]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 02af58a)
fuzz: avoid a couple of NULL pointer dereferences
authorFrantisek Sumsal <frantisek@sumsal.cz>
Sat, 20 May 2023 18:13:20 +0000 (20:13 +0200)
committerFrantisek Sumsal <frantisek@sumsal.cz>
Sat, 20 May 2023 21:08:51 +0000 (23:08 +0200)
In case one of the allocations fails.

For example:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==17==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb352a476e5 bp 0x7ffe45154850 sp 0x7ffe45154008 T0)
==17==The signal is caused by a READ memory access.
==17==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7fb352a476e5  (/lib/x86_64-linux-gnu/libc.so.6+0x1886e5) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #1 0x435878 in __interceptor_strlen /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0x4de1e4 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-calendarspec.c:20:21
    #3 0x4deea8 in NaloFuzzerTestOneInput (/build/fuzz-calendarspec+0x4deea8)
    #4 0x4fde33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #5 0x4fd61a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
    #6 0x4fece9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
    #7 0x4ff9b5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
    #8 0x4eed1f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
    #9 0x4ef5e8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10
    #10 0x4df105 in main (/build/fuzz-calendarspec+0x4df105)
    #11 0x7fb3528e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #12 0x41f80d in _start (/build/fuzz-calendarspec+0x41f80d)

Found by Nallocfuzz.

src/fuzz/fuzz-calendarspec.c patch | blob | blame | history
src/fuzz/fuzz-time-util.c patch | blob | blame | history

diff --git a/src/fuzz/fuzz-calendarspec.c b/src/fuzz/fuzz-calendarspec.c
index ea027b8f66e7b2d8d8d554893f645734a46b4bfd..573a48a48b47e79b25b725919d70d1955069a430 100644 (file)
--- a/src/fuzz/fuzz-calendarspec.c
+++ b/src/fuzz/fuzz-calendarspec.c
@@ -15,7 +15,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         if (!getenv("SYSTEMD_LOG_LEVEL"))
                 log_set_max_level(LOG_CRIT);
 
-        str = memdup_suffix0(data, size);
+        assert_se(str = memdup_suffix0(data, size));
 
         size_t l1 = strlen(str);
         const char* usecs = l1 < size ? str + l1 + 1 : "";
diff --git a/src/fuzz/fuzz-time-util.c b/src/fuzz/fuzz-time-util.c
index f1c95ae09b8306a4989a070e6be9f5e5b0466098..8e6cb8553b8d2edc7525c229997ea4d74f12b7e8 100644 (file)
--- a/src/fuzz/fuzz-time-util.c
+++ b/src/fuzz/fuzz-time-util.c
@@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         if (!getenv("SYSTEMD_LOG_LEVEL"))
                 log_set_max_level(LOG_CRIT);
 
-        str = memdup_suffix0(data, size);
+        assert_se(str = memdup_suffix0(data, size));
 
         (void) parse_timestamp(str, &usec);
         (void) parse_sec(str, &usec);
Unnamed repository; edit this file 'description' to name the repository.