Yu Watanabe [Tue, 10 May 2022 14:05:04 +0000 (23:05 +0900)]
sd-device: always translate sysname to sysfs filename
Previously, in sd_device_new_from_subsystem_sysname(), '/' in sysname
was replaced '!' for several limited subsystems. This was based on a wrong
assumption that no sysname in e.g. driver subsystem does not contain '!'.
And the assumption is actually wrong, and trigger issue #23327.
In device_set_sysname_and_sysnum() we unconditionally replace '!' in the
filename. Hence, the translation in sd_device_new_from_subsystem_sysname()
must be also done unconditionally.
Yu Watanabe [Thu, 30 Dec 2021 19:30:43 +0000 (04:30 +0900)]
fuzzers: add input size limits, always configure limits in two ways
Without the size limits, oss-fuzz creates huge samples that time out. Usually
this is because some of our code has bad algorithmic complexity. For data like
configuration samples we don't need to care about this: non-rogue configs are
rarely more than a few items, and a bit of a slowdown with a few hundred items
is acceptable. This wouldn't be OK for processing of untrusted data though.
We need to set the limit in two ways: through .options and in the code. The
first because it nicely allows libFuzzer to avoid wasting time, and the second
because fuzzers like hongfuzz and afl don't support .options.
While at it, let's fix an off-by-one (65535 is the largest offset for a
power-of-two size, but we're checking the size here).
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
There are memory leaks there https://github.com/bus1/dbus-broker/issues/289
and it crashes from time to time
https://github.com/matusmarhefka/dfuzzer/issues/20#issuecomment-1114097840
so let's just skip it by analogy with dbus-daemon to avoid
reports that have nothing to do with systemd itself.
It's kind of a part of https://github.com/systemd/systemd/pull/22547
Luca Boccassi [Wed, 11 May 2022 14:19:58 +0000 (15:19 +0100)]
man: improve VtableExample
The methods published by the example have a reply in the signature, but
the code was not sending any, so the client gets stuck waiting for a
response that doesn't arrive. Echo back the input string.
Update the object path to follow what would be the canonical format.
Request a service name on the bus, so that the code can be dropped in a
service and it can be dbus-activatable. It also makes it easier to see
on busctl list.
Luca Boccassi [Wed, 11 May 2022 11:24:10 +0000 (12:24 +0100)]
test: ignore LXC filesystem when checking for writable locations
test-execute checks that only /var/lib/private/waldo is writable, but there are
some filesystems that are always writable and excluded. Add /sys/devices/system/cpu
which is created by lxcfs.
logind: fix crash in logind on user-specified message string
This is trivially exploitable (in the sense of causing a crash from SEGV) e.g.
by 'shutdown now "Message %s %s %n"'. The message is settable through polkit,
but is limited to auth_admin:
<action id="org.freedesktop.login1.set-wall-message">
<description gettext-domain="systemd">Set a wall message</description>
<message gettext-domain="systemd">Authentication is required to set a wall message</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
https://oss-fuzz.com/testcase-detail/5680508182331392 has the
first timeout with 811kb of input. As in the other cases, the code
is known to be slow with lots of repeated entries and we're fine with
that.
shared/json: add helper to ref first, unref second
This normally wouldn't happen, but if some of those places were called
with lhs and rhs being the same object, we could unref the last ref first,
and then try to take the ref again. It's easier to be safe, and with the
helper we save some lines too.
shared/calendarspec: fix formatting of entries which collapse to a star
We canonicalize repeats that cover the whole range: "0:0:0/1" → "0:0:*". But
we'd also do "0:0:0/1,0" → "0:0:*,0", which we then refuse to parse. Thus,
first go throug the whole chain, and print a '*' and nothing else if any of the
components covers the whole range.
shared/calendarspec: fix printing of second ranges which start with 0
0..3 is not the same as 0..infinity, we need to check both ends of the range.
This logic was added in 3215e35c405278491f55fb486d349f132e93f516, and back then
the field was called .value. .stop was added later and apparently wasn't taken
into account here.
fuzz-calendarspec: increase coverage by calculating occurences
Coverage data shows that we didn't test calendar_spec_next_usec() and
associated functions at all.
The input samples so far were only used until the first NUL. We take advantage
of that by using the part until the second NUL as the starting timestamp,
retaining backwards compatibility for how the first part is used.
calendar_spec_from_string() already calls calendar_spec_normalize(), so
there is no point in calling it from the fuzzer. Once that's removed, there's
just one internal caller and it can be made static.
It has been shown that the autosuspend delay for this device enacted
by modem manager will race with suspend and cause system suspend
failures.
This occurred in ChromiumOS on a chromebook, but there is no reason
it won't happen in regular notebooks with the same WWAN. To avoid
the failure delay autosuspend to a frequency longer than the polling
rate used by modem manager.
tree-wide: drop de-constifying casts for strv iteration
When the the iterator variable is declared automatically, it "inherits" the
const/non-const status from the argument. We don't need to cast a const
table to non-const. If we had a programming error and tried to modify the
string, the compiler could now catch this.
It seems that we try to create a new file, which fails with -ENOSPC, and we
later fail when reading a file with ENODATA. journal_file_open() will return
-ENODATA if the file is too short or if journal_file_verify_header() fails.
We'll unlink a file we newly created if we fail to initialize it immediately
after creation. I'm not sure if the file we fail to open is the one we newly
created and e.g. failed to create the arena and such, or if it's the file we
were trying to rotate away from. Either way, I think we should be OK with
with a non-fully-initialized journal file.
Failed to create rotated journal: No space left on device
Failed to write entry of 2 bytes: No space left on device
sd_journal_open_files(["/tmp/fuzz-journal-remote.vELRpI.journal"]) failed: No data available
Assertion 'IN_SET(r, -ENOMEM, -EMFILE, -ENFILE)' failed at src/journal-remote/fuzz-journal-remote.c:70, function int LLVMFuzzerTestOneInput(const uint8_t *, size_t)(). Aborting.
oss-fuzz reports timeouts which are created by appending to a very long strv.
The code is indeed not very efficient, but it's designed for normal
command-line use, where we don't expect more than a dozen of entries. The fact
that it is slow with ~100k entries is not particularly interesting.
In the future we could rework the code to have better algorithmic complexity.
But let's at least stop oss-fuzz from wasting more time on such examples.
(My first approach was to set max_len in .options, but apparently this doesn't
work for hongfuzz and and AFL.)
shared/bootspec: also export boot_config_load_type1()
The reallocation of memory and counter incrementation is moved from
the only caller to the function. This way the callers can remain oblivious
of the BootConfig internals.
projects / thirdparty / systemd.git / log
