[{"id":18922,"web_url":"https://patchwork.libcamera.org/comment/18922/","msgid":"<YR05YwEOigLXgmr0@pendragon.ideasonboard.com>","date":"2021-08-18T16:46:27","subject":"Re: [libcamera-devel] [PATCH 1/2] libcamera: ipc_unixsocket: Do not\n\trun memcpy with null arguments","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"Hi Umang,\n\nThank you for the patch.\n\nOn Wed, Aug 18, 2021 at 02:08:41PM +0530, Umang Jain wrote:\n> In IPCUnixSocket, a payload can be sent/received with empty fd vector,\n> which leads to passing a nullptr in memcpy() in both sendData()\n> and recvData(). Add a null check for fd vector's data pointer\n> to avoid invoking memcpy() with nullptr.\n> \n> The issue is noticed by running a test manually testing the vimc\n> IPA code paths in isolated mode. It is only noticed when the test\n> is compiled with -Db_sanitize=address,undefined meson built-in option.\n> \n> ipc_unixsocket.cpp:268:8: runtime error: null pointer passed as argument 2, which is declared to never be null\n> ipc_unixsocket.cpp:312:8: runtime error: null pointer passed as argument 1, which is declared to never be null\n> \n> Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>\n\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n\n> ---\n>  src/libcamera/ipc_unixsocket.cpp | 6 ++++--\n>  1 file changed, 4 insertions(+), 2 deletions(-)\n> \n> diff --git a/src/libcamera/ipc_unixsocket.cpp b/src/libcamera/ipc_unixsocket.cpp\n> index a4ab1a5f..7188cf29 100644\n> --- a/src/libcamera/ipc_unixsocket.cpp\n> +++ b/src/libcamera/ipc_unixsocket.cpp\n> 
@@ -260,7 +260,8 @@ int IPCUnixSocket::sendData(const void *buffer, size_t length,\n>  \tmsg.msg_control = cmsg;\n>  \tmsg.msg_controllen = cmsg->cmsg_len;\n>  \tmsg.msg_flags = 0;\n> -\tmemcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));\n> +\tif (fds)\n> +\t\tmemcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));\n>  \n>  \tif (sendmsg(fd_, &msg, 0) < 0) {\n>  \t\tint ret = -errno;\n> 
@@ -304,7 +305,8 @@ int IPCUnixSocket::recvData(void *buffer, size_t length,\n>  \t\treturn ret;\n>  \t}\n>  \n> -\tmemcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));\n> +\tif (fds)\n> +\t\tmemcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));\n>  \n>  \treturn 0;\n>  }","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 16633BD87C\n\tfor <parsemail@patchwork.libcamera.org>;\n\tWed, 18 Aug 2021 16:46:38 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 9645D68890;\n\tWed, 18 Aug 2021 18:46:37 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 7AE3A6888A\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tWed, 18 Aug 2021 18:46:35 +0200 (CEST)","from pendragon.ideasonboard.com (62-78-145-57.bb.dnainternet.fi\n\t[62.78.145.57])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id E4741EE;\n\tWed, 18 Aug 2021 18:46:34 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"o2/n2oVr\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1629305195;\n\tbh=dT6fsvw4v+FifljJRpjpdJBL1VdjuE1BUbrXnVdV4oQ=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=o2/n2oVr+p7Uy5i/nOR75QGxOrPcbv6biNIYueMFbivbIJIUlIsMe71iF5q+S4sgV\n\tAsApA2ghZwPJOqfKX0Dt3S3TQKMgVReaImQ97QR6lU+CXwSNhJ/HMJuISPnjqvXb04\n\tQ0DQLHOVqKL6PiQ927I6DSqumuKyWAsDz5fpSz/I=","Date":"Wed, 18 Aug 2021 19:46:27 +0300","From":"Laurent Pinchart 
<laurent.pinchart@ideasonboard.com>","To":"Umang Jain <umang.jain@ideasonboard.com>","Message-ID":"<YR05YwEOigLXgmr0@pendragon.ideasonboard.com>","References":"<20210818083842.31778-1-umang.jain@ideasonboard.com>\n\t<20210818083842.31778-2-umang.jain@ideasonboard.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20210818083842.31778-2-umang.jain@ideasonboard.com>","Subject":"Re: [libcamera-devel] [PATCH 1/2] libcamera: ipc_unixsocket: Do not\n\trun memcpy with null arguments","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Cc":"libcamera-devel@lists.libcamera.org","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}},{"id":18942,"web_url":"https://patchwork.libcamera.org/comment/18942/","msgid":"<20210819073809.GN1733965@pyrite.rasen.tech>","date":"2021-08-19T07:38:09","subject":"Re: [libcamera-devel] [PATCH 1/2] libcamera: ipc_unixsocket: Do not\n\trun memcpy with null arguments","submitter":{"id":17,"url":"https://patchwork.libcamera.org/api/people/17/","name":"Paul Elder","email":"paul.elder@ideasonboard.com"},"content":"Hi Umang,\n\nOn Wed, Aug 18, 2021 at 02:08:41PM +0530, Umang Jain wrote:\n> In IPCUnixSocket, a payload can be sent/received with empty fd vector,\n> which leads to passing a nullptr in 
memcpy() in both sendData()\n> and recvData(). Add a null check for fd vector's data pointer\n> to avoid invoking memcpy() with nullptr.\n> \n> The issue is noticed by running a test manually testing the vimc\n> IPA code paths in isolated mode. It is only noticed when the test\n> is compiled with -Db_sanitize=address,undefined meson built-in option.\n> \n> ipc_unixsocket.cpp:268:8: runtime error: null pointer passed as argument 2, which is declared to never be null\n> ipc_unixsocket.cpp:312:8: runtime error: null pointer passed as argument 1, which is declared to never be null\n> \n> Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>\n\nReviewed-by: Paul Elder <paul.elder@ideasonboard.com>\n\n> ---\n>  src/libcamera/ipc_unixsocket.cpp | 6 ++++--\n>  1 file changed, 4 insertions(+), 2 deletions(-)\n> \n> diff --git a/src/libcamera/ipc_unixsocket.cpp b/src/libcamera/ipc_unixsocket.cpp\n> index a4ab1a5f..7188cf29 100644\n> --- a/src/libcamera/ipc_unixsocket.cpp\n> +++ b/src/libcamera/ipc_unixsocket.cpp\n> @@ -260,7 +260,8 @@ int IPCUnixSocket::sendData(const void *buffer, size_t length,\n>  \tmsg.msg_control = cmsg;\n>  \tmsg.msg_controllen = cmsg->cmsg_len;\n>  \tmsg.msg_flags = 0;\n> -\tmemcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));\n> +\tif (fds)\n> +\t\tmemcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t));\n>  \n>  \tif (sendmsg(fd_, &msg, 0) < 0) {\n>  \t\tint ret = -errno;\n> 
@@ -304,7 +305,8 @@ int IPCUnixSocket::recvData(void *buffer, size_t length,\n>  \t\treturn ret;\n>  \t}\n>  \n> -\tmemcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));\n> +\tif (fds)\n> +\t\tmemcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t));\n>  \n>  \treturn 0;\n>  }\n> -- \n> 2.31.0\n>","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 338E6BD87D\n\tfor <parsemail@patchwork.libcamera.org>;\n\tThu, 19 Aug 2021 07:38:20 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 7E50F68895;\n\tThu, 19 Aug 2021 09:38:19 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 981866888E\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tThu, 19 Aug 2021 09:38:17 +0200 (CEST)","from pyrite.rasen.tech (unknown\n\t[IPv6:2400:4051:61:600:2c71:1b79:d06d:5032])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 0BE732A8;\n\tThu, 19 Aug 2021 09:38:15 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"e1On1iqR\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1629358697;\n\tbh=AQ+HwkcgsM74lrEhvQ0yzZNMWL5hICj4YtUlGNnidy8=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=e1On1iqRtj2Hqlk3LzggXUks9lazk4GlHjUQRU2+LU+KtHbnMZVe20OAg4ypkzhic\n\tNfm3JakN7cTmbPJy5+I8gs+kBOUhqcblYLVtgRYJami6eKlG0KoRZz5JzXRRhnc3Eq\n\tdHyNu8vQIepNgEATVA9UL3WZeenoUsZFcQXqVrys=","Date":"Thu, 19 Aug 2021 16:38:09 
+0900","From":"paul.elder@ideasonboard.com","To":"Umang Jain <umang.jain@ideasonboard.com>","Message-ID":"<20210819073809.GN1733965@pyrite.rasen.tech>","References":"<20210818083842.31778-1-umang.jain@ideasonboard.com>\n\t<20210818083842.31778-2-umang.jain@ideasonboard.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20210818083842.31778-2-umang.jain@ideasonboard.com>","Subject":"Re: [libcamera-devel] [PATCH 1/2] libcamera: ipc_unixsocket: Do not\n\trun memcpy with null arguments","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Cc":"libcamera-devel@lists.libcamera.org","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}}]
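
Review bot: in the sendData() hunk (@@ -260,7 +260,8), the new `if (fds)` guard tests the pointer, while the case the commit message describes is an empty fd vector, i.e. `num == 0`. If `fds` is null and `num` is non-zero, the memcpy() is now skipped but `msg.msg_control = cmsg` and `msg.msg_controllen = cmsg->cmsg_len` are still set, so sendmsg() goes ahead with a control message whose data this function never wrote. Suggest guarding on `num` instead and treating a null `fds` with non-zero `num` as an error. A short comment stating that an empty fd vector is a valid input would also help the next reader.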
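
Review bot: in the recvData() hunk (@@ -304,7 +305,8), `if (fds)` makes the function fall through to `return 0` when `fds` is null, whatever the value of `num`. The caller is then told the receive succeeded although nothing from `CMSG_DATA(cmsg)` was copied out, and on a socket that passes file descriptors that means anything the peer sent is neither returned to the caller nor closed. Suggest checking `num` rather than the pointer, and returning an error when `num` is non-zero but `fds` is null, so that a mismatch between the two is reported instead of hidden.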