tcpci/usb_pd_fuzz: Avoid using unitialized data in payload
Found with MSAN fuzzer: usb_pd_protocol.c may use payload data that is not initialized. Fix the test by copying over the whole payload, which is what tcpci.c's version does. Also, in tcpci.c, clear cached_messages head before using get_message_raw to fill it up, to make sure that we do not accidentally use older data in the queue. BRANCH=none BUG=chromium:963076 TEST=make TEST_MSAN=y host-usb_pd_fuzz -j MSAN_OPTIONS=log_path=stderr:exitcode=0 \ build/host/usb_pd_fuzz/usb_pd_fuzz.exe \ clusterfuzz-testcase-minimized-ec_usb_pd_fuzzer-5716775969357824 Change-Id: I74c38538440cb5a01d1714657b9e2d63e5b80cea Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1610163 Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This commit is contained in:
parent
2c321f4ab8
commit
f88989e751
@ -451,6 +451,8 @@ int tcpm_enqueue_message(const int port)
|
|||
return EC_ERROR_OVERFLOW;
|
||||
}
|
||||
|
||||
/* Blank any old message, just in case. */
|
||||
memset(head, 0, sizeof(*head));
|
||||
/* Call the raw driver without caching */
|
||||
rv = tcpc_config[port].drv->get_message_raw(port, head->payload,
|
||||
&head->header);
|
||||
|
|
|
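Review bot: The new `memset(head, 0, sizeof(*head));` is the right defensive step, but its comment "Blank any old message, just in case" undersells why it is needed; I would make the dependency explicit so nobody removes it as redundant: `/* Zero the slot first: the dequeue side copies the whole payload array, so any bytes get_message_raw does not write must be defined, not left over from a previous message. */`. It also seems worth noting in the same comment that this relies on get_message_raw writing only into head->payload and head->header, which the hunk shows but the driver contract presumably guarantees elsewhere. tcpm_enqueue_message begins and ends outside the hunk, so whether `rv` is checked after the call is not visible here.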
@ -88,7 +88,11 @@ int tcpm_dequeue_message(const int port, uint32_t *const payload,
|
|||
|
||||
*header = m->header;
|
||||
|
||||
memcpy(payload, m->payload, m->cnt - 3);
|
||||
/*
|
||||
* This mirrors what tcpci.c:tcpm_dequeue_message does: always copy the
|
||||
* whole payload to destination.
|
||||
*/
|
||||
memcpy(payload, m->payload, sizeof(m->payload));
|
||||
|
||||
pending--;
|
||||
return EC_SUCCESS;
|
||||
|
|
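Review bot: The full-size copy `memcpy(payload, m->payload, sizeof(m->payload));` widens the requirement on the caller's buffer from `m->cnt - 3` bytes to the whole array, and the signature (`uint32_t *const payload`, no length) does not express that; I would state it next to the copy, e.g. `/* payload must point to at least sizeof(m->payload) bytes. */`. It also means bytes of m->payload beyond the received count are now read, so whatever fills the queue entry on the enqueue side of this harness must initialize the entire array (presumably it does, since the change was verified under MSAN), otherwise the uninitialized read only moves rather than disappears. This same widening is what the tcpci.c hunk above addresses with its memset, so the two halves of the change depend on each other. tcpm_dequeue_message begins outside the hunk, so the check that the entry is valid before it is read is not visible here.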