The original reproducer from oss-fuzz depends on the hostname (via %H and %c).
The hostname needs a dash for msan to report this, so a simpler case from
@evverx with the dash hardcoded is also added.
The issue is a false positive from msan, which does not instrument stpncpy
(https://github.com/google/sanitizers/issues/926). Let's add a work-around
until this is fixed.
_cleanup_free_ char *escaped = NULL;
char n[dash - p + sizeof(".slice")];
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ /* msan doesn't instrument stpncpy, so it thinks
+ * n is later used unitialized:
+ * https://github.com/google/sanitizers/issues/926
+ */
+ zero(n);
+#endif
+
/* Don't allow trailing or double dashes */
if (IN_SET(dash[1], 0, '-'))
return -EINVAL;
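Review bot: The guard keys the workaround to FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION rather than to MemorySanitizer itself, so a local `-fsanitize=memory` build that is not an oss-fuzz build still trips the false positive, while non-MSan fuzzing builds pay for a `zero(n)` they do not need; checking `__has_feature(memory_sanitizer)` (behind a `defined(__has_feature)` test) would match the actual condition described in the comment. Also fix the typo `unitialized` in the comment and note there that the block should go away once the linked sanitizer issue is resolved.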
--- /dev/null
+service
+[Service]
+Slice=%H.slice
+TemporaryFileSystem=%c
\ No newline at end of file
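Review bot: This reproducer only triggers when the host name contains a dash (as the commit message says), so on a CI host without one it exercises nothing and passes silently; it is fine as a corpus entry, but the deterministic `abc-def.slice` variant should be the one the regression test relies on. The file also lacks a trailing newline; add one for consistency with the other input files.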
--- /dev/null
+service
+[Service]
+Slice=abc-def.slice
+TemporaryFileSystem=%c
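Review bot: With the dash hardcoded in `Slice=abc-def.slice` this input no longer depends on the host name, but `TemporaryFileSystem=%c` still expands a runtime specifier; if the `Slice=` line alone reaches the `stpncpy` path the message describes, dropping the `TemporaryFileSystem=` line would make the reproducer minimal and fully self-contained.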
fuzz-unit-file/oss-fuzz-6917
fuzz-unit-file/oss-fuzz-6892
fuzz-unit-file/oss-fuzz-6908
+ fuzz-unit-file/oss-fuzz-6897
+ fuzz-unit-file/oss-fuzz-6897-evverx
'''.split()
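Review bot: Adding `fuzz-unit-file/oss-fuzz-6897` to the regression list means one entry whose behaviour depends on the CI host's hostname (per the commit message), so it will not reliably regress; consider listing only `oss-fuzz-6897-evverx` here and keeping the original as a corpus sample. The existing entries are not in numeric order either, so appending is consistent, but sorting the block while touching it would make future additions easier to review.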