db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
3#include <unistd.h>
4
5#include "errno-util.h"
6#include "fd-util.h"
7#include "fuzz.h"
8#include "hexdecoct.h"
9#include "io-util.h"
10#include "varlink.h"
11#include "log.h"
12
/* Output sink shared by the callbacks in this file. LLVMFuzzerTestOneInput() opens it on /dev/null for
 * every input and closes it again before returning, so the dump and hexdump calls run without producing
 * any visible output. */
static FILE *null = NULL;
14
/* Method handler that LLVMFuzzerTestOneInput() binds to "io.test.DoSomething" on the fuzzed server.
 * It pretty-prints the received parameters into the /dev/null sink and reports success; the connection,
 * flags and userdata arguments are not used. The dump presumably exists so that the harness actually
 * reads the parsed variant instead of discarding it. */
static int method_something(Varlink *v, JsonVariant *p, VarlinkMethodFlags flags, void *userdata) {
        json_variant_dump(p, JSON_FORMAT_PRETTY|JSON_FORMAT_NEWLINE, null, NULL);

        return 0;
}
19
/* Reply handler that LLVMFuzzerTestOneInput() installs on the fuzzed client via varlink_bind_reply().
 * It pretty-prints the reply parameters into the /dev/null sink and returns 0. The error_id is ignored,
 * so error replies are handled the same way as successful ones. */
static int reply_callback(Varlink *v, JsonVariant *p, const char *error_id, VarlinkReplyFlags flags, void *userdata) {
        json_variant_dump(p, JSON_FORMAT_PRETTY|JSON_FORMAT_NEWLINE, null, NULL);

        return 0;
}
24
/* I/O handler for the harness end of each socket pair. userdata points to the struct iovec describing the
 * part of the fuzz input that still has to be sent to the peer; whatever the peer sends back is read and
 * hexdumped into the /dev/null sink. Always returns 0; unexpected socket errors abort via assert_se(). */
static int io_callback(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
        struct iovec *iov = ASSERT_PTR(userdata);
        bool write_eof = false, read_eof = false;

        assert(s);
        assert(fd >= 0);

        /* EPOLLHUP/EPOLLERR also lead to a send() attempt while data is still pending, so that a vanished
         * peer is noticed through the errno of the failed send(). */
        if (iov->iov_len > 0 && (revents & (EPOLLOUT|EPOLLHUP|EPOLLERR))) {
                /* Never hand over more than 143 bytes per call: this makes it more likely that the peer
                 * sees a message split across several recv()s, which exercises its reassembly code paths.
                 * MSG_NOSIGNAL keeps a closed peer from raising SIGPIPE in the fuzzer process. */
                ssize_t sent = send(fd, iov->iov_base, MIN(iov->iov_len, 143U), MSG_NOSIGNAL|MSG_DONTWAIT);

                if (sent >= 0)
                        IOVEC_INCREMENT(iov, 1, sent);
                else if (ERRNO_IS_DISCONNECT(errno))
                        write_eof = true;
                else
                        /* Anything but "would block" is unexpected here and aborts the run. */
                        assert_se(errno == EAGAIN);
        }

        if (revents & EPOLLIN) {
                /* NOTE(review): the odd 137 byte size presumably mirrors the 143 byte write limit above,
                 * i.e. it keeps reads fragmented as well; the original does not say. */
                char buf[137];
                ssize_t got = recv(fd, buf, sizeof(buf), MSG_DONTWAIT);

                if (got > 0)
                        hexdump(null, buf, (size_t) got);
                else if (got == 0)
                        /* Orderly shutdown by the peer. */
                        read_eof = true;
                else if (ERRNO_IS_DISCONNECT(errno))
                        read_eof = true;
                else
                        assert_se(errno == EAGAIN);
        }

        /* Nothing changes while there is still input left to write and the peer is reachable. */
        if (!write_eof && iov->iov_len > 0)
                return 0;

        /* Writing is finished: stop asking for EPOLLOUT. If reading hit EOF as well, switch the event
         * source off entirely. */
        if (read_eof)
                assert_se(sd_event_source_set_enabled(s, SD_EVENT_OFF) >= 0);
        else
                assert_se(sd_event_source_set_io_events(s, EPOLLIN) >= 0);

        return 0;
}
75
/* Deferred event handler that LLVMFuzzerTestOneInput() registers at SD_EVENT_PRIORITY_IDLE. It runs once
 * nothing else is left to do and asks the event loop owning the source to exit with code 0, which ends
 * the fuzz iteration. userdata is unused. */
static int idle_callback(sd_event_source *s, void *userdata) {
        assert(s);

