shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-26 10:03:40 +03:00
Code

Merge pull request #27527 from mrc0mmand/fuzz-manager-serialize

Browse Source 
core: a couple of follow-ups for issues found by fuzz-manager-serialize
This commit is contained in:
Luca Boccassi 2023-05-06 01:53:26 +01:00 committed by GitHub
commit 8069cdc7e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 174 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

240
src/core/socket.c
View File

@ -2597,6 +2597,7 @@ static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
Socket *s = SOCKET(u);
int r;
assert(u);
assert(key);
@ -2651,124 +2652,183 @@ static int socket_deserialize_item(Unit *u, const char *key, const char *value,
s->control_command = s->exec_command[id];
}
} else if (streq(key, "fifo")) {
int fd, skip = 0;
_cleanup_free_ char *fdv = NULL;
bool found = false;
int fd;
if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
r = extract_first_word(&value, &fdv, NULL, 0);
if (r <= 0) {
log_unit_debug(u, "Failed to parse fifo value: %s", value);
else {
bool found = false;
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
p->type == SOCKET_FIFO &&
path_equal_or_files_same(p->path, value+skip, 0)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching fifo socket found: %s", value+skip);
return 0;
}
fd = parse_fd(fdv);
if (fd < 0 || !fdset_contains(fds, fd)) {
log_unit_debug(u, "Invalid fifo value: %s", fdv);
return 0;
}
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
p->type == SOCKET_FIFO &&
path_equal_or_files_same(p->path, value, 0)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching fifo socket found: %s", value);
} else if (streq(key, "special")) {
int fd, skip = 0;
_cleanup_free_ char *fdv = NULL;
bool found = false;
int fd;
if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
r = extract_first_word(&value, &fdv, NULL, 0);
if (r <= 0) {
log_unit_debug(u, "Failed to parse special value: %s", value);
else {
bool found = false;
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
p->type == SOCKET_SPECIAL &&
path_equal_or_files_same(p->path, value+skip, 0)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching special socket found: %s", value+skip);
return 0;
}
fd = parse_fd(fdv);
if (fd < 0 || !fdset_contains(fds, fd)) {
log_unit_debug(u, "Invalid special value: %s", fdv);
return 0;
}
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
p->type == SOCKET_SPECIAL &&
path_equal_or_files_same(p->path, value, 0)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching special socket found: %s", value);
} else if (streq(key, "mqueue")) {
int fd, skip = 0;
_cleanup_free_ char *fdv = NULL;
bool found = false;
int fd;
if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
r = extract_first_word(&value, &fdv, NULL, 0);
if (r <= 0) {
log_unit_debug(u, "Failed to parse mqueue value: %s", value);
else {
bool found = false;
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
p->type == SOCKET_MQUEUE &&
streq(p->path, value+skip)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching mqueue socket found: %s", value+skip);
return 0;
}
fd = parse_fd(fdv);
if (fd < 0 || !fdset_contains(fds, fd)) {
log_unit_debug(u, "Invalid mqueue value: %s", fdv);
return 0;
}
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
p->type == SOCKET_MQUEUE &&
streq(p->path, value)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching mqueue socket found: %s", value);
} else if (streq(key, "socket")) {
int fd, type, skip = 0;
_cleanup_free_ char *fdv = NULL, *typev = NULL;
bool found = false;
int fd, type;
if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
log_unit_debug(u, "Failed to parse socket value: %s", value);
else {
bool found = false;
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
socket_address_is(&p->address, value+skip, type)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching %s socket found: %s",
socket_address_type_to_string(type), value+skip);
r = extract_first_word(&value, &fdv, NULL, 0);
if (r <= 0) {
log_unit_debug(u, "Failed to parse socket fd from value: %s", value);
return 0;
}
fd = parse_fd(fdv);
if (fd < 0 || !fdset_contains(fds, fd)) {
log_unit_debug(u, "Invalid socket fd: %s", fdv);
return 0;
}
r = extract_first_word(&value, &typev, NULL, 0);
if (r <= 0) {
log_unit_debug(u, "Failed to parse socket type from value: %s", value);
return 0;
}
if (safe_atoi(typev, &type) < 0 || type < 0) {
log_unit_debug(u, "Invalid socket type: %s", typev);
return 0;
}
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
socket_address_is(&p->address, value, type)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching %s socket found: %s",
socket_address_type_to_string(type), value);
} else if (streq(key, "netlink")) {
int fd, skip = 0;
_cleanup_free_ char *fdv = NULL;
bool found = false;
int fd;
if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
r = extract_first_word(&value, &fdv, NULL, 0);
if (r <= 0) {
log_unit_debug(u, "Failed to parse socket value: %s", value);
else {
bool found = false;
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
socket_address_is_netlink(&p->address, value+skip)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching netlink socket found: %s", value+skip);
return 0;
}
fd = parse_fd(fdv);
if (fd < 0 || !fdset_contains(fds, fd)) {
log_unit_debug(u, "Invalid socket value: %s", fdv);
return 0;
}
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
socket_address_is_netlink(&p->address, value)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching netlink socket found: %s", value);
} else if (streq(key, "ffs")) {
int fd, skip = 0;
_cleanup_free_ char *fdv = NULL;
bool found = false;
int fd;
if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
r = extract_first_word(&value, &fdv, NULL, 0);
if (r <= 0) {
log_unit_debug(u, "Failed to parse ffs value: %s", value);
else {
bool found = false;
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
p->type == SOCKET_USB_FUNCTION &&
path_equal_or_files_same(p->path, value+skip, 0)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching ffs socket found: %s", value+skip);
return 0;
}
fd = parse_fd(fdv);
if (fd < 0 || !fdset_contains(fds, fd)) {
log_unit_debug(u, "Invalid ffs value: %s", fdv);
return 0;
}
LIST_FOREACH(port, p, s->ports)
if (p->fd < 0 &&
p->type == SOCKET_USB_FUNCTION &&
path_equal_or_files_same(p->path, value, 0)) {
p->fd = fdset_remove(fds, fd);
found = true;
break;
}
if (!found)
log_unit_debug(u, "No matching ffs socket found: %s", value);
} else
log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);

