From: Frantisek Sumsal Date: Sat, 20 May 2023 18:13:20 +0000 (+0200) Subject: fuzz: avoid a couple of NULL pointer dereferences X-Git-Tag: v254-rc1~430^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b6f7b104c04a9fde46358692ae0eb487785f200;p=thirdparty%2Fsystemd.git fuzz: avoid a couple of NULL pointer dereferences In case one of the allocations fails. For example: AddressSanitizer:DEADLYSIGNAL ================================================================= ==17==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb352a476e5 bp 0x7ffe45154850 sp 0x7ffe45154008 T0) ==17==The signal is caused by a READ memory access. ==17==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fb352a476e5 (/lib/x86_64-linux-gnu/libc.so.6+0x1886e5) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #1 0x435878 in __interceptor_strlen /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc #2 0x4de1e4 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-calendarspec.c:20:21 #3 0x4deea8 in NaloFuzzerTestOneInput (/build/fuzz-calendarspec+0x4deea8) #4 0x4fde33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #5 0x4fd61a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #6 0x4fece9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #7 0x4ff9b5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #8 0x4eed1f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #9 0x4ef5e8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #10 0x4df105 
in main (/build/fuzz-calendarspec+0x4df105) #11 0x7fb3528e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #12 0x41f80d in _start (/build/fuzz-calendarspec+0x41f80d) Found by Nallocfuzz.
---
diff --git a/src/fuzz/fuzz-calendarspec.c b/src/fuzz/fuzz-calendarspec.c
index ea027b8f66e..573a48a48b4 100644
--- a/src/fuzz/fuzz-calendarspec.c
+++ b/src/fuzz/fuzz-calendarspec.c
@@ -15,7 +15,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         if (!getenv("SYSTEMD_LOG_LEVEL"))
                 log_set_max_level(LOG_CRIT);
 
-        str = memdup_suffix0(data, size);
+        assert_se(str = memdup_suffix0(data, size));
 
         size_t l1 = strlen(str);
         const char* usecs = l1 < size ? str + l1 + 1 : "";
diff --git a/src/fuzz/fuzz-time-util.c b/src/fuzz/fuzz-time-util.c
index f1c95ae09b8..8e6cb8553b8 100644
--- a/src/fuzz/fuzz-time-util.c
+++ b/src/fuzz/fuzz-time-util.c
@@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         if (!getenv("SYSTEMD_LOG_LEVEL"))
                 log_set_max_level(LOG_CRIT);
 
-        str = memdup_suffix0(data, size);
+        assert_se(str = memdup_suffix0(data, size));
 
         (void) parse_timestamp(str, &usec);
         (void) parse_sec(str, &usec);
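Review bot: The assignment inside `assert_se(str = memdup_suffix0(data, size));` is only safe because systemd's assert_se is the "assert with side effects" variant that always evaluates its argument, so a later cleanup that "simplifies" it to plain `assert()` would silently drop the allocation in a build that compiles assertions out; a one-line comment would pin that down, e.g. `/* assert_se, not assert: the allocation must run even when assertions are disabled */`. The same construct appears in the fuzz-time-util.c hunk and the comment applies there too. Aborting at this point is the right choice for a harness: the trace in the description shows the harness itself, not the code under test, reaching strlen() with a NULL pointer, and an explicit assertion keeps an allocation failure in harness setup distinct from a defect in calendarspec or time-util. The declaration of `str` and the rest of LLVMFuzzerTestOneInput lie outside both hunks.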