From: Zbigniew Jędrzejewski-Szmek Date: Fri, 9 Mar 2018 21:02:02 +0000 (+0100) Subject: Add fuzzer for unit file parser X-Git-Tag: v239~552^2~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ec7a02ea542c21ca1f734dd5766213426b26153a;p=thirdparty%2Fsystemd.git Add fuzzer for unit file parser
---
diff --git a/src/fuzz/fuzz-unit-file.c b/src/fuzz/fuzz-unit-file.c
new file mode 100644
index 00000000000..87e0b10f008
--- /dev/null
+++ b/src/fuzz/fuzz-unit-file.c
@@ -0,0 +1,54 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "conf-parser.h"
+#include "fd-util.h"
+#include "fileio.h"
+#include "fuzz.h"
+#include "install.h"
+#include "load-fragment.h"
+#include "string-util.h"
+#include "unit.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_free_ char *out = NULL; /* out should be freed after g */
+ size_t out_size;
+ _cleanup_fclose_ FILE *f = NULL, *g = NULL;
+ _cleanup_free_ char *p = NULL;
+ UnitType t;
+ _cleanup_(manager_freep) Manager *m = NULL;
+ Unit *u;
+ const char *name;
+
+ if (size == 0)
+ return 0;
+
+ f = fmemopen((char*) data, size, "re");
+ assert_se(f);
+
+ if (read_line(f, LINE_MAX, &p) < 0)
+ return 0;
+
+ t = unit_type_from_string(p);
+ if (t < 0)
+ return 0;
+
+ if (!unit_vtable[t]->load)
+ return 0;
+
+ assert_se(manager_new(UNIT_FILE_SYSTEM, MANAGER_TEST_RUN_MINIMAL, &m) >= 0);
+
+ name = strjoina("a.", unit_type_to_string(t));
+ assert_se(unit_new_for_name(m, unit_vtable[t]->object_size, name, &u) >= 0);
+
+ (void) config_parse(name, name, f,
+ UNIT_VTABLE(u)->sections,
+ config_item_perf_lookup, load_fragment_gperf_lookup,
+ CONFIG_PARSE_ALLOW_INCLUDE, u);
+
+ g = open_memstream(&out, &out_size);
+ assert_se(g);
+
+ unit_dump(u, g, "");
+
+ return 0;
+}
diff --git a/src/fuzz/meson.build b/src/fuzz/meson.build
index 09a8c8a11da..796c28e4291 100644
--- a/src/fuzz/meson.build
+++ b/src/fuzz/meson.build
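Review bot: The `config_parse()` call passes `CONFIG_PARSE_ALLOW_INCLUDE`, so the fuzz input is not self-contained: judging by the flag name, the parser may follow include directives in the input and open files from the machine running the fuzzer, which would make a finding depend on host state and hard to reproduce from the saved input alone. Unless include handling is meant to be covered here, pass no flags, `0, u);`, and otherwise say so in a comment above the call. The harness would also benefit from a short comment at the top of `LLVMFuzzerTestOneInput` stating the input convention the corpus files rely on, e.g. `/* First line names the unit type; the remainder is parsed as a unit file of that type. */`.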
@@ -22,9 +22,14 @@ fuzzers += [ [libgcrypt, libgpg_error, libm]], - [['src/fuzz/fuzz-dhcp-server.c', - ], + + [['src/fuzz/fuzz-dhcp-server.c'], [libsystemd_network, libshared], - []] + []], + + [['src/fuzz/fuzz-unit-file.c'], + [libcore, + libshared], + [libmount]], ] diff --git "a/test/fuzz-corpus/unit-file/dev-mapper-fedora_krowka\\x2dswap.swap" "b/test/fuzz-corpus/unit-file/dev-mapper-fedora_krowka\\x2dswap.swap" new file mode 100644 index 00000000000..2886021b1a8 --- /dev/null +++ "b/test/fuzz-corpus/unit-file/dev-mapper-fedora_krowka\\x2dswap.swap" @@ -0,0 +1,10 @@ +swap +[Unit] +SourcePath=/etc/fstab +Documentation=man:fstab(5) man:systemd-fstab-generator(8) + +[Swap] +What=/dev/mapper/fedora_krowka-swap +Options=defaults,x-systemd.device-timeout=0 +Priority=11 +TimeoutSec=123h 5min 2y diff --git a/test/fuzz-corpus/unit-file/empty.scope b/test/fuzz-corpus/unit-file/empty.scope new file mode 100644 index 00000000000..8df7245f62d --- /dev/null +++ b/test/fuzz-corpus/unit-file/empty.scope @@ -0,0 +1,2 @@ +scope +[Scope] diff --git a/test/fuzz-corpus/unit-file/machine.slice b/test/fuzz-corpus/unit-file/machine.slice new file mode 100644 index 00000000000..bf8c6bfc3ec --- /dev/null +++ b/test/fuzz-corpus/unit-file/machine.slice @@ -0,0 +1,14 @@ +slice +# SPDX-License-Identifier: LGPL-2.1+ +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Virtual Machine and Container Slice +Documentation=man:systemd.special(7) +Before=slices.target diff --git a/test/fuzz-corpus/unit-file/proc-sys-fs-binfmt_misc.automount b/test/fuzz-corpus/unit-file/proc-sys-fs-binfmt_misc.automount new file mode 100644 index 00000000000..777a123ef41 --- /dev/null +++ b/test/fuzz-corpus/unit-file/proc-sys-fs-binfmt_misc.automount 
@@ -0,0 +1,21 @@
+automount
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Arbitrary Executable File Formats File System Automount Point
+Documentation=https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+DefaultDependencies=no
+Before=sysinit.target
+ConditionPathExists=/proc/sys/fs/binfmt_misc/
+ConditionPathIsReadWrite=/proc/sys/
+
+[Automount]
+Where=/proc/sys/fs/binfmt_misc
diff --git a/test/fuzz-corpus/unit-file/syslog.socket b/test/fuzz-corpus/unit-file/syslog.socket
new file mode 100644
index 00000000000..3d28a261f5e
--- /dev/null
+++ b/test/fuzz-corpus/unit-file/syslog.socket
@@ -0,0 +1,117 @@
+socket
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Syslog Socket
+Documentation=man:systemd.special(7)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/syslog
+DefaultDependencies=no
+Before=sockets.target
+
+# Don't allow logging until the very end
+Conflicts=shutdown.target
+Before=shutdown.target
+
+# Don't try to activate syslog.service if sysinit.target has failed.
+Conflicts=emergency.service
+Before=emergency.service
+
+[Socket]
+ListenDatagram=/run/systemd/journal/syslog
+SocketMode=0666
+PassCredentials=yes
+PassSecurity=yes
+ReceiveBuffer=8M
+
+# The default syslog implementation should make syslog.service a
+# symlink to itself, so that this socket activates the right actual
+# syslog service.
+#
+# Examples:
+#
+# /etc/systemd/system/syslog.service -> /lib/systemd/system/rsyslog.service
+# /etc/systemd/system/syslog.service -> /lib/systemd/system/syslog-ng.service
+#
+# Best way to achieve that is by adding this to your unit file
+# (i.e. to rsyslog.service or syslog-ng.service):
+#
+# [Install]
+# Alias=syslog.service
+#
+# See https://www.freedesktop.org/wiki/Software/systemd/syslog for details.
+
+[Socket]
+ListenStream=1.2.3.4:1234
+ListenDatagram=1.2.3.4:1234
+ListenSequentialPacket=1.2.3.4:1234
+ListenFIFO=
+ListenSpecial=
+ListenNetlink=
+ListenMessageQueue=
+ListenUSBFunction=
+SocketProtocol=udplite
+SocketProtocol=sctp
+SocketProtocol=
+BindIPv6Only=false
+Backlog=33
+BindToDevice=eth0
+SocketUser=daemon
+SocketGroup=nobody
+SocketMode=0111
+DirectoryMode=0555
+Accept=true
+Accept=false
+Writable=true
+MaxConnections=11
+MaxConnectionsPerSource=12
+KeepAlive=yes
+KeepAliveTimeSec=12345
+KeepAliveIntervalSec=12345
+KeepAliveProbes=12345
+NoDelay=true
+Priority=0
+DeferAcceptSec=1
+ReceiveBuffer=1G
+SendBuffer=1G
+IPTOS=low-delay
+IPTOS=throughput
+IPTOS=reliability
+IPTOS=low-cost
+IPTOS=
+IPTTL=7
+Mark=123
+ReusePort=true
+SmackLabel=smack-label
+SmackLabelIPIn=smack-label
+SmackLabelIPOut=no idea what to put here
+SELinuxContextFromNet=true
+PipeSize=11111
+MessageQueueMaxMessages=200
+MessageQueueMessageSize=200
+FreeBind=false
+Transparent=true
+Broadcast=true
+PassCredentials=true
+PassSecurity=true
+TCPCongestion=westwood
+TCPCongestion=veno
+TCPCongestion=cubic
+TCPCongestion=lp
+ExecStartPre=/bin/true "arg ' ' "
+ExecStartPost=-!!/bin/false
+ExecStopPre=/bin/true
+ExecStopPost=-!!/bin/false
+TimeoutSec=2343
+Symlinks=a b c d e
+Symlinks=
+Symlinks=/a /b /c /d /e
+FileDescriptorName=name
+TriggerLimitIntervalSec=2343
+TriggerLimitBurst=234
diff --git a/test/fuzz-corpus/unit-file/systemd-ask-password-console.path b/test/fuzz-corpus/unit-file/systemd-ask-password-console.path
new file mode 100644
index 00000000000..3e12c752de3
--- /dev/null
+++ b/test/fuzz-corpus/unit-file/systemd-ask-password-console.path
@@ -0,0 +1,22 @@
+path
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Dispatch Password Requests to Console Directory Watch
+Documentation=man:systemd-ask-password-console.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=plymouth-start.service
+Before=paths.target shutdown.target cryptsetup.target
+ConditionPathExists=!/run/plymouth/pid
+
+[Path]
+DirectoryNotEmpty=/run/systemd/ask-password
+MakeDirectory=yes
diff --git a/test/fuzz-corpus/unit-file/systemd-machined.service b/test/fuzz-corpus/unit-file/systemd-machined.service
new file mode 100644
index 00000000000..448f062ecf6
--- /dev/null
+++ b/test/fuzz-corpus/unit-file/systemd-machined.service
@@ -0,0 +1,34 @@
+service
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Virtual Machine and Container Registration Service
+Documentation=man:systemd-machined.service(8)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/machined
+Wants=machine.slice
+After=machine.slice
+RequiresMountsFor=/var/lib/machines
+
+[Service]
+ExecStart=/usr/lib/systemd/systemd-machined
+BusName=org.freedesktop.machine1
+WatchdogSec=3min
+CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+
+# Note that machined cannot be placed in a mount namespace, since it
+# needs access to the host's mount namespace in order to implement the
+# "machinectl bind" operation.
diff --git a/test/fuzz-corpus/unit-file/systemd-resolved.service b/test/fuzz-corpus/unit-file/systemd-resolved.service
new file mode 100644
index 00000000000..0854c5f841f
--- /dev/null
+++ b/test/fuzz-corpus/unit-file/systemd-resolved.service
@@ -0,0 +1,50 @@
+service
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Network Name Resolution
+Documentation=man:systemd-resolved.service(8)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/resolved
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
+DefaultDependencies=no
+After=systemd-sysusers.service systemd-networkd.service
+Before=network.target nss-lookup.target shutdown.target
+Conflicts=shutdown.target
+Wants=nss-lookup.target
+
+[Service]
+Type=notify
+Restart=always
+RestartSec=0
+ExecStart=!!/usr/lib/systemd/systemd-resolved
+WatchdogSec=3min
+User=systemd-resolve
+CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallArchitectures=native
+LockPersonality=yes
+RuntimeDirectory=systemd/resolve
+RuntimeDirectoryPreserve=yes
+
+[Install]
+WantedBy=multi-user.target
+Alias=dbus-org.freedesktop.resolve1.service
diff --git a/test/fuzz-corpus/unit-file/systemd-tmpfiles-clean.timer b/test/fuzz-corpus/unit-file/systemd-tmpfiles-clean.timer
new file mode 100644
index 00000000000..7db361cd69b
--- /dev/null
+++ b/test/fuzz-corpus/unit-file/systemd-tmpfiles-clean.timer
@@ -0,0 +1,40 @@
+timer
+# SPDX-License-Identifier: LGPL-2.1+
+[Unit]
+Description=Daily Cleanup of Temporary Directories
+Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1d
+OnBootSec=1s
+OnStartupSec=234
+OnUnitActiveSec=2y
+OnUnitInactiveSec=23434
+OnCalendar=minutely
+OnCalendar=*-*-* *:*:00
+OnCalendar=hourly
+OnCalendar=*-*-* *:00:00
+OnCalendar=daily
+OnCalendar=*-*-* 00:00:00
+OnCalendar=monthly
+OnCalendar=*-*-01 00:00:00
+OnCalendar=weekly
+OnCalendar=Mon *-*-* 00:00:00
+OnCalendar=yearly
+OnCalendar=*-01-01 00:00:00
+OnCalendar=quarterly
+OnCalendar=*-01,04,07,10-01 00:00:00
+OnCalendar=semiannually
+OnCalendar=*-01,07-01 00:00:00
+OnCalendar=Fri 2012-11-23 11:12:13
+
+Persistent=true
+AccuracySec=24h
+RandomizedDelaySec=234234234
+
+Persistent=no
+Unit=foo.service
+
+WakeSystem=false
+RemainAfterElapse=true
diff --git a/test/fuzz-corpus/unit-file/timers.target b/test/fuzz-corpus/unit-file/timers.target
new file mode 100644
index 00000000000..171226c6809
--- /dev/null
+++ b/test/fuzz-corpus/unit-file/timers.target
@@ -0,0 +1,16 @@
+target
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Timers
+Documentation=man:systemd.special(7)
+
+DefaultDependencies=no
+Conflicts=shutdown.target
diff --git a/test/fuzz-corpus/unit-file/var-lib-machines.mount b/test/fuzz-corpus/unit-file/var-lib-machines.mount
new file mode 100644
index 00000000000..9c257d1191b
--- /dev/null
+++ b/test/fuzz-corpus/unit-file/var-lib-machines.mount
@@ -0,0 +1,19 @@
+mount
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Virtual Machine and Container Storage
+ConditionPathExists=/var/lib/machines.raw
+
+[Mount]
+What=/var/lib/machines.raw
+Where=/var/lib/machines
+Type=btrfs
+Options=loop