mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-12-04 07:43:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

fuzzers: add input size limits, always configure limits in two ways

Browse Source 
Without the size limits, oss-fuzz creates huge samples that time out. Usually
this is because some of our code has bad algorithmic complexity. For data like
configuration samples we don't need to care about this: non-rogue configs are
rarely more than a few items, and a bit of a slowdown with a few hundred items
is acceptable. This wouldn't be OK for processing of untrusted data though.

We need to set the limit in two ways: through .options and in the code. The
first because it nicely allows libFuzzer to avoid wasting time, and the second
because fuzzers like hongfuzz and afl don't support .options.

While at it, let's fix an off-by-one (65535 is the largest offset for a
power-of-two size, but we're checking the size here).

Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
This commit is contained in:
Yu Watanabe 2021-12-31 04:30:43 +09:00 committed by Zbigniew Jędrzejewski-Szmek
parent 96974ea4a8
commit 7593691aad
20 changed files with 38 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/core/fuzz-unit-file.c
View File

@ -21,7 +21,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
const char *name;
long offset;
if (size > 65536)
return 0;
f = data_to_file(data, size);
assert_se(f);
if (read_line(f, LINE_MAX, &p) < 0)

2
src/fuzz/fuzz-bootspec.c
View File

@ -84,7 +84,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(boot_config_free) BootConfig config = BOOT_CONFIG_NULL;
int r;
if (size > 65535)
if (size > 65536)
return 0;
/* Disable most logging if not running standalone */

2
src/fuzz/fuzz-bootspec.options
View File

@ -1,2 +1,2 @@
[libfuzzer]
max_len = 65535
max_len = 65536

2
src/fuzz/fuzz-env-file.c
View File

@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_strv_free_ char **rl = NULL, **rlp = NULL;
if (size > 65535)
if (size > 65536)
return 0;
f = data_to_file(data, size);

2
src/fuzz/fuzz-env-file.options
View File

@ -1,2 +1,2 @@
[libfuzzer]
max_len = 65535
max_len = 65536

2
src/journal-remote/fuzz-journal-remote.c
View File

@ -24,7 +24,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(journal_remote_server_destroy) RemoteServer s = {};
int r;
if (size <= 2)
if (size <= 2 || size > 65536)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))

3
src/libsystemd/sd-bus/fuzz-bus-match.c
View File

@ -15,6 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(sd_bus_unrefp) sd_bus *bus = NULL;
int r;
if (size > 65536)
return 0;
/* We don't want to fill the logs with messages about parse errors.
* Disable most logging if not running standalone */
if (!getenv("SYSTEMD_LOG_LEVEL"))

2
src/libsystemd/sd-bus/fuzz-bus-match.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65536

3
src/network/fuzz-netdev-parser.c
View File

@ -11,6 +11,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_(unlink_tempfilep) char netdev_config[] = "/tmp/fuzz-networkd.XXXXXX";
if (size > 65536)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))
log_set_max_level(LOG_CRIT);

2
src/network/fuzz-netdev-parser.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65536

2
src/network/fuzz-network-parser.c
View File

@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_(unlink_tempfilep) char network_config[] = "/tmp/fuzz-networkd.XXXXXX";
if (size > 65535)
if (size > 65536)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))

2
src/network/fuzz-network-parser.options
View File

@ -1,2 +1,2 @@
[libfuzzer]
max_len = 65535
max_len = 65536

3
src/nspawn/fuzz-nspawn-oci.c
View File

@ -9,6 +9,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_(settings_freep) Settings *s = NULL;
if (size > 65536)
return 0;
f = data_to_file(data, size);
assert_se(f);

3
src/nspawn/fuzz-nspawn-settings.c
View File

@ -9,6 +9,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_(settings_freep) Settings *s = NULL;
if (size > 65536)
return 0;
f = data_to_file(data, size);
assert_se(f);

2
src/resolve/fuzz-dns-packet.options
View File

@ -1,2 +1,2 @@
[libfuzzer]
max_len = 65535
max_len = 65536

3
src/udev/fuzz-udev-rules.c
View File

@ -15,6 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-udev-rules.XXXXXX";
int r;
if (size > 65536)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))
log_set_max_level(LOG_CRIT);

2
src/udev/net/fuzz-link-parser.c
View File

@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-link-config.XXXXXX";
_cleanup_fclose_ FILE *f = NULL;
if (size > 65535)
if (size > 65536)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))

2
src/udev/net/fuzz-link-parser.options
View File

@ -1,2 +1,2 @@
[libfuzzer]
max_len = 65535
max_len = 65536

3
src/xdg-autostart-generator/fuzz-xdg-desktop.c
View File

@ -17,6 +17,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(xdg_autostart_service_freep) XdgAutostartService *service = NULL;
_cleanup_(rm_rf_physical_and_freep) char *tmpdir = NULL;
if (size > 65536)
return 0;
/* We don't want to fill the logs with messages about parse errors.
* Disable most logging if not running standalone */
if (!getenv("SYSTEMD_LOG_LEVEL"))

2
src/xdg-autostart-generator/fuzz-xdg-desktop.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65536