QNX: Fix in trace buffer dump during recovery
authorBuddy Liong <buddy.budiono@ti.com>
Tue, 19 May 2015 14:11:23 +0000 (09:11 -0500)
committerAngela Stegmaier <angelabaker@ti.com>
Thu, 17 Sep 2015 19:15:43 +0000 (14:15 -0500)
During the recovery, in deinit_ipc(), the IPC resource manager will
try to dump the remote core trace information to a file. There is a
possibility that the trace buffer may have become corrupted as a result
of the crash on the remote core and that the write index, which resides
in the trace buffer, has become corrupted as well. In this situation,
there is a potential that the trace dump code will read beyond the mapped
buffer for the TRACE BUF memory, causing the system to crash and be
unable to recover. At this point a system restart is required to
recover the system.

There should be a check to make sure that the trace dump code is not
indexing beyond the end of the trace buffer.

Signed-off-by: Buddy Liong <buddy.budiono@ti.com>
Signed-off-by: Angela Stegmaier <angelabaker@ti.com>
qnx/src/ipc3x_dev/ti/syslink/build/Qnx/resmgr/syslink_main.c

index 388bea3378cbceaf610b9136761ca9120442d3fe..11a8bd07a3bf325ea1c158a721157d44c4a34cdf 100644 (file)
@@ -1504,7 +1504,7 @@ int deinit_ipc(ipc_dev_t * dev, ipc_firmware_info * firmware,
                                 fprintf(log, "%c",
                                     *(char *)((uint32_t)proc_traces[id].va + i));
                             }
                                 fprintf(log, "%c",
                                     *(char *)((uint32_t)proc_traces[id].va + i));
                             }
-                            for (i = 0; i < *proc_traces[id].widx; i++) {
+                            for (i = 0; (i < *proc_traces[id].widx) && (i < proc_traces[id].len - 8); i++) {
                                 fprintf(log, "%c",
                                     *(char *)((uint32_t)proc_traces[id].va + i));
                             }
                                 fprintf(log, "%c",
                                     *(char *)((uint32_t)proc_traces[id].va + i));
                             }