diff mbox series

opcodes: Fix null pointer dereference vulnerability in pv_dup function

Message ID 20260327073626.532887-1-pengxu@kylinos.cn
State New
Headers
Series opcodes: Fix null pointer dereference vulnerability in pv_dup function |

Checks

Context Check Description
linaro-tcwg-bot/tcwg_binutils_build--master-arm success Build passed
linaro-tcwg-bot/tcwg_binutils_build--master-aarch64 success Build passed
linaro-tcwg-bot/tcwg_binutils_check--master-aarch64 success Test passed
linaro-tcwg-bot/tcwg_binutils_check--master-arm success Test passed

Commit Message

pengxu@kylinos.cn March 27, 2026, 7:36 a.m. UTC 
  In opcodes/opc2c.c file, in the pv_dup() function, directly calling memcpy after malloc poses potential memory safety issues, with the following specific defects:

No check for malloc return value:
malloc may fail and return NULL. Calling memcpy on a NULL pointer results in undefined behavior (typically a segmentation fault).
A check for rv == NULL should be added:
	if (rv == NULL)
	  return NULL; 

---
 opcodes/opc2c.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Jan Beulich March 27, 2026, 7:54 a.m. UTC | #1 
On 27.03.2026 08:36, pengxu@kylinos.cn wrote:
> 
>    In opcodes/opc2c.c file, in the pv_dup() function, directly calling memcpy after malloc poses potential memory safety issues, with the following specific defects:
> 
> No check for malloc return value:
> malloc may fail and return NULL. Calling memcpy on a NULL pointer results in undefined behavior (typically a segmentation fault).
> A check for rv == NULL should be added:
> 	if (rv == NULL)
> 	  return NULL; 

First: If you say "vulnerability" in the title, you'd need to explain what's
vulnerable here. Checking return values of allocation functions is wanted,
yes, but not doing so is not always a vulnerability. Aiui opc2c is a utility
used when building binutils, not in the targeted environments.

Next, I think it would be nice if you addressed similar issues elsewhere in
the same file at the same time. See e.g. safe_fgets().

Further, what use is it to add a check in pv_dup(), when its caller then
still blindly dereferences the NULL it may get back?

Finally a formal (legal) aspect: Unless you have a copyright assignment in
place, we'd need you to sign-off on your change.

Jan
diff mbox series

Patch

diff --git a/opcodes/opc2c.c b/opcodes/opc2c.c
index 5e5fba67add..f66877fbcc4 100644
--- a/opcodes/opc2c.c
+++ b/opcodes/opc2c.c
@@ -462,6 +462,8 @@  pv_dup (char * p, char * ep)
 {
   int n = ep - p;
   char *rv = (char *) malloc (n + 1);
+  if (rv == NULL)
+    return NULL;
 
   memcpy (rv, p, n);
   rv[n] = 0;