From: Zbigniew Jędrzejewski-Szmek Date: Fri, 16 Mar 2018 11:02:54 +0000 (+0100) Subject: fuzz: add test case for oss-fuzz #6897 and a work-around X-Git-Tag: v239~538^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1c56d501098f5559c7b97b693dd9be0a01bdfdc9;p=thirdparty%2Fsystemd.git fuzz: add test case for oss-fuzz #6897 and a work-around The orignal reproducer from oss-fuzz depends on the hostname (via %H and %c). The hostname needs a dash for msan to report this, so a simpler case from @evverx with the dash hardcoded is also added. The issue is a false positive from msan, which does not instruct stpncpy (https://github.com/google/sanitizers/issues/926). Let's add a work-around until this is fixed. --- diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c index c0962f288f3..68ff8ff5a90 100644 --- a/src/basic/cgroup-util.c +++ b/src/basic/cgroup-util.c @@ -1977,6 +1977,14 @@ int cg_slice_to_path(const char *unit, char **ret) { _cleanup_free_ char *escaped = NULL; char n[dash - p + sizeof(".slice")]; +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + /* msan doesn't instrument stpncpy, so it thinks + * n is later used unitialized: + * https://github.com/google/sanitizers/issues/926 + */ + zero(n); +#endif + /* Don't allow trailing or double dashes */ if (IN_SET(dash[1], 0, '-')) return -EINVAL; diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897 b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897 new file mode 100644 index 00000000000..742fd9bfebd --- /dev/null +++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897 @@ -0,0 +1,4 @@ +service +[Service] +Slice=%H.slice +TemporaryFileSystem=%c \ No newline at end of file diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx new file mode 100644 index 00000000000..126678e76c0 --- /dev/null +++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx 
@@ -0,0 +1,4 @@ +service +[Service] +Slice=abc-def.slice +TemporaryFileSystem=%c diff --git a/test/fuzz-regressions/meson.build b/test/fuzz-regressions/meson.build index c1ea229a245..d36a3574e67 100644 --- a/test/fuzz-regressions/meson.build +++ b/test/fuzz-regressions/meson.build @@ -35,4 +35,6 @@ fuzz_regression_tests = ''' fuzz-unit-file/oss-fuzz-6917 fuzz-unit-file/oss-fuzz-6892 fuzz-unit-file/oss-fuzz-6908 + fuzz-unit-file/oss-fuzz-6897 + fuzz-unit-file/oss-fuzz-6897-evverx '''.split()
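Review bot: In the src/basic/cgroup-util.c hunk, the new comment has a typo ("unitialized" should be "uninitialized"), and it would help to mark the block explicitly as a temporary work-around, e.g. "TODO: remove once https://github.com/google/sanitizers/issues/926 is fixed", so the zero(n) is not mistaken for a real initialization requirement later. The #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION guard correctly keeps the extra zeroing out of production builds, so the change only affects what msan sees in the fuzzers.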
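Review bot: The test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897 input depends on the environment, since Slice=%H.slice resolves to the hostname of the machine running the test and, as the commit message notes, only reproduces the msan report when that hostname contains a dash; on most hosts this case will pass without exercising the dash-handling path in cg_slice_to_path(). Keeping it as the original reproducer is fine, but the deterministic coverage comes from the -evverx variant, so a short note in the commit message or file listing to that effect would save the next reader from wondering why the first case never fires.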
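Review bot: The test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx input hardcodes Slice=abc-def.slice, which removes the hostname dependency and makes the regression reproducible anywhere. Note the two new files differ in trailing newline (the first carries "\ No newline at end of file", this one does not); since these are byte-exact fuzzer inputs that is acceptable, but it should not be "normalized" later without re-checking that both still reproduce.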
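Review bot: In test/fuzz-regressions/meson.build the two new entries are appended after oss-fuzz-6908 rather than inserted numerically; the existing list (6917, 6892, 6908) is already in order of addition rather than by number, so appending is consistent with the file's convention and no reordering is needed.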