Skip to content

fix(freertos): Limit idle task name length copy operation and ensure null-termination of the idle task name string #1203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
aggarg merged 6 commits into from
Dec 20, 2024
Merged

fix(freertos): Limit idle task name length copy operation and ensure null-termination of the idle task name string #1203

aggarg merged 6 commits into from
Dec 20, 2024

Conversation

@sudeep-mohanty
Copy link
Contributor

@sudeep-mohanty sudeep-mohanty commented Dec 6, 2024
edited
Loading

This PR:
- Limits the idle task name length copy operation to prevent Out-of-bounds memory access warnings from static code analyzers.
- Fixes a bug where in the idle task name could be non null-terminated string for SMP configuration.

Description

  • In the function prvCreateIdleTasks(), we have the operation -
       for( xIdleTaskNameIndex = ( BaseType_t ) 0; xIdleTaskNameIndex < ( BaseType_t ) configMAX_TASK_NAME_LEN; xIdleTaskNameIndex++ )
       {
          cIdleName[ xIdleTaskNameIndex ] = configIDLE_TASK_NAME[ xIdleTaskNameIndex ];
  
          /* Don't copy all configMAX_TASK_NAME_LEN if the string is shorter than
           * configMAX_TASK_NAME_LEN characters just in case the memory after the
           * string is not accessible (extremely unlikely). */
          if( cIdleName[ xIdleTaskNameIndex ] == ( char ) 0x00 )
          {
             break;
          }
          else
          {
             mtCOVERAGE_TEST_MARKER();
          }     
       }
  • Static code analyzers could flag this copy operation as an Out-of-bounds memory access because they see configIDLE_TASK_NAME as an array of 5 bytes (I, D, L, E, \0) but the loop running for configMAX_TASK_NAME_LEN iterations which could be more than 5.
  • They also do not assume that a \0 character is present in the configIDLE_TASK_NAME array and hence can not predict that the loop will break before an Out-of-bounds memory access is made.
  • Therefore, this PR limits the copy operation to the minimum of either configIDLE_TASK_NAME or configMAX_TASK_NAME_LEN. This ensures that the copy operation runs for exactly the required number of iterations to copy the idle task name, 5 by default.
  • The PR also fixes a bug with null-termination of the IDLE task name if strlen(configIDLE_TASK_NAME) = configMAX_TASK_NAME_LEN - 1 when SMP configuration is enabled. The current code would append the core ID to the task name and in the process overwrites the null terminator. It then exists the loop as there is no more space to add a null terminator.

Test Steps

  • Run a static code analysis of tasks.c on a tool like Coverity.

Checklist:

  • I have tested my changes. No regression in existing tests.

Related Issue

None

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@sudeep-mohanty sudeep-mohanty requested a review from a team as a code owner December 6, 2024 05:27
@sudeep-mohanty sudeep-mohanty force-pushed the fix/idle_task_name_len branch 3 times, most recently from fdaaa9e to 7eedbf7 Compare December 6, 2024 06:29
jasonpcarroll
jasonpcarroll reviewed Dec 6, 2024
View reviewed changes
Copy link
Contributor

@jasonpcarroll jasonpcarroll left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doing this means you no longer need the logic within the for loop that limits how many characters are copied into the buffer. you might as well remove that logic as well. Also, since you are already using strlen why not just replace all of this code with strncpy? https://cplusplus.com/reference/cstring/strncpy/ with n set to to the max length?

@sudeep-mohanty
Copy link
Contributor Author

sudeep-mohanty commented Dec 9, 2024

@jasonpcarroll I've removed the break-ing logic inside the loop and updated it to use standard string operations.

On a second note, just discovered that there is a potential problem in handling the null-termination of the IDLE task name in case of SMP configuration. The current logic would not null-terminate the idle task array if strlen(configIDLE_TASK_NAME) = configMAX_TASK_NAME_LEN - 1. The logic would append the xCoreID, in the process overwriting the null character and then not adding a null-character any more.

I've updated the logic to use strncat instead.

@sudeep-mohanty
Copy link
Contributor Author

sudeep-mohanty commented Dec 9, 2024

Quality Gate Failed Quality Gate failed

Failed conditions 1 Security Hotspot

See analysis details on SonarQube Cloud

@jasonpcarroll Looks like I would need an additional review on SonarQube for using strncpy. Thanks.

@sudeep-mohanty sudeep-mohanty force-pushed the fix/idle_task_name_len branch 3 times, most recently from 910d17a to b17ebab Compare December 9, 2024 06:33
@sudeep-mohanty
Copy link
Contributor Author

sudeep-mohanty commented Dec 16, 2024

@jasonpcarroll Could you let me know if this PR is reviewable as is or do I need to make some changes for the checks to pass. Thanks.

@aggarg
Copy link
Member

aggarg commented Dec 17, 2024

We try to avoid snprintf class of functions because it might bloat the code size and use a lot of stack. Only stats formatting functions use snprintf which is more of a debugging aid. I'd like to avoid snprintf or string manipulation functions for IDLE task name which is also a debugging aid. What do you think about the following patch - suggestion.patch?

@sudeep-mohanty
Copy link
Contributor Author

sudeep-mohanty commented Dec 18, 2024

Thanks for the inputs @aggarg! I've incorporated your suggestions but since it did not address the out-of-bound mem copy operation warnings flagged by static code analyzers, I have added a fix for it as well. PTAL. Thanks.

@sudeep-mohanty sudeep-mohanty changed the title fix(freertos): Limit idle task name length copy operation fix(freertos): Limit idle task name length copy operation and ensure null-termination of the idle task name string Dec 18, 2024
@sudeep-mohanty
fix(freertos): Limit idle task name copy operation and ensure null te…
47d9407 
…rmination

This commit:
- Limits the idle task name length copy operation to prevent
  Out-of-bounds memory access warnings from static code analyzers.
- Fixes a bug where in the idle task name could be non null-terminated
  string for SMP configuration.

Signed-off-by: Sudeep Mohanty <[email protected]>
@sudeep-mohanty sudeep-mohanty mentioned this pull request Dec 19, 2024
Merged
1 task
@sudeep-mohanty
Copy link
Contributor Author

sudeep-mohanty commented Dec 19, 2024

Updated corresponding unit test in FreeRTOS PR #1314.

aggarg added a commit to aggarg/FreeRTOS that referenced this pull request Dec 19, 2024
@aggarg
Fix coverage tests for Kernel PR 1203
30d2a9c 
PR Link - FreeRTOS/FreeRTOS-Kernel#1203.

Signed-off-by: Gaurav Aggarwal <[email protected]>
@aggarg aggarg mentioned this pull request Dec 19, 2024
Merged
2 tasks
@aggarg
Use strlen instead of sizeof.
8dc4c83 
This allows using pointer to string for configIDLE_TASK_NAME. Coverage
tests do that.

Signed-off-by: Gaurav Aggarwal <[email protected]>
aggarg added a commit to FreeRTOS/FreeRTOS that referenced this pull request Dec 20, 2024
@aggarg
Fix coverage tests for Kernel PR 1203 (#1315)
93ba585 
Fix coverage tests for Kernel PR 1203

PR Link - FreeRTOS/FreeRTOS-Kernel#1203.

Signed-off-by: Gaurav Aggarwal <[email protected]>
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 20, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@aggarg aggarg merged commit f31787d into FreeRTOS:main Dec 20, 2024
17 checks passed
@sudeep-mohanty
Copy link
Contributor Author

sudeep-mohanty commented Dec 21, 2024

Thank you for helping merge the PR, @aggarg!

kstribrnAmzn added a commit to kstribrnAmzn/FreeRTOS-Kernel that referenced this pull request Jan 21, 2025
@kstribrnAmzn
fix: SA violation fixes and simplification for idle task length restr…
759e0bf 
…ictions

This change:
* Removes the dependency on strings.h for the prvCreateIdleTask function
* Resolves several static analysis violations reported by tools like Parasoft

Builds off of - FreeRTOS#1203
@kstribrnAmzn kstribrnAmzn mentioned this pull request Jan 21, 2025
Merged
2 tasks
aggarg pushed a commit that referenced this pull request Jan 28, 2025
@kstribrnAmzn
fix: SA violation fixes and simplification for idle task length restr…
f94bc89 
…ictions (#1227)

fix: SA violation fixes and simplification for idle task length restrictions

This change:
* Removes the dependency on strings.h for the prvCreateIdleTask function
* Resolves several static analysis violations reported by tools like Parasoft

Builds off of - #1203
moninom1 pushed a commit to moninom1/FreeRTOS-Kernel that referenced this pull request Sep 30, 2025
@watsk @kar-rahul-aws @aggarg
[WIN32-MingW Demo] Modify project setting files to resolve compiler e…
2b499ab 
…rrors on Eclipse (FreeRTOS#1203)

* Exclude unnecessary directories from build.
1. "FreeRTOS/Source/example"
2. "FreeRTOS+Trace Recorder/extras"
3. "FreeRTOS+Trace Recorder/kernelports/BareMetal"
4. "FreeRTOS+Trace Recorder/kernelports/ESP-IDF_FreeRTOS"
5. "FreeRTOS+Trace Recorder/kernelports/ThreadX"
6. "FreeRTOS+Trace Recorder/kernelports/Zephyr"

1 is applied to both of "Debug" configuration and "Debug_CodeCoverage" configuration.
Others are applied to only "Debug" configuration because those directories are already excluded from build on "Debug_Coverage" configuration.

* Include path setting is modified.
1.Directory name is modified.("Include" -> "include")
2.New path is added.(FreeRTOS+Trace Recorder/kernelports/FreeRTOS/include)
These modifications are needed to build "Debug" configuration. They are not needed for "Debug_CodeCoverage" configuration because these paths are not used. But these modifications are applied to both of "Debug" configuration and "Debug_CodeCoverage" configuration because of future potential risk.

* [WIN32-MingW Demo] Replace "Exclude from Build" by "Resource Filter".

"Resource Filter" is better than "Exclude from Build" because "Resource Filter" makes excluded directories invisible on Eclipse GUI. But some directories are still "Exclude from Build" because they should be excluded only on "Debug_CodeCoverage" configuration. "Resource Filter" cannot be specified to each configuration separately.

* Code review suggestions

Signed-off-by: Gaurav Aggarwal <[email protected]>

---------

Signed-off-by: Gaurav Aggarwal <[email protected]>
Co-authored-by: Rahul Kar <[email protected]>
Co-authored-by: Gaurav Aggarwal <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aggarg aggarg aggarg approved these changes

+2 more reviewers

@jasonpcarroll jasonpcarroll jasonpcarroll left review comments

@kar-rahul-aws kar-rahul-aws kar-rahul-aws approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sudeep-mohanty @aggarg @jasonpcarroll @kar-rahul-aws