buffer overrun in rtems_rfs_bitmap_create_search()

Joel Sherrill joel at rtems.org
Mon Jun 4 20:08:58 UTC 2018


On Mon, Jun 4, 2018 at 2:27 PM, Walter Lee <waltl at google.com> wrote:

> Hi Gedare.  Thanks for the response.  I am using a snapshot of RTEMS
> provided by a third party, based on commit #821acce on master.  The
> bug should still be there on the tip of master and on 4.11 (and
> probably 4.10 also, but that version seems to be missing another
> patch).
>

Any idea which patch or ticket that was? I am curious whether it was
a bug or improvement and there are two patches to apply to 4.11.


>
> I've updated the patch to master, and also added a test.
>

Thank you!  Helps long term to make sure we don't get a regression.

--joel


>
> Thanks,
>
> Walter
> On Mon, Jun 4, 2018 at 9:55 AM Gedare Bloom <gedare at rtems.org> wrote:
> >
> > Hello Walter,
> >
> > Thank you for the bug report and patch. The patch is outdated, what
> > version of RTEMS are you using? I think the problem also affects the
> > master branch, but we need a ticket for each affected open branch.
> >
> > The fix looks OK to me, but I'd like Chris Johns to approve it. I
> > assigned the ticket to him.
> >
> > Gedare
> >
> > On Wed, May 30, 2018 at 1:24 PM, Walter Lee <waltl at google.com> wrote:
> > > Hi.  I am encountering a buffer overrun in
> > > rtems_rfs_bitmap_create_search().  It seems that whenever the bitmap
> > > uses the last bit of its search_map (i.e. (control->size + 31) % 32 ==
> > > 32)), the loop will write to the word one beyond the end of
> > > search_map.
> > >
> > > I filed a bug at https://devel.rtems.org/ticket/3439, with a patch
> > > that fixes the problem.
> > >
> > > Please let me know if I'm missing something, and if not what I need to
> > > do to get this fixed.
> > >
> > > Thanks,
> > >
> > > Walter
> > > _______________________________________________
> > > devel mailing list
> > > devel at rtems.org
> > > http://lists.rtems.org/mailman/listinfo/devel
>
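The failure mode described in the original report, shown as an added example (a simplified model, not RTEMS source and not the patch attached to the ticket): a two-level bitmap where the loop initialises the next search-map word as soon as the current one fills. The names `build_search`, `overruns` and the `guarded` flag are hypothetical, and the guard shown is one possible way to avoid the write, assumed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define WORD_BITS 32u
#define CANARY    0xA5A5A5A5u

/* Simplified model (not RTEMS source): one search-map bit per 32-bit map word. */
static size_t words_for(size_t bits) { return (bits + WORD_BITS - 1) / WORD_BITS; }

/* guarded == 0: next search word is initialised even if no map words remain. */
static void build_search(uint32_t *search, const uint32_t *map,
                         size_t map_words, int guarded)
{
  unsigned bit = 0;
  *search = 0;
  for (size_t i = 0; i < map_words; i++) {
    if (map[i] != 0)              /* model convention: non-zero word = has a free bit */
      *search |= 1u << bit;
    if (++bit == WORD_BITS) {
      bit = 0;
      if (!guarded || i + 1 < map_words)
        *++search = 0;            /* unguarded: may land one word past the end */
    }
  }
}

/* Returns 1 if building for size_bits (> 0) wrote past the search map's end. */
int overruns(size_t size_bits, int guarded)
{
  size_t map_words = words_for(size_bits);
  size_t search_words = words_for(map_words);
  uint32_t *map = calloc(map_words, sizeof *map);
  uint32_t *search = malloc((search_words + 1) * sizeof *search);
  if (!map || !search) abort();
  search[search_words] = CANARY;  /* guard word keeps the demo's own write in bounds */
  build_search(search, map, map_words, guarded);
  int hit = search[search_words] != CANARY;
  free(map);
  free(search);
  return hit;
}

int main(void)
{
  size_t sizes[] = { 992, 1024, 1025, 2048 };   /* constructed sample sizes */
  for (size_t i = 0; i < 4; i++)
    printf("%zu bits: unguarded=%d guarded=%d\n", sizes[i], overruns(sizes[i], 0), overruns(sizes[i], 1));
  return 0;
}
```

Only sizes whose map-word count is an exact multiple of 32 trip the guard word, which is why a regression test needs a bitmap that fills the last search-map bit.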