cifuzz: try steps.*.outcome by evverx · Pull Request #1 · evverx/systemd

evverx · 2020-04-29T05:07:59Z

No description provided.

Having taken a look at https://github.com/systemd/systemd/runs/645252074?check_suite_focus=true where fuzz-journal-remote failed with ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==16==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f864f98948e bp 0x7ffde5c6b7c0 sp 0x7ffde5c6b560 T0) ==16==The signal is caused by a READ memory access. ==16==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7f864f98948e in output_short /work/build/../../src/systemd/src/shared/logs-show.c #1 0x7f864f984624 in show_journal_entry /work/build/../../src/systemd/src/shared/logs-show.c:1154:15 #2 0x7f864f984b63 in show_journal /work/build/../../src/systemd/src/shared/logs-show.c:1239:21 #3 0x4cabab in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-journal-remote.c:67:21 #4 0x51fd16 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:556:15 #5 0x51c330 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:3 #6 0x523700 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:765:7 #7 0x5246cd in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:792:3 #8 0x4de3d1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:824:6 #9 0x4cfb47 in main /src/libfuzzer/FuzzerMain.cpp:19:10 #10 0x7f864e69782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #11 0x41f2a8 in _start (out/fuzz-journal-remote+0x41f2a8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /work/build/../../src/systemd/src/shared/logs-show.c in output_short ==16==ABORTING MS: 0 ; base unit: 0000000000000000000000000000000000000000 0x44,0x3d,0xa,0x5f,0x5f,0x52,0x45,0x41,0x4c,0x54,0x49,0x4d,0x45,0x5f,0x54,0x49,0x4d,0x45,0x53,0x54,0x41,0x4d,0x50,0x3d,0x31,0xa,0xa, D=\x0a__REALTIME_TIMESTAMP=1\x0a\x0a artifact_prefix='./'; Test unit written to ./crash-d635b9dd31cceff3c912fd45e1a58d7e90f0ad73 Base64: RD0KX19SRUFMVElNRV9USU1FU1RBTVA9MQoK ``` I was wondering why it hadn't been caught by the compiler even though clang should have failed to compile it with ``` ../src/shared/logs-show.c:624:25: warning: null passed to a callee that requires a non-null argument [-Wnonnull] print_multiline(f, 4 + fieldlen + 1, 0, OUTPUT_FULL_WIDTH, 0, false, ^ ../src/shared/logs-show.c:161:24: note: callee declares array parameter as static here size_t highlight[static 2]) { ^ ~~~~~~~~~~ ../src/shared/logs-show.c:1239:21: warning: null passed to a callee that requires a non-null argument [-Wnonnull] r = show_journal_entry(f, j, mode, n_columns, flags, NULL, NULL, ellipsized); ^ ~~~~ ../src/shared/logs-show.c:1133:30: note: callee declares array parameter as static here const size_t highlight[static 2], ^ ~~~~~~~~~~ 2 warnings generated. ``` Given that judging by systemd#13039 it doesn't seem to be the first time issues like that have been missed I think it would be better to turn nonnull on and get around false positives on a case-by-case basis with DISABLE_WARNING_NONNULL .. REENABLE_WARNING Reopens systemd#6119

