zephyr: fix overflow and overlap checks in memcpy_s

tmleman · kv2019i · commit 7d11802b0c53 · 2025-01-09T10:57:02.000+02:00
This patch addresses an issue in the `memcpy_s` function within the Zephyr RTOS string header. The issue was identified during IPC3 fuzz testing with UndefinedBehaviorSanitizer enabled. Changes include: - Adding `stdint.h` for `uintptr_t` type. - Adding checks to prevent overflow in pointer arithmetic. - Adjusting overlap checks to avoid overflow. These changes ensure that the `memcpy_s` function correctly handles edge cases, preventing undefined behavior due to pointer arithmetic overflow and memory overlap. Fixes thesofproject#9768 Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
diff --git a/zephyr/include/rtos/string.h b/zephyr/include/rtos/string.h
@@ -8,6 +8,7 @@
 
 /* Zephyr uses a C library so lets use it */
 #include <string.h>
+#include <stdint.h>
 #include <stddef.h>
 #include <errno.h>
 
@@ -40,11 +41,19 @@ static inline int memcpy_s(void *dest, size_t dest_size,
 	if (!dest || !src)
 		return -EINVAL;
 
-	if ((dest >= src && (char *)dest < ((char *)src + count)) ||
-	    (src >= dest && (char *)src < ((char *)dest + dest_size)))
+	if (count > dest_size)
 		return -EINVAL;
 
-	if (count > dest_size)
+	uintptr_t dest_addr = (uintptr_t)dest;
+	uintptr_t src_addr = (uintptr_t)src;
+
+	/* Check for overflow in pointer arithmetic */
+	if ((dest_addr + dest_size < dest_addr) || (src_addr + count < src_addr))
+		return -EINVAL;
+
+	/* Check for overlap without causing overflow */
+	if ((dest_addr >= src_addr && dest_addr < src_addr + count) ||
+	    (src_addr >= dest_addr && src_addr < dest_addr + dest_size))
 		return -EINVAL;
 
 	memcpy(dest, src, count);
