]> git.ipfire.org Git - thirdparty/util-linux.git/commit
projects / thirdparty / util-linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: db85c0e) | patch
tests: add a fuzzer for mnt_table_parse_stream
authorEvgeny Vereshchagin <evvers@ya.ru>
Sat, 11 Apr 2020 13:25:26 +0000 (13:25 +0000)
committerEvgeny Vereshchagin <evvers@ya.ru>
Thu, 6 Aug 2020 12:33:11 +0000 (12:33 +0000)
commitccdc47b7f57b323633d49e416117cfdd3f80f9ad
tree1605f435da9dfb6dcd6d3fec71a436101a85c7f1tree | snapshot
parentdb85c0eb8934d17280e7068ee5b5a1be955e647ccommit | diff
tests: add a fuzzer for mnt_table_parse_stream

The fuzzer is supposed to cover `mnt_table_parse_stream`, which is
used by systemd to parse /proc/self/mountinfo. The systemd project
has run into memory leaks there at least twice:

https://github.com/systemd/systemd/pull/12252#issuecomment-482804040
https://github.com/systemd/systemd/issues/8504

so it seems to be a good idea to continuously fuzz that particular
function.

The patch can be tested locally by installing clang and running
./tools/oss-fuzz.sh. Currently the fuzzer is failing with
```
=================================================================
==96638==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 216 byte(s) in 1 object(s) allocated from:
    #0 0x50cd77 in calloc (/home/vagrant/util-linux/out/test_mount_fuzz+0x50cd77)
    #1 0x58716a in mnt_new_fs /home/vagrant/util-linux/libmount/src/fs.c:36:25
    #2 0x54f224 in __table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:728:9
    #3 0x54eed8 in mnt_table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:804:8
    #4 0x5448b2 in LLVMFuzzerTestOneInput /home/vagrant/util-linux/libmount/src/fuzz.c:19:16
    #5 0x44cc88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44cc88)
    #6 0x44d8b0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44d8b0)
    #7 0x44e270 in fuzzer::Fuzzer::MutateAndTestOne() (/home/vagrant/util-linux/out/test_mount_fuzz+0x44e270)
    #8 0x450617 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/vagrant/util-linux/out/test_mount_fuzz+0x450617)
    #9 0x43adbb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/util-linux/out/test_mount_fuzz+0x43adbb)
    #10 0x42ad46 in main (/home/vagrant/util-linux/out/test_mount_fuzz+0x42ad46)
    #11 0x7fa084f621a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)

SUMMARY: AddressSanitizer: 216 byte(s) leaked in 1 allocation(s).
INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.
```

Once the bug is fixed and the OSS-Fuzz counterpart is merged it should be possible
to turn on CIFuzz to make sure the fuzz target can be built and run for some time
without crashing: https://google.github.io/oss-fuzz/getting-started/continuous-integration/

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
configure.ac diff | blob | blame | history
libmount/src/Makemodule.am diff | blob | blame | history
libmount/src/fuzz.c [new file with mode: 0644] blob
tools/oss-fuzz.sh [new file with mode: 0755] blob
Unnamed repository; edit this file 'description' to name the repository.