Fixes: oss-fuzz#22208 ``` test/fuzz/fuzz-calendarspec/oss-fuzz-22208... ../src/shared/calendarspec.c:666:48: runtime error: signed integer overflow: 2147000000 + 1000000 cannot be represented in type 'int' #0 0x7f0b9f6cc56a in prepend_component ../src/shared/calendarspec.c:666 #1 0x7f0b9f6cd03a in parse_chain ../src/shared/calendarspec.c:718 #2 0x7f0b9f6cea1c in parse_calendar_time ../src/shared/calendarspec.c:845 #3 0x7f0b9f6d1397 in calendar_spec_from_string ../src/shared/calendarspec.c:1084 #4 0x401570 in LLVMFuzzerTestOneInput ../src/fuzz/fuzz-calendarspec.c:17 #5 0x401ae0 in main ../src/fuzz/fuzz-main.c:39 #6 0x7f0b9e31b1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) #7 0x40122d in _start (/home/fsumsal/repos/systemd/build/fuzz-calendarspec+0x40122d) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/calendarspec.c:666:48 in ```

``` p11-kit-0.23.20-1.fc32.x86_64 pam-1.3.1-26.fc33.x86_64 xz-libs-5.2.5-1.fc33.x86_64 zlib-1.2.11-21.fc32.x86_64 (gdb) bt lvalue=0x560e10 "SendOption", ltype=2, rvalue=0x560e1b "11:string", data=0x561e20, userdata=0x561cd0) at ../src/network/networkd-dhcp-common.c:580 table=0x4392e0 <network_network_gperf_lookup>, section=0x560ef0 "DHCPv4", section_line=14, lvalue=0x560e10 "SendOption", rvalue=0x560e1b "11:string", flags=CONFIG_PARSE_WARN, userdata=0x561cd0) at ../src/shared/conf-parser.c:132 lookup=0x7ffff7d2f76d <config_item_perf_lookup>, table=0x4392e0 <network_network_gperf_lookup>, flags=CONFIG_PARSE_WARN, section=0x7fffffffc9f8, section_line=0x7fffffffc9a0, section_ignored=0x7fffffffc99d, l=0x560e10 "SendOption", userdata=0x561cd0) at ../src/shared/conf-parser.c:270 lookup=0x7ffff7d2f76d <config_item_perf_lookup>, table=0x4392e0 <network_network_gperf_lookup>, flags=CONFIG_PARSE_WARN, userdata=0x561cd0) at ../src/shared/conf-parser.c:395 lookup=0x7ffff7d2f76d <config_item_perf_lookup>, table=0x4392e0 <network_network_gperf_lookup>, flags=CONFIG_PARSE_WARN, userdata=0x561cd0) at ../src/shared/conf-parser.c:452 dropin_dirname=0x7fffffffcbd0 "veth99.network.d", sections=0x4f3a18 "Match", lookup=0x7ffff7d2f76d <config_item_perf_lookup>, table=0x4392e0 <network_network_gperf_lookup>, flags=CONFIG_PARSE_WARN, userdata=0x561cd0) at ../src/shared/conf-parser.c:511 (gdb) q A debugging session is active. Inferior 1 [process 118718] will be killed. ``` ``` $ printf '[DHCPv4]\nSendOption=1:uint8' >crash $ ./out/fuzz-network-parser ./crash INFO: Seed: 1158717610 INFO: Loaded 2 modules (199728 inline 8-bit counters): 136668 [0x7faf3e91a930, 0x7faf3e93bf0c), 63060 [0xadf190, 0xaee7e4), INFO: Loaded 2 PC tables (199728 PCs): 136668 [0x7faf3e93bf10,0x7faf3eb51cd0), 63060 [0xaee7e8,0xbe4d28), ./out/fuzz-network-parser: Running 1 inputs 1 time(s) each. Running: ./crash Assertion 's' failed at src/basic/parse-util.c:458, function int safe_atou8(const char *, uint8_t *)(). Aborting. ==5588== ERROR: libFuzzer: deadly signal #0 0x51811e in __sanitizer_print_stack_trace (/home/vagrant/systemd/out/fuzz-network-parser+0x51811e) #1 0x46b921 in fuzzer::PrintStackTrace() (/home/vagrant/systemd/out/fuzz-network-parser+0x46b921) #2 0x44ded6 in fuzzer::Fuzzer::CrashCallback() (.part.0) (/home/vagrant/systemd/out/fuzz-network-parser+0x44ded6) #3 0x44df9d in fuzzer::Fuzzer::StaticCrashSignalCallback() (/home/vagrant/systemd/out/fuzz-network-parser+0x44df9d) #4 0x7faf3d6d7b1f (/lib64/libpthread.so.0+0x14b1f) #5 0x7faf3d3c2624 in raise (/lib64/libc.so.6+0x3c624) #6 0x7faf3d3ab8d8 in abort (/lib64/libc.so.6+0x258d8) #7 0x7faf3e12593a in log_assert_failed_realm /home/vagrant/systemd/build/../src/basic/log.c:819:9 #8 0x7faf3e140ce1 in safe_atou8 /home/vagrant/systemd/build/../src/basic/parse-util.c:458:9 #9 0x68089c in config_parse_dhcp_send_option /home/vagrant/systemd/build/../src/network/networkd-dhcp-common.c:517:21 #10 0x7faf3debed4e in next_assignment /home/vagrant/systemd/build/../src/shared/conf-parser.c:132:32 #11 0x7faf3deb7783 in parse_line /home/vagrant/systemd/build/../src/shared/conf-parser.c:270:16 #12 0x7faf3deb606c in config_parse /home/vagrant/systemd/build/../src/shared/conf-parser.c:395:21 #13 0x7faf3deb85ee in config_parse_many_files /home/vagrant/systemd/build/../src/shared/conf-parser.c:452:21 #14 0x7faf3deb8c57 in config_parse_many /home/vagrant/systemd/build/../src/shared/conf-parser.c:511:16 #15 0x57c2eb in network_load_one /home/vagrant/systemd/build/../src/network/networkd-network.c:470:13 #16 0x543490 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/network/fuzz-network-parser.c:26:16 #17 0x44e3e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-network-parser+0x44e3e8) #18 0x433505 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-network-parser+0x433505) #19 0x43c449 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/out/fuzz-network-parser+0x43c449) #20 0x42c4a6 in main (/home/vagrant/systemd/out/fuzz-network-parser+0x42c4a6) #21 0x7faf3d3ad1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) #22 0x42c4fd in _start (/home/vagrant/systemd/out/fuzz-network-parser+0x42c4fd) NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports. SUMMARY: libFuzzer: deadly signal ```

…tches AddressSanitizer:DEADLYSIGNAL ================================================================= ==12==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000000c (pc 0x7f0a518b3428 bp 0x7fffa463bfd0 sp 0x7fffa463be68 T0) SCARINESS: 10 (signal) #0 0x7f0a518b3428 in raise (/lib/x86_64-linux-gnu/libc.so.6+0x35428) #1 0x7f0a518b5029 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37029) #2 0x7f0a52ca635a in log_assert_failed_realm /work/build/../../src/systemd/src/basic/log.c:819:9 #3 0x4eea92 in config_parse_wireguard_endpoint /work/build/../../src/systemd/src/network/netdev/wireguard.c:808:9 #4 0x7f0a52b2f74e in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:133:32 #5 0x7f0a52b2954e in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:242:16 #6 0x7f0a52b28911 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:377:21 #7 0x7f0a52b29ec6 in config_parse_many_files /work/build/../../src/systemd/src/shared/conf-parser.c:439:21 #8 0x7f0a52b2a5a6 in config_parse_many /work/build/../../src/systemd/src/shared/conf-parser.c:507:16 #9 0x4d8d6c in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:732:13 #10 0x4d3e2b in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16 #11 0x6b3266 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15 #12 0x6af860 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:3 #13 0x6b6970 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:770:7 #14 0x6b7376 in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:799:3 #15 0x67573f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:846:6 #16 0x667097 in main /src/libfuzzer/FuzzerMain.cpp:19:10 #17 0x7f0a5189e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #18 0x4295a8 in _start (out/fuzz-netdev-parser+0x4295a8) DEDUP_TOKEN: raise--abort--log_assert_failed_realm AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x35428) in raise ==12==ABORTING

We'd try to map a zero-byte buffer from a NULL pointer, which is undefined behaviour. src/systemd/src/libsystemd/sd-bus/bus-message.c:3161:60: runtime error: applying zero offset to null pointer #0 0x7f6ff064e691 in find_part /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3161:60 #1 0x7f6ff0640788 in message_peek_body /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3283:16 #2 0x7f6ff064e8db in enter_struct_or_dict_entry /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3967:21 #3 0x7f6ff06444ac in bus_message_enter_struct /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:4009:13 #4 0x7f6ff0641dde in sd_bus_message_enter_container /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:4136:21 #5 0x7f6ff0619874 in sd_bus_message_dump /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-dump.c:178:29 #6 0x4293d9 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-bus-message.c:39:9 #7 0x441986 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15 #8 0x44121e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:3 #9 0x443164 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:770:7 #10 0x4434bc in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:799:3 #11 0x42d2bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:846:6 #12 0x42978a in main /src/libfuzzer/FuzzerMain.cpp:19:10 #13 0x7f6fef13c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #14 0x407808 in _start (out/fuzz-bus-message+0x407808)

Coverity says: CID 1446387 (#1 of 1): Bad bit shift operation (BAD_SHIFT) 8. negative_shift: In expression 1U << (int)cmd, shifting by a negative amount has undefined behavior. The shift amount, cmd, is -22. I don't think there's any issue, unless we forget to set token->data appropriately. Let's add an assert.

The current pattern '#' triggers on the openSUSE kernel version that is printed early during boot when no actual prompt is ready > [ 0.000000] Linux version 5.12.10-1-default (geeko@buildhost) (gcc (SUSE Linux) 11.1.1 20210510 [revision 23855a176609fe8dda6abaf2b21846b4517966eb], GNU ld (GNU Binutils; openSUSE Tumbleweed) 2.36.1.20210326-4) #1 SMP Fri Jun 11 05:05:06 UTC 2021 (b92eaf7) Instead wait for pattern that: a) should have fewer false positives, b) still be with working on distro shells: openSUSE (red color) ^[[1m^[[31mimage:~ #^[[m^O arch [root@image ~]# debian root@image:~# ubuntu root@image:~# fedora [root@image ~]#

so we can run TEST-46 under sanitizers once again. `systemd-homed` runs fsck on home directories, which reports a memory leak we're not interested in. Let's introduce an LSan suppression file to get around this. Since the patterns in the suppression file are matched using basic substring match[0], they're a bit cumbersome, but should get the work one. [0] https://github.com/google/sanitizers/wiki/AddressSanitizerLeakSanitizer#suppressions Example leaks (as reported by TEST-46): ``` systemd-homed[1333]: ================================================================= systemd-homed[1333]: ==1333==ERROR: LeakSanitizer: detected memory leaks systemd-homed[1333]: Direct leak of 24 byte(s) in 1 object(s) allocated from: systemd-homed[1333]: #0 0x7f0c8facccd1 in calloc (/usr/lib/clang/12.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xf4cd1) systemd-homed[1333]: #1 0x558d9494ff67 (/usr/bin/fsck+0x3f67) systemd-homed[1333]: Direct leak of 6 byte(s) in 1 object(s) allocated from: systemd-homed[1333]: #0 0x7f0c8fa906c1 in strdup (/usr/lib/clang/12.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xb86c1) systemd-homed[1333]: #1 0x558d949518fd (/usr/bin/fsck+0x58fd) systemd-homed[1333]: SUMMARY: AddressSanitizer: 30 byte(s) leaked in 2 allocation(s). systemd-homed[1337]: ==1337==WARNING: Symbolizer was blocked from starting itself! systemd-homed[1337]: ================================================================= systemd-homed[1337]: ==1337==ERROR: LeakSanitizer: detected memory leaks systemd-homed[1337]: Direct leak of 67584 byte(s) in 1 object(s) allocated from: systemd-homed[1337]: #0 0x7f01edb84b19 (/usr/lib/clang/12.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xf4b19) systemd-homed[1337]: #1 0x7f01e8326829 (/usr/bin/../lib/libLLVM-12.so+0xb46829) systemd-homed[1337]: SUMMARY: AddressSanitizer: 67584 byte(s) leaked in 1 allocation(s). ``` With the suppression file: ``` systemd-homed[1339]: ----------------------------------------------------- systemd-homed[1339]: Suppressions used: systemd-homed[1339]: count bytes template systemd-homed[1339]: 2 30 /bin/fsck$ systemd-homed[1339]: ----------------------------------------------------- systemd-homed[1343]: ==1343==WARNING: Symbolizer was blocked from starting itself! systemd-homed[1343]: ----------------------------------------------------- systemd-homed[1343]: Suppressions used: systemd-homed[1343]: count bytes template systemd-homed[1343]: 1 67584 /lib/libLLVM systemd-homed[1343]: ----------------------------------------------------- ```

ELF descriptors created with elf_memory have to be released with elf_end ``` ==2879==ERROR: LeakSanitizer: detected memory leaks Direct leak of 264 byte(s) in 1 object(s) allocated from: #0 0x50faa7 in calloc (/home/vagrant/systemd/build/fuzz-core+0x50faa7) #1 0x7fead94aef51 in allocate_elf /home/vagrant/oss-fuzz/projects/libbpf/libbpf/elfutils/libelf/./common.h:74:17 #2 0x7fead94acda6 in __libelf_read_mmaped_file /home/vagrant/oss-fuzz/projects/libbpf/libbpf/elfutils/libelf/elf_begin.c:571:10 #3 0x7fead94cb0f2 in elf_memory /home/vagrant/oss-fuzz/projects/libbpf/libbpf/elfutils/libelf/elf_memory.c:49:10 #4 0x5481f9 in module_callback /home/vagrant/systemd/build/../src/coredump/stacktrace.c:305:31 #5 0x7fead96ad1ba in dwfl_getmodules /home/vagrant/oss-fuzz/projects/libbpf/libbpf/elfutils/libdwfl/dwfl_getmodules.c:86:16 #6 0x547980 in parse_core /home/vagrant/systemd/build/../src/coredump/stacktrace.c:368:13 #7 0x5472e7 in coredump_parse_core /home/vagrant/systemd/build/../src/coredump/stacktrace.c:408:13 ```

It was reported as used by the linker: > [It is] called in the setup of ld-linux-x86-64.so.2 from _dl_sysdep_start. > My local call stack (with LTO): > > #0 init_cpu_features.constprop.0 (/usr/lib64/ld-linux-x86-64.so.2) > #1 _dl_sysdep_start (/usr/lib64/ld-linux-x86-64.so.2) > #2 _dl_start (/usr/lib64/ld-linux-x86-64.so.2) > #3 _start (/usr/lib64/ld-linux-x86-64.so.2) > > Looking through the source, I think it's this (links for glibc 2.34): > - First dl_platform_init calls _dl_x86_init_cpu_features, a wrapper for init_cpu_features. > - Then init_cpu_features calls get_cet_status. > - At last, get_cet_status invokes arch_prctl. Fixes systemd#22033.

on 32-bit architectures so that it won't get lost. ``` ==169373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4900780 at pc 0xf75dd9cf bp 0xfff63438 sp 0xfff6342c READ of size 1 at 0xf4900780 thread T0 #0 0xf75dd9ce in bus_message_parse_fields ../src/libsystemd/sd-bus/bus-message.c:5272 #1 0xf75b68c3 in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:568 #2 0x80497f3 in LLVMFuzzerTestOneInput ../src/libsystemd/sd-bus/fuzz-bus-message.c:30 #3 0x804a0ba in main ../src/fuzz/fuzz-main.c:50 #4 0xf6f1f468 in __libc_start_call_main (/lib/libc.so.6+0x25468) #5 0xf6f1f549 in __libc_start_main_impl (/lib/libc.so.6+0x25549) #6 0x804928b in _start (/home/vagrant/systemd/build/fuzz-bus-message+0x804928b) 0xf4900780 is located 0 bytes to the right of 16-byte region [0xf4900770,0xf4900780) allocated by thread T0 here: #0 0xf7abb39b in malloc (/lib/libasan.so.6+0xb239b) #1 0xf744cf1f in memdup ../src/basic/alloc-util.c:16 #2 0x8049723 in LLVMFuzzerTestOneInput ../src/libsystemd/sd-bus/fuzz-bus-message.c:28 #3 0x804a0ba in main ../src/fuzz/fuzz-main.c:50 #4 0xf6f1f468 in __libc_start_call_main (/lib/libc.so.6+0x25468) ```

by always calling journal_remote_server_destroy, which resets global variables like journal_remote_server_global. It should prevent crashes like ``` Assertion 'journal_remote_server_global == NULL' failed at src/journal-remote/journal-remote.c:312, function int journal_remote_server_init(RemoteServer *, const char *, JournalWriteSplitMode, _Bool, _Bool)(). Aborting. AddressSanitizer:DEADLYSIGNAL ================================================================= ==24769==ERROR: AddressSanitizer: ABRT on unknown address 0x0539000060c1 (pc 0x7f23b4d5818b bp 0x7ffcbc4080c0 sp 0x7ffcbc407e70 T0) SCARINESS: 10 (signal) #0 0x7f23b4d5818b in raise /build/glibc-eX1tMB/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1 #1 0x7f23b4d37858 in abort /build/glibc-eX1tMB/glibc-2.31/stdlib/abort.c:79:7 #2 0x7f23b5731809 in log_assert_failed systemd/src/basic/log.c:866:9 ```

