Frantisek Sumsal 3ee1306688 json: correctly handle magic strings when parsing variant strv ... We can't dereference the variant object directly, as it might be a magic object (which has an address on a faulting page); use json_variant_is_sensitive() instead that handles this case. For example, with an empty array: ==1547789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000023 (pc 0x7fd616ca9a18 bp 0x7ffcba1dc7c0 sp 0x7ffcba1dc6d0 T0) ==1547789==The signal is caused by a READ memory access. ==1547789==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fd616ca9a18 in json_variant_strv ../src/shared/json.c:2190 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7fd61564a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7fd61564a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) DEDUP_TOKEN: json_variant_strv--oci_args--json_dispatch AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ../src/shared/json.c:2190 in json_variant_strv ==1547789==ABORTING Or with an empty string in an array: ../src/shared/json.c:2202:39: runtime error: member access within misaligned address 0x000000000007 for type 'struct JsonVariant', which requires 8 byte alignment 0x000000000007: note: pointer points here <memory cannot be printed> #0 0x7f35f4ca9bcf in json_variant_strv ../src/shared/json.c:2202 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7f35f364a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7f35f364a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/json.c:2202:39 in Note: this happens only if json_variant_copy() in json_variant_set_source() fails. Found by Nallocfuzz. (cherry picked from commit 909eb4c01d) (cherry picked from commit 58c1816aa4) (cherry picked from commit 89ab32d166)		2023-06-02 22:45:46 +01:00
..
fuzz-bootspec	bootspec: fix null-dereference-read	2022-12-14 17:52:42 +01:00
fuzz-bus-match	fuzz-bus-match: add example from bugzilla#1935084	2021-03-06 09:32:18 +01:00
fuzz-bus-message	sd-bus: fix buffer overflow	2022-06-02 20:07:10 +02:00
fuzz-calendarspec	shared/calendarspec: fix formatting of entries which collapse to a star	2022-05-10 14:35:57 +02:00
fuzz-catalog	fuzz: rename the longest test samples	2022-03-21 11:42:35 +01:00
fuzz-dhcp6-client	fuzz: rename test cases for brevity and meaning	2022-05-04 11:51:15 +02:00
fuzz-dhcp-client	fuzz: rename test cases for brevity and meaning	2022-05-04 11:51:15 +02:00
fuzz-dhcp-server	fuzz: rename the longest test samples	2022-03-21 11:42:35 +01:00
fuzz-dhcp-server-relay	fuzz: rename fuzz-dhcp-server-relay-message to fuzz-dhcp-server-relay	2022-03-21 11:43:47 +01:00
fuzz-dns-packet	resolve: slightly optimize dns_answer_add()	2020-12-30 04:14:22 +09:00
fuzz-env-file	fuzz: add env-file fuzzer	2019-03-11 14:11:28 +01:00
fuzz-fido-id-desc	udev: Add id program and rule for FIDO security tokens	2019-09-07 02:23:58 +09:00
fuzz-journal-remote	fuzz: rename test cases for brevity and meaning	2022-05-04 11:51:15 +02:00
fuzz-journald-audit	journald: check whether sscanf has changed the value corresponding to %n	2018-11-17 11:25:19 +01:00
fuzz-journald-kmsg	fuzz: rename test cases for brevity and meaning	2022-05-04 11:51:15 +02:00
fuzz-journald-native-fd	tests: add a fuzzer for server_process_native_file	2018-11-23 17:29:59 +01:00
fuzz-journald-stream	tests: add a fuzzer for journald streams	2018-11-20 03:03:32 +01:00
fuzz-journald-syslog	fuzz: unify the "fuzz-regressions" directory with the main corpus	2018-10-02 09:41:25 +02:00
fuzz-json	shared/json: fix memleak in sort	2022-05-10 17:08:37 +02:00
fuzz-link-parser	network,udev/net: add Kind= settings in [Match] section	2022-02-17 23:10:26 +09:00
fuzz-lldp-rx	test: also rename {test,fuzz}-lldp.c	2021-09-27 23:55:11 +09:00
fuzz-ndisc-rs	fuzz: drop too large input	2022-05-16 00:25:18 +01:00
fuzz-netdev-parser	fuzz: rename test cases for brevity and meaning	2022-05-04 11:51:15 +02:00
fuzz-network-parser	fuzz-network-parser: drop ".network" and shorten names	2022-05-04 12:57:48 +02:00
fuzz-nspawn-oci	json: correctly handle magic strings when parsing variant strv	2023-06-02 22:45:46 +01:00
fuzz-nspawn-settings	fuzz: rename test cases for brevity and meaning	2022-05-04 11:51:15 +02:00
fuzz-systemctl-parse-argv	systemctl: unset const char* arguments in static destructors	2021-05-31 19:29:07 +02:00
fuzz-udev-database	fuzz: add a sample for fuzz-udev-database	2019-02-26 13:28:30 +09:00
fuzz-udev-rules	Revert "rules: ubi mtd - add link to named partitions"	2021-07-01 16:50:15 +02:00
fuzz-unit-file	Add ConditionCPUFeature to load-fragment-gperf.gperf (#23076)	2022-04-14 15:30:03 +09:00
fuzz-varlink	shared/varlink: add missing setting of output_buffer_allocated	2019-05-17 15:09:32 +02:00
fuzz-xdg-desktop	xdg-autostart: avoid quadratic behaviour in strv parsing	2020-07-07 12:20:43 +02:00
.gitattributes	gitattributes: introduce and use "generated" attribute	2021-10-18 09:42:55 +02:00
meson.build	meson: pass skip-deps on to the fuzzers as well	2022-02-22 17:50:14 +00:00