in esp_log_buffer_hexdump_internal when targeting linux 64 bit Stack overflow in esp_log_buffer_hexdump_internal when targeting linux 64 bit (IDFGH-12312) Mar 10, 2024
@matthew-8925
Copy link
Author

matthew-8925 commented Mar 10, 2024
edited

One more fix is needed for Linux targets, the pointer is now 64 bits so extra space is needed in hd_buffer for printing %p

esp-idf/components/log/log_buffers.c

Line 123 in 60a2bf6

ptr_hd += sprintf(ptr_hd, "%p ", buffer);

Something like this would fix it ?
char hd_buffer[2 + sizeof(void *) * 2 + 3 + BYTES_PER_LINE * 3 + 3 + BYTES_PER_LINE + 1 + 1];

@0xjakob
Copy link
Collaborator

0xjakob commented Mar 11, 2024

@matthew-8925 Thanks for pointing this out! We'll take a look at this.

@espressif-bot espressif-bot added Status: Reviewing Issue is being reviewed and removed Status: Opened Issue is new labels Mar 11, 2024
@matthew-8925
Copy link
Author

And a similar issue here raised by AddressSanitizer

esp-idf/components/log/log_buffers.c

Line 52 in 60a2bf6

sprintf(hex_buffer + 3 * i, "%02x ", ptr_line[i]);

Fix that worked for me is
sprintf(hex_buffer + 3 * i, "%02x ", (unsigned char)ptr_line[i]);

@0xjakob
Copy link
Collaborator

0xjakob commented Mar 12, 2024

@matthew-8925 Correct, we've added this as well in a fix that should be available on master soon.

@espressif-bot espressif-bot added Status: Done Issue is done internally Resolution: NA Issue resolution is unavailable and removed Status: Reviewing Issue is being reviewed labels Mar 12, 2024
espressif-bot pushed a commit that referenced this issue Mar 26, 2024
@0xjakob
fix(log): Fixed incorrect argument type in hexdump log functions
9c82da9 
Closes #13347
Thanks @matthew-8925
espressif-bot pushed a commit that referenced this issue Apr 12, 2024
@0xjakob
fix(log): Fixed incorrect argument type in hexdump log functions
4652a99 
Closes #13347
Thanks @matthew-8925
espressif-bot pushed a commit that referenced this issue Apr 12, 2024
@0xjakob
fix(log): Fixed incorrect argument type in hexdump log functions
5dbe8d3 
Closes #13347
Thanks @matthew-8925
espressif-bot pushed a commit that referenced this issue May 21, 2024
@0xjakob
fix(log): Fixed incorrect argument type in hexdump log functions
cb71476 
Closes #13347
Thanks @matthew-8925
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@0xjakob 0xjakob

Labels
Resolution: NA Issue resolution is unavailable Status: Done Issue is done internally Type: Bug bugs in IDF
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@0xjakob @espressif-bot @matthew-8925