Turns out that part of systemd isn't covered by any fuzz targets and that's not ideal considering that it parses data sent remotely. The fuzzer triggers an infinite loop in lease_parse_routes as soon as it starts so it seems to be working :-) ``` INFO: Running with entropic power schedule (0xFF, 100). INFO: Seed: 23620602 INFO: Loaded 2 modules (182073 inline 8-bit counters): 176548 [0x7fdf511fc8d0, 0x7fdf51227a74), 5525 [0x5f6ef0, 0x5f8485), INFO: Loaded 2 PC tables (182073 PCs): 176548 [0x7fdf51227a78,0x7fdf514d94b8), 5525 [0x5f8488,0x60ddd8), ./build/fuzz-dhcp-client: Running 1 inputs 1 time(s) each. Running: test/fuzz/fuzz-dhcp-client/timeout-ed34161922c7075c4773f2ada3dee8685d220980 ALARM: working on the last Unit for 31 seconds and the timeout value is 30 (use -timeout=N to change) ==80731== ERROR: libFuzzer: timeout after 31 seconds #0 0x51b32e in __sanitizer_print_stack_trace (/home/vagrant/systemd/build/fuzz-dhcp-client+0x51b32e) #1 0x4689e9 in fuzzer::PrintStackTrace() (/home/vagrant/systemd/build/fuzz-dhcp-client+0x4689e9) #2 0x44a0f4 in fuzzer::Fuzzer::StaticAlarmCallback() (/home/vagrant/systemd/build/fuzz-dhcp-client+0x44a0f4) #3 0x7fdf4f8b474f (/lib64/libc.so.6+0x4274f) #4 0x465fee in __sanitizer_cov_trace_const_cmp4 (/home/vagrant/systemd/build/fuzz-dhcp-client+0x465fee) #5 0x57eee5 in lease_parse_routes /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:495:23 #6 0x57baf3 in dhcp_lease_parse_options /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:701:21 #7 0x572450 in parse_options /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:348:33 #8 0x571cea in dhcp_option_parse /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:381:21 #9 0x559a01 in client_handle_offer /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-client.c:1543:13 #10 0x5592bd in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/libsystemd-network/fuzz-dhcp-client.c:78:9 #11 0x44a379 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x44a379) #12 0x42ae1f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x42ae1f) #13 0x432ade in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x432ade) #14 0x421f86 in main (/home/vagrant/systemd/build/fuzz-dhcp-client+0x421f86) #15 0x7fdf4f89f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f) #16 0x7fdf4f89f60b in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x2d60b) #17 0x421fd4 in _start (/home/vagrant/systemd/build/fuzz-dhcp-client+0x421fd4) SUMMARY: libFuzzer: timeout ```

================================================================= ==81071==ERROR: LeakSanitizer: detected memory leaks Direct leak of 16 byte(s) in 1 object(s) allocated from: #0 0x51245c in __interceptor_reallocarray (/home/vagrant/systemd/build/fuzz-dhcp-client+0x51245c) #1 0x7f01440c67e6 in strv_push /home/vagrant/systemd/build/../src/basic/strv.c:435:13 #2 0x7f01440ca9e1 in strv_consume /home/vagrant/systemd/build/../src/basic/strv.c:506:13 #3 0x7f01440ca9e1 in strv_extend /home/vagrant/systemd/build/../src/basic/strv.c:558:16 #4 0x5806e3 in dhcp_lease_parse_search_domains /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:900:21 #5 0x57c1be in dhcp_lease_parse_options /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:727:21 #6 0x572450 in parse_options /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:348:33 #7 0x571c6a in dhcp_option_parse /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:376:13 #8 0x559a01 in client_handle_offer /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-client.c:1543:13 #9 0x5592bd in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/libsystemd-network/fuzz-dhcp-client.c:74:16 #10 0x44a379 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x44a379) #11 0x42ae1f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x42ae1f) #12 0x432ade in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x432ade) #13 0x421f86 in main (/home/vagrant/systemd/build/fuzz-dhcp-client+0x421f86) #14 0x7f0142fff55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)

==25679==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x511e2f in __interceptor_realloc (/home/vagrant/systemd/out/fuzz-lease-load+0x511e2f) #1 0x7f9588047529 in greedy_realloc /home/vagrant/systemd/build/../src/basic/alloc-util.c:70:13 #2 0x7f958806e3f7 in parse_env_file_internal /home/vagrant/systemd/build/../src/basic/env-file.c:120:38 #3 0x7f958806f1d5 in parse_env_filev /home/vagrant/systemd/build/../src/basic/env-file.c:348:13 #4 0x7f958806f1d5 in parse_env_file_sentinel /home/vagrant/systemd/build/../src/basic/env-file.c:365:13 #5 0x5530ff in dhcp_lease_load /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:1151:13 #6 0x54a2b1 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/libsystemd-network/fuzz-lease-load.c:33:16 #7 0x44a099 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-lease-load+0x44a099) #8 0x44a84b in fuzzer::Fuzzer::MinimizeCrashLoop(std::vector<unsigned char, fuzzer::fuzzer_allocator<unsigned char> > const&) (/home/vagrant/systemd/out/fuzz-lease-load+0x44a84b) #9 0x42a1a7 in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*) (/home/vagrant/systemd/out/fuzz-lease-load+0x42a1a7) #10 0x432753 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/out/fuzz-lease-load+0x432753) #11 0x421ca6 in main (/home/vagrant/systemd/out/fuzz-lease-load+0x421ca6) #12 0x7f95876bb55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f) SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.

…propriate

Inspired by systemd#23913, let's complain if people use paths with ".." in Type #1 bootspec entries. Let's prefix all paths with "/" if it is missing. Let's simplify all paths. let's refuse paths/warn with "..". Fixes: systemd#23913

This is a workaround for an issue in the memory sanitizer. If a function is called with too many arguments, then the sanitizer triggers the following false-positive warning: ==349==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7f8b247134a7 in json_buildv /work/build/../../src/systemd/src/shared/json.c:3213:17 #1 0x7f8b24714231 in json_build /work/build/../../src/systemd/src/shared/json.c:4117:13 #2 0x7f8b24487fa5 in show_boot_entries /work/build/../../src/systemd/src/shared/bootspec.c:1424:29 #3 0x4a6a1b in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-bootspec.c:119:16 #4 0x4c6693 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #5 0x4c5e7a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #6 0x4c7ce4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7 #7 0x4c7f19 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3 #8 0x4b757f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #9 0x4e0bd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #10 0x7f8b23ead082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #11 0x41f69d in _start (build-out/fuzz-bootspec+0x41f69d) Follow-up for systemd#24541. Fixes systemd#24551.

We would print the whole thing in extenso. Users generally don't care, and would likely prefer to just get the compact identifier of the package that they can use in a bug report or package manager commands. Before: systemd-coredump[40645]: [🡕] Process 1975 (gnome-shell) of user 1000 dumped core. Module /usr/bin/gnome-shell (deleted) with build-id aafdb7d69a7efca937e490080ad9348541fc57d8 Metadata for module /usr/bin/gnome-shell (deleted) owned by FDO found: { "type" : "rpm", "name" : "gnome-shell", "version" : "43~rc-3.fc37", "architecture" : "x86_64", "osCpe" : "cpe:/o:fedoraproject:fedora:37" } Module /usr/lib64/gnome-shell/libgvc.so (deleted) with build-id 56cbb9862e1ee84ca1549b94f2b4cda03537613e Metadata for module /usr/lib64/gnome-shell/libgvc.so (deleted) owned by FDO found: { "type" : "rpm", "name" : "gnome-shell", "version" : "43~rc-2.fc37", "architecture" : "x86_64", "osCpe" : "cpe:/o:fedoraproject:fedora:37" } Module /usr/lib64/libLLVM-14.so (deleted) with build-id ffa7e43f48eb4c189304c0241b1862710de4c3a4 Metadata for module /usr/lib64/libLLVM-14.so (deleted) owned by FDO found: { "type" : "rpm", "name" : "gnome-shell", "version" : "43~rc-2.fc37", "architecture" : "x86_64", "osCpe" : "cpe:/o:fedoraproject:fedora:37" } After: systemd-coredump[235218]: [🡕] Process 235216 (bash) of user 1000 dumped core. Module libtinfo.so.6 from rpm ncurses-6.3-3.20220501.fc37.x86_64, build-id=71a04d23fd572525eb6efc47026c379725e06d96 Module bash from rpm bash-5.1.16-3.fc37.x86_64, build-id=6c936aff95a2ccda04a3fb685a81a84a0a8d10da Stack trace of thread 235216: #0 0x00007fa409ec8d8b kill (libc.so.6 + 0x38d8b) #1 0x0000560d35e366b1 kill_builtin (bash + 0xad6b1) #2 0x0000560d35dd7227 execute_builtin.lto_priv.0 (bash + 0x4e227) #3 0x0000560d35dd0459 execute_simple_command (bash + 0x47459) #4 0x0000560d35dd1de0 execute_command_internal (bash + 0x48de0) #5 0x0000560d35e307aa parse_and_execute (bash + 0xa77aa) #6 0x0000560d35e91b08 run_one_command.isra.0 (bash + 0x108b08) #7 0x0000560d35dba07c main (bash + 0x3107c) #8 0x00007fa409eb3510 __libc_start_call_main (libc.so.6 + 0x23510) #9 0x00007fa409eb35c9 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x235c9) #10 0x0000560d35dbad85 _start (bash + 0x31d85)

This wrapper is used in situations where we don't care about *San reports, we just want to make things work. However, with enabled LSan we might trigger some bogus reports we're definitely not interested in, causing unexpected test fails. Spotted on C8S in TEST-34-DYNAMICUSERMIGRATE: ``` [10654.804162] testsuite-34.sh[56]: + systemctl start testservice-34-check-writable.service Starting testservice-34-check-writable.service... [10655.055969] bash[546]: + set -o pipefail [10655.056127] bash[546]: + declare -a writable_dirs [10655.056234] bash[546]: + readarray -t writable_dirs [10655.060838] bash[548]: ++ find / '(' -path /var/tmp -o -path /tmp -o -path /proc -o -path /dev/mqueue -o -path /dev/shm -o -path /sys/fs/bpf -o -path /dev/.lxc -o -path /sys/devices/system/cpu ')' -prune -o -type d -writable -print [10655.061534] bash[549]: ++ sort -u [10655.688740] bash[547]: ================================================================= [10655.689075] bash[547]: ==547==ERROR: LeakSanitizer: detected memory leaks [10655.689246] bash[547]: Direct leak of 112 byte(s) in 1 object(s) allocated from: [10655.743851] bash[547]: #0 0x7ffff752d364 (/usr/lib64/clang/14.0.0/lib/libclang_rt.asan-powerpc64le.so+0x13d364) (BuildId: 321f4ed1caea6a1a4c37f9272e07275cf16f034d) [10655.744060] bash[547]: #1 0x1000b5d20 in xmalloc (/usr/bin/bash+0xb5d20) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744224] bash[547]: #2 0x100083338 (/usr/bin/bash+0x83338) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744393] bash[547]: #3 0x10008847c (/usr/bin/bash+0x8847c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744552] bash[547]: #4 0x1000af6ec in redirection_expand (/usr/bin/bash+0xaf6ec) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744728] bash[547]: #5 0x1000b005c (/usr/bin/bash+0xb005c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744886] bash[547]: #6 0x1000b1388 in do_redirections (/usr/bin/bash+0xb1388) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745051] bash[547]: #7 0x100050484 (/usr/bin/bash+0x50484) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745208] bash[547]: #8 0x100052160 in execute_command_internal (/usr/bin/bash+0x52160) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745376] bash[547]: #9 0x100052a10 in execute_command_internal (/usr/bin/bash+0x52a10) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745536] bash[547]: #10 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745711] bash[547]: #11 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745870] bash[547]: #12 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746038] bash[547]: #13 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746198] bash[547]: #14 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746367] bash[547]: #15 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746548] bash[547]: #16 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746741] bash[547]: #17 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746897] bash[547]: #18 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747067] bash[547]: #19 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747227] bash[547]: #20 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747414] bash[547]: #21 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747573] bash[547]: #22 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747741] bash[547]: #23 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747896] bash[547]: #24 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748064] bash[547]: #25 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748225] bash[547]: #26 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748390] bash[547]: #27 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748553] bash[547]: #28 0x1000bf91c in parse_and_execute (/usr/bin/bash+0xbf91c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748717] bash[547]: #29 0x1000311ec (/usr/bin/bash+0x311ec) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748883] bash[547]: Direct leak of 17 byte(s) in 1 object(s) allocated from: ... ```

The test would fail when addresses were being removed in parallel. In general, the check is only valid when the machine configuration is static, which in general isn't true. CentOS CI (Arch Linux) fails in TEST-02-UNITTESTS test-local-addresses: 10:38:05 (gdb) #0 0x00007f86260a164c in ?? () from /usr/lib/libc.so.6 10:38:05 No symbol table info available. 10:38:05 #1 0x00007f8626051958 in raise () from /usr/lib/libc.so.6 10:38:05 No symbol table info available. 10:38:05 #2 0x00007f862603b53d in abort () from /usr/lib/libc.so.6 10:38:05 No symbol table info available. 10:38:05 #3 0x00007f862639a755 in log_assert_failed ( 10:38:05 text=text@entry=0x56180e56c03b "n == n_ipv4 + n_ipv6", 10:38:05 file=file@entry=0x56180e56c0d1 "src/test/test-local-addresses.c", 10:38:05 line=line@entry=45, 10:38:05 func=func@entry=0x56180e56c360 <__PRETTY_FUNCTION__.6> "test_local_addresses") at ../build/src/basic/log.c:853 10:38:05 No locals. 10:38:05 #4 0x000056180e56b77e in test_local_addresses () 10:38:05 at ../build/src/test/test-local-addresses.c:45 10:38:05 a = 0x0 10:38:05 n = 234 10:38:05 n_ipv4 = 236 10:38:05 n_ipv6 = 7 10:38:05 __PRETTY_FUNCTION__ = "test_local_addresses" 10:38:05 __func__ = "test_local_addresses" 10:38:05 #5 0x000056180e56ba67 in run_test_table () at ../build/src/shared/tests.h:106 10:38:05 r = 0 10:38:05 t = 0x56180e56e010 <__unique_prefix_static_test_table_entry10> 10:38:05 __PRETTY_FUNCTION__ = <optimized out> 10:38:05 __func__ = "run_test_table" 10:38:05 #6 0x000056180e56bb2f in main (argc=1, argv=0x7ffc3a814808) 10:38:05 at ../build/src/test/test-local-addresses.c:81 10:38:05 _intro = 0x0 10:38:05 _outro = 0x0 10:38:05 _r = 0 10:38:05 _q = 0 10:38:05 (gdb) The logs show that there's a huge number of private addresses, probably from some other test running in parallel.

…ocale= \#0 __strcmp_evex () at ../sysdeps/x86_64/multiarch/strcmp-evex.S:295 No locals. \#1 0x0000557444eb172b in process_locale () at ../src/firstboot/firstboot.c:342 etc_localeconf = 0x7ffd40217b80 "/root/root/etc/locale.conf" locales = {0x0, 0x0, 0x0} i = 0 r = <optimized out> __PRETTY_FUNCTION__ = "process_locale" __func__ = "process_locale" \#2 0x0000557444eaff93 in run (argv=0x7ffd40217d98, argc=3) at ../src/firstboot/firstboot.c:1401 loop_device = 0x0 unlink_dir = 0x0 r = <optimized out> loop_device = <optimized out> unlink_dir = <optimized out> r = <optimized out> __func__ = <optimized out> __PRETTY_FUNCTION__ = <optimized out> enabled = <optimized out> _error = <optimized out> _level = <optimized out> _e = <optimized out> _level = <optimized out> _e = <optimized out> \#3 main (argc=3, argv=0x7ffd40217d98) at ../src/firstboot/firstboot.c:1432 r = <optimized out> __PRETTY_FUNCTION__ = "main" Fixes systemd#25249

