Fix out-of-bound read when passing CharSpan to printf #15796

Merged
merged 1 commit into from
Mar 4, 2022

@arkq arkq commented Mar 3, 2022

Problem

The CharSpan object is not a C-style string - it is not terminated with a null byte. When using such an object with printf-like functions we have to make sure that the length of the string will be passed as well (using "%.*s" syntax). Otherwise, we might face out-of-bound reads, which is a security threat.

Change overview

  • added "%.*s" syntax in places where CharSpan::data() is used

Testing

Together with PR #15412:

./scripts/tests/run_test_suite.py \
   --target-glob "DL_UsersAndCredentials" \
   --chip-tool out/examples/chip-tool/chip-tool \
  run \
    --all-clusters-app out/examples/all-clusters-app/chip-all-clusters-app \
    --tv-app out/examples/tv-app/chip-tv-app \
    --door-lock-app out/linux-x64-door-lock-no-ble-tsan/chip-door-lock-app

The CharSpan object is not a C-style string - it is not terminated
with a null byte. When using such an object with printf-like functions
we have to make sure that the length of the string will be passed
as well (using "%.*s" syntax). Otherwise, we might face out-of-bound
reads, which is a security threat.
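
The over-read described above and the "%.*s" form that bounds it, as an added example (not code from this pull request or the project). `CharView` is a hypothetical stand-in for a pointer-plus-length span, and the backing array is constructed so that the unbounded read stays inside it.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical minimal stand-in for a non-owning character span; this is
// not the project's CharSpan, only the same pointer-plus-length shape.
struct CharView
{
    const char * ptr;
    size_t len;
    const char * data() const { return ptr; }
    size_t size() const { return len; }
};

// printf precision is an int, and a negative precision is treated as if it
// were omitted, so clamp instead of casting a large size_t blindly.
static int PrecisionFor(const CharView & v)
{
    return v.size() > static_cast<size_t>(INT_MAX) ? INT_MAX : static_cast<int>(v.size());
}

// Unbounded: "%s" keeps reading until it finds a NUL byte, wherever that is.
std::string FormatUnbounded(const CharView & v)
{
    char out[64];
    snprintf(out, sizeof(out), "name=%s", v.data());
    return out;
}

// Bounded: "%.*s" reads at most size() bytes from data().
std::string FormatBounded(const CharView & v)
{
    char out[64];
    snprintf(out, sizeof(out), "name=%.*s", PrecisionFor(v), v.data());
    return out;
}

// Constructed sample: one backing array in which the viewed field is followed
// directly by unrelated bytes, so the over-read stays inside the array here.
static const char kBacking[] = "alicePIN=1234";
static const CharView kName{ kBacking, 5 };

int main()
{
    printf("%s\n%s\n", FormatUnbounded(kName).c_str(), FormatBounded(kName).c_str());
    return 0;
}
```

When the span is the last thing in its allocation, the unbounded form reads past the end of the buffer instead of into neighbouring fields; the bounded form behaves the same in both cases.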
github-actions bot commented Mar 3, 2022

PR #15796: Size comparison from 8895bdb to 6c05e69

Increases above 0.2%:

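| platform | target | config | section | 8895bdb | 6c05e69 | change | % change |
|---|---|---|---|---|---|---|---|
| nrfconnect | all-clusters-app | nrf52840dk_nrf52840 | (read/write) | 1040115 | 1076803 | 36688 | 3.5 |
| | | | bss | 125828 | 127944 | 2116 | 1.7 |
| | | | rodata | 135820 | 141772 | 5952 | 4.4 |
| | | | text | 701220 | 729656 | 28436 | 4.1 |
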
Increases (7 builds for esp32, linux, nrfconnect, p6)

| platform | target | config | section | 8895bdb | 6c05e69 | change | % change |
|---|---|---|---|---|---|---|---|
| esp32 | all-clusters-app | c3devkit | (read only) | 953150 | 953162 | 12 | 0.0 |
| | | | (read/write) | 1392866 | 1392882 | 16 | 0.0 |
| | | | .flash.rodata | 197048 | 197064 | 16 | 0.0 |
| | | | .flash.text | 953150 | 953162 | 12 | 0.0 |
| | | m5stack | (read only) | 1008323 | 1008347 | 24 | 0.0 |
| | | | (read/write) | 459980 | 459988 | 8 | 0.0 |
| | | | .flash.rodata | 225880 | 225888 | 8 | 0.0 |
| | | | .flash.text | 1002939 | 1002963 | 24 | 0.0 |
| linux | all-clusters-app | debug | (read only) | 2403217 | 2403313 | 96 | 0.0 |
| | | | .text | 2035378 | 2035474 | 96 | 0.0 |
| | door-lock-app | debug | (read only) | 1943769 | 1943881 | 112 | 0.0 |
| | | | .rodata | 173692 | 173724 | 32 | 0.0 |
| | | | .text | 1621618 | 1621698 | 80 | 0.0 |
| | shell | debug | (read only) | 2371721 | 2371801 | 80 | 0.0 |
| | | | .text | 2010146 | 2010226 | 80 | 0.0 |
| nrfconnect | all-clusters-app | nrf52840dk_nrf52840 | (read/write) | 1040115 | 1076803 | 36688 | 3.5 |
| | | | bss | 125828 | 127944 | 2116 | 1.7 |
| | | | rodata | 135820 | 141772 | 5952 | 4.4 |
| | | | text | 701220 | 729656 | 28436 | 4.1 |
| p6 | all-clusters-app | default | (read/write) | 2489552 | 2489584 | 32 | 0.0 |
| | | | .text | 1447816 | 1447848 | 32 | 0.0 |

Full report (31 builds for cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, p6, qpg, telink)
