Open katgiadla opened 7 months ago
I did some debugging of this, the problem seems to be related to userspace memory address validation.
test_26_recvmsg_invalid
test sets some presumably invalid addresses in the struct msghdr
provided to the recvmsg()
call and expects that z_vrfy_zsock_recvmsg()
will catch that, but it doesn't seem to be the case on nRF platforms.
K_SYSCALL_MEMORY_READ()
called from k_usermode_alloc_from_copy()
does not report that address provided (0x01
) is not ok to copy from, which ends up with memcpy()
from that address. nrf9160dk_nrf9160_ns
crashes while doing memcpy()
, same issue on nrf9160dk_nrf9160
but it does not end up in crash.
@rlubos please check the priority
@anangl please take a look at @rlubos's description of the issue to see if you can figure out what is wrong here.
Hi
I'm been facing an issue in our Matter over wifi enablement since the recvmsg implementation in zephyr.
On Matter side, there is a function that calls recvmsg
to populate a msghdr
.
Then, it iterates through this struct to process control messages cmsghdr
, using CMSG macros.
The exit condition is the pointer to the control header to be null, but this never happens and the device is stuck indefinitely.
I'm wondering if this issue is related, as @rlubos says the msghdr is somehow corrupted ?
Here is a dump of data for both control header and message header:
Pointer to the matter code: https://github.com/project-chip/connectedhomeip/blob/master/src/inet/UDPEndPointImplSockets.cpp#L643
This is where the device is stuck.
Previously, on Matter side, we where using a custom implementation of recvmsg which ignored the control header, so the for loop was never exercised. See: https://github.com/project-chip/connectedhomeip/blob/master/src/inet/ZephyrSocket.h#L34
after some investigation on my side, it seems recvmsg
doesn't fulfill all requirements described in linux manpage.
I opened a dedicated issue: https://github.com/zephyrproject-rtos/zephyr/issues/68352
This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time.
This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time.
Describe the bug The tests:
net.socket.udp
net.socket.udp.preempt
net.socket.udp.ipv6_fragment
net.socket.udp.pktinfo
fail.
Observed for:
nrf5340dk_nrf5340_cpuapp_ns
nrf9160dk_nrf9160_ns
To Reproduce Steps to reproduce the behavior:
nrf9160dk_nrf9160
connected./scripts/twister -T tests/net/socket/udp -p nrf9160dk_nrf9160_ns --device-testing --device-serial /dev/ttyACM0 -v --inline-logs
Expected behavior Valid console output
Impact Not clear
Logs and console output
Environment (please complete the following information):