Systemd/src/libsystemd/sd-bus
Zbigniew Jędrzejewski-Szmek af7bce4165 fuzz: skip bus error map in bus_error_name_to_errno()
Fuzzing with AddressSanitizer reports an error here:
==11==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe53f5497d8 at pc 0x7fe53ef055c9 bp 0x7ffd344e9380 sp 0x7ffd344e9378
READ of size 4 at 0x7fe53f5497d8 thread T0
SCARINESS: 27 (4-byte-read-global-buffer-overflow-far-from-bounds)
    #0 0x7fe53ef055c8 in bus_error_name_to_errno /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:118:24
    #1 0x7fe53ef0577b in bus_error_setfv /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:274:17
    #2 0x7fe53ef0595a in sd_bus_error_setf /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:284:21
    #3 0x561059 in manager_load_unit_prepare /work/build/../../src/systemd/src/core/manager.c
    #4 0x560680 in manager_load_unit /work/build/../../src/systemd/src/core/manager.c:1773:13
    #5 0x5d49a6 in unit_add_dependency_by_name /work/build/../../src/systemd/src/core/unit.c:2882:13
    #6 0x538996 in config_parse_unit_deps /work/build/../../src/systemd/src/core/load-fragment.c:152:21
    #7 0x6db771 in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:155:32
    #8 0x6d697e in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:273:16
    #9 0x6d5c48 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:390:21
    #10 0x535678 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-unit-file.c:41:16
    #11 0x73bd60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:517:13
    #12 0x73a39f in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:442:3
    #13 0x73d9bc in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:650:19
    #14 0x73fa05 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:773:5
    #15 0x71f75d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6
    #16 0x71285c in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #17 0x7fe53da0482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x430e68 in _start (/out/fuzz-unit-file+0x430e68)

0x7fe53f5497d8 is located 8 bytes to the right of global variable 'bus_common_errors' defined in '../../src/systemd/src/libsystemd/sd-bus/bus-common-errors.c:28:51' (0x7fe53f549300) of size 1232
SUMMARY: AddressSanitizer: global-buffer-overflow /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:118:24 in bus_error_name_to_errno
==11==ABORTING

but I think it's a false positive because of our low-level magic in how this
area is constructed.
2018-03-11 16:33:59 +01:00
bus-common-errors.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-common-errors.h resolved: implement D-Bus API for DNS-SD 2017-12-08 14:29:27 +02:00
bus-container.c fd-util: move certain fds above fd #2 (#8129) 2018-02-09 17:53:28 +01:00
bus-container.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-control.c Add support for SD_BUS_DEFAULT* 2018-01-23 09:40:25 -05:00
bus-control.h sd-bus: add asynchronous version of sd_bus_match() 2018-01-05 13:58:32 +01:00
bus-convenience.c Add support for SD_BUS_DEFAULT* 2018-01-23 09:40:25 -05:00
bus-creds.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-creds.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-dump.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-dump.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-error.c fuzz: skip bus error map in bus_error_name_to_errno() 2018-03-11 16:33:59 +01:00
bus-error.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-gvariant.c log: minimize includes in log.h 2018-01-11 14:44:31 +01:00
bus-gvariant.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-internal.c sd-bus: when debug logging about messages, show the same bits of it everywhere 2018-01-05 13:55:08 +01:00
bus-internal.h sd-bus: cleanup ssh sessions (Closes: #8076) 2018-02-08 10:14:48 -08:00
bus-introspect.c tree-wide: use __fsetlocking() instead of fxyz_unlocked() 2017-12-14 10:42:25 +01:00
bus-introspect.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-kernel.c sd-bus: get rid of kdbus flags cruft 2018-01-05 13:55:08 +01:00
bus-kernel.h sd-bus: get rid of kdbus flags cruft 2018-01-05 13:55:08 +01:00
bus-match.c tree-wide: use __fsetlocking() instead of fxyz_unlocked() 2017-12-14 10:42:25 +01:00
bus-match.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-message.c Merge pull request #8314 from poettering/rearrange-stdio 2018-03-02 15:42:03 +01:00
bus-message.h sd-bus: drop some unused fields from the sd_bus_message structure 2018-01-05 13:58:32 +01:00
bus-objects.c Add support for SD_BUS_DEFAULT* 2018-01-23 09:40:25 -05:00
bus-objects.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-protocol.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-signature.c log: minimize includes in log.h 2018-01-11 14:44:31 +01:00
bus-signature.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-slot.c sd-bus: when disconnecting a slot, also reset its memory 2018-01-05 13:58:32 +01:00
bus-slot.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-socket.c sd-bus: do not try to close already closed fd (#8392) 2018-03-08 14:19:35 +01:00
bus-socket.h sd-bus: optionally, use inotify to wait for bus sockets to appear 2018-01-05 13:55:08 +01:00
bus-track.c Add support for SD_BUS_DEFAULT* 2018-01-23 09:40:25 -05:00
bus-track.h Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
bus-type.c log: minimize includes in log.h 2018-01-11 14:44:31 +01:00
bus-type.h log: minimize includes in log.h 2018-01-11 14:44:31 +01:00
GVARIANT-SERIALIZATION sd-bus: drop kdbus-related docs (#5533) 2017-03-07 07:51:35 +01:00
sd-bus.c sd-bus: add APIs to query the current read and write queue size 2018-02-27 19:54:29 +01:00
test-bus-benchmark.c tree-wide: use EXIT_SUCCESS/EXIT_FAILURE in exit() where we can 2017-12-25 11:48:21 +01:00
test-bus-chat.c tree-wide: install matches asynchronously 2018-01-05 13:58:32 +01:00
test-bus-cleanup.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
test-bus-creds.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
test-bus-error.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
test-bus-gvariant.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
test-bus-introspect.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
test-bus-marshal.c tests: skip g_dbus_message_new_from_blob under asan 2018-03-09 15:17:03 +00:00
test-bus-match.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
test-bus-objects.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
test-bus-server.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
test-bus-signature.c Add SPDX license identifiers to source files under the LGPL 2017-11-19 19:08:15 +01:00
test-bus-track.c log: minimize includes in log.h 2018-01-11 14:44:31 +01:00
test-bus-vtable-cc.cc tests,meson: add test-bus-vtable, compiled as C and C++ 2017-05-13 15:50:44 -04:00
test-bus-vtable.c test-bus-vtable: it's OK if dbus is not running 2017-05-30 21:17:46 -04:00
test-bus-watch-bind.c sd-bus: optionally, use inotify to wait for bus sockets to appear 2018-01-05 13:55:08 +01:00