Skip to content

include: cbprintf: Fix call to memcpy with null pointer #92108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 26, 2025
Merged

include: cbprintf: Fix call to memcpy with null pointer #92108

merged 1 commit into from
Jun 26, 2025

Conversation

@tpambor
Copy link
Contributor

@tpambor tpambor commented Jun 24, 2025

cbprintf_package_convert may invoke z_cbprintf_cpy with a null pointer to buf and zero length to indicate a flush operation.

zephyr/lib/os/cbprintf_packaged.c

Lines 1166 to 1167 in f2c37c4

/* Empty call (can be interpreted as flushing) */
(void)cb(NULL, 0, ctx);

This triggers an error from the undefined behavior sanitizer due to memcpy being called with a null src:

zephyr/include/zephyr/sys/cbprintf.h:536:45: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
    #0 0x8186fa9 in z_cbprintf_cpy zephyr/include/zephyr/sys/cbprintf.h:536:2
    #1 0x816bd79 in cbprintf_package_convert zephyr/lib/os/cbprintf_packaged.c:1167:8
    #2 0x81865c7 in cbprintf_package_copy zephyr/include/zephyr/sys/cbprintf.h:586:9
    #3 0x81865c7 in z_impl_z_log_msg_static_create zephyr/subsys/logging/log_msg.c:323:10
<snip>

SUMMARY: UndefinedBehaviorSanitizer: invalid-null-argument zephyr/include/zephyr/sys/cbprintf.h:536:45

Passing a null pointer as source to memcpy is undefined behavior according to the C standard.

The behavior is undefined if either dest or src is an invalid or null pointer.

This PR adds a fix by exiting early in z_cbprintf_cpy when length is zero.

@github-actions github-actions bot requested review from dcpleung and nordic-krch June 24, 2025 13:38
@tpambor
include: cbprintf: Fix call to memcpy with null pointer
3dec396 
cbprintf_package_convert may invoke z_cbprintf_cpy with a null pointer
to buf and zero length to indicate a flush operation. This triggers
an error from the undefined behavior sanitizer due to memcpy being called
with a null src, which is undefined behavior according to the C standard.

This is avoided by exiting early in z_cbprintf_cpy when length is zero.

Signed-off-by: Tim Pambor <tim.pambor@codewrights.de>
@tpambor tpambor force-pushed the fix-z_cbprintf_cpy branch from edbc949 to 3dec396 Compare June 24, 2025 13:42
@sonarqubecloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@danieldegrasse danieldegrasse merged commit 542ea03 into zephyrproject-rtos:main Jun 26, 2025
26 checks passed
@ghost ghost mentioned this pull request Jul 8, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nordic-krch nordic-krch nordic-krch approved these changes

@dcpleung dcpleung Awaiting requested review from dcpleung

+1 more reviewer
Reviewers whose approvals may not affect merge requirements

Assignees

@nordic-krch nordic-krch

Labels

area: Formatting Output

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tpambor @nordic-krch @danieldegrasse