``` ../src/basic/hexdecoct.c:66:44: runtime error: applying zero offset to null pointer #0 0x7f6022650c44 in hexmem /home/vagrant/systemd/build-fuzzers/../src/basic/hexdecoct.c:66:44 #1 0x577583 in dns_resource_record_to_string /home/vagrant/systemd/build-fuzzers/../src/resolve/resolved-dns-rr.c:1140:21 #2 0x563669 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build-fuzzers/../src/resolve/fuzz-resource-record.c:25:39 #3 0x44d2a1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-resource-record+0x44d2a1) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) #4 0x42d32f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-resource-record+0x42d32f) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) #5 0x434920 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/out/fuzz-resource-record+0x434920) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) #6 0x424006 in main (/home/vagrant/systemd/out/fuzz-resource-record+0x424006) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) #7 0x7f602142950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f) (BuildId: 85c438f4ff93e21675ff174371c9c583dca00b2c) #8 0x7f60214295c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x295c8) (BuildId: 85c438f4ff93e21675ff174371c9c583dca00b2c) #9 0x424044 in _start (/home/vagrant/systemd/out/fuzz-resource-record+0x424044) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/basic/hexdecoct.c:66:44 in ```

Currently the kernel-install man page only documents the bls layout for use with the boot loader spec type #1. 90-loaderentry.install uses this layout to generate loader entries and copy the kernel image and initrd to $BOOT. This commit documents a second layout "uki" and adds 90-uki-copy.install, which copies a UKI "uki.efi" from the staging area or any file with the .efi extension given on the command line to $BOOT/EFI/Linux/$ENTRY_TOKEN-$KERNEl_VERSION(+$TRIES).efi This allows for both locally generated and distro-provided UKIs to be handled by kernel-install.

