Short Description
In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the Xtensa port was missing an array size check causing a memory overwrite. The affected file was ports/xtensa/xcc/src/tx_clib_lock.c
Impact
There's no error handling in case lcnt >= XT_NUM_CLIB_LOCKS. The program will continue and the tx_mutex_create() will eventually corrupt memory by writing outside the bounds of the static xclib_locks array. See the marked line below:
#ifdef TX_THREAD_SAFE_CLIB /* this file is only needed if using C lib */
...
#if XSHAL_CLIB == XTHAL_CLIB_XCLIB
...
static TX_MUTEX xclib_locks[XT_NUM_CLIB_LOCKS];
static uint32_t lcnt;
...
/**************************************************************************/
/* _Mtxinit - initialize a lock. Called once for each lock. */
/**************************************************************************/
void
_Mtxinit (_Rmtx * mtx)
{
TX_MUTEX * lock;
if (lcnt >= XT_NUM_CLIB_LOCKS) { // VULN: empty if() body
/* Fatal error */
}
lock = &(xclib_locks[lcnt]);
lcnt++;
/* See notes for newlib case below. */
#ifdef THREADX_TESTSUITE
tx_mutex_create (lock, "Clib lock", 0);
#else
tx_mutex_create (lock, "Clib lock", TX_INHERIT);
#endif
*mtx = lock;
}Patches
Patch available 39f3c86
Workarounds
Assure that the mutex count never reaches the limit.
References
In Progress
0xdea Reporter
Short Description
In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the Xtensa port was missing an array size check causing a memory overwrite. The affected file was ports/xtensa/xcc/src/tx_clib_lock.c
Impact
There's no error handling in case
lcnt>=XT_NUM_CLIB_LOCKS. The program will continue and thetx_mutex_create()will eventually corrupt memory by writing outside the bounds of the staticxclib_locksarray. See the marked line below:Patches
Patch available 39f3c86
Workarounds
Assure that the mutex count never reaches the limit.
References
In Progress