From 1eb73422f29bccf0ec68eda4fd9e8d8795cc5d80 Mon Sep 17 00:00:00 2001 From: Susant Sahani Date: Fri, 22 May 2020 11:55:44 +0200 Subject: [PATCH 1/2] network: Fix crash when SendOption= is invalid ``` p11-kit-0.23.20-1.fc32.x86_64 pam-1.3.1-26.fc33.x86_64 xz-libs-5.2.5-1.fc33.x86_64 zlib-1.2.11-21.fc32.x86_64 (gdb) bt lvalue=0x560e10 "SendOption", ltype=2, rvalue=0x560e1b "11:string", data=0x561e20, userdata=0x561cd0) at ../src/network/networkd-dhcp-common.c:580 table=0x4392e0 , section=0x560ef0 "DHCPv4", section_line=14, lvalue=0x560e10 "SendOption", rvalue=0x560e1b "11:string", flags=CONFIG_PARSE_WARN, userdata=0x561cd0) at ../src/shared/conf-parser.c:132 lookup=0x7ffff7d2f76d , table=0x4392e0 , flags=CONFIG_PARSE_WARN, section=0x7fffffffc9f8, section_line=0x7fffffffc9a0, section_ignored=0x7fffffffc99d, l=0x560e10 "SendOption", userdata=0x561cd0) at ../src/shared/conf-parser.c:270 lookup=0x7ffff7d2f76d , table=0x4392e0 , flags=CONFIG_PARSE_WARN, userdata=0x561cd0) at ../src/shared/conf-parser.c:395 lookup=0x7ffff7d2f76d , table=0x4392e0 , flags=CONFIG_PARSE_WARN, userdata=0x561cd0) at ../src/shared/conf-parser.c:452 dropin_dirname=0x7fffffffcbd0 "veth99.network.d", sections=0x4f3a18 "Match", lookup=0x7ffff7d2f76d , table=0x4392e0 , flags=CONFIG_PARSE_WARN, userdata=0x561cd0) at ../src/shared/conf-parser.c:511 (gdb) q A debugging session is active. Inferior 1 [process 118718] will be killed. ``` ``` $ printf '[DHCPv4]\nSendOption=1:uint8' >crash $ ./out/fuzz-network-parser ./crash INFO: Seed: 1158717610 INFO: Loaded 2 modules (199728 inline 8-bit counters): 136668 [0x7faf3e91a930, 0x7faf3e93bf0c), 63060 [0xadf190, 0xaee7e4), INFO: Loaded 2 PC tables (199728 PCs): 136668 [0x7faf3e93bf10,0x7faf3eb51cd0), 63060 [0xaee7e8,0xbe4d28), ./out/fuzz-network-parser: Running 1 inputs 1 time(s) each. Running: ./crash Assertion 's' failed at src/basic/parse-util.c:458, function int safe_atou8(const char *, uint8_t *)(). Aborting. ==5588== ERROR: libFuzzer: deadly signal #0 0x51811e in __sanitizer_print_stack_trace (/home/vagrant/systemd/out/fuzz-network-parser+0x51811e) #1 0x46b921 in fuzzer::PrintStackTrace() (/home/vagrant/systemd/out/fuzz-network-parser+0x46b921) #2 0x44ded6 in fuzzer::Fuzzer::CrashCallback() (.part.0) (/home/vagrant/systemd/out/fuzz-network-parser+0x44ded6) #3 0x44df9d in fuzzer::Fuzzer::StaticCrashSignalCallback() (/home/vagrant/systemd/out/fuzz-network-parser+0x44df9d) #4 0x7faf3d6d7b1f (/lib64/libpthread.so.0+0x14b1f) #5 0x7faf3d3c2624 in raise (/lib64/libc.so.6+0x3c624) #6 0x7faf3d3ab8d8 in abort (/lib64/libc.so.6+0x258d8) #7 0x7faf3e12593a in log_assert_failed_realm /home/vagrant/systemd/build/../src/basic/log.c:819:9 #8 0x7faf3e140ce1 in safe_atou8 /home/vagrant/systemd/build/../src/basic/parse-util.c:458:9 #9 0x68089c in config_parse_dhcp_send_option /home/vagrant/systemd/build/../src/network/networkd-dhcp-common.c:517:21 #10 0x7faf3debed4e in next_assignment /home/vagrant/systemd/build/../src/shared/conf-parser.c:132:32 #11 0x7faf3deb7783 in parse_line /home/vagrant/systemd/build/../src/shared/conf-parser.c:270:16 #12 0x7faf3deb606c in config_parse /home/vagrant/systemd/build/../src/shared/conf-parser.c:395:21 #13 0x7faf3deb85ee in config_parse_many_files /home/vagrant/systemd/build/../src/shared/conf-parser.c:452:21 #14 0x7faf3deb8c57 in config_parse_many /home/vagrant/systemd/build/../src/shared/conf-parser.c:511:16 #15 0x57c2eb in network_load_one /home/vagrant/systemd/build/../src/network/networkd-network.c:470:13 #16 0x543490 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/network/fuzz-network-parser.c:26:16 #17 0x44e3e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-network-parser+0x44e3e8) #18 0x433505 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-network-parser+0x433505) #19 0x43c449 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/out/fuzz-network-parser+0x43c449) #20 0x42c4a6 in main (/home/vagrant/systemd/out/fuzz-network-parser+0x42c4a6) #21 0x7faf3d3ad1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) #22 0x42c4fd in _start (/home/vagrant/systemd/out/fuzz-network-parser+0x42c4fd) NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports. SUMMARY: libFuzzer: deadly signal ``` --- src/network/networkd-dhcp-common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/networkd-dhcp-common.c b/src/network/networkd-dhcp-common.c index 55191849d8..3d9dab7e3c 100644 --- a/src/network/networkd-dhcp-common.c +++ b/src/network/networkd-dhcp-common.c @@ -499,7 +499,7 @@ int config_parse_dhcp_send_option( r = extract_first_word(&p, &word, ":", 0); if (r == -ENOMEM) return log_oom(); - if (r <= 0) { + if (r <= 0 || isempty(p)) { log_syntax(unit, LOG_ERR, filename, line, r, "Invalid DHCP option, ignoring assignment: %s", rvalue); return 0; From 0d5266541cdaebf15bf0d06790f01768483587c0 Mon Sep 17 00:00:00 2001 From: Evgeny Vereshchagin Date: Fri, 22 May 2020 13:35:00 +0200 Subject: [PATCH 2/2] tests: add a testcase for https://github.com/systemd/systemd/issues/15885 --- test/fuzz/fuzz-network-parser/github-15885 | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 test/fuzz/fuzz-network-parser/github-15885 diff --git a/test/fuzz/fuzz-network-parser/github-15885 b/test/fuzz/fuzz-network-parser/github-15885 new file mode 100644 index 0000000000..9bbdcb29e6 --- /dev/null +++ b/test/fuzz/fuzz-network-parser/github-15885 @@ -0,0 +1,9 @@ +[DHCPv4] +SendOption=1:string: +SendOption=1:uint8: +SendOption=1:uint16: +SendOption=1:uint32: +SendOption=1:ipv4address: +SendOption=1:ipv4address:127.0.0.1 +SendOption=1:ipv6address: +SendOption=1:ipv6address:52:54:00:b9:b5:61