When built with ACL support, we might be processing a tmpfiles entry where there's no cause for us to call parse_acls_from_arg, then we get to the end of parse_line without having ever populated i.{acl_access, acl_default}. Then we pass a null pointer into acl_free(). From UBSAN w/ GCC 13.0.0_pre20230101: ``` $ systemd-tmpfiles --clean /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer #0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44 #1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855 #2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158 #3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897 #4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985 #5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157 #6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218 #7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289) #8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344) #9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900) ```

[ 49.275617] testsuite-46.sh[1862]: ================================================================= [ 49.275870] testsuite-46.sh[1862]: ==1862==ERROR: LeakSanitizer: detected memory leaks [ 49.276039] testsuite-46.sh[1862]: Direct leak of 103 byte(s) in 14 object(s) allocated from: [ 49.276515] testsuite-46.sh[1862]: #0 0x7f4dbc07243b in strdup (/lib64/libasan.so.8+0x7243b) [ 49.276707] testsuite-46.sh[1862]: #1 0x7f4dbb3900d5 in free_and_strdup ../src/basic/string-util.c:952 [ 49.276931] testsuite-46.sh[1862]: #2 0x7f4dbb15c67d in json_dispatch_user_group_name ../src/shared/json.c:4699 [ 49.277134] testsuite-46.sh[1862]: #3 0x7f4dbb16da9b in json_dispatch ../src/shared/json.c:4395 [ 49.277352] testsuite-46.sh[1862]: #4 0x7f4dbb25b28e in userdb_on_query_reply ../src/shared/userdb.c:305 [ 49.277603] testsuite-46.sh[1862]: #5 0x7f4dbb2748b9 in varlink_dispatch_reply ../src/shared/varlink.c:760 [ 49.277766] testsuite-46.sh[1862]: #6 0x7f4dbb2748b9 in varlink_process ../src/shared/varlink.c:951 [ 49.277975] testsuite-46.sh[1862]: #7 0x7f4dbb27a001 in defer_callback ../src/shared/varlink.c:1897 [ 49.278197] testsuite-46.sh[1862]: #8 0x7f4dbb5d57dd in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4191 [ 49.278421] testsuite-46.sh[1862]: #9 0x7f4dbb5d685d in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4780 [ 49.278675] testsuite-46.sh[1862]: #10 0x7f4dbb5d70bf in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4841 [ 49.278873] testsuite-46.sh[1862]: #11 0x7f4dbb257e7c in userdb_process ../src/shared/userdb.c:591 [ 49.279048] testsuite-46.sh[1862]: #12 0x7f4dbb25f78f in membershipdb_iterator_get ../src/shared/userdb.c:1411 [ 49.279280] testsuite-46.sh[1862]: #13 0x7f4dbb23a98c in user_record_show ../src/shared/user-record-show.c:187 [ 49.279504] testsuite-46.sh[1862]: #14 0x404ae3 in show_user ../src/userdb/userdbctl.c:93 [ 49.279710] testsuite-46.sh[1862]: #15 0x40b4f5 in display_user ../src/userdb/userdbctl.c:418 [ 49.279961] testsuite-46.sh[1862]: #16 0x7f4dbb2804d2 in dispatch_verb ../src/shared/verbs.c:110 [ 49.280233] testsuite-46.sh[1862]: #17 0x40dcf3 in run ../src/userdb/userdbctl.c:1327 [ 49.280434] testsuite-46.sh[1862]: #18 0x40dcf3 in main ../src/userdb/userdbctl.c:1330 [ 49.280657] testsuite-46.sh[1862]: #19 0x7f4db9e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) [ 49.280907] testsuite-46.sh[1862]: SUMMARY: AddressSanitizer: 103 byte(s) leaked in 14 allocation(s).

$ dd if=/dev/zero of=luks.img bs=1M count=64 $ echo 1231dfsd234d | cryptsetup luksFormat luks.img $ build-san/systemd-cryptenroll luks.img SLOT TYPE 0 password ================================================================= ==640364==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x7f43ffeb95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5) #1 0x7f43ff0a4f2f in greedy_realloc ../src/basic/alloc-util.c:70 #2 0x404d9f in list_enrolled ../src/cryptenroll/cryptenroll-list.c:30 #3 0x40f149 in run ../src/cryptenroll/cryptenroll.c:673 #4 0x40f149 in main ../src/cryptenroll/cryptenroll.c:692 #5 0x7f43fd64a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Aborted (core dumped) Reported in systemd#27007.

