author    Nicolas Boichat <drinkcat@chromium.org>    2019-05-15 13:07:35 +0800
committer chrome-bot <chrome-bot@chromium.org>    2019-05-16 09:04:26 -0700
commit    f88989e7518b97c83afc93497f97e33d9d4c12f4 (patch)
tree      aff241c15d12ee97b0f08f3e90ec5597608804a8 /fuzz
parent    2c321f4ab89d2ec171f7b3c463893fa5051479fe (diff)
tcpci/usb_pd_fuzz: Avoid using uninitialized data in payload

Found with MSAN fuzzer: usb_pd_protocol.c may use payload data that is not initialized. Fix the test by copying over the whole payload, which is what tcpci.c's version does.

Also, in tcpci.c, clear cached_messages head before using get_message_raw to fill it up, to make sure that we do not accidentally use older data in the queue.

BRANCH=none
BUG=chromium:963076
TEST=make TEST_MSAN=y host-usb_pd_fuzz -j
MSAN_OPTIONS=log_path=stderr:exitcode=0 \
build/host/usb_pd_fuzz/usb_pd_fuzz.exe \
clusterfuzz-testcase-minimized-ec_usb_pd_fuzzer-5716775969357824

Change-Id: I74c38538440cb5a01d1714657b9e2d63e5b80cea
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1610163
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Diffstat (limited to 'fuzz')
-rw-r--r--  fuzz/usb_pd_fuzz.c | 6
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fuzz/usb_pd_fuzz.c b/fuzz/usb_pd_fuzz.c
index ead94e9fac..01f0568e8a 100644
--- a/fuzz/usb_pd_fuzz.c
+++ b/fuzz/usb_pd_fuzz.c
@@ -88,7 +88,11 @@ int tcpm_dequeue_message(const int port, uint32_t *const payload,
*header = m->header;
- memcpy(payload, m->payload, m->cnt - 3);
+ /*
+ * This mirrors what tcpci.c:tcpm_dequeue_message does: always copy the
+ * whole payload to destination.
+ */
+ memcpy(payload, m->payload, sizeof(m->payload));
pending--;
return EC_SUCCESS;
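Review bot: the new `memcpy(payload, m->payload, sizeof(m->payload));` drops the only length tied to the message (`m->cnt - 3`) and instead relies on the caller's `payload` buffer being at least `sizeof(m->payload)` bytes, yet `tcpm_dequeue_message(const int port, uint32_t *const payload, ...)` takes no destination length and nothing in this hunk shows the caller's buffer size. Extend the added comment to state that requirement explicitly (or add a compile-time size check against the destination type where it is known), so the contract is visible at the copy site rather than implied by "this mirrors tcpci.c". It is also worth recording that the old `m->cnt - 3` length would go negative or wrap for `m->cnt < 3`, depending on the type of `cnt`, on fuzzer-controlled input; the fixed-size copy removes that hazard as well, which is a second reason to prefer it beyond the MSAN finding.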