On Sat, Feb 26, 2022 at 06:11:30PM +0000, Ariadne Conill wrote:
> While investigating a sporadic crash issue relating to variable substitution
> in Alpine Linux, we managed to get a reliable crash when building BusyBox with
> ASan, due to the source and destination overlapping for mempcpy, which resulted
> in sporadic data corruption outside ASan.
>
> Per POSIX, memcpy is not allowed to overlap source and destination; as mempcpy
> is a GNU-specific extension to memcpy, the same semantics can be assumed.
> Accordingly, we use memmove instead, which does not have this limitation.
>
> Signed-off-by: Ariadne Conill <aria...@dereferenced.org>
> ---
>  shell/ash.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/shell/ash.c b/shell/ash.c
> index adb0f223a..6f256d4c3 100644
> --- a/shell/ash.c
> +++ b/shell/ash.c
> @@ -7187,7 +7187,7 @@ subevalvar(char *start, char *str, int strloc,
>                       len = orig_len - pos;
>
>               if (!quotes) {
> -                     loc = mempcpy(startp, startp + pos, len);
> +                     loc = memmove(startp, startp + pos, len);
>               } else {
>                       for (vstr = startp; pos != 0; pos--) {
>                               if ((unsigned char)*vstr == CTLESC)
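Review bot: the replacement line `loc = memmove(startp, startp + pos, len);` changes what `loc` holds, because `mempcpy()` returns `dest + n` (one past the last copied byte) while `memmove()` returns `dest`, so `loc` now points at `startp` rather than `startp + len`. Switching to memmove for the overlap-safe copy is the right fix; keep the end pointer too, e.g. `memmove(startp, startp + pos, len); loc = startp + len;` (or `loc = (char *)memmove(startp, startp + pos, len) + len;`, since arithmetic on the `void *` that memmove returns is not standard C). With `len = orig_len - pos` computed just above, that yields the same `loc` the mempcpy version produced.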
> --
> 2.35.1
>
> _______________________________________________
> busybox mailing list
> busybox@busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox

Looks like the returned pointer isn't the same between the two functions;
shouldn't it be `loc = memmove(...) + len` instead?
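As an added illustration (not code from the patch or from BusyBox itself): a C sketch of the return-value difference the reply points out, using a hypothetical overlap-safe `mempmove()` helper and a `drop_prefix()` routine modelled on the hunk's left-shift of the buffer tail; the buffers are constructed samples chosen so that source and destination overlap.

```c
#include <stddef.h>
#include <string.h>
#include <assert.h>

/* Hypothetical helper: overlap-safe stand-in for GNU mempcpy().
 * memmove() tolerates overlapping regions but returns dst, whereas
 * mempcpy() returns dst + n; adding n restores the "end of copy"
 * pointer that callers such as ash's subevalvar() keep in loc. */
static char *mempmove(char *dst, const char *src, size_t n)
{
    return (char *)memmove(dst, src, n) + n;
}

/* Drop the first `pos` bytes of an in-place buffer by shifting the tail
 * left (the operation in the hunk) and return the end of the moved data.
 * Returns NULL if pos exceeds the data length. */
char *drop_prefix(char *startp, size_t orig_len, size_t pos)
{
    if (pos > orig_len)
        return NULL;
    size_t len = orig_len - pos;            /* as computed in the hunk */
    char *loc = mempmove(startp, startp + pos, len);
    *loc = '\0';                            /* keep the buffer a C string */
    return loc;
}

/* Same move written with a bare memmove(): the bytes land correctly even
 * though the regions overlap, but the returned pointer is the start of
 * the destination, not its end, which is the bug the reply flags. */
char *drop_prefix_wrong_loc(char *startp, size_t orig_len, size_t pos)
{
    if (pos > orig_len)
        return NULL;
    size_t len = orig_len - pos;
    return memmove(startp, startp + pos, len);  /* == startp, not startp + len */
}

int main(void)
{
    char buf[] = "xxvalue";                      /* constructed: src/dst overlap */
    char *end = drop_prefix(buf, strlen(buf), 2);
    assert(strcmp(buf, "value") == 0 && end == buf + 5);

    char buf2[] = "xxvalue";
    char *p = drop_prefix_wrong_loc(buf2, strlen(buf2), 2);
    assert(p == buf2 && memcmp(buf2, "value", 5) == 0);
    return 0;
}
```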