projects / platform / upstream / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 10062bb)
fuzz: add test case for oss-fuzz #6897 and a work-around
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Fri, 16 Mar 2018 11:02:54 +0000 (12:02 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sat, 17 Mar 2018 08:48:22 +0000 (09:48 +0100)
The orignal reproducer from oss-fuzz depends on the hostname (via %H and %c).
The hostname needs a dash for msan to report this, so a simpler case from
@evverx with the dash hardcoded is also added.

The issue is a false positive from msan, which does not instruct stpncpy
(https://github.com/google/sanitizers/issues/926). Let's add a work-around
until this is fixed.

src/basic/cgroup-util.c patch | blob | history
test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897 [new file with mode: 0644] patch | blob
test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx [new file with mode: 0644] patch | blob
test/fuzz-regressions/meson.build patch | blob | history

diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index c0962f2..68ff8ff 100644 (file)
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -1977,6 +1977,14 @@ int cg_slice_to_path(const char *unit, char **ret) {
                 _cleanup_free_ char *escaped = NULL;
                 char n[dash - p + sizeof(".slice")];
 
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+                /* msan doesn't instrument stpncpy, so it thinks
+                 * n is later used unitialized:
+                 * https://github.com/google/sanitizers/issues/926
+                 */
+                zero(n);
+#endif
+
                 /* Don't allow trailing or double dashes */
                 if (IN_SET(dash[1], 0, '-'))
                         return -EINVAL;
diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897 b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897
new file mode 100644 (file)
index 0000000..742fd9b
--- /dev/null
+++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897
@@ -0,0 +1,4 @@
+service
+[Service]
+Slice=%H.slice
+TemporaryFileSystem=%c
\ No newline at end of file
diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx
new file mode 100644 (file)
index 0000000..126678e
--- /dev/null
+++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx
@@ -0,0 +1,4 @@
+service
+[Service]
+Slice=abc-def.slice
+TemporaryFileSystem=%c
diff --git a/test/fuzz-regressions/meson.build b/test/fuzz-regressions/meson.build
index c1ea229..d36a357 100644 (file)
--- a/test/fuzz-regressions/meson.build
+++ b/test/fuzz-regressions/meson.build
@@ -35,4 +35,6 @@ fuzz_regression_tests = '''
         fuzz-unit-file/oss-fuzz-6917
         fuzz-unit-file/oss-fuzz-6892
         fuzz-unit-file/oss-fuzz-6908
+        fuzz-unit-file/oss-fuzz-6897
+        fuzz-unit-file/oss-fuzz-6897-evverx
 '''.split()
Domain: System / System Framework;