1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-06 13:17:44 +03:00
systemd-stable/test/fuzz/fuzz-systemctl-parse-argv
Zbigniew Jędrzejewski-Szmek a88f9dbae2 systemctl: unset const char* arguments in static destructors
When fuzzing, the following happens:
- we parse 'data' and produce an argv array,
- one of the items in argv is assigned to arg_host,
- the argv array is subsequently freed by strv_freep(), and arg_host has a dangling symlink.

In normal use, argv is static, so arg_host can never become a dangling pointer.
In fuzz-systemctl-parse-argv, if we repeatedly parse the same array, we
have some dangling pointers while we're in the middle of parsing. If we parse
the same array a second time, at the end all the dangling pointers will have been
replaced again. But for a short time, if parsing one of the arguments uses another
argument, we would use a dangling pointer.

Such a case occurs when we have --host=… --boot-loader-entry=help. The latter calls
acquire_bus() which uses arg_host.

I'm not particularly happy with making the code more complicated just for
fuzzing, but I think it's better to resolve this, even if the issue cannot
occur in normal invocations, than to deal with fuzzer reports.

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31714.
2021-05-31 19:29:07 +02:00
..
help.input fuzz-systemctl-parse-argv: add "telinit" to the argv[0] list 2021-02-22 14:22:07 +00:00
missing-strv-free.input fuzz-systemctl-parse-argv: call static destuctors 2021-02-16 17:15:11 +01:00
oss-fuzz-31055 basic/alloc-util: also reset the cleaned-up variable in freep() 2021-02-19 15:25:16 +01:00
oss-fuzz-31714 systemctl: unset const char* arguments in static destructors 2021-05-31 19:29:07 +02:00