You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have been toying with a fuzzer that generates SPI commands in #18929, which discovered a segfault produced by a PAGE_PROGRAM command with a payload_byte_count. I converted this input to a unit test, patched it onto the master branch, and verified it still produces the segfault in #19131.
$ ./bazelisk.sh test --config=asan --test_output=streamed //sw/device/silicon_creator/rom:bootstrap_unittest[...]AddressSanitizer:DEADLYSIGNAL===================================================================12==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f29cfdfc03b bp 0x7ffc950a5ae0 sp 0x7ffc950a5a60 T0)==12==The signal is caused by a READ memory access.==12==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used. #0 0x7f29cfdfc03b in bootstrap_page_program sw/device/silicon_creator/rom/bootstrap.c:176 #1 0x7f29cfdfc99e in bootstrap_handle_program sw/device/silicon_creator/rom/bootstrap.c:316 #2 0x7f29cfdfce84 in bootstrap sw/device/silicon_creator/rom/bootstrap.c:386 #3 0x561998b6049b in TestBody sw/device/silicon_creator/rom/bootstrap_unittest.cc:703 #4 0x7f29cfbd6feb in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) external/googletest/googletest/src/gtest.cc:2607 #5 0x7f29cfbca77d in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) external/googletest/googletest/src/gtest.cc:2643 #6 0x7f29cfb88ccb in testing::Test::Run() external/googletest/googletest/src/gtest.cc:2682 #7 0x7f29cfb8a287 in testing::TestInfo::Run() external/googletest/googletest/src/gtest.cc:2861 #8 0x7f29cfb8b3de in testing::TestSuite::Run() external/googletest/googletest/src/gtest.cc:3015 #9 0x7f29cfbb1370 in testing::internal::UnitTestImpl::RunAllTests() external/googletest/googletest/src/gtest.cc:5855 #10 0x7f29cfbda0a9 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) external/googletest/googletest/src/gtest.cc:2607 #11 0x7f29cfbcd124 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) external/googletest/googletest/src/gtest.cc:2643 #12 0x7f29cfbadec7 in testing::UnitTest::Run() external/googletest/googletest/src/gtest.cc:5438 #13 0x7f29cfd37c75 in RUN_ALL_TESTS() external/googletest/googletest/include/gtest/gtest.h:2490 #14 0x7f29cfd37b52 in main external/googletest/googlemock/src/gmock_main.cc:70 #15 0x7f29cf229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #16 0x7f29cf229e3f in __libc_start_main_impl ../csu/libc-start.c:392 #17 0x561998b47f14 in _start (/home/dan_zerorisc_com/.cache/bazel/_bazel_dan/e8b9a1cec6d6126ab719828a176ad974/execroot/lowrisc_opentitan/bazel-out/k8-fastbuild/bin/sw/device/silicon_creator/rom/bootstrap_unittest+0x62f14)
The text was updated successfully, but these errors were encountered:
Per our chat offline, this is not a real concern. The SPI device driver will never generate values larger than 256, and the lowest value that can trigger this behavior is 257.
Before closing this issue, I'll add a comment to clarify the range of spi_device_cmd_t::payload_byte_count. I'll also update my fuzzer to stay within that range when it generates spi_device_cmd_t values.
dmcardle
added a commit
to dmcardle/opentitan
that referenced
this issue
Jul 6, 2023
Description
I have been toying with a fuzzer that generates SPI commands in #18929, which discovered a segfault produced by a PAGE_PROGRAM command with a
payload_byte_count
. I converted this input to a unit test, patched it onto the master branch, and verified it still produces the segfault in #19131.It looks like we're not properly bounds-checking in
bootstrap_page_program()
.The text was updated successfully, but these errors were encountered: