kernel: fix buffer overflow from incorrect K_MSGQ_DEFINE definition
Without these parentheses, specifying a q_max_msgs of e.g.
`MY_DEFAULT_QUEUESIZE+1` would result in a buffer of size
(1 element + MY_DEFAULT_QUEUESIZE bytes).
This then led to an unbounded buffer overflow: because `buffer_end` was offset by MY_DEFAULT_QUEUESIZE bytes, `write_ptr` never matched it exactly, so the wrap-around never triggered and the queue kept writing past the buffer.
Additionally, add asserts to make sure this can't happen again.
Signed-off-by: Armin Brauns <armin.brauns@embedded-solutions.at>
diff --git a/kernel/msg_q.c b/kernel/msg_q.c
index 6b68f7a..1179612 100644
--- a/kernel/msg_q.c
+++ b/kernel/msg_q.c
@@ -141,6 +141,8 @@
return 0;
} else {
/* put message in queue */
+ __ASSERT_NO_MSG(msgq->write_ptr >= msgq->buffer_start &&
+ msgq->write_ptr < msgq->buffer_end);
(void)memcpy(msgq->write_ptr, data, msgq->msg_size);
msgq->write_ptr += msgq->msg_size;
if (msgq->write_ptr == msgq->buffer_end) {
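Review bot: The added assert at the top of this hunk checks only that write_ptr lies inside the buffer, not that the whole message fits, so a buffer whose size is not a multiple of msg_size (the exact shape of the K_MSGQ_DEFINE bug described in the commit message) would still pass the assert with write_ptr < buffer_end and then overrun on the memcpy that follows. Asserting the end of the write instead closes that gap: `__ASSERT_NO_MSG(msgq->write_ptr >= msgq->buffer_start && msgq->write_ptr + msgq->msg_size <= msgq->buffer_end);`. The same check is added in the second hunk (the pending-thread path) and should be strengthened the same way. Note that __ASSERT_NO_MSG is compiled out unless assertions are enabled in the build, so this guards development builds only and is not a substitute for the macro fix itself; the enclosing function begins outside this hunk.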
@@ -230,6 +232,8 @@
SYS_PORT_TRACING_OBJ_FUNC_BLOCKING(k_msgq, get, msgq, timeout);
/* add thread's message to queue */
+ __ASSERT_NO_MSG(msgq->write_ptr >= msgq->buffer_start &&
+ msgq->write_ptr < msgq->buffer_end);
(void)memcpy(msgq->write_ptr, pending_thread->base.swap_data,
msgq->msg_size);
msgq->write_ptr += msgq->msg_size;