From f88989e7518b97c83afc93497f97e33d9d4c12f4 Mon Sep 17 00:00:00 2001 From: Nicolas Boichat Date: Wed, 15 May 2019 13:07:35 +0800 Subject: tcpci/usb_pd_fuzz: Avoid using uninitialized data in payload Found with MSAN fuzzer: usb_pd_protocol.c may use payload data that is not initialized. Fix the test by copying over the whole payload, which is what tcpci.c's version does. Also, in tcpci.c, clear cached_messages head before using get_message_raw to fill it up, to make sure that we do not accidentally use older data in the queue. BRANCH=none BUG=chromium:963076 TEST=make TEST_MSAN=y host-usb_pd_fuzz -j MSAN_OPTIONS=log_path=stderr:exitcode=0 \ build/host/usb_pd_fuzz/usb_pd_fuzz.exe \ clusterfuzz-testcase-minimized-ec_usb_pd_fuzzer-5716775969357824 Change-Id: I74c38538440cb5a01d1714657b9e2d63e5b80cea Signed-off-by: Nicolas Boichat Reviewed-on: https://chromium-review.googlesource.com/1610163 Reviewed-by: Daisuke Nojiri Reviewed-by: Aaron Durbin --- fuzz/usb_pd_fuzz.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'fuzz/usb_pd_fuzz.c') diff --git a/fuzz/usb_pd_fuzz.c b/fuzz/usb_pd_fuzz.c index ead94e9fac..01f0568e8a 100644 --- a/fuzz/usb_pd_fuzz.c +++ b/fuzz/usb_pd_fuzz.c @@ -88,7 +88,11 @@ int tcpm_dequeue_message(const int port, uint32_t *const payload, *header = m->header; - memcpy(payload, m->payload, m->cnt - 3); + /* + * This mirrors what tcpci.c:tcpm_dequeue_message does: always copy the + * whole payload to destination. + */ + memcpy(payload, m->payload, sizeof(m->payload)); pending--; return EC_SUCCESS; -- cgit v1.2.1
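Review bot: the new `memcpy(payload, m->payload, sizeof(m->payload));` in the tcpm_dequeue_message hunk copies the full size of the queued message's payload array into the caller's `uint32_t *const payload`, but nothing in this hunk ties the destination's size to sizeof(m->payload); please add a static assertion or at least a comment next to the copy stating that every caller's payload buffer is at least that large, since a shorter caller buffer would turn an uninitialized-read fix into an overflow. The old length expression `m->cnt - 3` also deserves a sentence in the hunk's comment: for a message with cnt below 3 it would have wrapped or gone negative, so the switch to sizeof() removes that hazard as well, and that is worth recording for the next reader. Finally, this only eliminates the MSAN report if the fuzzer fully initializes m->payload when it enqueues a message; that enqueue path is not in this view (the page is limited to fuzz/usb_pd_fuzz.c), so please confirm it in the same change or note where it is guaranteed.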