A use-after-free problem occurs when there are multiple remotes in the list `g_rpmsg` and the matching remote is not the last item in the list.
Log
# Export the device "/dev/LOCAL_DEV" to remote "REMOTE_CPU"
ap> testdev -d 2 -c "REMOTE_CPU" -l "/dev/LOCAL_DEV"
[ap] kasan_report: kasan detected a read access error, address at 0x3c3d4740,size is 4, return address: 0x2c33620f
[ap] kasan_show_memory: Shadow bytes around the buggy address:
[ap] kasan_show_memory: 0x3c3d46f0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
[ap] kasan_show_memory: 0x3c3d4700: aa aa aa aa cc cc cc cc cc cc cc cc cc cc cc cc
[ap] kasan_show_memory: 0x3c3d4710: 40 47 3d 3c ed 61 33 2c 00 00 00 00 00 00 00 00
[ap] kasan_show_memory: 0x3c3d4720: 00 00 00 00 00 00 00 00 00 00 00 00 cc cc cc cc
[ap] kasan_show_memory: 0x3c3d4730: 55 55 55 55 38 00 00 00 02 2c 00 00 cc cc cc cc
[ap] kasan_show_memory: 0x3c3d4740:[00 00 00 00]66 e0 42 3c cc cc cc cc cc cc cc cc
[ap] kasan_show_memory: 0x3c3d4750: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
[ap] kasan_show_memory: 0x3c3d4760: aa aa aa aa 38 00 00 00 01 2c 00 00 cc cc cc cc
[ap] kasan_show_memory: 0x3c3d4770: 50 57 44 3d 2f 00 cc cc cc cc cc cc cc cc cc cc
[ap] kasan_show_memory: 0x3c3d4780: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
[ap] dump_assert_info: Current Version: NuttX ****** ***** *** 12.3.0 **********-***** *** ** 2024 **:**:** arm
[ap] dump_assert_info: Assertion failed panic: at file: kasan/hook.c:187 task: testdev process: testdev 0x2ca20495
$ addr2line -fe nuttx/nuttx 0x2c33620f
rpmsgdev_server_created
/workspace/nuttx/drivers/misc/rpmsgdev_server.c:529
# Line 529 => strcmp()
Signed-off-by: wangjianyu3 <wangjianyu3@xiaomi.com>
Rpmsg dev server always open the real char device with nonblock mode,
so let client try to read/wrtie the read device every read/write
operation.
Signed-off-by: Bowen Wang <wangbowen6@xiaomi.com>
misc/rpmsgblk.c:616:29: warning: implicit declaration of function ‘rpmsg_virtio_get_buffer_size’; did you mean ‘rpmsg_get_rx_buffer_size’? [-Wimplicit-function-declaration]
616 | if (MAX(msglen, rsplen) > rpmsg_virtio_get_buffer_size(priv->ept.rdev))
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
| rpmsg_get_rx_buffer_size
Signed-off-by: Yongrong Wang <wangyongrong@xiaomi.com>
x86_64 uses 4-5G virtual addresses, we need to convert them into physical addresses and pass them to qemu, otherwise qemu will fail to map
Signed-off-by: liwenxiang1 <liwenxiang1@xiaomi.com>
when multiple processes call poll and a event occured,
all the processes are waked up. it should wake up one
process based on pipe->id
Signed-off-by: zhanghu5 <zhanghu5@xiaomi.com>
There is no need to call rwb->rhreloade() when nblocks is 0,
and some platform(eg: BES) has the limit that the parameter
of len in pltatform flash read function cant't be 0.
issue:
in rwb_wrflush():
memmove(rwb->wrbuffer + padblocks * rwb->blocksize,
rwb->wrbuffer, rwb->wrnblocks * rwb->blocksize);
when the offest from rwb->wrblockstart to startblock plus rwb->wrnblocks is greater
than rwb->wralignblocks, it will be causing memory overflow since rwb->wrbuffer is
allocated rwb.wrmaxblock(rwb.wralignblocks) blocks.
fix:
Let us ensure that the wrblockstart in rwbuffer must be aligned according to
wralignblocks after writing, so there is no need to perform memmove when flushing
Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
when the offest from rwb->wrblockstart to startblock
plus rwb->wrnblocks is greater than rwb->wralignblocks,
it will be causing memory overflow since rwb->wrbuffer is
allocated rwb.wrmaxblock(rwb.wralignblocks) blocks.
Use private naming to avoid conflicts with user applications
In file included from libuv/src/unix/internal.h:25,
from libuv/src/unix/udp.c:23:
libuv/src/uv-common.h:57: warning: "container_of" redefined
57 | #define container_of(ptr, type, member) \
|
In file included from nuttx/include/nuttx/list.h:47,
from nuttx/include/nuttx/tls.h:40,
from nuttx/include/nuttx/sched.h:48,
from nuttx/include/nuttx/arch.h:87,
from nuttx/include/nuttx/userspace.h:35,
from nuttx/include/nuttx/mm/mm.h:30,
from nuttx/include/nuttx/kmalloc.h:34,
from nuttx/include/nuttx/lib/lib.h:31,
from nuttx/include/stdio.h:35,
from apps/system/libuv/libuv/include/uv.h:59,
from libuv/src/unix/udp.c:22:
nuttx/include/nuttx/nuttx.h:48: note: this is the location of the previous definition
48 | #define container_of(ptr, type, member) \
|
Signed-off-by: chao an <anchao@lixiang.com>
The driver's main purpose is to support the porting of the open source
component optee_client (https://github.com/OP-TEE/optee_client) to nttux.
The basic function of the driver module is to convert the REE application layer data and send it to the TEE through rpmsg.
The main functions include
1 driver registration.
we need to register a device driver(/dev/tee0) through optee_register function.
2 open the driver
3 ioctl the driver
The ioctl command passes different parameters and commands, and interacts with the TEE through rpmsg.
4 close the driver
Signed-off-by: hujun5 <hujun5@xiaomi.com>
It may cause out_of_bounds when two side have different configuartion
on NAME_MAX and FS_LARGEFILE(affects size of blkcnt_t)
Signed-off-by: liaoao <liaoao@xiaomi.com>
it may cause use after free if server has removed block device before calling
its operations,such as:
server: rm /dev/testrpmsgblk
client: ls /dev/testrpmsgblk
Signed-off-by: liaoao <liaoao@xiaomi.com>
dongjiuzhu1