fix: add bounds check before memcpy in esp_foc_tuner.c#43
fix: add bounds check before memcpy in esp_foc_tuner.c#43orbisai0security wants to merge 33 commits into
Conversation
tuner_studio_target wires SCOPE 6-11; sdkconfig 12 channel buffer. GUI: rolling readouts+plots, disabled in demo or when the link is down; reconnect rebinds the shared SCOPE stream. Made-with: Cursor
That used to contain the refactor for fixed point Signed-off-by: Felipe Neves <ryukokki.felipe@gmail.com>
Without the control loop, the capture ring never completed and the scope daemon could block on the first notifier wait; the tuner now pumps batches in the idle pre-align state. Also includes SCOPE v1/bridge hardening, Kconfig, espfoc Studio codec/GUI, and scope_sample module with tests. Made-with: Cursor
Signed-off-by: Felipe Neves <ryukokki.felipe@gmail.com>
Align espFoC Studio (GUI, protocol, transports, demo tooling) with the Q16 firmware API and tuner-target builds. Consolidate DC-link/SVPWM scaling, sensored ISR hot path, and observers under the Q16 math path; retire legacy IQ31-facing tests and headers. Documentation and changelog reflect the Studio-focused tuning workflow. Made-with: Cursor
Signed-off-by: Felipe Neves <ryukokki.felipe@gmail.com>
Signed-off-by: Felipe Neves <ryukokki.felipe@gmail.com>
Update the tests to reflect new changes in the radians API Signed-off-by: Felipe Neves <ryukokki.felipe@gmail.com>
And group them by subject, also adds the esp_foc_stop API allowing to teardown a tunning motor controller Signed-off-by: Felipe Neves <ryukokki.felipe@gmail.com>
to use normalized vectors instead of absolutee voltage values. Also fixes the voltage limitation overflow bug. Signed-off-by: Felipe Neves <ryukokki.felipe@gmail.com>
Removes the auto tuner method on the target, and makes the controls to be bypassable and add the forward gain.
To facilitate the espfoc bring-up into a new board.
It will replaced with a unified approach and path in espfoc.
To make the control pipeline more visible and defragment the control strategy related files. Also pushes all os things used by espfoc into the OSAL
and the minimal example.
And unify the sample into a tunable application Signed-off-by: Felipe Neves <ryukokki.felipe@gmail.com>
Replaces the delta-counts velocity biquad with esp_foc_estimator_q16 in the ISR; the slow loop only publishes encoder samples. Drops legacy scope CSV, remaps 14 scope channels, and makes ESP32-C6 the reference CI target.
Drop esp_adc dependency so current sense uses adc_hal, per-target DMA fragments, init-time cali LUT, and software-triggered 2-channel patterns.
Expose link-layer attach for dummy axes without FOC loops so Studio can drive open-loop Vq, read shunt currents, and scope the response.
ETM+MCPWM trigger on supported targets, max ADC clock, encoder char example on link layer, and guard efuse calib include for esp32 CI.
Curve/line fitting coefficients now match ESP-IDF per chip, S2/S3 range extension feeds the LUT build, and QEMU tests no longer hang on stack overflow.
Enables full FOC stack testing on QEMU and axis_tuning on C6 by replacing inverter, shunt ADC, and encoder with a PMSM plant and chip-specific tick backends.
Float RK4 with sinf/cosf at PWM rate is too costly on ESP32-C6; keep float only in init/config and run Park/Clarke, integration, and saturation in Q16.
Rename espfoc_studio to espfoc_tool, add four-view shell with USB scan, offline navigation, OpenGL plots by default, and drop the generic scope tab.
…onnect. Config pairs tuning with live-vs-editor NVS RMW; Current owns motor model; restore serial reconnect on transport loss; refine Material-style chrome.
Add doc/TUNING.md with views, scope map, and espfocctl reference; align README and changelog; enable python_tests job; fix stale host unit tests for v2 link.
