{"id":13383,"url":"https://patchwork.libcamera.org/api/1.1/patches/13383/?format=json","web_url":"https://patchwork.libcamera.org/patch/13383/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/1.1/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20210818083842.31778-2-umang.jain@ideasonboard.com>","date":"2021-08-18T08:38:41","name":"[libcamera-devel,1/2] libcamera: ipc_unixsocket: Do not run memcpy with null arguments","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"6348c85b15be78b9fc0b4156efa78dc58b8dc6ae","submitter":{"id":86,"url":"https://patchwork.libcamera.org/api/1.1/people/86/?format=json","name":"Umang Jain","email":"umang.jain@ideasonboard.com"},"delegate":{"id":12,"url":"https://patchwork.libcamera.org/api/1.1/users/12/?format=json","username":"uajain","first_name":"Umang","last_name":"Jain","email":"umang.jain@ideasonboard.com"},"mbox":"https://patchwork.libcamera.org/patch/13383/mbox/","series":[{"id":2368,"url":"https://patchwork.libcamera.org/api/1.1/series/2368/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=2368","date":"2021-08-18T08:38:40","name":"IPC: Avoid memcpy() call with nullptr","version":1,"mbox":"https://patchwork.libcamera.org/series/2368/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/13383/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/13383/checks/","tags":{},"headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 67E7ABD87D\n\tfor <parsemail@patchwork.libcamera.org>;\n\tWed, 18 Aug 2021 
08:38:59 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 2F1C0688A5;\n\tWed, 18 Aug 2021 10:38:59 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 409106025E\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tWed, 18 Aug 2021 10:38:57 +0200 (CEST)","from perceval.ideasonboard.com (unknown [103.238.109.15])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 165E1466;\n\tWed, 18 Aug 2021 10:38:55 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"nUqXwWP1\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1629275936;\n\tbh=0pheC3fLkmQCzWsPfV94NwSHbOcRsOaDk77jjC7WHVo=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=nUqXwWP1v/mP6TJQy2tPAcepF4QPXZ/GFnykjWYzjforetuFN25FCaCLtMnbyjKme\n\t8jXah0ypeFB4bWZ29qTbSfDhazyDg6s6Vutjht7wja4vaF5ACAav+fJuGdHKNt3eM7\n\t6iv4/6KNiJcrBG2spwIS2y9tbW1JWQyUy39uPrxI=","From":"Umang Jain <umang.jain@ideasonboard.com>","To":"libcamera-devel@lists.libcamera.org","Date":"Wed, 18 Aug 2021 14:08:41 +0530","Message-Id":"<20210818083842.31778-2-umang.jain@ideasonboard.com>","X-Mailer":"git-send-email 2.31.1","In-Reply-To":"<20210818083842.31778-1-umang.jain@ideasonboard.com>","References":"<20210818083842.31778-1-umang.jain@ideasonboard.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH 1/2] libcamera: ipc_unixsocket: Do not run\n\tmemcpy with null 
arguments","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"},"content":"In IPCUnixSocket, a payload can be sent/received with empty fd vector,\nwhich leads to passing a nullptr in memcpy() in both sendData()\nand recvData(). Add a null check for fd vector's data pointer\nto avoid invoking memcpy() with nullptr.\n\nThe issue is noticed by running a test manually testing the vimc\nIPA code paths in isolated mode. 
It is only noticed when the test\nis compiled with -Db_sanitize=address,undefined meson built-in option.\n\nipc_unixsocket.cpp:268:8: runtime error: null pointer passed as argument 2, which is declared to never be null\nipc_unixsocket.cpp:312:8: runtime error: null pointer passed as argument 1, which is declared to never be null\n\nSigned-off-by: Umang Jain <umang.jain@ideasonboard.com>\n---\n src/libcamera/ipc_unixsocket.cpp | 6 ++++--\n 1 file changed, 4 insertions(+), 2 deletions(-)","diff":"diff --git a/src/libcamera/ipc_unixsocket.cpp b/src/libcamera/ipc_unixsocket.cpp\nindex a4ab1a5f..7188cf29 100644\n--- a/src/libcamera/ipc_unixsocket.cpp\n+++ b/src/libcamera/ipc_unixsocket.cpp\n@@ -260,7 +260,8 @@ int IPCUnixSocket::sendData(const void *buffer, size_t length,\n \tmsg.msg_control = cmsg;\n \tmsg.msg_controllen = cmsg->cmsg_len;\n \tmsg.msg_flags = 0;\n-\tmemcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));\n+\tif (fds)\n+\t\tmemcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));\n \n \tif (sendmsg(fd_, &msg, 0) < 0) {\n \t\tint ret = -errno;\n@@ -304,7 +305,8 @@ int IPCUnixSocket::recvData(void *buffer, size_t length,\n \t\treturn ret;\n \t}\n \n-\tmemcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));\n+\tif (fds)\n+\t\tmemcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));\n \n \treturn 0;\n }\n","prefixes":["libcamera-devel","1/2"]}
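Review bot: in the sendData() hunk, the new `if (fds)` guards only the copy, while `msg.msg_control = cmsg` and `msg.msg_controllen = cmsg->cmsg_len` just above it are still set unconditionally. If a caller passes a null `fds` with a non-zero `num`, the control message goes to sendmsg() with whatever CMSG_DATA(cmsg) already held, since these lines do not show it being initialised. Testing the count instead (`if (num)`) would state the intent, which is the empty-vector case from the commit message, and a null pointer with a non-zero count could then be rejected as a caller error. A one-line comment saying that memcpy() must not be given a null pointer even for a zero length would keep the check from being removed later as redundant.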
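Review bot: in the recvData() hunk, when `fds` is null the function now skips the copy and still reaches `return 0`, so a caller that passed a null `fds` with a non-zero `num` is told the call succeeded and never sees what arrived in CMSG_DATA(cmsg). Consider keying the check on `num`, matching the send side, and returning an error for the null-pointer, non-zero-count combination so that control data is not silently dropped. The same short comment about memcpy() and null arguments applies here.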