+ machinectl image-status container1 container1 container0 container1 container2 container3 container4 ================================================================= ==1354==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4704 byte(s) in 6 object(s) allocated from: #0 0x7fc3670ba097 in calloc (/lib64/libasan.so.8+0xba097) #1 0x7fc365e91e8e in message_from_header ../src/libsystemd/sd-bus/bus-message.c:372 #2 0x7fc365e92dfd in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:421 #3 0x7fc365f089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 #4 0x7fc365f0affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 #5 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #6 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #7 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #8 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109 #9 0x413b76 in show_image ../src/machine/machinectl.c:1014 #10 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103 #11 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981 #12 0x42ebbd in run ../src/machine/machinectl.c:3006 #13 0x42ece3 in main ../src/machine/machinectl.c:3009 #14 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 666 byte(s) in 6 object(s) allocated from: #0 0x7fc3670b95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5) #1 0x7fc365f09822 in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1214 #2 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #3 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #4 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #5 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109 #6 0x413b76 in show_image ../src/machine/machinectl.c:1014 #7 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103 #8 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981 #9 0x42ebbd in run ../src/machine/machinectl.c:3006 #10 0x42ece3 in main ../src/machine/machinectl.c:3009 #11 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 12 byte(s) in 6 object(s) allocated from: #0 0x7fc36707243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fc365ec1543 in message_parse_fields ../src/libsystemd/sd-bus/bus-message.c:4125 #2 0x7fc365e93586 in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:443 #3 0x7fc365f089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 #4 0x7fc365f0affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 #5 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #6 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #7 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #8 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109 #9 0x413b76 in show_image ../src/machine/machinectl.c:1014 #10 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103 #11 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981 #12 0x42ebbd in run ../src/machine/machinectl.c:3006 #13 0x42ece3 in main ../src/machine/machinectl.c:3009 #14 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 5382 byte(s) leaked in 18 allocation(s).

+ machinectl status long-running long-running long-running ================================================================= ==986==ERROR: LeakSanitizer: detected memory leaks Direct leak of 1568 byte(s) in 2 object(s) allocated from: #0 0x7fe57caba097 in calloc (/lib64/libasan.so.8+0xba097) #1 0x7fe57b891e8e in message_from_header ../src/libsystemd/sd-bus/bus-message.c:372 #2 0x7fe57b892dfd in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:421 #3 0x7fe57b9089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 #4 0x7fe57b90affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 #5 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #6 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #7 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #8 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109 #9 0x40f71c in show_machine ../src/machine/machinectl.c:713 #10 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103 #11 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980 #12 0x42ebf9 in run ../src/machine/machinectl.c:3005 #13 0x42ed1f in main ../src/machine/machinectl.c:3008 #14 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 234 byte(s) in 2 object(s) allocated from: #0 0x7fe57cab95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5) #1 0x7fe57b909822 in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1214 #2 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #3 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #4 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #5 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109 #6 0x40f71c in show_machine ../src/machine/machinectl.c:713 #7 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103 #8 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980 #9 0x42ebf9 in run ../src/machine/machinectl.c:3005 #10 0x42ed1f in main ../src/machine/machinectl.c:3008 #11 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 4 byte(s) in 2 object(s) allocated from: #0 0x7fe57ca7243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fe57b8c1543 in message_parse_fields ../src/libsystemd/sd-bus/bus-message.c:4125 #2 0x7fe57b893586 in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:443 #3 0x7fe57b9089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 #4 0x7fe57b90affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 #5 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #6 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #7 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #8 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109 #9 0x40f71c in show_machine ../src/machine/machinectl.c:713 #10 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103 #11 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980 #12 0x42ebf9 in run ../src/machine/machinectl.c:3005 #13 0x42ed1f in main ../src/machine/machinectl.c:3008 #14 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 1806 byte(s) leaked in 6 allocation(s).

When merging the settings we take the pointer to the array of extra devices, but don't reset the array counter to zero. This later leads to a NULL pointer dereference, where device_node_array_free() attempts to loop over a NULL pointer: + systemd-nspawn --oci-bundle=/var/lib/machines/testsuite-13.oci-bundle.Npo ../src/nspawn/nspawn-settings.c:118:29: runtime error: member access within null pointer of type 'struct DeviceNode' #0 0x4b91ee in device_node_array_free ../src/nspawn/nspawn-settings.c:118 #1 0x4ba42a in settings_free ../src/nspawn/nspawn-settings.c:161 #2 0x410b79 in settings_freep ../src/nspawn/nspawn-settings.h:249 #3 0x446ce8 in load_oci_bundle ../src/nspawn/nspawn.c:4733 #4 0x44ff42 in run ../src/nspawn/nspawn.c:5476 #5 0x455296 in main ../src/nspawn/nspawn.c:5919 #6 0x7f0cb7a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #7 0x7f0cb7a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #8 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/nspawn/nspawn-settings.c:118:29 in Also, add an appropriate assert to catch such issues in the future.

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) #1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 #2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 #3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 #4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 #5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 #6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 #8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 #10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 #12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #14 0x4552fb in main ../src/nspawn/nspawn.c:5920 #15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING

Whoopsie. ================================================================= ==3789231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000051d0b8 at pc 0x7f70850bc904 bp 0x7ffd9bbdf660 sp 0x7ffd9bbdf658 READ of size 8 at 0x00000051d0b8 thread T0 #0 0x7f70850bc903 in json_dispatch ../src/shared/json.c:4347 #1 0x4a5b54 in oci_seccomp_syscalls ../src/nspawn/nspawn-oci.c:1838 #2 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #3 0x4a668c in oci_seccomp ../src/nspawn/nspawn-oci.c:1905 #4 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #5 0x4a7d8c in oci_linux ../src/nspawn/nspawn-oci.c:2030 #6 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4aa31c in oci_load ../src/nspawn/nspawn-oci.c:2198 #8 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #9 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #10 0x4552fb in main ../src/nspawn/nspawn.c:5920 #11 0x7f7083a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #12 0x7f7083a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #13 0x40d284 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/systemd-nspawn+0x40d284) 0x00000051d0b8 is located 40 bytes to the left of global variable 'bus_standard_errors_copy_0' defined in '../src/libsystemd/sd-bus/bus-error.h:57:1' (0x51d0e0) of size 8 0x00000051d0b8 is located 0 bytes to the right of global variable 'table' defined in '../src/nspawn/nspawn-oci.c:1829:43' (0x51d040) of size 120 SUMMARY: AddressSanitizer: global-buffer-overflow ../src/shared/json.c:4347 in json_dispatch Shadow bytes around the buggy address: 0x00008009b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009b9d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9e0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 =>0x00008009ba10: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9 0x00008009ba20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3789231==ABORTING

In case one of the allocations fails. For example: AddressSanitizer:DEADLYSIGNAL ================================================================= ==17==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb352a476e5 bp 0x7ffe45154850 sp 0x7ffe45154008 T0) ==17==The signal is caused by a READ memory access. ==17==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fb352a476e5 (/lib/x86_64-linux-gnu/libc.so.6+0x1886e5) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #1 0x435878 in __interceptor_strlen /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc #2 0x4de1e4 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-calendarspec.c:20:21 #3 0x4deea8 in NaloFuzzerTestOneInput (/build/fuzz-calendarspec+0x4deea8) #4 0x4fde33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #5 0x4fd61a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #6 0x4fece9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #7 0x4ff9b5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #8 0x4eed1f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #9 0x4ef5e8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #10 0x4df105 in main (/build/fuzz-calendarspec+0x4df105) #11 0x7fb3528e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #12 0x41f80d in _start (/build/fuzz-calendarspec+0x41f80d) Found by Nallocfuzz.

As it might hide a possible allocation error since it uses the returns_nonnull attribute: AddressSanitizer:DEADLYSIGNAL ================================================================= ==8==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f317897db8d bp 0x7ffd436fe9a0 sp 0x7ffd436fe970 T0) ==8==The signal is caused by a WRITE memory access. ==8==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7f317897db8d in source_new /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:1214:18 #1 0x7f317897e68c in sd_event_add_time /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:1417:13 #2 0x7f317897a0f6 in event_reset_time /work/build/../../src/systemd/src/libsystemd/sd-event/event-util.c:68:21 #3 0x4e2c8e in client_initialize_time_events /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1366:13 #4 0x4eb0fd in client_initialize_events /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1380:9 #5 0x4eb0fd in client_start_delayed /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1410:16 #6 0x4e30aa in client_start /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1415:16 #7 0x4e30aa in sd_dhcp_client_start /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:2045:13 #8 0x4e700e in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-client.c:73:15 #9 0x5062f8 in NaloFuzzerTestOneInput (/build/fuzz-dhcp-client+0x5062f8) #10 0x525283 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x524a6a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x526139 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x526e05 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x51616f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x516a38 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x506555 in main (/build/fuzz-dhcp-client+0x506555) #17 0x7f3177ce3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #18 0x420c4d in _start (/build/fuzz-dhcp-client+0x420c4d) Found by Nallocfuzz.

