From a1e0d1f360b7d4a3f4da12958574bb6f0d6dde61 Mon Sep 17 00:00:00 2001
From: Laura Abbott <lauraa@codeaurora.org>
Date: Wed, 26 Feb 2014 11:16:30 -0800
Subject: [PATCH] linux-ramdump-parser-v2: Fix bugs found by 'fuzzing'
A recent build has generated multiple badly corrupted dumps. Fix all the errors found by the unintentional fuzzing.
Change-Id: I0854bee4558d31037f51ed2ea941eb58997607c8
---
 linux-ramdump-parser-v2/parsers/debug_image.py | 6 ++++++
 linux-ramdump-parser-v2/parsers/irqstate.py | 12 +++++++++++-
 linux-ramdump-parser-v2/parsers/pagetracking.py | 4 ++--
 linux-ramdump-parser-v2/parsers/rtb.py | 4 +++-
 linux-ramdump-parser-v2/ramdump.py | 5 ++++-
 5 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/linux-ramdump-parser-v2/parsers/debug_image.py b/linux-ramdump-parser-v2/parsers/debug_image.py
index 6e3df41..3354c7f 100644
--- a/linux-ramdump-parser-v2/parsers/debug_image.py
+++ b/linux-ramdump-parser-v2/parsers/debug_image.py
@@ -156,7 +156,13 @@ class DebugImage(RamParser):
 mem_dump_data + dump_table_ptr_offset)
 version = self.ramdump.read_word(dump_table + version_offset)
+ if version is None:
+ print_out_str('Version is bogus! Can\'t parse debug image')
+ return
 num_entries = self.ramdump.read_word(dump_table + num_entries_offset)
+ if num_entries is None or num_entries > 100:
+ print_out_str('num_entries is bogus! Can\'t parse debug image')
+ return
 print_out_str('\nDebug image version: {0}.{1} Number of entries {2}'.format(
 version >> 20, version & 0xFFFFF, num_entries))
diff --git a/linux-ramdump-parser-v2/parsers/irqstate.py b/linux-ramdump-parser-v2/parsers/irqstate.py
index e5a4bc4..9f48090 100644
--- a/linux-ramdump-parser-v2/parsers/irqstate.py
+++ b/linux-ramdump-parser-v2/parsers/irqstate.py
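Review bot: `dump_table` is still used unchecked in `dump_table + version_offset` (debug_image.py, hunk @@ -156), although both of the newly guarded reads are offset from it. Only the tail of the call that appears to assign it is visible as the first context line, so this is inferred: if that read can also fail on a corrupted dump, the addition raises `TypeError` before either new guard runs, and an `if dump_table is None:` check with the same message and `return` would close the gap. The bound `100` would also read better as a named constant with a comment saying where the limit comes from.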
@@ -1,4 +1,4 @@
-# Copyright (c) 2012-2013, The Linux Foundation. All rights reserved.
+# Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 and
@@ -92,6 +92,9 @@ class IrqParse(RamParser):
 node_addr = ram_dump.read_word(root_addr + rnode_offset) & 0xfffffffe
 height = ram_dump.read_word(node_addr + rnode_height_offset)
+ if height > len(height_to_maxindex):
+ return None
+
 if index > height_to_maxindex[height]:
 return None
@@ -126,6 +129,10 @@ class IrqParse(RamParser):
 print_out_str(
 '{0:4} {1} {2:30} {3:10}'.format('IRQ', cpu_str, 'Name', 'Chip'))
+
+ if nr_irqs > 50000:
+ return
+
 for i in range(0, nr_irqs):
 irq_desc = self.radix_tree_lookup_element(
 ram_dump, irq_desc_tree, i)
@@ -137,6 +144,9 @@ class IrqParse(RamParser):
 kstat_irqs_addr = ram_dump.read_word(irq_desc + kstat_irqs_offset)
 irq_stats_str = ''
+ if kstat_irqs_addr is None:
+ break
+
 for j in ram_dump.iter_cpus():
 irq_statsn = ram_dump.read_word(kstat_irqs_addr, cpu=j)
 irq_stats_str = irq_stats_str + \
diff --git a/linux-ramdump-parser-v2/parsers/pagetracking.py b/linux-ramdump-parser-v2/parsers/pagetracking.py
index f18a27b..f444830 100644
--- a/linux-ramdump-parser-v2/parsers/pagetracking.py
+++ b/linux-ramdump-parser-v2/parsers/pagetracking.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2012, The Linux Foundation. All rights reserved.
+# Copyright (c) 2012,2014 The Linux Foundation. All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 and
@@ -11,7 +11,7 @@
 from print_out import print_out_str
 from parser_util import register_parser, RamParser
-
+from mm import pfn_to_page
 @register_parser('--print-pagetracking', 'print page tracking information (if available)')
 class PageTracking(RamParser):
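Review bot: The new bound check in irqstate.py, hunk @@ -92, is off by one: `height > len(height_to_maxindex)` lets `height == len(height_to_maxindex)` through, and `height_to_maxindex[height]` on the next line then raises `IndexError`. Other guards in this commit treat a failed `read_word` as `None`, and that case is not handled here either, so `if height is None or height >= len(height_to_maxindex): return None` is the safer form. `node_addr` two lines up is masked with `& 0xfffffffe` straight off `read_word`, which would fail the same way on an unreadable address. The enclosing method starts and ends outside the hunk.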
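Review bot: In irqstate.py, hunk @@ -126, `if nr_irqs > 50000: return` abandons the IRQ table without telling the user why, after the header row has already been printed. The same silent bail-out appears as `break` on `kstat_irqs_addr is None` (hunk @@ -137), on `stamp is None` in rtb.py and on `r is None` in ramdump.py, so a truncated report or unwind table looks identical to a complete one, whereas debug_image.py in this same commit prints a message first. A line such as `print_out_str('nr_irqs is bogus! Can\'t parse IRQ state')` before the early exit here, and an equivalent in the other places, would make the corruption visible to whoever reads the output; `50000` also deserves a named constant. In the @@ -137 case `break` drops every later IRQ because of one unreadable descriptor, so `continue` may be what is wanted.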
diff --git a/linux-ramdump-parser-v2/parsers/rtb.py b/linux-ramdump-parser-v2/parsers/rtb.py
index f2517f1..c06ad65 100644
--- a/linux-ramdump-parser-v2/parsers/rtb.py
+++ b/linux-ramdump-parser-v2/parsers/rtb.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2012-2013, The Linux Foundation. All rights reserved.
+# Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 and
@@ -155,6 +155,8 @@ class RTB(RamParser):
 while True:
 ptr = rtb_read_ptr + next_entry * rtb_entry_size
 stamp = self.ramdump.read_word(ptr + rtb_idx_offset)
+ if stamp is None:
+ break
 rtb_out.write('{0:x} '.format(stamp).encode('ascii', 'ignore'))
 item = self.ramdump.read_byte(ptr + rtb_logtype_offset)
 item = item & 0x7F
diff --git a/linux-ramdump-parser-v2/ramdump.py b/linux-ramdump-parser-v2/ramdump.py
index bedd21f..63a3845 100644
--- a/linux-ramdump-parser-v2/ramdump.py
+++ b/linux-ramdump-parser-v2/ramdump.py
@@ -392,7 +392,10 @@ class RamDump():
 self.ramdump = ramdump
 i = 0
 for addr in range(start, end, 8):
- (a, b) = ramdump.read_string(addr, '<II')
+ r = ramdump.read_string(addr, '<II')
+ if r is None:
+ break
+ (a, b) = r
 self.unwind_table.append((a, b, start + 8 * i))
 i += 1
-- GitLab
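Review bot: Only `stamp` is checked in rtb.py, hunk @@ -155; two lines later `item = self.ramdump.read_byte(ptr + rtb_logtype_offset)` feeds straight into `item & 0x7F`. If `read_byte` reports an unreadable address the same way `read_word` does (its definition is not on this page), that raises `TypeError` on exactly the kind of corrupted dump this commit targets. An `if item is None: break` before the mask would cover it. The `while True:` body continues outside the hunk, so reads further down may need the same treatment.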