| author | Nicolas Boichat <drinkcat@chromium.org> | 2019-05-15 13:07:35 +0800 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2019-05-16 09:04:26 -0700 |
| commit | f88989e7518b97c83afc93497f97e33d9d4c12f4 | |
| tree | aff241c15d12ee97b0f08f3e90ec5597608804a8 /fuzz | |
| parent | 2c321f4ab89d2ec171f7b3c463893fa5051479fe | |
| download | chrome-ec-f88989e7518b97c83afc93497f97e33d9d4c12f4.tar.gz | |
tcpci/usb_pd_fuzz: Avoid using uninitialized data in payload
Found with MSAN fuzzer: usb_pd_protocol.c may use payload data
that is not initialized.
Fix the test by copying over the whole payload, which is what
tcpci.c's version does.
Also, in tcpci.c, clear cached_messages head before using
get_message_raw to fill it up, to make sure that we do not
accidentally use older data in the queue.
BRANCH=none
BUG=chromium:963076
TEST=make TEST_MSAN=y host-usb_pd_fuzz -j
MSAN_OPTIONS=log_path=stderr:exitcode=0 \
build/host/usb_pd_fuzz/usb_pd_fuzz.exe \
clusterfuzz-testcase-minimized-ec_usb_pd_fuzzer-5716775969357824
Change-Id: I74c38538440cb5a01d1714657b9e2d63e5b80cea
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1610163
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/usb_pd_fuzz.c | 6
1 files changed, 5 insertions, 1 deletions
diff --git a/fuzz/usb_pd_fuzz.c b/fuzz/usb_pd_fuzz.c index ead94e9fac..01f0568e8a 100644 --- a/fuzz/usb_pd_fuzz.c +++ b/fuzz/usb_pd_fuzz.c @@ -88,7 +88,11 @@ int tcpm_dequeue_message(const int port, uint32_t *const payload, *header = m->header; - memcpy(payload, m->payload, m->cnt - 3); + /* + * This mirrors what tcpci.c:tcpm_dequeue_message does: always copy the + * whole payload to destination. + */ + memcpy(payload, m->payload, sizeof(m->payload)); pending--; return EC_SUCCESS; |
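Review bot: the replacement `memcpy(payload, m->payload, sizeof(m->payload));` in the `tcpm_dequeue_message` hunk only silences the MSAN report if `m->payload` is itself fully initialized at enqueue time; because this diffstat is limited to `fuzz/`, the `cached_messages` clearing that the commit message describes for tcpci.c is not visible here, so confirm that the fuzzer's enqueue path zero-fills or completely writes `m->payload`, otherwise the uninitialized bytes are still copied, just with a fixed length. Two related points for the same hunk: every caller's `payload` buffer must now be at least `sizeof(m->payload)` bytes, since the copy no longer scales with `m->cnt`; and removing `memcpy(payload, m->payload, m->cnt - 3);` also eliminates the case where a count below 3 would have yielded a negative or wrapped-around length, which deserves a mention in the new comment so the reason for the change is recorded alongside the "mirrors tcpci.c" rationale.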