Buffer overflow while using CONFIG_NEWLIB_LIBC and not able to use math.h in my application

My application requires mathematical calculation based on double and float. For this I have included <math.h> in the header files.

FYI : I am using NCS 2.2.0

Also included -

CONFIG_NEWLIB_LIBC=y
CONFIG_MAIN_STACK_SIZE=8192
CONFIG_BT_HCI_TX_STACK_SIZE=4096
CONFIG_BT_RX_STACK_SIZE=4096
CONFIG_IDLE_STACK_SIZE=4096
CONFIG_MPU_ALLOW_FLASH_WRITE=n
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=8192
CONFIG_MPSL_WORK_STACK_SIZE=8192
CONFIG_ISR_STACK_SIZE=8192
CONFIG_CBPRINTF_FP_SUPPORT=y
CONFIG_FPU=y
CONFIG_USERSPACE=y
CONFIG_NEWLIB_LIBC_ALIGNED_HEAP_SIZE=8192

But I am getting consistent resets because of the buffer overflow and seeing Faulting instruction address (r15/pc): 0x00025eee, which I can trace back using addr2line to

zephyr/lib/libc/newlib/libc-hooks.c:471, which is the part below:

/* This function gets called if static buffer overflow detection is enabled
 * on stdlib side (Newlib here), in case such an overflow is detected. Newlib
 * provides an implementation not suitable for us, so we override it here.
 */
__weak FUNC_NORETURN void __chk_fail(void)
{
	static const char chk_fail_msg[] = "* buffer overflow detected *\n";
	_write(2, chk_fail_msg, sizeof(chk_fail_msg) - 1);
	k_oops();
	CODE_UNREACHABLE;
}

Please help in resolving this so that my algo can work properly.

double res = 9724/1024 is resulting in 0, but if I change my definition to -
int32_t res = 9724/1024 it is resulting in 9, which is the correct result.

  • Hi,

    Which function in your program is crashing the program?

    What is the error log from your application?

    Regards,
    Sigurd Hellesvik

  • UH FINGERINT not matching [00:00:00.009,002] <inf> sdc_hci_driver: hci_driver_open: SoftDevice Controller build revision:
                                             6d 90 41 2a 38 e8 ad 17  29 a5 03 38 39 27 d7 85 |m.A*8... )..89'..
                                             1f 85 d8 e1                                      |....             
    [00:00:00.011,596] <inf> bt_hci_core: hci_vs_init: HW Platform: Nordic Semiconductor (0x0002)
    [00:00:00.011,627] <inf> bt_hci_core: hci_vs_init: HW Variant: nRF52x (0x0002)
    [00:00:00.011,657] <inf> bt_hci_core: hci_vs_init: Firmware: Standard Bluetooth controller (0x00) Version 109.16784 Build 2917677098
    [00:00:00.012,878] <inf> bt_hci_core: bt_dev_show_info: Identity: C6:1A:B1:61:97:10 (random)
    [00:00:00.012,908] <inf> bt_hci_core: bt_dev_show_info: HCI: version 5.3 (0x0c) revision 0x11fa, manufacturer 0x0059
    [00:00:00.012,939] <inf> bt_hci_core: bt_dev_show_info: LMP: version 5.3 (0x0c) subver 0x11fa
    [00:00:00.013,244] <err> os: esf_dump: r0/a1:  0x00000003  r1/a2:  0x00000000  r2/a3:  0x20002e98
    [00:00:00.013,244] <err> os: esf_dump: r3/a4:  0x2001c47c r12/ip:  0x0000000a r14/lr:  0x00034891
    [00:00:00.013,275] <err> os: esf_dump:  xpsr:  0x61000000
    [00:00:00.013,275] <err> os: esf_dump: s[ 0]:  0x00000000  s[ 1]:  0x00000000  s[ 2]:  0x00000000  s[ 3]:  0x00000000
    [00:00:00.013,305] <err> os: esf_dump: s[ 4]:  0x00000000  s[ 5]:  0x00000000  s[ 6]:  0x00000000  s[ 7]:  0x00000000
    *** Booting Zephyr OS build v3.2.99-ncs1 ***
    [00:00:00.013,336] <err> os: esf_dump: s[ 8]:  0x00000000  s[ 9]:  0x00000000  s[10]:  0x00000000  s[11]:  0x00000000
    [00:00:00.013,336] <err> os: esf_dump: s[12]:  0x00000000  s[13]:  0x00000000  s[14]:  0x00000000  s[15]:  0x00000000
    [00:00:00.013,366] <err> os: esf_dump: fpscr:  0x00000001
    [00:00:00.013,366] <err> os: esf_dump: Faulting instruction address (r15/pc): 0x00024dc6
    [00:00:00.013,427] <err> os: z_fatal_error: >>> ZEPHYR FATAL ERROR 3: Kernel oops on CPU 0
    [00:00:00.013,458] <err> os: z_fatal_error: Current thread: 0x20002e98 (unknown)
    [00:00:00.819,702] <err> fatal_error: k_sys_fatal_error_handler: Resetting system
    *** Booting Zephyr OS build v3.2* buffer overflow detected *

    This is the error log

  • When posting logs, it is a lot more tidy if you use Insert->Code. It also makes the logs easier to read.

    Gaurav said:
    [00:00:00.013,458] <err> os: z_fatal_error: Current thread: 0x20002e98 (unknown)

    Try to set CONFIG_THREAD_NAME, and we should see which thread caused the error instead of "unknown".

    Sigurd Hellesvik said:
    Which function in your program is crashing the program?

    Did you find the answer to my previous question?

  • Hi,

    I'll surely keep that in mind while posting error logs in future.

    UH FINGERINT not matching [00:00:00.009,094] <inf> sdc_hci_driver: hci_driver_open: SoftDevice Controller build revision: 
    00>                                          6d 90 41 2a 38 e8 ad 17  29 a5 03 38 39 27 d7 85 |m.A*8... )..89'..
    00>                                          1f 85 d8 e1                                      |....             
    00> [00:00:00.011,657] <inf> bt_hci_core: hci_vs_init: HW Platform: Nordic Semiconductor (0x0002)
    00> [00:00:00.011,688] <inf> bt_hci_core: hci_vs_init: HW Variant: nRF52x (0x0002)
    00> [00:00:00.011,718] <inf> bt_hci_core: hci_vs_init: Firmware: Standard Bluetooth controller (0x00) Version 109.16784 Build 2917677098
    00> [00:00:00.012,908] <inf> bt_hci_core: bt_dev_show_info: Identity: C6:1A:B1:61:97:10 (random)
    00> [00:00:00.012,939] <inf> bt_hci_core: bt_dev_show_info: HCI: version 5.3 (0x0c) revision 0x11fa, manufacturer 0x0059
    00> [00:00:00.012,969] <inf> bt_hci_core: bt_dev_show_info: LMP: version 5.3 (0x0c) subver 0x11fa
    00> [00:00:00.013,275] <err> os: esf_dump: r0/a1:  0x00000003  r1/a2:  0x00000000  r2/a3:  0x20002f98
    00> [00:00:00.013,275] <err> os: esf_dump: r3/a4:  0x2001c57c r12/ip:  0x0000000a r14/lr:  0x000348cd
    00> [00:00:00.013,305] <err> os: esf_dump:  xpsr:  0x61000000
    00> [00:00:00.013,305] <err> os: esf_dump: s[ 0]:  0x00000000  s[ 1]:  0x00000000  s[ 2]:  0x00000000  s[ 3]:  0x00000000
    00> [00:00:00.013,336] <err> os: esf_dump: s[ 4]:  0x00000000  s[ 5]:  0x00000000  s[ 6]:  0x00000000  s[ 7]:  0x00000000
    00> *** Booting Zephyr OS build v3.2.99-ncs1 ***
    00> [00:00:00.013,366] <err> os: esf_dump: s[ 8]:  0x00000000  s[ 9]:  0x00000000  s[10]:  0x00000000  s[11]:  0x00000000
    00> [00:00:00.013,397] <err> os: esf_dump: s[12]:  0x00000000  s[13]:  0x00000000  s[14]:  0x00000000  s[15]:  0x00000000
    00> [00:00:00.013,397] <err> os: esf_dump: fpscr:  0x00000001
    00> [00:00:00.013,427] <err> os: esf_dump: Faulting instruction address (r15/pc): 0x00024dba
    00> [00:00:00.013,458] <err> os: z_fatal_error: >>> ZEPHYR FATAL ERROR 3: Kernel oops on CPU 0
    00> [00:00:00.013,488] <err> os: z_fatal_error: Current thread: 0x20002f98 (main)
    00> [00:00:00.818,511] <err> fatal_error: k_sys_fatal_error_handler: Resetting system
    00> *** Booting Zephyr OS build v3.2* buffer overflow detected *
    00> .99-ncs1 *flash written ---reading "" to flash.--- 8 messages dropped ---

    While going through the main function line by line, I found that the line with -

    sprintf(my_name, "UH_%02X%02X%02X%02X%02X%02X", mac_address.a.val[5], mac_address.a.val[4], mac_address.a.val[3], mac_address.a.val[2], mac_address.a.val[1], mac_address.a.val[0]);

    was the main culprit here in crashing.
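    As an added illustration (not code from the thread or from Zephyr), the same name format written with a bounded snprintf and a buffer size derived from the format: "UH_" plus 6 bytes as 12 hex digits plus the NUL, 16 bytes in total. The bt_addr_sample_t struct is a constructed stand-in for the stack's address type, and the sample value is the identity address printed in the log above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the stack's address struct: 6 bytes, val[5] is
 * the most significant byte, so it is printed first as in the thread's line. */
typedef struct { uint8_t val[6]; } bt_addr_sample_t;

/* Identity address from the log above, C6:1A:B1:61:97:10, stored LSB first. */
static const bt_addr_sample_t SAMPLE_ADDR = { { 0x10, 0x97, 0x61, 0xB1, 0x1A, 0xC6 } };

#define NAME_FMT "UH_%02X%02X%02X%02X%02X%02X"
/* "UH_" + 6 bytes * 2 hex digits + NUL: the smallest buffer that cannot overflow. */
#define NAME_BUF_SIZE (3 + 2 * 6 + 1)

/* Bounded replacement for the thread's sprintf: never writes past buf_size.
 * Returns the length the full name needs (excluding NUL); a value >= buf_size
 * means the output was truncated, which with plain sprintf would instead have
 * been an overrun for newlib's static buffer check to report via __chk_fail. */
int format_name(char *buf, size_t buf_size, const bt_addr_sample_t *addr)
{
    return snprintf(buf, buf_size, NAME_FMT,
                    addr->val[5], addr->val[4], addr->val[3],
                    addr->val[2], addr->val[1], addr->val[0]);
}

/* Bytes a caller must reserve for the name, including NUL (computed, not guessed). */
size_t name_buf_needed(const bt_addr_sample_t *addr)
{
    return (size_t)format_name(NULL, 0, addr) + 1;
}

/* Formats the sample address into a correctly sized static buffer. */
const char *sample_name(void)
{
    static char name[NAME_BUF_SIZE];
    format_name(name, sizeof(name), &SAMPLE_ADDR);
    return name;
}

int main(void)
{
    char small[8]; /* undersized on purpose: the shape of the crashing case */
    int need = format_name(small, sizeof(small), &SAMPLE_ADDR);
    printf("buffer of %zu, name needs %d + NUL -> %s\n", sizeof(small), need,
           (size_t)need + 1 <= sizeof(small) ? "fits" : "truncated");
    printf("%s\n", sample_name()); /* UH_C61AB1619710 */
    return 0;
}
```

    Comparing the return value of snprintf against the buffer size turns the silent overrun into a checkable truncation, and name_buf_needed gives the size to declare my_name with.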

  • I have taken care of the issue here and we can close this ticket.
