﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2570	memcpy from NULL during startup	kenballus@…		"{{{memcpy}}}ing to or from {{{NULL}}} is undefined behavior, even when the copy is of size 0.

Nginx executes a {{{memcpy}}} from {{{NULL}}} during startup with the default configuration. This can be reproduced very easily as follows:

0. Build and install Nginx with GCC 12.2.0 on x86_64 Linux using the default configuration.
1. Run Nginx under gdb, setting the appropriate breakpoints:
{{{#!sh
gdb -ex 'b ngx_pstrdup' -ex 'r' -ex 'c' -ex 'c' -ex 'b memcpy' -ex 'c' -ex 'print $rsi' /usr/local/nginx/sbin/nginx
}}}
2. Observe that the second argument to {{{memcpy}}} is {{{NULL}}}:
{{{
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <LINK OMITTED>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type ""show copying"" and ""show warranty"" for details.
This GDB was configured as ""x86_64-linux-gnu"".
Type ""show configuration"" for configuration details.
For bug reporting instructions, please see:
<LINK OMITTED>.
Find the GDB manual and other documentation resources online at:
    <LINK OMITTED>.

For help, type ""help"".
Type ""apropos word"" to search for commands related to ""word""...
Reading symbols from /usr/local/nginx/sbin/nginx...
Breakpoint 1 at 0x1ea6c: file src/core/ngx_string.c, line 76.
Starting program: /usr/local/nginx/sbin/nginx
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library ""/lib/x86_64-linux-gnu/libthread_db.so.1"".

Breakpoint 1, ngx_pstrdup (pool=pool@entry=0x55c897c5e4d0, src=src@entry=0x7ffcbb97b358)
    at src/core/ngx_string.c:76
76	{
Continuing.

Breakpoint 1, ngx_pstrdup (pool=pool@entry=0x55c897c5e4d0, src=src@entry=0x7ffcbb97b368)
    at src/core/ngx_string.c:76
76	{
Continuing.

Breakpoint 1, ngx_pstrdup (pool=pool@entry=0x55c897c5e4d0, src=src@entry=0x7ffcbb97b348)
    at src/core/ngx_string.c:76
76	{
Breakpoint 2 at 0x7f3413660cc0: memcpy. (4 locations)
Continuing.

Breakpoint 2.3, __memcpy_avx_unaligned_erms ()
    at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:264
264	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
$1 = 0
}}}

This was found with UBSan. I have tested it both on the development branch and on 1.22.1, and the issue is present in both."	defect	closed	minor		nginx-core		wontfix			Linux bfd92496df4c 6.1.63-1-lts #1 SMP PREEMPT_DYNAMIC Mon, 20 Nov 2023 12:45:57 +0000 x86_64 GNU/Linux	"nginx version: nginx/1.25.4
built by gcc 12.2.0 (Debian 12.2.0-14)
configure arguments:"
