From: OpenOCD-Gerrit <ope...@us...> - 2021-08-14 12:32:40
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Main OpenOCD repository".

The branch, master has been updated
       via  a555434c50544410ab6f8915f1e2a829cc6e6de2 (commit)
       via  3ce70962d144406adb58a34f892dc370df9d5475 (commit)
       via  48282fbce06fbcf490d857ec9da8c4d603f379c2 (commit)
      from  020e46d1868a0b936a4e5b53c4d75706bb524618 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a555434c50544410ab6f8915f1e2a829cc6e6de2
Author: Antonio Borneo <bor...@gm...>
Date:   Mon Aug 9 15:03:37 2021 +0200

    jtag/mpsse: fix SIGSEGV for use after free

    By pressing CTRL-C on a running openocd with FTDI adapter, it's
    possible to generate a segmentation fault that with valgrind is
    dumped as a SIGABRT:

    ^CError: libusb_handle_events() failed with LIBUSB_ERROR_INTERRUPTED
    ==16594== Invalid read of size 8
    ==16594==    at 0x48B2472: libusb_submit_transfer
    ==16594==    by 0x48B4B0F: libusb_control_transfer
    ==16594==    by 0x1A6B9D: mpsse_purge (mpsse.c:428)
    ==16594==    by 0x1A7B96: mpsse_flush (mpsse.c:953)
    ==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
    ...
    ==16594==  Address 0x6158568 is 72 bytes inside a block of size 216 free'd
    ==16594==    at 0x484118B: free (vg_replace_malloc.c:755)
    ==16594==    by 0x1A7B88: mpsse_flush (mpsse.c:950)
    ==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
    ...
    ==16594==  Block was alloc'd at
    ==16594==    at 0x48435FF: calloc (vg_replace_malloc.c:1117)
    ==16594==    by 0x48B2259: libusb_alloc_transfer
    ==16594==    by 0x1A7A26: mpsse_flush (mpsse.c:880)
    ==16594==    by 0x19BA5B: ftdi_execute_queue (ftdi.c:654)
    ...
    ==16594== Process terminating with default action of signal 6 (SIGABRT): dumping core
    ...
Aborted (core dumped) The error is in mpsse_flush() that, following valgrind dump: - allocates the buffer at line mpsse.c:880 read_transfer = libusb_alloc_transfer(0); - frees the buffer at line mpsse.c:950 libusb_free_transfer(read_transfer); - still pretends to use the freed buffer at line mpsse.c:953 mpsse_purge(ctx); Move the call to mpsse_purge() right before freeing the buffer. Change-Id: I47c71ec8c283f4b037fdd7cd72ca2e877cd3a851 Signed-off-by: Antonio Borneo <bor...@gm...> Reviewed-on: http://openocd.zylin.com/6417 Tested-by: jenkins diff --git a/src/jtag/drivers/mpsse.c b/src/jtag/drivers/mpsse.c index 4e64fdbbf..0e3d2be0e 100644 --- a/src/jtag/drivers/mpsse.c +++ b/src/jtag/drivers/mpsse.c @@ -945,12 +945,12 @@ error_check: retval = ERROR_OK; } + if (retval != ERROR_OK) + mpsse_purge(ctx); + libusb_free_transfer(write_transfer); if (read_transfer) libusb_free_transfer(read_transfer); - if (retval != ERROR_OK) - mpsse_purge(ctx); - return retval; } commit 3ce70962d144406adb58a34f892dc370df9d5475 Author: Antonio Borneo <bor...@gm...> Date: Thu Aug 5 00:37:32 2021 +0200 arm_adi_v5: use macro DP_APSEL_MAX in place of magic number Commit 11019a824d02 ("adi_v5: enforce check on AP number value") introduces the macro DP_APSEL_MAX and use it in place of hardcoded magic numbers for the upper limit of AP selection value. Fix one more place where the macro should be used. Change-Id: I6c57f72405c69bbb40924221309d95dfeb5f7540 Signed-off-by: Antonio Borneo <bor...@gm...> Fixes: 11019a824d02 ("adi_v5: enforce check on AP number value") Reviewed-on: http://openocd.zylin.com/6415 Reviewed-by: Tomas Vanek <va...@fb...> Tested-by: jenkins Reviewed-by: Tarek BOCHKATI <tar...@gm...> diff --git a/src/target/arm_adi_v5.c b/src/target/arm_adi_v5.c index 2bb11b25e..0c4b80ca1 100644 --- a/src/target/arm_adi_v5.c +++ b/src/target/arm_adi_v5.c 
@@ -648,7 +648,7 @@ void dap_invalidate_cache(struct adiv5_dap *dap) dap->last_read = NULL; int i; - for (i = 0; i <= 255; i++) { + for (i = 0; i <= DP_APSEL_MAX; i++) { /* force csw and tar write on the next mem-ap access */ dap->ap[i].tar_valid = false; dap->ap[i].csw_value = 0; commit 48282fbce06fbcf490d857ec9da8c4d603f379c2 Author: Antonio Borneo <bor...@gm...> Date: Thu Aug 5 00:22:06 2021 +0200 openocd: fix cleanup order: cti before dap cti access is based on dap. During cleanup, drop cti before dropping dap to guarantee that cti can still access its dap. Change-Id: I40c7f67d4d4a32f53802c0ce7668a5321a05893c Signed-off-by: Antonio Borneo <bor...@gm...> Reviewed-on: http://openocd.zylin.com/6414 Tested-by: jenkins Reviewed-by: Tarek BOCHKATI <tar...@gm...> diff --git a/src/openocd.c b/src/openocd.c index 2c9466624..b4571b464 100644 --- a/src/openocd.c +++ b/src/openocd.c @@ -364,8 +364,8 @@ int openocd_main(int argc, char *argv[]) help_del_all_commands(cmd_ctx); /* free all DAP and CTI objects */ - dap_cleanup_all(); arm_cti_cleanup_all(); + dap_cleanup_all(); adapter_quit(); ----------------------------------------------------------------------- Summary of changes: src/jtag/drivers/mpsse.c | 6 +++--- src/openocd.c | 2 +- src/target/arm_adi_v5.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) hooks/post-receive -- Main OpenOCD repository |
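Review bot: in the src/jtag/drivers/mpsse.c hunk, moving mpsse_purge(ctx) ahead of the two libusb_free_transfer() calls stops this error path from calling into libusb after read_transfer has been freed, but the valgrind trace quoted in the commit message places the invalid read inside libusb_submit_transfer() (reached from mpsse_purge() via libusb_control_transfer()), on the 216-byte block allocated by libusb_alloc_transfer() at mpsse.c:880. In other words libusb itself still held a pointer to that transfer when mpsse_flush() freed it at mpsse.c:950, which fits an error path entered on LIBUSB_ERROR_INTERRUPTED while the read was still submitted. Freeing a transfer libusb may still consider pending is what libusb's documented contract forbids, and the reorder leaves that free in place; it only ensures the next libusb call happens before rather than after it. Worth considering, on the `retval != ERROR_OK` path, cancelling the outstanding transfer(s) with libusb_cancel_transfer() and running libusb_handle_events() until their completion callbacks have fired, before `libusb_free_transfer(read_transfer);`.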
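Review bot: in the src/target/arm_adi_v5.c hunk the loop bound `i <= DP_APSEL_MAX` is inclusive, so the loop writes dap->ap[DP_APSEL_MAX], which is only in bounds if the ap[] array in struct adiv5_dap is declared with DP_APSEL_MAX + 1 elements (the old literal 255 implied a 256-entry array). The hunk does not show that declaration; please confirm it is sized with the same macro rather than its own literal, or bound the loop with an ARRAY_SIZE()-style expression over dap->ap so the limit and the allocation cannot drift apart again, which is the failure mode this change is cleaning up after.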
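Review bot: in the src/openocd.c hunk the comment `/* free all DAP and CTI objects */` still names the objects in the old order and gives no hint that the order is load-bearing. Since the whole point of the change is that arm_cti_cleanup_all() must run before dap_cleanup_all() because a CTI is accessed through its DAP, state that dependency in the comment (e.g. `/* free all CTI objects, then the DAPs they depend on */`) so a later tidy-up does not swap the two calls back and reintroduce the use of a freed DAP.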