
Re: [PATCH v1 3/3] xen/libfdt: fix UBSAN null pointer in fdt_property()


  • To: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: "Orzel, Michal" <michal.orzel@xxxxxxx>
  • Date: Tue, 19 May 2026 10:49:03 +0200
  • Cc: Baptiste Le Duc <baptiste.le-duc@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>
  • Delivery-date: Tue, 19 May 2026 08:49:19 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Oleksii,

We treat libfdt as an external library and we don't accept any edits here prior to
first sending a fix to libfdt and then cherry-picking a patch (in fact, afaict
we then do the libfdt version update).

~Michal

On 19-May-26 10:39, Oleksii Kurochko wrote:
> fdt_property() unconditionally calls memcpy(ptr, val, len) even when
> len is zero and val is NULL.  This is a legitimate calling convention
> for adding empty FDT properties such as "interrupt-controller", which
> carry no payload.
> 
> In Xen, memcpy() maps to __builtin_memcpy(). The compiler treats
> __builtin_memcpy as nonnull on its pointer arguments, so UBSAN fires
> before it can observe that len is zero:
>   UBSAN: Undefined behaviour in common/libfdt/fdt_sw.c:333:2
>          null pointer passed as argument 2, declared with nonnull
>          attribute
> 
> Guard the memcpy() with a check on len so it is skipped entirely when
> there is no payload to copy, bringing the code in line with the
> nonnull contract.
> 
> Fixes: f0ea06558068 ("libfdt: add version 1.3.0")
> Signed-off-by: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
> Reviewed-by: Baptiste Le Duc <baptiste.le-duc@xxxxxxxxxx>
> ---
>  xen/common/libfdt/fdt_sw.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/xen/common/libfdt/fdt_sw.c b/xen/common/libfdt/fdt_sw.c
> index 4c569ee7eb0d..96d4cf571319 100644
> --- a/xen/common/libfdt/fdt_sw.c
> +++ b/xen/common/libfdt/fdt_sw.c
> @@ -330,7 +330,8 @@ int fdt_property(void *fdt, const char *name, const void 
> *val, int len)
>       ret = fdt_property_placeholder(fdt, name, len, &ptr);
>       if (ret)
>               return ret;
> -     memcpy(ptr, val, len);
> +     if (len)
> +             memcpy(ptr, val, len);
>       return 0;
>  }
>  
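
Review bot: The `if (len)` guard in fdt_property() tests a signed int, so it is also true for a negative len, and the memcpy() under it would then convert that value to a very large size. Whether fdt_property_placeholder() already rejects negative lengths is not visible in this hunk, so either confirm that or write the condition as `if (len > 0)`. A one-line comment above the guard saying that val may be NULL for empty properties would also keep the check from being dropped later as redundant.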

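The empty-property case from the commit message, as an added example that is not part of the thread or of libfdt: a hypothetical `emit_prop()` helper writes one FDT property record (FDT_PROP token, length, name offset, payload padded to 4 bytes) and never hands a NULL pointer to memcpy(). The helper names, the argument checks and the constructed input in `main()` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FDT_PROP 0x3u   /* structure-block token that introduces a property */

/* Store a 32-bit value big-endian, as the FDT structure block requires. */
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/* Hypothetical helper, not libfdt's API: write one property record (token,
 * len, nameoff, payload padded to 4 bytes) at buf + off. Returns the offset
 * just past the record, or -1 on bad arguments or insufficient space. */
static int emit_prop(uint8_t *buf, size_t cap, size_t off,
                     uint32_t nameoff, const void *val, int len)
{
    size_t padded, need;

    /* Reject a negative length and a non-zero length with no payload. */
    if (len < 0 || (len > 0 && val == NULL))
        return -1;
    padded = ((size_t)len + 3) & ~(size_t)3;
    need = 12 + padded;
    if (off > cap || need > cap - off)
        return -1;

    put_be32(buf + off, FDT_PROP);
    put_be32(buf + off + 4, (uint32_t)len);
    put_be32(buf + off + 8, nameoff);
    if (len) {
        /* Only reached with a real payload; an empty property skips this. */
        memset(buf + off + 12, 0, padded);
        memcpy(buf + off + 12, val, (size_t)len);
    }
    return (int)(off + need);
}

int main(void)
{
    uint8_t blob[16];
    return emit_prop(blob, sizeof(blob), 0, 0, NULL, 0) == 12 ? 0 : 1;
}
```

Building this with `-fsanitize=undefined` exercises the same nonnull check that produced the report quoted in the commit message.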