mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-01-22 22:03:43 +03:00
json: correctly handle magic strings when parsing variant strv
We can't dereference the variant object directly, as it might be a magic object (which has an address on a faulting page); use json_variant_is_sensitive() instead that handles this case. For example, with an empty array: ==1547789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000023 (pc 0x7fd616ca9a18 bp 0x7ffcba1dc7c0 sp 0x7ffcba1dc6d0 T0) ==1547789==The signal is caused by a READ memory access. ==1547789==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fd616ca9a18 in json_variant_strv ../src/shared/json.c:2190 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7fd61564a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7fd61564a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) DEDUP_TOKEN: json_variant_strv--oci_args--json_dispatch AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ../src/shared/json.c:2190 in json_variant_strv ==1547789==ABORTING Or with an empty string in an array: ../src/shared/json.c:2202:39: runtime error: member access within misaligned address 0x000000000007 for type 'struct JsonVariant', which requires 8 byte alignment 0x000000000007: note: pointer points here <memory cannot be printed> #0 0x7f35f4ca9bcf in json_variant_strv ../src/shared/json.c:2202 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7f35f364a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7f35f364a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/json.c:2202:39 in Note: this happens only if json_variant_copy() in json_variant_set_source() fails. Found by Nallocfuzz.
This commit is contained in:
parent
13f37e6e97
commit
909eb4c01d
@ -2187,7 +2187,7 @@ int json_variant_strv(JsonVariant *v, char ***ret) {
|
||||
if (!json_variant_is_array(v))
|
||||
return -EINVAL;
|
||||
|
||||
sensitive = v->sensitive;
|
||||
sensitive = json_variant_is_sensitive(v);
|
||||
|
||||
size_t n = json_variant_elements(v);
|
||||
l = new(char*, n+1);
|
||||
@ -2198,7 +2198,7 @@ int json_variant_strv(JsonVariant *v, char ***ret) {
|
||||
JsonVariant *e;
|
||||
|
||||
assert_se(e = json_variant_by_index(v, i));
|
||||
sensitive = sensitive || e->sensitive;
|
||||
sensitive = sensitive || json_variant_is_sensitive(e);
|
||||
|
||||
if (!json_variant_is_string(e)) {
|
||||
l[i] = NULL;
|
||||
|
1
test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string
Normal file
1
test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string
Normal file
@ -0,0 +1 @@
|
||||
{"ociVersion":"1.0.0","process":{"args":[]}}
|
1
test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2
Normal file
1
test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2
Normal file
@ -0,0 +1 @@
|
||||
{"ociVersion":"1.0.0","process":{"args":[""]}}
|
Loading…
x
Reference in New Issue
Block a user