Make mctp-req generic #6
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jk-ozlabs
requested changes
Oct 31, 2022
There was a problem hiding this comment.
Looks good: a couple of fixups mentioned in the code though.
I think we should simplify the user interface for this a little - I'd suggest making the data argument mandatory (sending sequential bytes was handy while bringing up the kernel interface, but now that's done, it's no longer very useful). That means we could drop the len argument too (since we can calculate that from the data argument). I'm also fine with making the type argument mandatory too - assuming PLDM is a bit strange (again, this was from the kernel bringup, where we just needed an arbitrary type value).
Then, we would no longer need the conditional code in the mctp_req() function that re-uses the rxbuf, and just always use separate buffers for tx & rx.
leiyu-bytedance
force-pushed
the
dev-mctp-req-generic
branch
from
88d0816 to
985df80
Compare
|
Added a new commit to install the systemd units. |
That would be better as a separate PR. |
|
@leiyu-bytedance just wanted to check-in on this - anything pending from your side? |
|
Oh, we totally missed this. |
The usage description is missing the `data` argument, add it and an example of how it is used. Signed-off-by: Lei YU <[email protected]>
The mctp-req was acting like a echo client that sends and receive the
same data.
Change the code to make it a generic sender and receiver, so that user
could use it to send all types of data and prints the received data.
* Add a `type` argument to specify the mctp type, default to 1 (PLDM).
* Remove the code that expects the same len and data for sent and
received data.
* Add print of the received data.
Tested: Get UUID of an endpoint:
$ mctp-req eid 9 type 0 data 80:03
req: sending to (net 1, eid 9), type 0, len 2
req: message from (net 1, eid 9) type 0 len 19
data:
0x00 0x03 0x00 0x7e 0x92 0x05 0xfc 0x01 0xc2 0xeb 0x11 0x80 0x00 0xb8
0xce 0xf6 0xae 0xcd 0x16
Signed-off-by: Lei YU <[email protected]>
leiyu-bytedance
force-pushed
the
dev-mctp-req-generic
branch
from
b2ccdf2 to
93f45c9
Compare
|
|
@leiyu-bytedance The new branch lost some requested change above, you may want to review them again. |
amboar
added a commit
to amboar/mctp
that referenced
this pull request
Apr 15, 2025
Avoids a heap UAF caught by ASAN:
==179005==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f000000c38 at pc 0x55dfaa7fa308 bp 0x7ffe10264420 sp 0x7ffe10264418
READ of size 8 at 0x61f000000c38 thread T0
#0 0x55dfaa7fa307 in peer_endpoint_recover ../src/mctpd.c:2570
CodeConstruct#1 0x7f9a43dadae3 (/lib/x86_64-linux-gnu/libsystemd.so.0+0x78ae3)
CodeConstruct#2 0x7f9a43dade04 in sd_event_dispatch (/lib/x86_64-linux-gnu/libsystemd.so.0+0x78e04)
CodeConstruct#3 0x7f9a43daf2e7 in sd_event_run (/lib/x86_64-linux-gnu/libsystemd.so.0+0x7a2e7)
CodeConstruct#4 0x7f9a43daf506 in sd_event_loop (/lib/x86_64-linux-gnu/libsystemd.so.0+0x7a506)
CodeConstruct#5 0x55dfaa80a609 in main ../src/mctpd.c:4547
CodeConstruct#6 0x7f9a42c46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
CodeConstruct#7 0x7f9a42c46304 in __libc_start_main_impl ../csu/libc-start.c:360
CodeConstruct#8 0x55dfaa7e38d0 in _start (mctp/build/test-mctpd+0x688d0)
0x61f000000c38 is located 3000 bytes inside of 3040-byte region [0x61f000000080,0x61f000000c60)
freed by thread T0 here:
#0 0x7f9a436b78d5 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
CodeConstruct#1 0x55dfaa7ef028 in add_peer ../src/mctpd.c:1419
CodeConstruct#2 0x55dfaa7f1587 in endpoint_assign_eid ../src/mctpd.c:1601
CodeConstruct#3 0x55dfaa7f55a0 in method_setup_endpoint ../src/mctpd.c:2038
CodeConstruct#4 0x7f9a43d650ad (/lib/x86_64-linux-gnu/libsystemd.so.0+0x300ad)
previously allocated by thread T0 here:
#0 0x7f9a436b78d5 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
CodeConstruct#1 0x55dfaa7ef028 in add_peer ../src/mctpd.c:1419
CodeConstruct#2 0x55dfaa805741 in add_local_eid ../src/mctpd.c:4052
CodeConstruct#3 0x55dfaa80627f in add_interface_local ../src/mctpd.c:4114
CodeConstruct#4 0x55dfaa806ffa in setup_nets ../src/mctpd.c:4200
CodeConstruct#5 0x55dfaa80a380 in main ../src/mctpd.c:4525
CodeConstruct#6 0x7f9a42c46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free ../src/mctpd.c:2570 in peer_endpoint_recover
Shadow bytes around the buggy address:
0x0c3e7fff8130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff8150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3e7fff8170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3e7fff8180: fd fd fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa
0x0c3e7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3e7fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==179005==ABORTING
Signed-off-by: Andrew Jeffery <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.