fuzz: add test case for oss-fuzz #6897 and a work-around

The orignal reproducer from oss-fuzz depends on the hostname (via %H and %c). The hostname needs a dash for msan to report this, so a simpler case from @evverx with the dash hardcoded is also added. The issue is a false positive from msan, which does not instruct stpncpy (https://github.com/google/sanitizers/issues/926). Let's add a work-around until this is fixed.
2018-03-16 12:02:54 +01:00 · 2018-03-16 12:02:54 +01:00 · 1c56d50109
parent 10062bbc35
commit 1c56d50109
4 changed files with 18 additions and 0 deletions
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@ -1977,6 +1977,14 @@ int cg_slice_to_path(const char *unit, char **ret) {
                _cleanup_free_ char *escaped = NULL;
                char n[dash - p + sizeof(".slice")];

+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+                /* msan doesn't instrument stpncpy, so it thinks
+                 * n is later used unitialized:
+                 * https://github.com/google/sanitizers/issues/926
+                 */
+                zero(n);
+#endif
+
                /* Don't allow trailing or double dashes */
                if (IN_SET(dash[1], 0, '-'))
                        return -EINVAL;
--- a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897
+++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897
@ -0,0 +1,4 @@
+service
+[Service]
+Slice=%H.slice
+TemporaryFileSystem=%c
--- a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx
+++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx
@ -0,0 +1,4 @@
+service
+[Service]
+Slice=abc-def.slice
+TemporaryFileSystem=%c
--- a/test/fuzz-regressions/meson.build
+++ b/test/fuzz-regressions/meson.build
@ -35,4 +35,6 @@ fuzz_regression_tests = '''
        fuzz-unit-file/oss-fuzz-6917
        fuzz-unit-file/oss-fuzz-6892
        fuzz-unit-file/oss-fuzz-6908
+        fuzz-unit-file/oss-fuzz-6897
+        fuzz-unit-file/oss-fuzz-6897-evverx
 '''.split()