==8==ERROR: LeakSanitizer: detected memory leaks Indirect leak of 168 byte(s) in 3 object(s) allocated from: #0 0x4a0e6e in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3 #1 0x4dec61 in calloc (/build/fuzz-bus-match+0x4dec61) #2 0x7f7c25e2b92d in bus_match_add_leaf /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-match.c:548:13 #3 0x7f7c25e2b92d in bus_match_add /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-match.c:886:16 #4 0x4de864 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd/sd-bus/fuzz-bus-match.c:83:21 #5 0x4defc8 in NaloFuzzerTestOneInput (/build/fuzz-bus-match+0x4defc8) #6 0x4fdf53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #7 0x4fd73a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #8 0x4fee09 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #9 0x4ffad5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #10 0x4eee3f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #11 0x4ef708 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #12 0x4df225 in main (/build/fuzz-bus-match+0x4df225) #13 0x7f7c252e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_calloc--calloc--bus_match_add_leaf SUMMARY: AddressSanitizer: 168 byte(s) leaked in 3 allocation(s). Found by Nallocfuzz.

We can't dereference the variant object directly, as it might be a magic object (which has an address on a faulting page); use json_variant_is_sensitive() instead that handles this case. For example, with an empty array: ==1547789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000023 (pc 0x7fd616ca9a18 bp 0x7ffcba1dc7c0 sp 0x7ffcba1dc6d0 T0) ==1547789==The signal is caused by a READ memory access. ==1547789==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fd616ca9a18 in json_variant_strv ../src/shared/json.c:2190 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7fd61564a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7fd61564a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) DEDUP_TOKEN: json_variant_strv--oci_args--json_dispatch AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ../src/shared/json.c:2190 in json_variant_strv ==1547789==ABORTING Or with an empty string in an array: ../src/shared/json.c:2202:39: runtime error: member access within misaligned address 0x000000000007 for type 'struct JsonVariant', which requires 8 byte alignment 0x000000000007: note: pointer points here <memory cannot be printed> #0 0x7f35f4ca9bcf in json_variant_strv ../src/shared/json.c:2202 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7f35f364a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7f35f364a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/json.c:2202:39 in Note: this happens only if json_variant_copy() in json_variant_set_source() fails. Found by Nallocfuzz.

If we fail to combine the new entry with a previous one, or update it in the hashmap, we might later on attempt a double-free: ================================================================= ==10==ERROR: AddressSanitizer: attempting double-free on 0x611000039fc0 in thread T0: SCARINESS: 42 (double-free) #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e431d9f2 in _hashmap_clear /work/build/../../src/systemd/src/basic/hashmap.c:927:33 #2 0x7f55e431d4c8 in _hashmap_free /work/build/../../src/systemd/src/basic/hashmap.c:896:17 #3 0x4de1de in ordered_hashmap_free_free_free /work/build/../../src/systemd/src/basic/hashmap.h:120:24 #4 0x4de1de in ordered_hashmap_free_free_freep /work/build/../../src/systemd/src/basic/hashmap.h:434:1 #5 0x4de1de in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:26:1 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #15 0x41f7cd in _start (/build/fuzz-catalog+0x41f7cd) DEDUP_TOKEN: __interceptor_free--_hashmap_clear--_hashmap_free 0x611000039fc0 is located 0 bytes inside of 224-byte region [0x611000039fc0,0x61100003a0a0) freed by thread T0 here: #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e451493d in freep /work/build/../../src/systemd/src/basic/alloc-util.h:107:22 #2 0x7f55e451493d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:187:1 #3 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #4 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #5 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #6 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #7 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #8 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #9 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #10 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #11 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #12 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #13 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_free--freep--finish_item previously allocated by thread T0 here: #0 0x4a0c06 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x4de539 in malloc (/build/fuzz-catalog+0x4de539) #2 0x7f55e42bf96b in memdup /work/build/../../src/systemd/src/basic/alloc-util.c:16:15 #3 0x7f55e451475d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:176:28 #4 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #5 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--memdup SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in __interceptor_free Found by Nallocfuzz.

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) #2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 #3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 #4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 #5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 #6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 #7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 #8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 #9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) #10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) #17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz.

==8036==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x4a10bc in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3 #1 0x4deef1 in realloc (/build/fuzz-unit-file+0x4deef1) #2 0x7ffa35abfe23 in greedy_realloc /work/build/../../src/systemd/src/basic/alloc-util.c:70:13 #3 0x7ffa35aefad2 in parse_env_file_internal /work/build/../../src/systemd/src/basic/env-file.c:127:38 #4 0x7ffa35af08a6 in parse_env_file_fdv /work/build/../../src/systemd/src/basic/env-file.c:374:13 #5 0x7ffa35b6391e in parse_extension_release_atv /work/build/../../src/systemd/src/basic/os-util.c:323:16 #6 0x7ffa35b63c8a in parse_extension_release_sentinel /work/build/../../src/systemd/src/basic/os-util.c:360:13 #7 0x7ffa35a5e3f5 in parse_os_release_specifier /work/build/../../src/systemd/src/shared/specifier.c:292:13 #8 0x7ffa35a5e3f5 in specifier_os_id /work/build/../../src/systemd/src/shared/specifier.c:303:16 #9 0x7ffa35a5c7f5 in specifier_printf /work/build/../../src/systemd/src/shared/specifier.c:70:45 #10 0x7ffa3690b279 in unit_full_printf_full /work/build/../../src/systemd/src/core/unit-printf.c:264:16 #11 0x7ffa367de795 in config_parse_bus_name /work/build/../../src/systemd/src/core/load-fragment.c:2401:13 #12 0x7ffa358fe5ec in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:151:24 #13 0x7ffa358fe5ec in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:257:16 #14 0x7ffa358fd653 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:400:21 #15 0x4de828 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/core/fuzz-unit-file.c:72:16 #16 0x4df208 in NaloFuzzerTestOneInput (/build/fuzz-unit-file+0x4df208) #17 0x4fe213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #18 0x4fd9fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #19 0x4ff0c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #20 0x4ffd95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #21 0x4ef0ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #22 0x4ef9c8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #23 0x4df485 in main (/build/fuzz-unit-file+0x4df485) #24 0x7ffa35232082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_realloc--realloc--greedy_realloc SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz.

Otherwise we might hit an assertion during cleanup if the following mmap_cache_new() call fails: Assertion 'p->n_ref > 0' failed at src/journal-remote/journal-remote-write.c:80, function writer_unref(). Aborting. ==2069==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000815 (pc 0x7f39dcd0200b bp 0x7ffe2fe24db0 sp 0x7ffe2fe24b60 T0) SCARINESS: 10 (signal) #0 0x7f39dcd0200b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #1 0x7f39dcce1858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #2 0x7f39dd747e49 in log_assert_failed /work/build/../../src/systemd/src/basic/log.c:940:9 #3 0x4e4431 in writer_unref /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:80:1 #4 0x4e3fd5 in writer_unrefp /work/build/../../src/systemd/src/journal-remote/journal-remote-write.h:27:1 #5 0x4e3fd5 in writer_new /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:56:1 #6 0x4e04bc in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:125:21 #7 0x4e0e0b in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:181:13 #8 0x4e0e0b in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:233:13 #9 0x4df99f in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/journal-remote/fuzz-journal-remote.c:54:9 #10 0x4e8f48 in NaloFuzzerTestOneInput (/build/fuzz-journal-remote+0x4e8f48) #11 0x507f53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #12 0x50773a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #13 0x508e09 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #14 0x509ad5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #15 0x4f8e3f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #16 0x4f9708 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #17 0x4e91c5 in main (/build/fuzz-journal-remote+0x4e91c5) #18 0x7f39dcce3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #19 0x420bcd in _start (/build/fuzz-journal-remote+0x420bcd) DEDUP_TOKEN: raise--abort--log_assert_failed AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) in raise Found by Nallocufzz.

If we fail any allocation prior adding the lease to the server lease hashmap. ==2103==ERROR: LeakSanitizer: detected memory leaks Direct leak of 128 byte(s) in 2 object(s) allocated from: #0 0x4a203e in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3 #1 0x4f6341 in calloc (/build/fuzz-dhcp-server+0x4f6341) #2 0x4ec818 in add_lease /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-server.c:26:9 #3 0x4ec2bf in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-server.c:75:9 #4 0x4f68a8 in NaloFuzzerTestOneInput (/build/fuzz-dhcp-server+0x4f68a8) #5 0x5158b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #6 0x51509a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #7 0x516769 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #8 0x517435 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #9 0x50679f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #10 0x507068 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #11 0x4f6b25 in main (/build/fuzz-dhcp-server+0x4f6b25) #12 0x7f16084e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_calloc--calloc--add_lease SUMMARY: AddressSanitizer: 128 byte(s) leaked in 2 allocation(s). Found by Nallocufzz.