4
src/core/unit.c
View File

@ -6162,7 +6162,9 @@ int activation_details_deserialize(const char *key, const char *value, Activatio
return -EINVAL;
t = unit_type_from_string(value);
if (t == _UNIT_TYPE_INVALID)
/* The activation details vtable has defined ops only for path
* and timer units */
if (!IN_SET(t, UNIT_PATH, UNIT_TIMER))
return -EINVAL;
*details = malloc0(activation_details_vtable[t]->object_size);

14
src/shared/fdset.c
View File

@ -77,6 +77,10 @@ int fdset_put(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
/* Avoid integer overflow in FD_TO_PTR() */
if (fd == INT_MAX)
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing invalid fd: %d", fd);
return set_put(MAKE_SET(s), FD_TO_PTR(fd));
}
@ -115,6 +119,12 @@ bool fdset_contains(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
/* Avoid integer overflow in FD_TO_PTR() */
if (fd == INT_MAX) {
log_debug("Refusing invalid fd: %d", fd);
return false;
}
return !!set_get(MAKE_SET(s), FD_TO_PTR(fd));
}
@ -122,6 +132,10 @@ int fdset_remove(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
/* Avoid integer overflow in FD_TO_PTR() */
if (fd == INT_MAX)
return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Refusing invalid fd: %d", fd);
return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT;
}

BIN
test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-4847017160212480.fuzz Normal file
View File

Binary file not shown.

3
test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384 Normal file
View File

@ -0,0 +1,3 @@
l.socket
socket=2147483647 5

4
test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6207619447259136.fuzz Normal file
View File

@ -0,0 +1,4 @@
d.socket
job
activation-details-unit-type=service