[Toybox] memcpy overlap in ps

enh enh at google.com
Mon Oct 3 17:22:34 PDT 2016


from the AOSP gerrit (fixing internal bug 30074257). i've been meaning
to look at this more closely for a couple of months, but haven't found
the time. i too wasn't sure whether switching to memmove was actually
the fix or just papering over a real problem...

Evgenii Stepanov has uploaded a new change for review.

( https://googleplex-android-review.git.corp.google.com/1504922 )


Change subject: Replace one memcpy with memmove.
......................................................................

Replace one memcpy with memmove.

ASan says that memcpy in ps.c:767 may have overlapping input and
output buffers.

AddressSanitizer: memcpy-param-overlap: memory ranges
[0x005579b8494b,0x005579b84953) and [0x005579b8494a, 0x005579b84952)
overlap
    #0 0x7cdfb3d7cf in __asan_memcpy [asan_rtl] (discriminator 55)
    #1 0x5579b4baa3 in get_ps external/toybox/toys/posix/ps.c:767
    #2 0x5579aeef2b in dirtree_handle_callback external/toybox/lib/dirtree.c:111
    #3 0x5579aef0b7 in dirtree_recurse external/toybox/lib/dirtree.c:154
    #4 0x5579aeefbf in dirtree_handle_callback external/toybox/lib/dirtree.c:114
    #5 0x5579b48217 in ps_main external/toybox/toys/posix/ps.c:1219
    #6 0x5579afb887 in toy_exec external/toybox/main.c:153 (discriminator 1)
    #7 0x5579afae2b in toybox_main external/toybox/main.c:166 (discriminator 1)
    #8 0x5579afba23 in main external/toybox/main.c:225

This does look intentional, so replacing memcpy with memmove. I'm not
100% sure this is right though (not even 80%).

Test: "adb shell ps" in a SANITIZE_TARGET=address build

Change-Id: I7b1d8a251feaf8c4b7261a4bbb21bf742cdc3ff0
---
M toys/posix/ps.c
1 file changed, 1 insertion(+), 1 deletion(-)



diff --git a/toys/posix/ps.c b/toys/posix/ps.c
index 011a43e..5871f4c 100644
--- a/toys/posix/ps.c
+++ b/toys/posix/ps.c
@@ -764,7 +764,7 @@
           }
         }
         if (i<len) len = i;
-        memcpy(buf, s, len);
+        memmove(buf, s, len);
         buf[len] = 0;
       }
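Review bot: memmove is the right primitive when the ranges can alias, but the hunk leaves no record of why `s` and `buf` overlap, so a later cleanup could quietly flip it back to memcpy; add a one-line comment above `memmove(buf, s, len);` noting that the source can start one byte before the destination (the two ranges in the ASan report differ by exactly one byte, 0x...494a versus 0x...494b), which is the direction in which a forward byte-wise copy smears `s[0]` across the whole output. The "not even 80%" doubt in the commit message should be settled before merge rather than carried along: overlapping memcpy is undefined behaviour, so whatever the old code produced was an accident of the libc implementation, and the stated test ("adb shell ps" under SANITIZE_TARGET=address) only shows ASan is quiet, not that the field contents are correct, so compare the printed field against the pre-change output as well.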

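To make the failure mode concrete, here is an added example (not code from toybox or from the change above) that reproduces the geometry the ASan report shows: a destination range starting one byte after the source. The byte-by-byte `naive_forward_copy` stands in for a simple memcpy, because the library memcpy's behaviour on overlap is undefined and may or may not corrupt; `shift_by_one` and the "abcdefgh" input are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>

/* Byte-by-byte forward copy, the simplest possible memcpy implementation.
   The C standard leaves memcpy on overlapping ranges undefined, so the real
   library call may or may not corrupt; this version fails deterministically. */
static void naive_forward_copy(char *dst, const char *src, size_t len) {
  for (size_t i = 0; i < len; i++) dst[i] = src[i];
}

/* Mirror the ps.c pattern: copy len bytes from s into buf, then NUL-terminate.
   Here buf = s + 1, the layout in the ASan report (destination range begins
   one byte after the source range). use_memmove selects the fixed variant. */
static const char *shift_by_one(char *scratch, size_t cap, const char *text,
                                int use_memmove) {
  size_t len = strlen(text);
  if (len + 2 > cap) return NULL;          /* room for the shift plus the NUL */
  memcpy(scratch, text, len + 1);          /* constructed input; no overlap here */
  char *s = scratch, *buf = scratch + 1;   /* overlapping source and destination */
  if (use_memmove) memmove(buf, s, len);
  else naive_forward_copy(buf, s, len);
  buf[len] = 0;
  return scratch;
}

/* Run the shift on the constructed input and compare against an expected string. */
static int shift_result_is(int use_memmove, const char *expected) {
  char scratch[32];
  const char *out = shift_by_one(scratch, sizeof scratch, "abcdefgh", use_memmove);
  return out != NULL && strcmp(out, expected) == 0;
}

int main(void) {
  char a[32], b[32];
  /* forward copy smears the first byte over the whole field; memmove keeps it intact */
  printf("naive copy: %s\n", shift_by_one(a, sizeof a, "abcdefgh", 0));
  printf("memmove:    %s\n", shift_by_one(b, sizeof b, "abcdefgh", 1));
  return 0;
}
```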