mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-06 13:17:44 +03:00
systemd-stable/test/fuzz/fuzz-bus-message
Zbigniew Jędrzejewski-Szmek b17af3e503 bus-message: avoid dereferencing a NULL pointer
We'd try to map a zero-byte buffer from a NULL pointer, which is undefined behaviour.

src/systemd/src/libsystemd/sd-bus/bus-message.c:3161:60: runtime error: applying zero offset to null pointer
    #0 0x7f6ff064e691 in find_part /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3161:60
    #1 0x7f6ff0640788 in message_peek_body /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3283:16
    #2 0x7f6ff064e8db in enter_struct_or_dict_entry /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3967:21
    #3 0x7f6ff06444ac in bus_message_enter_struct /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:4009:13
    #4 0x7f6ff0641dde in sd_bus_message_enter_container /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:4136:21
    #5 0x7f6ff0619874 in sd_bus_message_dump /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-dump.c:178:29
    #6 0x4293d9 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-bus-message.c:39:9
    #7 0x441986 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #8 0x44121e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:3
    #9 0x443164 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:770:7
    #10 0x4434bc in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:799:3
    #11 0x42d2bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:846:6
    #12 0x42978a in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #13 0x7f6fef13c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x407808 in _start (out/fuzz-bus-message+0x407808)
2020-06-22 17:09:49 +02:00
crash-4f0211eb269e28db941961061494bfdbf3345e54 fuzz-bus-message: add two test cases that pass now 2018-10-02 11:53:20 +02:00
crash-26bba7182dedc8848939931d9fcefcb7922f2e56 bus-message: avoid an infinite loop on empty structures 2018-10-02 11:53:20 +02:00
crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e bus-message: do not crash on message with a string of zero length 2018-10-02 11:53:20 +02:00
crash-32bf69483cbd4f2e6d46c25a2f92a472109aee45 fuzz-bus-message: add two test cases that pass now 2018-10-02 11:53:20 +02:00
crash-603dfd98252375ac7dbced53c2ec312671939a36 bus-message: avoid wrap-around when using length read from message 2018-10-02 11:59:08 +02:00
crash-4162a61a79e4c5a832ca5232212f75fa560a1f75 bus-message: return -EBADMSG not -EINVAL on invalid !gvariant messages 2018-10-02 11:53:20 +02:00
crash-37449529b1ad867f0c2671fa80aca5d7812a2b70 bus-message: fix skipping of array fields in !gvariant messages 2018-10-02 11:53:20 +02:00
crash-b88ad9ecf4aacf4a0caca5b5543953265367f084 Introduce free_and_strndup and use it in bus-message.c 2018-10-02 11:42:45 +02:00
crash-c1b37b4729b42c0c05b23cba4eed5d8102498a1e bus-message: let's always use -EBADMSG when the message is bad 2018-10-02 11:53:20 +02:00
crash-d8f3941c74219b4c03532c9b244d5ea539c61af5 bus-message: fix calculation of offsets table for arrays 2018-10-02 11:53:20 +02:00
crash-e1b811da5ca494e494b77c6bd8e1c2f2989425c5 bus-message: fix calculation of offsets table 2018-10-02 11:53:20 +02:00
leak-c09c0e2256d43bc5e2d02748c8d8760e7bc25d20 sd-bus: unify three code-paths which free struct bus_container 2018-10-02 11:53:20 +02:00
message1 fuzz-bus-message: add fuzzer for message parsing 2018-10-02 11:09:05 +02:00
oss-fuzz-14016 bus-message: validate signature in gvariant messages 2019-04-11 14:01:38 +02:00
oss-fuzz-19446 bus-message: fix negative offset with ~empty message 2020-05-20 09:33:54 +02:00
timeout-08ee8f6446a4064db064e8e0b3d220147f7d0b5b bus-message: avoid an infinite loop on empty structures 2018-10-02 11:53:20 +02:00
zero-offset-to-null-pointer bus-message: avoid dereferencing a NULL pointer 2020-06-22 17:09:49 +02:00