[BUG] IPC3: Runtime error due to unsigned offset overflow in string.h during fuzz testing #9768

tmleman · 2025-01-08T12:31:54Z

Describe the bug
A runtime error occurs due to an addition of an unsigned offset that results in an overflow. This was detected using UndefinedBehaviorSanitizer during IPC3 fuzz testing.
Note that this issue does not cover the null pointer dereference, which has been reported previously: #9742.

To Reproduce

Run fuzz testing with the provided corpus.
Observe the segmentation fault in the logs.

Reproduction Rate
The issue occurs consistently during fuzz testing.

Expected behavior
The fuzz testing should complete without causing a runtime error.

Impact
This issue is a showstopper as it prevents the completion of fuzz testing and affects the stability of the IPC3 configuration.

Environment

Branch name and commit hash.
- SOF: 7650d0a
Name of the platform(s) on which the bug is observed.
- Platform: native_sim
System and Tool Versions:
- Operating System: Ubuntu 22.04
- Kernel Version: 6.5.0-25-generic
- CMake Version: 3.22.1
- Python Version: 3.10.12 (used within a virtual environment)
- West Version: 1.2.0
- Toolchain: LLVM (Clang/ld)
- DTC Version: 1.6.1
- Clang Version: 14.0.0
- Clang++ Version: 14.0.0
- GNU LD Version: 2.38

Screenshots or console output

INFO: Running with entropic power schedule (0xFF, 100).
INFO:    29455 files found in ./ipc3_corpus
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: seed corpus: files: 29455 min: 1b max: 510b total: 2367995b rss: 32Mb
/home/tmleman/work/repos/thesofproject/sof/zephyr/include/rtos/string.h:43:50: runtime error: addition of unsigned offset to 0x088fbb24 overflowed to 0x088fbb23
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/tmleman/work/repos/thesofproject/sof/zephyr/include/rtos/string.h:43:50 in
/home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc-helper.c:308:2: runtime error: member access within null pointer of type 'struct list_item'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc-helper.c:308:2 in
/home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc-helper.c:308:2: runtime error: load of null pointer of type 'struct list_item *'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc-helper.c:308:2 in
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==432370==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x00000000 (pc 0x080e38a0 bp 0xeb9fcfd8 sp 0xeb9fcfb0 T432404)
==432370==The signal is caused by a READ memory access.
==432370==Hint: address points to the zero page.
    #0 0x80e38a0 in ipc_comp_free /home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc-helper.c

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc-helper.c in ipc_comp_free
==432370==ABORTING
MS: 2 InsertRepeatedBytes-InsertByte-; base unit: b4f43ebcf03f40281d674b9e826e0d9be4f3ed4f
0x0,0x0,0x0,0x26,0x0,0xff,0x60,0x87,0x0,0x0,0x2,0x30,0x0,0x53,0x53,0x0,0xff,0x0,0x53,0x0,0x0,0x20,0x30,0x53,0x53,0x5b,0x53,0x53,0x51,0x0,0x0,0x1,0x50,0x53,0x53,0x53,0x0,0x0,0x1,0x30,0x0,0x0,0x0,0x2,0xff,0xff,0xff,0xff,0x2,0xff,0x19,0xff,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x24,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
\000\000\000&\000\377`\207\000\000\0020\000SS\000\377\000S\000\000 0SS[SSQ\000\000\001PSSS\000\000\0010\000\000\000\002\377\377\377\377\002\377\031\377\000\000\000\000\000\000\000\000\000$\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
artifact_prefix='./findings/ipc3_2025-01-08_undefined/'; Test unit written to ./findings/ipc3_2025-01-08_undefined/crash-6eb29353a782085538e848200ca661280437a13b
Base64: AAAAJgD/YIcAAAIwAFNTAP8AUwAAIDBTU1tTU1EAAAFQU1NTAAABMAAAAAL/////Av8Z/wAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

The text was updated successfully, but these errors were encountered:

This patch addresses an issue in the `memcpy_s` function within the Zephyr RTOS string header. The issue was identified during IPC3 fuzz testing with UndefinedBehaviorSanitizer enabled. Changes include: - Adding `stdint.h` for `uintptr_t` type. - Adding checks to prevent overflow in pointer arithmetic. - Adjusting overlap checks to avoid overflow. These changes ensure that the `memcpy_s` function correctly handles edge cases, preventing undefined behavior due to pointer arithmetic overflow and memory overlap. Fixes thesofproject#9768 Signed-off-by: Tomasz Leman <[email protected]>

This patch addresses an issue in the `memcpy_s` function within the Zephyr RTOS string header. The issue was identified during IPC3 fuzz testing with UndefinedBehaviorSanitizer enabled. Changes include: - Adding `stdint.h` for `uintptr_t` type. - Adding checks to prevent overflow in pointer arithmetic. - Adjusting overlap checks to avoid overflow. These changes ensure that the `memcpy_s` function correctly handles edge cases, preventing undefined behavior due to pointer arithmetic overflow and memory overlap. Fixes thesofproject#9768 Signed-off-by: Tomasz Leman <[email protected]> (cherry picked from commit 7d11802) Signed-off-by: Kai Vehmanen <[email protected]>

This patch addresses an issue in the `memcpy_s` function within the Zephyr RTOS string header. The issue was identified during IPC3 fuzz testing with UndefinedBehaviorSanitizer enabled. Changes include: - Adding `stdint.h` for `uintptr_t` type. - Adding checks to prevent overflow in pointer arithmetic. - Adjusting overlap checks to avoid overflow. These changes ensure that the `memcpy_s` function correctly handles edge cases, preventing undefined behavior due to pointer arithmetic overflow and memory overlap. Fixes #9768 Signed-off-by: Tomasz Leman <[email protected]> (cherry picked from commit 7d11802) Signed-off-by: Kai Vehmanen <[email protected]>

tmleman added bug Something isn't working as expected P2 Critical bugs or normal features IPC3 labels Jan 8, 2025

tmleman self-assigned this Jan 8, 2025

This was referenced Jan 8, 2025

zephyr: fix overflow and overlap checks in memcpy_s #9769

Merged

[BUG] Segmentation Fault in ipc_comp_free during IPC3 Fuzz Testing #9742

Open

kv2019i closed this as completed in #9769 Jan 9, 2025

kv2019i closed this as completed in 7d11802 Jan 9, 2025

kv2019i mentioned this issue Jan 9, 2025

[stable-v2.12] zephyr: fix overflow and overlap checks in memcpy_s #9771

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] IPC3: Runtime error due to unsigned offset overflow in string.h during fuzz testing #9768

[BUG] IPC3: Runtime error due to unsigned offset overflow in string.h during fuzz testing #9768

tmleman commented Jan 8, 2025

[BUG] IPC3: Runtime error due to unsigned offset overflow in string.h during fuzz testing #9768

[BUG] IPC3: Runtime error due to unsigned offset overflow in string.h during fuzz testing #9768

Comments

tmleman commented Jan 8, 2025