        /* As in the original, the result of sd_event_exit() is not checked. */
        (void) sd_event_exit(sd_event_source_get_event(s), 0);

        return 0;
}
83
/* libFuzzer entry point. The same input is fed to a varlink server (as if it were an incoming method call)
 * and to a varlink client (as if it were the reply to its call); a single event loop then runs until the
 * idle handler stops it. Always returns 0: every setup step is wrapped in assert_se(), so a failure aborts
 * the process instead of being reported to the caller. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        /* Each side gets its own cursor over the input. The const is cast away because iov_base is a plain
         * void pointer; io_callback() only passes the buffer to send() and advances the cursor. */
        struct iovec server_iov = IOVEC_MAKE((void*) data, size);
        struct iovec client_iov = IOVEC_MAKE((void*) data, size);

        /* Important: keep this declaration order. The fds are declared first and the event sources second,
         * so that on return the event sources are released first and the fds are closed after them. */
        _cleanup_close_pair_ int server_pair[2] = { -1, -1 };
        _cleanup_close_pair_ int client_pair[2] = { -1, -1 };
        _cleanup_(sd_event_source_unrefp) sd_event_source *idle_event_source = NULL;
        _cleanup_(sd_event_source_unrefp) sd_event_source *server_event_source = NULL;
        _cleanup_(sd_event_source_unrefp) sd_event_source *client_event_source = NULL;
        _cleanup_(varlink_server_unrefp) VarlinkServer *s = NULL;
        _cleanup_(varlink_flush_close_unrefp) Varlink *c = NULL;
        _cleanup_(sd_event_unrefp) sd_event *e = NULL;

        /* Default to logging critical messages only; the environment is parsed afterwards. */
        log_set_max_level(LOG_CRIT);
        log_parse_environment();

        /* Sink for everything the callbacks dump. */
        null = fopen("/dev/null", "we");
        assert_se(null);

        assert_se(sd_event_default(&e) >= 0);

        /* Test one: write the data as method call to a server */
        assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, server_pair) >= 0);
        assert_se(varlink_server_new(&s, 0) >= 0);
        assert_se(varlink_server_set_description(s, "myserver") >= 0);
        assert_se(varlink_server_attach_event(s, e, 0) >= 0);
        assert_se(varlink_server_add_connection(s, server_pair[0], NULL) >= 0);
        /* The server side of the pair has been handed to the varlink server; invalidate our copy so that
         * the pair cleanup does not close it as well. */
        TAKE_FD(server_pair[0]);
        assert_se(varlink_server_bind_method(s, "io.test.DoSomething", method_something) >= 0);
        assert_se(sd_event_add_io(e, &server_event_source, server_pair[1], EPOLLIN|EPOLLOUT, io_callback, &server_iov) >= 0);

        /* Test two: write the data as method response to a client */
        assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, client_pair) >= 0);
        assert_se(varlink_connect_fd(&c, client_pair[0]) >= 0);
        /* Same hand-over as above, this time to the varlink client connection. */
        TAKE_FD(client_pair[0]);
        assert_se(varlink_set_description(c, "myclient") >= 0);
        assert_se(varlink_attach_event(c, e, 0) >= 0);
        assert_se(varlink_bind_reply(c, reply_callback) >= 0);
        /* Issue a call so that the client is waiting for a reply when the fuzz input arrives. */
        assert_se(varlink_invoke(c, "io.test.DoSomething", NULL) >= 0);
        assert_se(sd_event_add_io(e, &client_event_source, client_pair[1], EPOLLIN|EPOLLOUT, io_callback, &client_iov) >= 0);

        /* The idle-priority deferred source ends the loop once no other work is pending. */
        assert_se(sd_event_add_defer(e, &idle_event_source, idle_callback, NULL) >= 0);
        assert_se(sd_event_source_set_priority(idle_event_source, SD_EVENT_PRIORITY_IDLE) >= 0);

        assert_se(sd_event_loop(e) >= 0);

        /* Close the sink and reset the global for the next input. */
        null = safe_fclose(null);

        return 0;
}