Chris Solomon

Bug Report: In MQX 4.1 change of size of bool can cause stack corruption

Discussion created by Chris Solomon on Sep 24, 2014
Latest reply on Oct 3, 2014 by Radek Sestak

Hi,

I have been tracking down an issue causing unpredictable crashes - bus faults, mem manage faults, hard faults & usage faults.

After 3 days debugging with profiling tools and debuggers we have finally tracked the problem down:

In MQX 4.0.x a boolean type was an alias of an unsigned long (32 bits).

In MQX 4.1.x a bool is a C99 standard type, and is guaranteed to be 8 bits on all platforms.

 

The specific issue that I have found is that in _io_fstatus a bool (result) is created on the stack, and then a pointer to this bool is passed into the IOCTL for the device in question.

In _io_cdc_serial_ioctl the pointer is cast to an _mqx_int * (32 bit) and then the address is set to true or false, which wipes 3 bytes of stack above the bool.

 

The fix is simple in this case (changes to io_fstat.c):

@@ -50,7 +50,7 @@
    )
{ /* Body */
    IO_DEVICE_STRUCT_PTR   dev_ptr;
-   bool                result;
+   uint32_t               result;

#if MQX_CHECK_ERRORS
    if (file_ptr == NULL) {
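
Review bot: `result` at the changed declaration has no initializer in the visible lines, so if a driver's IO_IOCTL handler does not handle IO_IOCTL_CHAR_AVAIL, or stores fewer than four bytes, the later return reads indeterminate data. Initialize it (`uint32_t result = 0;`), and since the report says the handler casts the parameter to `_mqx_int *`, consider declaring it as `_mqx_int` so caller and handler agree on the type itself and not only on its width.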
@@ -64,7 +64,7 @@
       dev_ptr = file_ptr->DEV_PTR;
       if (dev_ptr->IO_IOCTL != NULL) {  
          (*dev_ptr->IO_IOCTL)(file_ptr, IO_IOCTL_CHAR_AVAIL, &result);
-         return(result);
+         return (bool)(result);
       } /* Endif */
    } /* Endif */
    return (FALSE);
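
Review bot: the return value of `(*dev_ptr->IO_IOCTL)(file_ptr, IO_IOCTL_CHAR_AVAIL, &result)` is discarded at the call, so a handler that failed without writing `result` cannot be told apart from one that reported a character available; check the status and return FALSE on error. For the narrowing, `return (result != 0);` is safer than `return (bool)(result);`, because the cast only normalizes to 0 or 1 when `bool` is the C99 `_Bool`; with an 8-bit integer typedef a value such as 0x100 would truncate to false.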

 

 

I haven't completed my review of all the other places where bools are used, but this could be a problem in other places as well.

 

Chris
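
A small model of the size mismatch described in the post, added here as an illustration and not MQX code: `ioctl_char_avail`, the `frame_*` structs and the canary bytes are constructed stand-ins, and `memcpy` stands in for the driver's 32-bit store so the overwrite stays inside a known object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CANARY 0xAA
/* Constructed stand-ins for the caller's frame: the result variable followed
 * by the bytes that happen to sit next to it. */
struct frame_bool { bool    result; uint8_t next[3]; };
struct frame_word { int32_t result; uint8_t next[3]; };
_Static_assert(sizeof(struct frame_bool) >= sizeof(int32_t), "model too small");

/* Hypothetical handler: assumes param points at a 32-bit integer. */
static void ioctl_char_avail(void *param, int32_t avail)
{
    memcpy(param, &avail, sizeof avail);   /* always a 4-byte store */
}

static int count_clobbered(const uint8_t *p, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += (p[i] != CANARY);
    return hits;
}

/* 8-bit result: the 4-byte store spills into the neighbouring bytes. */
int clobbered_with_bool(void)
{
    struct frame_bool f;
    memset(&f, CANARY, sizeof f);
    ioctl_char_avail(&f, 1);   /* result is the first member, offset 0 */
    return count_clobbered(f.next, sizeof f.next);
}

/* 32-bit result: the store fits; the value is narrowed only on return. */
int clobbered_with_word(bool *status)
{
    struct frame_word f;
    memset(&f, CANARY, sizeof f);
    ioctl_char_avail(&f.result, 1);
    *status = (f.result != 0);
    return count_clobbered(f.next, sizeof f.next);
}

int main(void)
{
    bool avail = false;
    printf("overwritten: bool=%d word=%d\n", clobbered_with_bool(), clobbered_with_word(&avail));
    return 0;
}
```

On a real stack the three overwritten bytes belong to whatever the compiler placed next to the variable, which is why the faults in the report looked unpredictable.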