Two-page layout replaces four-tab Config/Current/Control/States; shared dark theme, flash Read/Write/Patch, and docs match the shipping workflow.
Run tick/ISR paths from IRAM, publish plant wake only via FromISR, and make inverter callback storage visible to the tick ISR.
ESP32-C6 and similar targets expose CDC over the built-in USJ controller; route CONFIG_ESP_FOC_BRIDGE_USBCDC there while S2/S3/P4 keep TinyUSB. Default axis_tuning on C6 to this path for higher throughput on the devkit USB port.
esp_foc_create_runner always pinned to core 1 for priority >= 0, which asserts on ESP32-C6 and other one-core chips when FITL or the axis slow/outer loops start.
uLipe
left a comment
uLipe
left a comment
There was a problem hiding this comment.
Thank you for your contribution, please revisit the test and make it runnable as any other test cases do.
and add it to the CI.
done. However, there are merge conflicts. |
|
Thank you, you need to do a rebase to the latest main, I just merged the refactor of the debug tool this could be the cause |
|
The remote branch has diverged; it already had commits at different SHAs (the remote was rebased at some point). The remote tip d9bd39b is a different SHA from our local 36b07ac, even though both carry the same commit message. This will require a force push to resolve. This is a destructive operation; it will overwrite the remote branch with the local version. Shall I proceed with git push --force-with-lease? |
|
I see your commits seem to be bisectable, so you can also reset your local branch, based on latest main, cherry pick the two new commits and resolve the conflicts. Does it sound reasonable for you? I think this is less prone to destruction ( main has just became green today 😄 ) |
Automated security fix generated by OrbisAI Security
The memcpy operations in the GUI link protocol copy data into fixed-size buffers without validating that the length parameters (resp_len, payload_len) do not exceed the available space in the destination buffers
Rewrites the bounds-check test in the Unity framework used by the rest of the test suite so it runs under QEMU via the existing CI unit_tests job. Removes the broken libcheck-based file that used a wrong framework and logically dead assertions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
orbisai0security
force-pushed
the
fix-buffer-overflow-cmd-len-bounds-check
branch
from
36b07ac to
3da2f33
Compare
I followed these steps: Cherry-pick the three commits in order I could push cleanly, but there are still merge conflicts. |
|
Now you need to fix the conflicts manually and then push again |
|
Ohh I see now, esp_foc_tuner module was removed, it does not exist anymore, it was replaced by a calobration API and a scope tool. So the fix unfortunately does not apply anymore. |
|
since tuner has been removed this fix does not apply anymore. |
|
Thanks, that makes sense. Since esp_foc_tuner has been removed and replaced by the calibration/scope tooling, I’ll close this line of work and re-audit the new link/calibration/scope protocol code instead. If I find the same unchecked-length pattern in the replacement path, I’ll open a fresh, minimal PR against the current main with only the relevant fix and a runnable Unity/CI test. |
2 participants
Summary
Fix critical severity security issue in
source/gui_link/esp_foc_tuner.c.Vulnerability
V-001source/gui_link/esp_foc_tuner.c:488Description: The memcpy operations in the GUI link protocol copy data into fixed-size buffers without validating that the length parameters (resp_len, payload_len) do not exceed the available space in the destination buffers. An attacker who can send data via the USB/serial tuning interface can provide oversized payloads that overflow the app[] and out[] buffers, potentially achieving arbitrary code execution on the embedded motor controller.
Evidence
Exploitation scenario: An attacker with physical access to the USB/serial port sends a crafted tuning command with resp_len set larger than sizeof(app)-2.
Scanner confirmation: multi_agent_ai rule
V-001flagged this pattern.Production code: This file is in the production codebase, not test-only code.
Changes
source/gui_link/esp_foc_tuner.cVerification
Security Invariant
Regression test
This test guards against regressions — it's useful independent of the code change above.
Automated security fix by OrbisAI Security