==1==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x7fc096c7243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fc095db3899 in bus_socket_set_transient_property ../src/core/dbus-socket.c:386 #2 0x7fc095db5140 in bus_socket_set_property ../src/core/dbus-socket.c:460 #3 0x7fc095dd20f1 in bus_unit_set_properties ../src/core/dbus-unit.c:2473 #4 0x7fc095d87d53 in transient_unit_from_message ../src/core/dbus-manager.c:1025 #5 0x7fc095d8872f in method_start_transient_unit ../src/core/dbus-manager.c:1112 #6 0x7fc0944ddf4f in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7fc0944e7854 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7fc0944e8f03 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7fc09454ad78 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3011 #10 0x7fc09454b302 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3053 #11 0x7fc09454e158 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3273 #12 0x7fc09454e2f2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3300 #13 0x7fc094551a59 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3642 #14 0x7fc094727830 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 #15 0x7fc094731009 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 #16 0x7fc094732124 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 #17 0x7fc095f7af9f in manager_loop ../src/core/manager.c:3242 #18 0x41cc7c in invoke_main_loop ../src/core/main.c:1937 #19 0x4252e0 in main ../src/core/main.c:3072 #20 0x7fc092a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s).

On faster machines we might be too fast and kill the fake binary during fork() which then makes kernel report a "wrong" binary in the coredump, e.g.: [ 31.408078] testsuite-74.sh[548]: + /tmp/make-dump /tmp/test-dump SIGTRAP [ 31.409720] testsuite-74.sh[560]: + bin=/tmp/test-dump [ 31.409720] testsuite-74.sh[560]: + sig=SIGTRAP [ 31.409720] testsuite-74.sh[560]: + ulimit -c unlimited [ 31.409720] testsuite-74.sh[560]: + pid=561 [ 31.409720] testsuite-74.sh[560]: + sleep 1 [ 31.409720] testsuite-74.sh[560]: + kill -s SIGTRAP 561 [ 31.409720] testsuite-74.sh[560]: + wait 561 [ 31.491757] systemd[1]: Created slice system-systemd\x2dcoredump.slice. [ 31.524488] systemd[1]: Started [email protected]. [ 31.616372] systemd-coredump[564]: [🡕] Process 561 (make-dump) of user 0 dumped core. Stack trace of thread 561: #0 0x00007ff86bb49af7 _Fork (libc.so.6 + 0xd4af7) #1 0x00007ff86bb4965f __libc_fork (libc.so.6 + 0xd465f) #2 0x000055e88011b0ad make_child (bash + 0x550ad) #3 0x000055e8800fd05f n/a (bash + 0x3705f) #4 0x000055e880100116 execute_command_internal (bash + 0x3a116) #5 0x000055e8801011f2 execute_command_internal (bash + 0x3b1f2) #6 0x000055e8801025b6 execute_command (bash + 0x3c5b6) #7 0x000055e8800f134b reader_loop (bash + 0x2b34b) #8 0x000055e8800e757d main (bash + 0x2157d) #9 0x00007ff86ba98850 n/a (libc.so.6 + 0x23850) #10 0x00007ff86ba9890a __libc_start_main (libc.so.6 + 0x2390a) #11 0x000055e8800e83b5 _start (bash + 0x223b5) ELF object binary architecture: AMD x86-64 [ 31.666617] testsuite-74.sh[560]: /tmp/make-dump: line 12: 561 Trace/breakpoint trap (core dumped) "$bin" infinity ... $ coredumpctl list --file system.journal TIME PID UID GID SIG COREFILE EXE SIZE Fri 2023-06-02 10:42:10 CEST 561 0 0 SIGTRAP journal /usr/bin/bash - Fri 2023-06-02 10:42:11 CEST 570 0 0 SIGABRT journal /tmp/test-dump - Fri 2023-06-02 10:42:12 CEST 582 0 0 SIGTRAP missing /tmp/test-dump - Fri 2023-06-02 10:42:13 CEST 593 0 0 SIGABRT missing /tmp/test-dump -

When the header= option comes before any other type= defining one, we trip over an assertion: Jun 04 15:45:33 H testsuite-24.sh[752]: + systemctl start [email protected] Jun 04 15:45:33 H systemd[1]: Starting [email protected]... Jun 04 15:45:33 H systemd-cryptsetup[4641]: Assertion 'name' failed at src/basic/strv.c:21, function strv_find(). Aborting. ... Jun 04 15:45:33 H systemd-coredump[4643]: Process 4641 (systemd-cryptse) of user 0 dumped core. ... Stack trace of thread 4641: #0 0x00007ff9256afe5c __pthread_kill_implementation (libc.so.6 + 0x8ce5c) #1 0x00007ff92565fa76 raise (libc.so.6 + 0x3ca76) #2 0x00007ff9256497fc abort (libc.so.6 + 0x267fc) #3 0x00007ff926076047 log_assert_failed (libsystemd-shared-253.so + 0x276047) #4 0x00007ff9260ab317 strv_find (libsystemd-shared-253.so + 0x2ab317) #5 0x0000000000405927 parse_one_option (systemd-cryptsetup + 0x5927) #6 0x0000000000407793 parse_options (systemd-cryptsetup + 0x7793) #7 0x000000000040fa0c run (systemd-cryptsetup + 0xfa0c) #8 0x000000000041137f main (systemd-cryptsetup + 0x1137f) #9 0x00007ff92564a510 __libc_start_call_main (libc.so.6 + 0x27510) #10 0x00007ff92564a5c9 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x275c9) #11 0x0000000000403915 _start (systemd-cryptsetup + 0x3915) ELF object binary architecture: AMD x86-64

Provides coverage for systemd#26872. With systemd#26875 reverted: [16444.287652] testsuite-03.sh[71]: + for i in {0..19} [16444.287652] testsuite-03.sh[71]: + systemctl start transaction-cycle0.service [16444.359503] systemd[1]: ================================================================= [16444.360321] systemd[1]: ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180002e578e at pc 0x7f73b25ec7a6 bp 0x7ffc5531c6f0 sp 0x7ffc5531be68 [16444.360798] systemd[1]: [16444.361044] systemd[1]: READ of size 783 at 0x6180002e578e thread T0 (systemd) [16444.391684] systemd[1]: #0 0x7f73b25ec7a5 (/lib64/libasan.so.5+0x557a5) [16444.392167] systemd[1]: #1 0x7f73b260a1d5 in __interceptor_vasprintf (/lib64/libasan.so.5+0x731d5) [16444.392442] systemd[1]: #2 0x7f73afa1d1e1 in log_format_iovec ../src/basic/log.c:996 [16444.392750] systemd[1]: #3 0x7f73afa1e7b6 in log_struct_internal ../src/basic/log.c:1058 [16444.393101] systemd[1]: #4 0x7f73b1979136 in transaction_verify_order_one ../src/core/transaction.c:392 [16444.393540] systemd[1]: #5 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.393946] systemd[1]: #6 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.394262] systemd[1]: #7 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.394532] systemd[1]: #8 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.394812] systemd[1]: #9 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 ...

So we're able to detect memory leaks in our NSS modules. An example after introducing a memory leak in nss-myhostname.c: testsuite-71.sh[2881]: ================================================================= testsuite-71.sh[2881]: ==2880==ERROR: LeakSanitizer: detected memory leaks testsuite-71.sh[2881]: Direct leak of 2 byte(s) in 1 object(s) allocated from: testsuite-71.sh[2881]: #0 0x7fa28907243b in strdup (/usr/lib64/libasan.so.8.0.0+0x7243b) testsuite-71.sh[2881]: #1 0x7fa286a7bc10 in gethostname_full ../src/basic/hostname-util.c:67 testsuite-71.sh[2881]: #2 0x7fa286a74af9 in gethostname_malloc ../src/basic/hostname-util.h:24 testsuite-71.sh[2881]: #3 0x7fa286a756f4 in _nss_myhostname_gethostbyname4_r ../src/nss-myhostname/nss-myhostname.c:79 testsuite-71.sh[2881]: #4 0x7fa288f17588 in getaddrinfo (/lib64/libc.so.6+0xf4588) testsuite-71.sh[2881]: #5 0x7fa2890a4d93 in __interceptor_getaddrinfo.part.0 (/usr/lib64/libasan.so.8.0.0+0xa4d93) testsuite-71.sh[2881]: #6 0x55a54b2b7159 in ahosts_keys_int.part.0 (/usr/bin/getent.orig+0x4159) testsuite-71.sh[2881]: SUMMARY: AddressSanitizer: 2 byte(s) leaked in 1 allocation(s).

evverx force-pushed the test-if branch 7 times, most recently from a9418b9 to ac09f2c Compare April 29, 2020 09:50

cifuzz: try steps.*.outcome

47886e8

evverx force-pushed the test-if branch from ac09f2c to 47886e8 Compare April 29, 2020 10:06

evverx closed this Apr 29, 2020

evverx pushed a commit that referenced this pull request Mar 21, 2022

man: cross-link to BLS in more places, use "Type #1", "Type #2" as ap…

a0aa383

…propriate

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cifuzz: try steps.*.outcome#1

cifuzz: try steps.*.outcome#1
evverx wants to merge 1 commit intomasterfrom
test-if

evverx commented Apr 29, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

evverx commented Apr 29, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant