![Evgeny Vereshchagin](/assets/img/avatar_default.png)
`fuzz-journal-remote` seems to be failing under `msan` as soon as it starts: $ sudo infra/helper.py run_fuzzer systemd fuzz-journal-remote Running: docker run --rm -i --privileged -e FUZZING_ENGINE=libfuzzer -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner run_fuzzer fuzz-journal-remote Using seed corpus: fuzz-journal-remote_seed_corpus.zip /out/fuzz-journal-remote -rss_limit_mb=2048 -timeout=25 /tmp/fuzz-journal-remote_corpus -max_len=65536 < /dev/null INFO: Seed: 3380449479 INFO: Loaded 2 modules (36336 inline 8-bit counters): 36139 [0x7ff36ea31d39, 0x7ff36ea3aa64), 197 [0x9998c8, 0x99998d), INFO: Loaded 2 PC tables (36336 PCs): 36139 [0x7ff36ea3aa68,0x7ff36eac7d18), 197 [0x999990,0x99a5e0), INFO: 2 files found in /tmp/fuzz-journal-remote_corpus INFO: seed corpus: files: 2 min: 4657b max: 7790b total: 12447b rss: 97Mb Uninitialized bytes in __interceptor_pwrite64 at offset 24 inside [0x7fffdd4d7230, 240) ==15==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7ff36e685e8a in journal_file_init_header /work/build/../../src/systemd/src/journal/journal-file.c:436:13 #1 0x7ff36e683a9d in journal_file_open /work/build/../../src/systemd/src/journal/journal-file.c:3333:21 #2 0x7ff36e68b8f6 in journal_file_open_reliably /work/build/../../src/systemd/src/journal/journal-file.c:3520:13 #3 0x4a3f35 in open_output /work/build/../../src/systemd/src/journal-remote/journal-remote.c:70:13 #4 0x4a34d0 in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:136:21 #5 0x4a550f in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:183:13 #6 0x4a46bd in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:235:13 #7 0x4a271c in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-journal-remote.c:36:9 #8 0x4f27cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:524:13 #9 0x4efa0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:448:3 #10 0x4f8e96 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:732:7 #11 0x4f9f73 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:752:3 #12 0x4bf329 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:756:6 #13 0x4ac391 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #14 0x7ff36d14982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #15 0x41f9d8 in _start (/out/fuzz-journal-remote+0x41f9d8) Uninitialized value was stored to memory at #0 0x7ff36e61cd41 in sd_id128_randomize /work/build/../../src/systemd/src/libsystemd/sd-id128/sd-id128.c:288:16 #1 0x7ff36e685cec in journal_file_init_header /work/build/../../src/systemd/src/journal/journal-file.c:426:13 #2 0x7ff36e683a9d in journal_file_open /work/build/../../src/systemd/src/journal/journal-file.c:3333:21 #3 0x7ff36e68b8f6 in journal_file_open_reliably /work/build/../../src/systemd/src/journal/journal-file.c:3520:13 #4 0x4a3f35 in open_output /work/build/../../src/systemd/src/journal-remote/journal-remote.c:70:13 #5 0x4a34d0 in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:136:21 #6 0x4a550f in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:183:13 #7 0x4a46bd in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:235:13 #8 0x4a271c in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-journal-remote.c:36:9 #9 0x4f27cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:524:13 #10 0x4efa0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:448:3 #11 0x4f8e96 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:732:7 #12 0x4f9f73 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:752:3 #13 0x4bf329 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:756:6 #14 0x4ac391 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #15 0x7ff36d14982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) Uninitialized value was created by an allocation of 't' in the stack frame of function 'sd_id128_randomize' #0 0x7ff36e61cb00 in sd_id128_randomize /work/build/../../src/systemd/src/libsystemd/sd-id128/sd-id128.c:274 SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/journal/journal-file.c:436:13 in journal_file_init_header Exiting MS: 0 ; base unit: 0000000000000000000000000000000000000000 artifact_prefix='./'; Test unit written to ./crash-847911777b3096783f4ee70a69ab6d28380c810b [vagrant@localhost oss-fuzz]$ sudo infra/helper.py check_build --sanitizer=memory systemd Running: docker run --rm -i --privileged -e FUZZING_ENGINE=libfuzzer -e SANITIZER=memory -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner test_all INFO: performing bad build checks for /out/fuzz-dhcp-server. INFO: performing bad build checks for /out/fuzz-journal-remote. INFO: performing bad build checks for /out/fuzz-unit-file. INFO: performing bad build checks for /out/fuzz-dns-packet. 4 fuzzers total, 0 seem to be broken (0%). Check build passed. It's a false positive which is most likely caused by https://github.com/google/sanitizers/issues/852. I think it could be got around by avoiding `getrandom` when the code is compiled with `msan`
160 lines
4.8 KiB
C
160 lines
4.8 KiB
C
/* SPDX-License-Identifier: LGPL-2.1+ */
|
|
/***
|
|
This file is part of systemd.
