Yu Watanabe [Thu, 30 Dec 2021 19:30:43 +0000 (04:30 +0900)]
fuzzers: add input size limits, always configure limits in two ways
Without the size limits, oss-fuzz creates huge samples that time out. Usually
this is because some of our code has bad algorithmic complexity. For data like
configuration samples we don't need to care about this: non-rogue configs are
rarely more than a few items, and a bit of a slowdown with a few hundred items
is acceptable. This wouldn't be OK for processing of untrusted data though.
We need to set the limit in two ways: through .options and in the code. The
first because it nicely allows libFuzzer to avoid wasting time, and the second
because fuzzers like hongfuzz and afl don't support .options.
While at it, let's fix an off-by-one (65535 is the largest offset for a
power-of-two size, but we're checking the size here).
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
There are memory leaks there https://github.com/bus1/dbus-broker/issues/289
and it crashes from time to time
https://github.com/matusmarhefka/dfuzzer/issues/20#issuecomment-1114097840
so let's just skip it by analogy with dbus-daemon to avoid
reports that have nothing to do with systemd itself.
It's kind of a part of https://github.com/systemd/systemd/pull/22547
Luca Boccassi [Wed, 11 May 2022 14:19:58 +0000 (15:19 +0100)]
man: improve VtableExample
The methods published by the example have a reply in the signature, but
the code was not sending any, so the client gets stuck waiting for a
response that doesn't arrive. Echo back the input string.
Update the object path to follow what would be the canonical format.
Request a service name on the bus, so that the code can be dropped in a
service and it can be dbus-activatable. It also makes it easier to see
on busctl list.
Luca Boccassi [Wed, 11 May 2022 11:24:10 +0000 (12:24 +0100)]
test: ignore LXC filesystem when checking for writable locations
test-execute checks that only /var/lib/private/waldo is writable, but there are
some filesystems that are always writable and excluded. Add /sys/devices/system/cpu
which is created by lxcfs.
logind: fix crash in logind on user-specified message string
This is trivially exploitable (in the sense of causing a crash from SEGV) e.g.
by 'shutdown now "Message %s %s %n"'. The message is settable through polkit,
but is limited to auth_admin:
<action id="org.freedesktop.login1.set-wall-message">
<description gettext-domain="systemd">Set a wall message</description>
<message gettext-domain="systemd">Authentication is required to set a wall message</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
https://oss-fuzz.com/testcase-detail/5680508182331392 has the
first timeout with 811kb of input. As in the other cases, the code
is known to be slow with lots of repeated entries and we're fine with
that.
shared/json: add helper to ref first, unref second
This normally wouldn't happen, but if some of those places were called
with lhs and rhs being the same object, we could unref the last ref first,
and then try to take the ref again. It's easier to be safe, and with the
helper we save some lines too.
shared/calendarspec: fix formatting of entries which collapse to a star
We canonicalize repeats that cover the whole range: "0:0:0/1" → "0:0:*". But
we'd also do "0:0:0/1,0" → "0:0:*,0", which we then refuse to parse. Thus,
first go throug the whole chain, and print a '*' and nothing else if any of the
components covers the whole range.
shared/calendarspec: fix printing of second ranges which start with 0
0..3 is not the same as 0..infinity, we need to check both ends of the range.
This logic was added in 3215e35c405278491f55fb486d349f132e93f516, and back then
the field was called .value. .stop was added later and apparently wasn't taken
into account here.
fuzz-calendarspec: increase coverage by calculating occurences
Coverage data shows that we didn't test calendar_spec_next_usec() and
associated functions at all.
The input samples so far were only used until the first NUL. We take advantage
of that by using the part until the second NUL as the starting timestamp,
retaining backwards compatibility for how the first part is used.
calendar_spec_from_string() already calls calendar_spec_normalize(), so
there is no point in calling it from the fuzzer. Once that's removed, there's
just one internal caller and it can be made static.
It has been shown that the autosuspend delay for this device enacted
by modem manager will race with suspend and cause system suspend
failures.
This occurred in ChromiumOS on a chromebook, but there is no reason
it won't happen in regular notebooks with the same WWAN. To avoid
the failure delay autosuspend to a frequency longer than the polling
rate used by modem manager.
tree-wide: drop de-constifying casts for strv iteration
When the the iterator variable is declared automatically, it "inherits" the
const/non-const status from the argument. We don't need to cast a const
table to non-const. If we had a programming error and tried to modify the
string, the compiler could now catch this.
It seems that we try to create a new file, which fails with -ENOSPC, and we
later fail when reading a file with ENODATA. journal_file_open() will return
-ENODATA if the file is too short or if journal_file_verify_header() fails.
We'll unlink a file we newly created if we fail to initialize it immediately
after creation. I'm not sure if the file we fail to open is the one we newly
created and e.g. failed to create the arena and such, or if it's the file we
were trying to rotate away from. Either way, I think we should be OK with
with a non-fully-initialized journal file.
Failed to create rotated journal: No space left on device
Failed to write entry of 2 bytes: No space left on device
sd_journal_open_files(["/tmp/fuzz-journal-remote.vELRpI.journal"]) failed: No data available
Assertion 'IN_SET(r, -ENOMEM, -EMFILE, -ENFILE)' failed at src/journal-remote/fuzz-journal-remote.c:70, function int LLVMFuzzerTestOneInput(const uint8_t *, size_t)(). Aborting.
oss-fuzz reports timeouts which are created by appending to a very long strv.
The code is indeed not very efficient, but it's designed for normal
command-line use, where we don't expect more than a dozen of entries. The fact
that it is slow with ~100k entries is not particularly interesting.
In the future we could rework the code to have better algorithmic complexity.
But let's at least stop oss-fuzz from wasting more time on such examples.
(My first approach was to set max_len in .options, but apparently this doesn't
work for hongfuzz and and AFL.)
shared/bootspec: also export boot_config_load_type1()
The reallocation of memory and counter incrementation is moved from
the only caller to the function. This way the callers can remain oblivious
of the BootConfig internals.
Daan De Meyer [Sat, 7 May 2022 13:18:32 +0000 (15:18 +0200)]
core/device: Log if we fail to open a device
We also shorten the logic by getting rid of the validate_node()
function. An extra check is added to verify we're dealing with
a device before calling sd_device_new_from_devname() since that
will return -EINVAL if anything other than a device is passed.
Daan De Meyer [Sat, 7 May 2022 12:57:52 +0000 (14:57 +0200)]
core/device: Add sysfs argument to device_process_new()
Instead of retrieving the new sysfs path in device_process_new(),
let's pass the syspath we retrieved earlier to device_process_new()
similar to how we do for other functions in core/device.c.
Alex Henrie [Fri, 6 May 2022 20:01:53 +0000 (14:01 -0600)]
network: clarify the relationship between RA flags and DHCPv6 modes
In the documentation, using the term "managed" for both the RA flag and
the DHCPv6 mode is confusing because the mode is referred to as
"solicit" both in the official DHCPv6 documentation (see RFC 8415) and
in the WithoutRA option.
Furthermore, calling the other RA flag "other information" or "other
address configuration" is confusing because its official name is simply
"other configuration" (see RFC 4861 and RFC 5175) and it isn't used to
assign IP addresses.
Rewrite the documentation for DHCPv6Client and WithoutRA to make it
clear that getting the "managed" RA flag triggers the same kind of DHCP
request as WithoutRA=solicit, whereas getting the "other configuration"
RA flag triggers the same kind of DHCP request as
WithoutRA=information-request.
projects / thirdparty / systemd.git / log
