From 690ed3bbe5048336e59ed0bbbcd950621933c232 Mon Sep 17 00:00:00 2001
From: Dmitry Ilyin <6576495+widgetii@users.noreply.github.com>
Date: Thu, 18 Jun 2026 16:06:09 +0300
Subject: [PATCH] hal/hisi: fix strcpy-param-overlap in get_hisi_sdk (UB, caught by ASAN)

get_hisi_sdk() reformats the /proc/umap/sys version line into " ()". line_from_file() returns the *greedy* capture of `Version: \[(.+)\]`, so on a typical Hisilicon line such as

    [SYS] Version: [Hi3516CV500_MPP_V2.0.2.1 B030 Release], Build Time[May 28 2020, 11:04:35]

buf ends up spanning BOTH brackets. The code overwrites the first ']' with " (" and then splices the build time in via strcpy(ptr, build + 1) -- but build+1 and ptr alias the same buffer, so that is an overlapping copy.

strcpy() with overlapping ranges is undefined behaviour; it only happens to produce the right string on glibc because the copy direction reads before it writes. AddressSanitizer aborts on it (strcpy-param-overlap), and a different libc/arch could silently corrupt the string.

Use memmove(), which is well-defined for overlap and yields the identical " ()" result.

Found by running an ASAN-instrumented build on a live Hi3516CV500 (glibc) camera; after the fix the full run completes ASAN-clean with sdk: "Hi3516CV500_MPP_V2.0.2.1 B030 Release (May 28 2020, 11:04:35)".

Co-Authored-By: Claude Opus 4.8 (1M context)
--- src/hal/hisi/hal_hisi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/hal/hisi/hal_hisi.c b/src/hal/hisi/hal_hisi.c index 1a2038c..058ab33 100644 --- a/src/hal/hisi/hal_hisi.c +++ b/src/hal/hisi/hal_hisi.c
@@ -474,7 +474,12 @@ static void get_hisi_sdk(cJSON *j_inner) { return; *ptr++ = ' '; *ptr++ = '('; - strcpy(ptr, build + 1); + /* build+1 and ptr alias the same buffer (the bracketed build + * time sits after the ']' we just overwrote), so this is an + * overlapping copy: strcpy() is UB here (ASAN: strcpy-param- + * overlap), memmove() is well-defined and yields the same + * " ()" string. */ + memmove(ptr, build + 1, strlen(build + 1) + 1); strcat(ptr, ")"); ADD_PARAM("sdk", buf); }
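Review bot: The `strcat(ptr, ")")` kept right after the new `memmove()` still rests on an ordering the hunk does not check: the append only fits because the build time is moved toward the start of buf, i.e. `ptr < build + 1`. The added comment states that relation, but nothing in the visible lines enforces it, and if earlier parsing ever leaves `build + 1` at or before `ptr` the append grows the string beyond its original length, with the size of buf not visible here. Consider taking the length once and terminating by hand, e.g. `size_t n = strlen(build + 1); memmove(ptr, build + 1, n); ptr[n] = ')'; ptr[n + 1] = '\0';`, which also drops the second scan over the string, and guard the ordering before the two `*ptr++` writes. Minor: the comment splits `strcpy-param-overlap` across two lines, so the ASAN error name no longer greps; keep it on one line.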