|
|
|
|
Copyright 2010 Lennart Poettering
|
|
***/
|
|
|
|
#include <elf.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <linux/random.h>
|
|
#include <stdbool.h>
|
|
#include <stdint.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/time.h>
|
|
|
|
#if HAVE_SYS_AUXV_H
|
|
# include <sys/auxv.h>
|
|
#endif
|
|
|
|
#if USE_SYS_RANDOM_H
|
|
# include <sys/random.h>
|
|
#else
|
|
# include <linux/random.h>
|
|
#endif
|
|
|
|
#include "fd-util.h"
|
|
#include "io-util.h"
|
|
#include "missing.h"
|
|
#include "random-util.h"
|
|
#include "time-util.h"
|
|
|
|
int acquire_random_bytes(void *p, size_t n, bool high_quality_required) {
|
|
static int have_syscall = -1;
|
|
|
|
_cleanup_close_ int fd = -1;
|
|
size_t already_done = 0;
|
|
int r;
|
|
|
|
/* Gathers some randomness from the kernel. This call will never block. If
|
|
* high_quality_required, it will always return some data from the kernel,
|
|
* regardless of whether the random pool is fully initialized or not.
|
|
* Otherwise, it will return success if at least some random bytes were
|
|
* successfully acquired, and an error if the kernel has no entropy whatsover
|
|
* for us. */
|
|
|
|
/* Use the getrandom() syscall unless we know we don't have it. */
|
|
if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
|
|
r = getrandom(p, n, GRND_NONBLOCK);
|
|
if (r > 0) {
|
|
have_syscall = true;
|
|
if ((size_t) r == n)
|
|
return 0;
|
|
if (!high_quality_required) {
|
|
/* Fill in the remaining bytes using pseudorandom values */
|
|
pseudorandom_bytes((uint8_t*) p + r, n - r);
|
|
return 0;
|
|
}
|
|
|
|
already_done = r;
|
|
} else if (errno == ENOSYS)
|
|
/* We lack the syscall, continue with reading from /dev/urandom. */
|
|
have_syscall = false;
|
|
else if (errno == EAGAIN) {
|
|
/* The kernel has no entropy whatsoever. Let's remember to
|
|
* use the syscall the next time again though.
|
|
*
|
|
* If high_quality_required is false, return an error so that
|
|
* random_bytes() can produce some pseudorandom
|
|
* bytes. Otherwise, fall back to /dev/urandom, which we know
|
|
* is empty, but the kernel will produce some bytes for us on
|
|
* a best-effort basis. */
|
|
have_syscall = true;
|
|
|
|
if (!high_quality_required)
|
|
return -ENODATA;
|
|
} else
|
|
return -errno;
|
|
}
|
|
|
|
fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
|
|
if (fd < 0)
|
|
return errno == ENOENT ? -ENOSYS : -errno;
|
|
|
|
return loop_read_exact(fd, (uint8_t*) p + already_done, n - already_done, true);
|
|
}
|
|
|
|
void initialize_srand(void) {
|
|
static bool srand_called = false;
|
|
unsigned x;
|
|
#if HAVE_SYS_AUXV_H
|
|
void *auxv;
|
|
#endif
|
|
|
|
if (srand_called)
|
|
return;
|
|
|
|
#if HAVE_SYS_AUXV_H
|
|
/* The kernel provides us with 16 bytes of entropy in auxv, so let's
|
|
* try to make use of that to seed the pseudo-random generator. It's
|
|
* better than nothing... */
|
|
|
|
auxv = (void*) getauxval(AT_RANDOM);
|
|
if (auxv) {
|
|
assert_cc(sizeof(x) <= 16);
|
|
memcpy(&x, auxv, sizeof(x));
|
|
} else
|
|
#endif
|
|
x = 0;
|
|
|
|
x ^= (unsigned) now(CLOCK_REALTIME);
|
|
x ^= (unsigned) gettid();
|
|
|
|
srand(x);
|
|
srand_called = true;
|
|
}
|
|
|
|
/* INT_MAX gives us only 31 bits, so use 24 out of that. */
|
|
#if RAND_MAX >= INT_MAX
|
|
# define RAND_STEP 3
|
|
#else
|
|
/* SHORT_INT_MAX or lower gives at most 15 bits, we just just 8 out of that. */
|
|
# define RAND_STEP 1
|
|
#endif
|
|
|
|
void pseudorandom_bytes(void *p, size_t n) {
|
|
uint8_t *q;
|
|
|
|
initialize_srand();
|
|
|
|
for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) {
|
|
unsigned rr;
|
|
|
|
rr = (unsigned) rand();
|
|
|
|
#if RAND_STEP >= 3
|
|
if ((size_t) (q - (uint8_t*) p + 2) < n)
|
|
q[2] = rr >> 16;
|
|
#endif
|
|
#if RAND_STEP >= 2
|
|
if ((size_t) (q - (uint8_t*) p + 1) < n)
|
|
q[1] = rr >> 8;
|
|
#endif
|
|
q[0] = rr;
|
|
}
|
|
}
|
|
|
|
void random_bytes(void *p, size_t n) {
|
|
int r;
|
|
|
|
r = acquire_random_bytes(p, n, false);
|
|
if (r >= 0)
|
|
return;
|
|
|
|
/* If some idiot made /dev/urandom unavailable to us, or the
|
|
* kernel has no entropy, use a PRNG instead. */
|
|
return pseudorandom_bytes(p, n);
|
|
}
|