From: Frantisek Sumsal Date: Tue, 23 May 2023 07:55:17 +0000 (+0200) Subject: json: correctly handle magic strings when parsing variant strv X-Git-Tag: v254-rc1~408 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=909eb4c01de03a32c915a2267166501dca5b78f6;p=thirdparty%2Fsystemd.git json: correctly handle magic strings when parsing variant strv We can't dereference the variant object directly, as it might be a magic object (which has an address on a faulting page); use json_variant_is_sensitive() instead that handles this case. For example, with an empty array: ==1547789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000023 (pc 0x7fd616ca9a18 bp 0x7ffcba1dc7c0 sp 0x7ffcba1dc6d0 T0) ==1547789==The signal is caused by a READ memory access. ==1547789==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fd616ca9a18 in json_variant_strv ../src/shared/json.c:2190 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7fd61564a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7fd61564a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) DEDUP_TOKEN: json_variant_strv--oci_args--json_dispatch AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ../src/shared/json.c:2190 in json_variant_strv ==1547789==ABORTING Or with an empty string in an array: ../src/shared/json.c:2202:39: runtime error: member access within misaligned address 0x000000000007 for type 'struct JsonVariant', which requires 8 byte alignment 0x000000000007: note: pointer points here #0 0x7f35f4ca9bcf in json_variant_strv ../src/shared/json.c:2202 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7f35f364a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7f35f364a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/json.c:2202:39 in Note: this happens only if json_variant_copy() in json_variant_set_source() fails. Found by Nallocfuzz. --- diff --git a/src/shared/json.c b/src/shared/json.c index 904b26f9867..73050b55c85 100644 --- a/src/shared/json.c +++ b/src/shared/json.c @@ -2187,7 +2187,7 @@ int json_variant_strv(JsonVariant *v, char ***ret) { if (!json_variant_is_array(v)) return -EINVAL; - sensitive = v->sensitive; + sensitive = json_variant_is_sensitive(v); size_t n = json_variant_elements(v); l = new(char*, n+1); @@ -2198,7 +2198,7 @@ int json_variant_strv(JsonVariant *v, char ***ret) { JsonVariant *e; assert_se(e = json_variant_by_index(v, i)); - sensitive = sensitive || e->sensitive; + sensitive = sensitive || json_variant_is_sensitive(e); if (!json_variant_is_string(e)) { l[i] = NULL; diff --git a/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string b/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string new file mode 100644 index 00000000000..675bed05057 --- /dev/null +++ b/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string @@ -0,0 +1 @@ +{"ociVersion":"1.0.0","process":{"args":[]}} diff --git a/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2 b/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2 new file mode 100644 index 00000000000..fb1269b9c8e --- /dev/null +++ b/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2 @@ -0,0 +1 @@ +{"ociVersion":"1.0.0","process":{"args":[""]}} \ No newline at end of file