Merge tag '2026-04-30.1' into push-2026-04-30.1

Change-Id: I0add21a13e6daeb7b270ca74dc44d5f897fe61f0

Author: rdementi

src/pcm-sensor-server.cpp

@@ -1224,16 +1224,20 @@ class basic_socketbuf : public std::basic_streambuf<CharT> {
     }
 
     virtual int_type overflow( int_type ch ) override {
-        // send data in buffer and reset it
+        // Flush buffer first - when overflow() is called, pptr() == epptr() (buffer is full)
+        // Writing to pptr() before flushing would write past the end of outputBuffer_
+        int_type bytesWritten = writeToSocket();
+        if ( traits_type::eof() == bytesWritten ) {
+            return traits_type::eof();
+        }
+        // Reset put area pointers to start of buffer after successful flush
+        Base::setp( outputBuffer_, outputBuffer_ + SIZE );
+        // Now safe to write new character at pptr() (start of empty buffer)
         if ( traits_type::eof() != ch ) {
-            *Base::pptr() = ch;
+            *Base::pptr() = traits_type::to_char_type(ch);
             Base::pbump(1);
         }
-        int_type bytesWritten = 0;
-        if ( traits_type::eof() == (bytesWritten = writeToSocket()) ) {
-            return traits_type::eof();
-        }
-        return bytesWritten; // Anything but traits_type::eof() to signal ok.
+        return traits_type::not_eof( ch );
     }
 
     virtual int_type underflow() override {

src/utils.h

@@ -702,7 +702,7 @@ inline bool readOldValueHelper(const std::pair<int64,int64> & bits, T & value, c
         {
             return false;
         }
-        value = insertBits(old_value, value, bits.first, bits.second - bits.first + 1);
+        value = insertBits(old_value, value, bits.first, static_cast<uint64>(bits.second - bits.first + 1));
     }
     return true;
 }
@@ -715,7 +715,7 @@ inline void extractBitsPrintHelper(const std::pair<int64,int64> & bits, T & valu
     {
         std::cout << "bits "<< std::dec << bits.first << ":" << bits.second << " ";
         if (!dec) std::cout << std::hex << std::showbase;
-        value = extract_bits(value, bits.first, bits.second);
+        value = extract_bits(value, static_cast<uint32>(bits.first), static_cast<uint32>(bits.second));
     }
     std::cout << "value " << value;
 }

tests/test.sh

@@ -220,7 +220,72 @@ if [ "$?" -ne "0" ]; then
 fi
 
 # TODO add more tests
-# e.g for ./pcm-sensor-server, ./pcm-sensor, ...
+# e.g for ./pcm-sensor, ...
+
+echo Testing pcm-sensor-server
+# Pick an unused high port to avoid collisions with the default one.
+SENSOR_PORT=19738
+./pcm-sensor-server -p $SENSOR_PORT -silent &
+SENSOR_PID=$!
+
+# Wait for the server to start accepting connections (up to ~20s).
+SENSOR_READY=0
+for i in $(seq 1 40); do
+    if ! kill -0 $SENSOR_PID 2>/dev/null; then
+        echo "pcm-sensor-server exited unexpectedly during startup"
+        exit 1
+    fi
+    if curl -s -o /dev/null -f "http://127.0.0.1:${SENSOR_PORT}/metrics"; then
+        SENSOR_READY=1
+        break
+    fi
+    sleep 0.5
+done
+
+if [ "$SENSOR_READY" -ne "1" ]; then
+    echo "Error: pcm-sensor-server did not become ready on port $SENSOR_PORT"
+    kill $SENSOR_PID 2>/dev/null
+    wait $SENSOR_PID 2>/dev/null
+    exit 1
+fi
+
+echo "  Query /metrics endpoint with curl"
+METRICS_OUT=$(curl -s -f "http://127.0.0.1:${SENSOR_PORT}/metrics")
+CURL_RC=$?
+if [ "$CURL_RC" -ne "0" ] || [ -z "$METRICS_OUT" ]; then
+    echo "Error in pcm-sensor-server: /metrics request failed or returned empty body"
+    kill $SENSOR_PID 2>/dev/null
+    wait $SENSOR_PID 2>/dev/null
+    exit 1
+fi
+# Prometheus exposition format lines start with '#' (HELP/TYPE) or a metric name.
+if ! echo "$METRICS_OUT" | grep -q '^#'; then
+    echo "Error in pcm-sensor-server: /metrics response does not look like Prometheus output"
+    kill $SENSOR_PID 2>/dev/null
+    wait $SENSOR_PID 2>/dev/null
+    exit 1
+fi
+
+echo "  Query /dashboard endpoint with curl"
+curl -s -f -o /dev/null "http://127.0.0.1:${SENSOR_PORT}/dashboard"
+if [ "$?" -ne "0" ]; then
+    echo "Error in pcm-sensor-server: /dashboard request failed"
+    kill $SENSOR_PID 2>/dev/null
+    wait $SENSOR_PID 2>/dev/null
+    exit 1
+fi
+
+echo "  Query unknown endpoint, expect HTTP 404"
+HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "http://127.0.0.1:${SENSOR_PORT}/does-not-exist")
+if [ "$HTTP_CODE" != "404" ]; then
+    echo "Error in pcm-sensor-server: expected 404 for unknown endpoint, got $HTTP_CODE"
+    kill $SENSOR_PID 2>/dev/null
+    wait $SENSOR_PID 2>/dev/null
+    exit 1
+fi
+
+kill $SENSOR_PID 2>/dev/null
+wait $SENSOR_PID 2>/dev/null
 
