Merge branch '2022-04-29-fuzzing-and-asan-fixes'
To quote the author:
I've been experimenting with ASAN on sandbox and turned up a few issues
that are fixed in this series.
Basic ASAN was easy to turn on, but integrating with dlmalloc was
messier and fairly intrusive. Even when I had it working, there was only
a small redzone between allocations which limits the usefulness.
I saw another series on the list by Sean Anderson to enable valgrind
which was finding a different set of issues, though there was one
overlap that Sean is fixing with
"[PATCH] IOMUX: Fix access past end of console_devices".
With these issues fixed, I was able to run the dm tests without any ASAN
issues. There are a couple of leaks reported at the end, but that's for
another day.
diff --git a/cmd/acpi.c b/cmd/acpi.c
index c543f1e..0e473b4 100644
--- a/cmd/acpi.c
+++ b/cmd/acpi.c
@@ -178,7 +178,7 @@
printf("Table name '%s' must be four characters\n", name);
return CMD_RET_FAILURE;
}
- str_to_upper(name, sig, -1);
+ str_to_upper(name, sig, ACPI_NAME_LEN);
ret = dump_table_name(sig);
if (ret) {
printf("Table '%.*s' not found\n", ACPI_NAME_LEN, sig);
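Review bot: With the limit changed to `ACPI_NAME_LEN`, `sig` appears to end up as a fixed-width field with no terminating NUL (assuming `str_to_upper()` only writes a terminator when it stops short of the limit), and nothing at the call says so. The `printf` below already bounds its read with `%.*s`, but `dump_table_name(sig)` is defined outside the hunk, so it is worth confirming that it compares by length rather than as a C string. I would add `/* sig is a fixed ACPI_NAME_LEN-byte signature, not NUL-terminated */` above the call. The enclosing function starts and ends outside the hunk.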
diff --git a/doc/develop/tests_sandbox.rst b/doc/develop/tests_sandbox.rst
index 84608dc..40cf8ec 100644
--- a/doc/develop/tests_sandbox.rst
+++ b/doc/develop/tests_sandbox.rst
@@ -103,7 +103,7 @@
You can easily use gdb on these tests, without needing --gdbserver::
- $ gdb u-boot --args -T -c "ut dm gpio"
+ $ gdb --args u-boot -T -c "ut dm gpio"
...
(gdb) break dm_test_gpio
Breakpoint 1 at 0x1415bd: file test/dm/gpio.c, line 37.
diff --git a/drivers/power/acpi_pmc/pmc_emul.c b/drivers/power/acpi_pmc/pmc_emul.c
index a61eb5b..8015031 100644
--- a/drivers/power/acpi_pmc/pmc_emul.c
+++ b/drivers/power/acpi_pmc/pmc_emul.c
@@ -37,6 +37,7 @@
{ 0, 0 },
{ 0, 0 },
{ PCI_BASE_ADDRESS_SPACE_IO, 256 },
+ { 0, 0 },
};
struct pmc_emul_priv {
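Review bot: The added `{ 0, 0 },` row makes the table long enough only by convention, since nothing visible ties the number of initialisers to the range of BAR indexes used to look entries up. The declaration and the lookup are outside the hunk, so I cannot tell whether the index is range-checked; if it is not, an explicit array size or a bounds check at the lookup would keep the table from being read past its end again when rows are added or removed. At minimum a comment on the new row, e.g. `{ 0, 0 },	/* unused BAR; keeps one entry per BAR */`, would record why it exists.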
diff --git a/drivers/sound/sound.c b/drivers/sound/sound.c
index b0eab23..041dfdc 100644
--- a/drivers/sound/sound.c
+++ b/drivers/sound/sound.c
@@ -25,13 +25,11 @@
int i, j;
for (i = 0; size && i < half; i++) {
- size -= 2;
- for (j = 0; j < channels; j++)
+ for (j = 0; size && j < channels; j++, size -= 2)
*data++ = amplitude;
}
for (i = 0; size && i < period - half; i++) {
- size -= 2;
- for (j = 0; j < channels; j++)
+ for (j = 0; size && j < channels; j++, size -= 2)
*data++ = -amplitude;
}
}
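Review bot: The new inner-loop guard `size && j < channels` combined with `size -= 2` stops only when `size` lands exactly on zero, so an odd byte count steps from 1 past zero and the loop keeps writing through `data`. The type of `size` is declared outside the hunk, but both signed and unsigned arithmetic miss zero in that case. Testing for remaining room closes it in both loops: `for (j = 0; size >= 2 && j < channels; j++, size -= 2)`, with the outer `size &&` conditions changed to `size >= 2` as well. The function starts outside the hunk.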
diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c
index edabc1b3..cc80f67 100644
--- a/drivers/usb/emul/sandbox_flash.c
+++ b/drivers/usb/emul/sandbox_flash.c
@@ -345,6 +345,8 @@
} else {
if (priv->alloc_len && len > priv->alloc_len)
len = priv->alloc_len;
+ if (len > sizeof(priv->buff))
+ len = sizeof(priv->buff);
memcpy(buff, priv->buff, len);
priv->phase = PHASE_STATUS;
}
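Review bot: The new clamp `if (len > sizeof(priv->buff))` bounds the copy only while `buff` is an array member of the private struct; the declaration is outside the hunk, and if it is (or later becomes) a pointer, `sizeof` yields the pointer size and the read is cut to a few bytes with no diagnostic. The clamp is also silent, so a request longer than the emulated buffer returns short data with no trace. I would add a comment such as `/* never read past the emulated response buffer */` above the check and consider a `debug()` line when it triggers. The enclosing function starts and ends outside the hunk.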
diff --git a/drivers/usb/emul/usb-emul-uclass.c b/drivers/usb/emul/usb-emul-uclass.c
index 05f6d3d..b31dc95 100644
--- a/drivers/usb/emul/usb-emul-uclass.c
+++ b/drivers/usb/emul/usb-emul-uclass.c
@@ -15,13 +15,12 @@
static int copy_to_unicode(char *buff, int length, const char *str)
{
int ptr;
- int i;
if (length < 2)
return 0;
buff[1] = USB_DT_STRING;
- for (ptr = 2, i = 0; ptr + 1 < length && *str; i++, ptr += 2) {
- buff[ptr] = str[i];
+ for (ptr = 2; ptr + 1 < length && *str; str++, ptr += 2) {
+ buff[ptr] = *str;
buff[ptr + 1] = 0;
}
buff[0] = ptr;
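Review bot: `buff[0] = ptr;` stores the descriptor length in a single `char`, while the loop is bounded only by `ptr + 1 < length`, so a `length` above 255 lets `ptr` grow past what that byte can hold and the stored length no longer matches the bytes written. Callers are outside the hunk, so this may never occur in practice, but a clamp at the top such as `if (length > 255) length = 255;` makes the function safe on its own. The function also has no comment; one line stating that it builds a string descriptor from an 8-bit string, one 16-bit unit per character with a zero high byte, truncated to `length`, would help. The function body continues past the end of the hunk.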
diff --git a/test/dm/devres.c b/test/dm/devres.c
index 4f959d1..524114c 100644
--- a/test/dm/devres.c
+++ b/test/dm/devres.c
@@ -178,11 +178,8 @@
ut_asserteq(1, stats.allocs);
ut_asserteq(TEST_DEVRES_SIZE, stats.total_size);
- /* Unbinding removes the other. Note this access a freed pointer */
+ /* Unbinding removes the other. */
device_unbind(dev);
- devres_get_stats(dev, &stats);
- ut_asserteq(0, stats.allocs);
- ut_asserteq(0, stats.total_size);
return 0;
}
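Review bot: With the three post-unbind assertions removed, the test no longer checks that `device_unbind()` released the remaining allocation, and the shortened comment does not say why. The removed comment shows the old check read the stats through a freed `dev`, so dropping it is right for ASAN, but the reason should stay visible: `/* Unbinding removes the other; dev is freed, so its stats cannot be read back here */`. If the release still needs coverage, it would have to be observed in a way that does not dereference `dev`, which is beyond what this hunk shows. The test function starts outside the hunk.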
diff --git a/test/dm/regmap.c b/test/dm/regmap.c
index 04bb164..8560f2a 100644
--- a/test/dm/regmap.c
+++ b/test/dm/regmap.c
@@ -286,8 +286,7 @@
static int dm_test_devm_regmap(struct unit_test_state *uts)
{
int i = 0;
- u16 val;
- void *valp = &val;
+ uint val;
u16 pattern[REGMAP_TEST_BUF_SZ];
u16 *buffer;
struct udevice *dev;
@@ -311,7 +310,7 @@
ut_assertok(regmap_write(priv->cfg_regmap, i, pattern[i]));
}
for (i = 0; i < REGMAP_TEST_BUF_SZ; i++) {
- ut_assertok(regmap_read(priv->cfg_regmap, i, valp));
+ ut_assertok(regmap_read(priv->cfg_regmap, i, &val));
ut_asserteq(val, buffer[i]);
ut_asserteq(val, pattern[i]);
}
@@ -319,9 +318,9 @@
ut_asserteq(-ERANGE, regmap_write(priv->cfg_regmap, REGMAP_TEST_BUF_SZ,
val));
ut_asserteq(-ERANGE, regmap_read(priv->cfg_regmap, REGMAP_TEST_BUF_SZ,
- valp));
+ &val));
ut_asserteq(-ERANGE, regmap_write(priv->cfg_regmap, -1, val));
- ut_asserteq(-ERANGE, regmap_read(priv->cfg_regmap, -1, valp));
+ ut_asserteq(-ERANGE, regmap_read(priv->cfg_regmap, -1, &val));
return 0;
}