search

RT-Thread / rt-thread

RT-Thread is an open source IoT Real-Time Operating System (RTOS).
https://www.rt-thread.io
Apache License 2.0
10.52k stars 5.03k forks source link

[Bug] Pointer error or buffer error in rt_vsnprintf function #9409

Open LecterChu opened 2 months ago

LecterChu commented 2 months ago

RT-Thread Version

5.2.0 commit 2f559906d6202c27142237ab4b1d893034a5b7c3

Hardware Type/Architectures

VEXPRESS_A9

Develop Toolchain

GCC

Hi, I'm encountering an unexpected rt_kprintf error.

Steps to reproduce

1.Build RT-Thread 2.Use the following command to start the kernel with QEMU:

qemu-system-arm \
    -M vexpress-a9 \
    -smp 2 \
    -m 4096M \
    -kernel /path/to/rt-thread/bsp/qemu-vexpress-a9/rtthread.bin \
    -drive if=sd,file=/path/to/rt-thread/bsp/qemu-vexpress-a9/sd.bin,format=raw \
    -nographic \
    -semihosting \

Source code location

/root/rtthread/rt-thread/src/klibc/kstdio.c : 344

        for (; *fmt ; ++fmt)
        {
            if (*fmt != '%')
            {
                if (str < end)
                {
                    *str = *fmt;
                }

344:             ++ str;
                continue;
            }

            /* process flags */
           flags = 0;

Test case

syz_thread_safe_delete (0x0)

long syz_thread_safe_delete(volatile int thread_id) {
    rt_thread_t thread = (rt_thread_t)thread_id;

    if (thread == RT_NULL || rt_thread_find(thread) == RT_NULL) {
        rt_kprintf("Thread does not exist or already deleted.\n");
        return -2; // Thread does not exist
    }

    if (rt_thread_self() == thread) {
        rt_kprintf("Cannot delete a thread from itself.\n");
        return -3; // Trying to delete self
    }

    rt_err_t result = rt_thread_delete(thread);
    if (result == RT_EOK) {
        rt_kprintf("Thread deleted successfully\n");
        return 0;  // Success
    } else {
        rt_kprintf("Failed to delete thread, error: %d\n", result);
        return -1; // Error
    }
}

Backtrace upon hitting the bug

#executing syz_thread_safe_delete (0x0)
2024/09/04 14:41:13 Syscall execution is ok
2024/09/04 14:41:13 qemu run inst merger err: execution timed out
2024/09/04 14:41:13 Received stop signal, requires feedback = true
2024/09/04 14:41:13 running diagnose
2024/09/04 14:41:13 VM-0 failed reading regs: dial tcp 127.0.0.1:35751: connect: connection refused
2024/09/04 14:41:13 VM-0 failed reading regs: dial tcp 127.0.0.1:35751: connect: connection refused
2024/09/04 14:41:14 Stack frames at BUG: unexpected stop:
2024/09/04 14:41:14 Level: 0: 1611238748, /root/kcov.c : __sanitizer_cov_trace_pc : 71 : 
2024/09/04 14:41:14 Level: 1: 1611457940, /root/rtthread/rt-thread/src/klibc/kstdio.c : rt_vsnprintf : 344 : 
2024/09/04 14:41:14 Level: 2: 1611467024, /root/rtthread/rt-thread/src/kservice.c : rt_kprintf : 343 : 
2024/09/04 14:41:14 Level: 3: 1611212732, /root/rtthread/rt-thread/bsp/qemu-vexpress-a9/applications/common_freertos.h : syz_thread_safe_delete : 50 :

It appears to be a pointer error in the ‘++str’ operation, likely caused by buf being uninitialized or pointing to an invalid memory location, resulting in improper string manipulation or buffer overflow.

Other additional context

No response

mysterywolf commented 2 months ago

Thanks Could you try to submit PR to fix this? Welcome PR~

LecterChu commented 2 months ago

Thanks Could you try to submit PR to fix this? Welcome PR~ Thank you for your response. I will do my best to look into it and see if I can contribute a PR soon.