 echo Testing urltest
 ./tests/urltest

tests/utests/CMakeLists.txt

@@ -17,6 +17,7 @@ endif()
 file(GLOB LSPCI_TEST_FILES lspci-utest.cpp ${CMAKE_SOURCE_DIR}/src/lspci.cpp)
 file(GLOB PCM_IIO_TEST_FILES pcm-iio-utest.cpp ${CMAKE_SOURCE_DIR}/src/pcm-iio-pmu.cpp ${CMAKE_SOURCE_DIR}/src/pcm-iio-topology.cpp)
 file(GLOB READ_NUMBER_TEST_FILES read-number-utest.cpp)
+file(GLOB PCM_SENSOR_SERVER_OVERFLOW_TEST_FILES pcm-sensor-server-overflow-utest.cpp)
 
 if(APPLE)
     set(LIBS PcmMsr Threads::Threads PCM_STATIC)
@@ -27,6 +28,7 @@ endif()
 add_executable(lspci-utest ${LSPCI_TEST_FILES})
 add_executable(pcm-iio-utest ${PCM_IIO_TEST_FILES})
 add_executable(read-number-utest ${READ_NUMBER_TEST_FILES})
+add_executable(pcm-sensor-server-overflow-utest ${PCM_SENSOR_SERVER_OVERFLOW_TEST_FILES})
 
 configure_file(
     ${CMAKE_SOURCE_DIR}/src/opCode-6-174.txt
@@ -55,7 +57,15 @@ target_link_libraries(
     ${LIBS}
 )
 
+target_link_libraries(
+    pcm-sensor-server-overflow-utest
+    GTest::gtest_main
+    GTest::gmock_main
+    ${LIBS}
+)
+
 include(GoogleTest)
 gtest_discover_tests(lspci-utest)
 gtest_discover_tests(pcm-iio-utest)
 gtest_discover_tests(read-number-utest)
+gtest_discover_tests(pcm-sensor-server-overflow-utest)

