DebugWire flash read causes heap corruption on LP64 hosts #107
Comments
Updated #90.
Crash reporter excerpt:
Diagnostics printed to terminal, which I wasn't able to capture by redirection:
Target is an ATmega328P (Arduino Uno) connected to Atmel-ICE (also observed with AVR Dragon). Host is a MacBook Air M2 running macOS Ventura (also observed with an Intel MacBook Pro on an older OS).
Reading from flash via DebugWire can cause heap corruption on LP64 hosts, due to a confluence of errors. If the address would be a negative host `int` (typically `0x80000000` or greater), `chunksize` can get inappropriately reduced, leading to a very extended loop due to underflow/wraparound of `numBytes`. This eventually causes host heap corruption as the loop attempts to write beyond the end of the flash cache.

This demo required a patched avarice instrumented to show the intermediate values involved in the erroneous calculations. I used `netcat` to talk to avarice, because my previous reproducer was an older GDB plus an older version of avarice that didn't send memory maps (and thus allowed GDB to read from "negative" addresses). It's possible that a future GDB bug or newer target memory maps might allow this to happen.
It looped, continuing for over a hundred iterations. Eventually, this ended with:
`remote.cc` calls `hexToInt` with a signed `int addr` as the destination. It then calls `jtagRead`, which takes an `unsigned long` as the address. This causes sign extension while converting a negative number to `unsigned long`. The `chunksize` adjustment calculations in `jtag3rw.cc` then increase `chunksize` beyond `numBytes`, leading to the integer underflow/wraparound and buffer overflow.

I have a patch in #90 that needs to be cleaned up and duplicated in `jtag3rw.cc`. (I created it when I first ran across this bug with AVR Dragon.)

Full log: overflow.txt
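A small C model of the two errors described in this issue (sign extension of a negative `int` address to `unsigned long` on an LP64 host, and unsigned wraparound of `numBytes` when a chunk is not clamped to the remaining request), shown beside the checks that stop them. This is an added example, not code from avarice or from the reporter; the page-boundary chunking scheme, the cache layout and the function names are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the defect in the issue; not avarice's code.
 * Defective path: the address is parsed into a signed int and then
 * handed to a function taking unsigned long, as hexToInt -> jtagRead does. */
unsigned long widen_via_int(const char *hex)
{
    int addr = (int)strtoul(hex, NULL, 16);  /* "80000000" becomes negative in a 32-bit int */
    return (unsigned long)addr;              /* sign-extended to 0xffffffff80000000 on LP64 */
}

/* Hardened path: parse as unsigned and reject anything outside the flash. */
int parse_flash_addr(const char *hex, unsigned long flash_size, unsigned long *out)
{
    char *end;
    unsigned long long v = strtoull(hex, &end, 16);
    if (end == hex || *end != '\0' || v >= flash_size)
        return -1;
    *out = (unsigned long)v;
    return 0;
}

/* Simulated chunked read into a flash cache, chunking at page boundaries
 * (a hypothetical scheme). With clamp == 0 the chunk may exceed numBytes,
 * so the unsigned subtraction wraps and the loop keeps going past the
 * request; the bounds check turns the resulting out-of-cache write into an
 * error return. Returns the number of chunks read, or -1 on a bad write. */
#define PAGE 128UL
long read_chunked(unsigned long addr, unsigned long numBytes,
                  unsigned char *cache, size_t cache_len, int clamp)
{
    long chunks = 0;
    while (numBytes > 0) {
        unsigned long chunksize = PAGE - (addr % PAGE);   /* up to next page boundary */
        if (clamp && chunksize > numBytes)
            chunksize = numBytes;                          /* never read past the request */
        if (addr > cache_len || chunksize > cache_len - addr)
            return -1;                                     /* would write beyond the cache */
        memset(cache + addr, 0xff, chunksize);             /* stand-in for the device read */
        addr += chunksize;
        numBytes -= chunksize;                             /* wraps when chunksize > numBytes */
        chunks++;
    }
    return chunks;
}
```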