Xen project Mailing List

Re: [PATCH v1 3/3] xen/libfdt: fix UBSAN null pointer in fdt_property()

To: "Orzel, Michal" <michal.orzel@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

From: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>

Date: Tue, 19 May 2026 11:16:55 +0200

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=20251104 header.d=gmail.com header.i="@gmail.com" header.h="Content-Transfer-Encoding:In-Reply-To:From:Content-Language:References:Cc:To:Subject:User-Agent:MIME-Version:Date:Message-ID"

Cc: Baptiste Le Duc <baptiste.le-duc@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>

Delivery-date: Tue, 19 May 2026 09:17:06 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Michal, On 5/19/26 10:49 AM, Orzel, Michal wrote:

Hi Oleksii,

We treat libfdt as external library and we don't accept any edits here prior to
first sending a fix to libfdt and then cherry-picking a patch (in fact, afacit
we then do the libfdt version update).

Thanks for clarifying that. Just to be sure I don't confuse something. According to the commit ...: commit ad9cf6bde5b90d4c1e5a79a2803e98d6344c27d7 Author: Vikram Garhwal <fnu.vikram@xxxxxxxxxx> Date: Thu Nov 11 23:27:20 2021 -0800 Update libfdt to v1.6.1

Update libfdt to v1.6.1 of libfdt taken from

git://github.com/dgibson/dtc.

This update is done to support device tree overlays. ... I have to send this patch to git://github.com/dgibson/dtc, right? ~ Oleksii

On 19-May-26 10:39, Oleksii Kurochko wrote:

fdt_property() unconditionally calls memcpy(ptr, val, len) even when
len is zero and val is NULL.  This is a legitimate calling convention
for adding empty FDT properties such as "interrupt-controller", which
carry no payload.

In Xen, memcpy() maps to __builtin_memcpy(). The compiler treats
__builtin_memcpy as nonnull on its pointer arguments, so UBSAN fires
before it can observe that len is zero:
   UBSAN: Undefined behaviour in common/libfdt/fdt_sw.c:333:2
          null pointer passed as argument 2, declared with nonnull
          attribute

Guard the memcpy() with a check on len so it is skipped entirely when
there is no payload to copy, bringing the code in line with the
nonnull contract.

Fixes: f0ea06558068 ("libfdt: add version 1.3.0")
Signed-off-by: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
Reviewed-by: Baptiste Le Duc <baptiste.le-duc@xxxxxxxxxx>
---
  xen/common/libfdt/fdt_sw.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/common/libfdt/fdt_sw.c b/xen/common/libfdt/fdt_sw.c
index 4c569ee7eb0d..96d4cf571319 100644
--- a/xen/common/libfdt/fdt_sw.c
+++ b/xen/common/libfdt/fdt_sw.c
@@ -330,7 +330,8 @@ int fdt_property(void *fdt, const char *name, const void 
*val, int len)
        ret = fdt_property_placeholder(fdt, name, len, &ptr);
        if (ret)
                return ret;
-       memcpy(ptr, val, len);
+       if (len)
+               memcpy(ptr, val, len);
        return 0;
  }

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.