tests/utests/pcm-sensor-server-overflow-utest.cpp

@@ -0,0 +1,149 @@
+// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2009-2025, Intel Corporation
+
+// Regression test for the out-of-bounds write in
+// basic_socketbuf::overflow() (src/pcm-sensor-server.cpp, lines 1226-1237).
+//
+// The vulnerable overflow() writes the incoming character into *pptr()
+// *before* flushing the full put-area to the socket. When the put area is
+// full, pptr() == epptr(), i.e. it points one past the end of outputBuffer_,
+// which is the first byte of the adjacent inputBuffer_. This test drives the
+// real basic_socketbuf template through a socketpair, fills the put area to
+// the brim, triggers overflow(), and verifies that inputBuffer_[0] is not
+// corrupted.
+//
+// With the bug in place the assertion on inputBuffer_[0] fails (and, when the
+// binary is built with AddressSanitizer via -DPCM_NO_ASAN=OFF, the underlying
+// intra-object OOB write / OOB read in send() is also detected). Once
+// overflow() is fixed to flush first and then store the character into the
+// emptied buffer, the test passes.
+
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <atomic>
+#include <cstring>
+#include <memory>
+#include <thread>
+#include <vector>
+
+// Pull the real basic_socketbuf template out of pcm-sensor-server.cpp without
+// bringing in its main(). The same mechanism is already used by
+// tests/pcm-sensor-server-fuzz.cpp.
+#define UNIT_TEST 1
+#include "../../src/pcm-sensor-server.cpp"
+#undef UNIT_TEST
+
+#include <gtest/gtest.h>
+
+namespace {
+
+// SIZE matches the instantiation used by basic_socketstream::buf_type
+// (see pcm-sensor-server.cpp line 1363).
+constexpr std::size_t kSocketBufSize = 16385;
+
+// Subclass that exposes the protected buffer members so the test can inspect
+// inputBuffer_[0] after triggering overflow().
+class ProbeSocketBuf : public basic_socketbuf<kSocketBufSize, char> {
+public:
+    using basic_socketbuf<kSocketBufSize, char>::inputBuffer_;
+    using basic_socketbuf<kSocketBufSize, char>::outputBuffer_;
+};
+
+// Drain the peer end of a socketpair in a background thread so that the
+// server-side send() inside writeToSocket() never blocks, regardless of what
+// the kernel's default socket buffer sizes happen to be on the CI runner.
+class SocketDrainer {
+    SocketDrainer & operator = (const SocketDrainer &) = delete;
+    SocketDrainer(const SocketDrainer &) = delete;
+public:
+    explicit SocketDrainer(int fd) : fd_(fd), stop_(false) {
+        thread_ = std::thread([this]() {
+            char buf[4096];
+            while (!stop_.load()) {
+                ssize_t n = ::recv(fd_, buf, sizeof(buf), 0);
+                if (n <= 0) {
+                    break;
+                }
+                received_.insert(received_.end(), buf, buf + n);
+            }
+        });
+    }
+
+    ~SocketDrainer() {
+        stop_.store(true);
+        if (fd_ >= 0) {
+            ::shutdown(fd_, SHUT_RDWR);
+        }
+        if (thread_.joinable()) {
+            thread_.join();
+        }
+        if (fd_ >= 0) {
+            ::close(fd_);
+            fd_ = -1;
+        }
+    }
+
+    const std::vector<char>& data() const { return received_; }
+
+private:
+    int fd_;
+    std::atomic<bool> stop_;
+    std::thread thread_;
+    std::vector<char> received_;
+};
+
+} // namespace
+
+TEST(PcmSensorServerOverflowTest, OverflowDoesNotWritePastOutputBuffer)
+{
+    int sv[2];
+    ASSERT_EQ(0, ::socketpair(AF_UNIX, SOCK_STREAM, 0, sv))
+        << "socketpair failed: " << std::strerror(errno);
+
+    // Peer drains whatever the socketbuf sends.
+    SocketDrainer drainer(sv[1]);
+
+    auto buf = std::make_unique<ProbeSocketBuf>();
+    buf->setSocket(sv[0]);
+
+    // Plant a distinctive sentinel in inputBuffer_[0]. With the vulnerable
+    // overflow(), this byte is the one clobbered by "*pptr() = ch" when the
+    // put area is full.
+    constexpr unsigned char kSentinel = 0xAA;
+    constexpr unsigned char kOverflowChar = 0x5A; // 'Z'
+    static_assert(kSentinel != kOverflowChar,
+                  "sentinel and overflow byte must differ to detect the OOB write");
+    buf->inputBuffer_[0] = static_cast<char>(kSentinel);
+
+    // Fill the put area completely. After exactly SIZE sputc() calls,
+    // pptr() == epptr() but overflow() has not yet been invoked.
+    for (std::size_t i = 0; i < kSocketBufSize; ++i) {
+        ASSERT_NE(std::char_traits<char>::eof(), buf->sputc('X'))
+            << "sputc failed while filling the put area at index " << i;
+    }
+
+    // The next sputc() must trigger overflow(kOverflowChar). With the
+    // vulnerable implementation this is where *pptr() = ch writes past the
+    // end of outputBuffer_ and into inputBuffer_[0].
+    ASSERT_NE(std::char_traits<char>::eof(),
+              buf->sputc(static_cast<char>(kOverflowChar)))
+        << "sputc returned eof when triggering overflow()";
+
+    // After overflow() returns, the put area should have been flushed to the
+    // socket and the sentinel in inputBuffer_[0] must still be intact.
+    EXPECT_EQ(kSentinel, static_cast<unsigned char>(buf->inputBuffer_[0]))
+        << "basic_socketbuf::overflow() corrupted inputBuffer_[0]: "
+        << "wrote ch=0x" << std::hex << static_cast<int>(kOverflowChar)
+        << " past the end of outputBuffer_ (SIZE=" << std::dec
+        << kSocketBufSize << "). See pcm-sensor-server.cpp "
+        << "basic_socketbuf::overflow() (lines 1226-1237): the character "
+        << "must be stored only *after* the full put-area has been flushed "
+        << "and the put pointers reset.";
+
+    // Release the socket before the buf destructor runs sync(); this keeps
+    // the test output stable regardless of whether the drainer has already
+    // exited. Resetting buf closes sv[0].
+    buf.reset();
+    // sv[1] is closed by the drainer's shutdown.
+}