From patchwork Wed Aug 18 08:38:41 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Umang Jain
X-Patchwork-Id: 13383
X-Patchwork-Delegate: umang.jain@ideasonboard.com
From: Umang Jain
To: libcamera-devel@lists.libcamera.org
Date: Wed, 18 Aug 2021 14:08:41 +0530
Message-Id: <20210818083842.31778-2-umang.jain@ideasonboard.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210818083842.31778-1-umang.jain@ideasonboard.com>
References: <20210818083842.31778-1-umang.jain@ideasonboard.com>
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH 1/2] libcamera: ipc_unixsocket: Do not run memcpy with null arguments

In IPCUnixSocket, a payload can be sent/received with empty fd vector, which leads to passing a nullptr in memcpy() in both sendData() and recvData(). Add a null check for fd vector's data pointer to avoid invoking memcpy() with nullptr.

The issue is noticed by running a test manually testing the vimc IPA code paths in isolated mode. It is only noticed when the test is compiled with -Db_sanitize=address,undefined meson built-in option.

ipc_unixsocket.cpp:268:8: runtime error: null pointer passed as argument 2, which is declared to never be null
ipc_unixsocket.cpp:312:8: runtime error: null pointer passed as argument 1, which is declared to never be null

Signed-off-by: Umang Jain
Reviewed-by: Laurent Pinchart
Reviewed-by: Paul Elder

--- src/libcamera/ipc_unixsocket.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/libcamera/ipc_unixsocket.cpp b/src/libcamera/ipc_unixsocket.cpp index a4ab1a5f..7188cf29 100644 --- a/src/libcamera/ipc_unixsocket.cpp +++ b/src/libcamera/ipc_unixsocket.cpp 
@@ -260,7 +260,8 @@ int IPCUnixSocket::sendData(const void *buffer, size_t length, msg.msg_control = cmsg; msg.msg_controllen = cmsg->cmsg_len; msg.msg_flags = 0; - memcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t)); + if (fds) + memcpy(CMSG_DATA(cmsg), fds, num * sizeof(uint32_t)); if (sendmsg(fd_, &msg, 0) < 0) { int ret = -errno; 
@@ -304,7 +305,8 @@ int IPCUnixSocket::recvData(void *buffer, size_t length, return ret; } - memcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t)); + if (fds) + memcpy(fds, CMSG_DATA(cmsg), num * sizeof(uint32_t)); return 0; }

From patchwork Wed Aug 18 08:38:42 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Umang Jain
X-Patchwork-Id: 13384
X-Patchwork-Delegate: umang.jain@ideasonboard.com
From: Umang Jain
To: libcamera-devel@lists.libcamera.org
Date: Wed, 18 Aug 2021 14:08:42 +0530
Message-Id: <20210818083842.31778-3-umang.jain@ideasonboard.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210818083842.31778-1-umang.jain@ideasonboard.com>
References: <20210818083842.31778-1-umang.jain@ideasonboard.com>
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH 2/2] libcamera: ipc_pipe: Do not run memcpy with null arguments

IPCMessage::payload() converts the IPCMessage into an IPCUnixSocket payload. However, if IPCMessage is constructed with one of the following constructors -

IPCMessage::IPCMessage(),
IPCMessage::IPCMessage(uint32_t cmd)
IPCMessage::IPCMessage(const Header &header)

The data_ vector of IPCMessage is empty and uninitialised. In that case, IPCMessage::payload will try to memcpy() empty data_ vector which can lead to invoking memcpy() with nullptr. Add a non-empty data_ vector check to avoid it.

The issue is noticed by running a test manually, testing the vimc IPA code paths in isolated mode. It is only noticed when the test is compiled with -Db_sanitize=address,undefined meson built-in option.

ipc_pipe.cpp:110:8: runtime error: null pointer passed as argument 2, which is declared to never be null

Signed-off-by: Umang Jain
Reviewed-by: Kieran Bingham
Reviewed-by: Laurent Pinchart
Reviewed-by: Paul Elder

--- src/libcamera/ipc_pipe.cpp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/libcamera/ipc_pipe.cpp b/src/libcamera/ipc_pipe.cpp index 28e20e03..c8761320 100644 --- a/src/libcamera/ipc_pipe.cpp +++ b/src/libcamera/ipc_pipe.cpp 
@@ -102,8 +102,11 @@ IPCUnixSocket::Payload IPCMessage::payload() const memcpy(payload.data.data(), &header_, sizeof(Header)); - /* \todo Make this work without copy */ - memcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size()); + if (data_.size() > 0) { + /* \todo Make this work without copy */ + memcpy(payload.data.data() + sizeof(Header), data_.data(), data_.size()); + } + payload.fds = fds_; return payload;
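
Review bot: in the IPCUnixSocket::sendData() hunk of patch 1/2, the new "if (fds)" guard tests the pointer rather than the count, while msg.msg_control and msg.msg_controllen are still set unconditionally just above it. If a caller ever passes a null fds together with a non-zero num, sendmsg() is called with a control message whose data area this function never wrote. Guarding on num instead (or as well), or rejecting a null fds with num > 0 before the message is built, would keep the control header and its payload from disagreeing. A one-line comment saying that memcpy() arguments are declared non-null even for a zero length would also explain the check to later readers.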
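
Review bot: in the IPCUnixSocket::recvData() hunk of patch 1/2, the path where fds is null now falls straight through to "return 0", so a call with a null fds and a non-zero num reports success while whatever arrived in CMSG_DATA(cmsg) is never handed to the caller. The commit message describes the intended case as an empty fd vector, so the copy should only be skipped when num is zero: suggest "if (num)" as the guard, or an error return when fds is null and num is not, so that the unexpected combination is reported instead of silently ignored.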
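
Review bot: in the IPCMessage::payload() hunk of patch 2/2, the guard "if (data_.size() > 0)" reads more idiomatically as "if (!data_.empty())", and with a single statement the todo comment could stay above the condition, since it describes the copy in general rather than the non-empty case. A short comment that an empty vector's data() may be a null pointer would document why the check is needed. The unconditional memcpy() of header_ above it is fine as is, because &header_ is never null.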