{"id":13384,"url":"https://patchwork.libcamera.org/api/patches/13384/?format=json","web_url":"https://patchwork.libcamera.org/patch/13384/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20210818083842.31778-3-umang.jain@ideasonboard.com>","date":"2021-08-18T08:38:42","name":"[libcamera-devel,2/2] libcamera: ipc_pipe: Do not run memcpy with null arguments","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"71da12f55c2903ba7a008f574497d515a7e3e545","submitter":{"id":86,"url":"https://patchwork.libcamera.org/api/people/86/?format=json","name":"Umang Jain","email":"umang.jain@ideasonboard.com"},"delegate":{"id":12,"url":"https://patchwork.libcamera.org/api/users/12/?format=json","username":"uajain","first_name":"Umang","last_name":"Jain","email":"umang.jain@ideasonboard.com"},"mbox":"https://patchwork.libcamera.org/patch/13384/mbox/","series":[{"id":2368,"url":"https://patchwork.libcamera.org/api/series/2368/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=2368","date":"2021-08-18T08:38:40","name":"IPC: Avoid memcpy() call with nullptr","version":1,"mbox":"https://patchwork.libcamera.org/series/2368/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/13384/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/13384/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 33648BD87D\n\tfor ;\n\tWed, 18 Aug 2021 08:39:01 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id D7E2B688C4;\n\tWed, 18 Aug 2021 10:39:00 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 73F11688AC\n\tfor ;\n\tWed, 18 Aug 2021 10:38:59 +0200 (CEST)","from perceval.ideasonboard.com (unknown [103.238.109.15])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 39E20466;\n\tWed, 18 Aug 2021 10:38:58 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"kphFd4oB\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1629275939;\n\tbh=KOZ/2piKmCeDrnoJICc6zkjky2vArconfJG3xXP1FOI=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=kphFd4oBxH/FiDmvnE8TZ4NGzbJwekOdbkKK/Waz3UXkehRVZXxrXOZu/dYRNo6f2\n\t9ehraoZpQ0eL0i6lqDtWbkWM77yUw9lZ+Wncyovvy63XpkhwEIssZuAASxXALJRT7q\n\t9+TptQEFRlt1GgaThuzuTeWYNttTpGhc2LsFVC/o=","From":"Umang Jain ","To":"libcamera-devel@lists.libcamera.org","Date":"Wed, 18 Aug 2021 14:08:42 +0530","Message-Id":"<20210818083842.31778-3-umang.jain@ideasonboard.com>","X-Mailer":"git-send-email 2.31.1","In-Reply-To":"<20210818083842.31778-1-umang.jain@ideasonboard.com>","References":"<20210818083842.31778-1-umang.jain@ideasonboard.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH 2/2] libcamera: ipc_pipe: Do not run\n\tmemcpy with null arguments","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "},"content":"IPCMessage::payload() converts the IPCMessage into an IPCUnixSocket\npayload. However, if IPCMessage is constructor with one of the\nfollowing constructors -\n\n\tIPCMessage::IPCMessage(),\n IPCMessage::IPCMessage(uint32_t cmd)\n IPCMessage::IPCMessage(const Header &header)\n\nThe data_ vector of IPCMessage is empty and uninitialised. In that\ncase, IPCMessage::payload will try to memcpy() empty data_ vector\nwhich can lead to invoking memcpy() with nullptr. Add a non-empty\ndata_ vector check to avoid it.\n\nThe issue is noticed by running a test manually, testing the vimc\nIPA code paths in isolated mode. It is only noticed when the test\nis compiled with -Db_sanitize=address,undefined meson built-in option.\n\nipc_pipe.cpp:110:8: runtime error: null pointer passed as argument 2, which is declared to never be null\n\nSigned-off-by: Umang Jain \n---\n src/libcamera/ipc_pipe.cpp | 7 +++++--\n 1 file changed, 5 insertions(+), 2 deletions(-)","diff":"diff --git a/src/libcamera/ipc_pipe.cpp b/src/libcamera/ipc_pipe.cpp\nindex 28e20e03..c8761320 100644\n--- a/src/libcamera/ipc_pipe.cpp\n+++ b/src/libcamera/ipc_pipe.cpp\n@@ -102,8 +102,11 @@ IPCUnixSocket::Payload IPCMessage::payload() const\n \n \tmemcpy(payload.data.data(), &header_, sizeof(Header));\n \n-\t/* \\todo Make this work without copy */\n-\tmemcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size());\n+\tif (data_.size() > 0) {\n+\t\t/* \\todo Make this work without copy */\n+\t\tmemcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size());\n+\t}\n+\n \tpayload.fds = fds_;\n \n \treturn payload;\n","prefixes":["libcamera-devel","2/2"]}