Merge pull request #27504 from mrc0mmand/fuzz-manager-serialize

test: add a simple fuzzer for manager serialization

src/core/fuzz-manager-serialize.c

@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <stdio.h>
+
+#include "alloc-util.h"
+#include "fd-util.h"
+#include "fuzz.h"
+#include "manager-serialize.h"
+#include "manager.h"
+#include "service.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+        _cleanup_(manager_freep) Manager *m = NULL;
+        _cleanup_fclose_ FILE *f = NULL, *null = NULL;
+        _cleanup_fdset_free_ FDSet *fdset = NULL;
+
+        /* We don't want to fill the logs with messages about parse errors.
+         * Disable most logging if not running standalone. */
+        if (!getenv("SYSTEMD_LOG_LEVEL")) {
+                log_set_max_level(LOG_CRIT);
+                log_set_target(LOG_TARGET_NULL);
+        }
+
+        assert_se(manager_new(RUNTIME_SCOPE_SYSTEM, MANAGER_TEST_RUN_BASIC, &m) >= 0);
+        /* Set log overrides as well to make it harder for a serialization file
+         * to switch log levels/targets during fuzzing */
+        manager_override_log_level(m, log_get_max_level());
+        manager_override_log_target(m, log_get_target());
+        assert_se(null = fopen("/dev/null", "we"));
+        assert_se(fdset = fdset_new());
+        assert_se(f = data_to_file(data, size));
+
+        (void) manager_deserialize(m, f, fdset);
+        (void) manager_serialize(m, null, fdset, true);
+        (void) manager_serialize(m, null, fdset, false);
+
+        return 0;
+}

src/core/meson.build

@@ -192,4 +192,11 @@ fuzzers += [
                 ],
                 'dependencies' : libmount,
         },
+        {
+                'sources' : files('fuzz-manager-serialize.c'),
+                'link_with' : [
+                        libcore,
+                        libshared
+                ],
+        },
 ]

src/core/service.c

@@ -3219,6 +3219,11 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
         } else if (streq(key, "accept-socket")) {
                 Unit *socket;
 
+                if (u->type != UNIT_SOCKET) {
+                        log_unit_debug(u, "Failed to deserialize accept-socket: unit is not a socket");
+                        return 0;
+                }
+
                 r = manager_load_unit(u->manager, value, NULL, NULL, &socket);
                 if (r < 0)
                         log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value);

src/shared/bpf-program.c

@@ -467,6 +467,9 @@ int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **b
                 return at;
 
         /* The rest is the path */
+        if (isempty(v))
+                return -EINVAL;
+
         l = cunescape(v, 0, &unescaped);
         if (l < 0)
                 return l;

src/shared/varlink.c

@@ -3063,7 +3063,9 @@ int varlink_server_deserialize_one(VarlinkServer *s, const char *value, FDSet *f
         r = safe_atoi(buf, &fd);
         if (r < 0)
                 return log_debug_errno(r, "Unable to parse VarlinkServerSocket varlink-server-socket-fd=%s: %m", buf);
-
+        if (fd < 0)
+                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "VarlinkServerSocket varlink-server-socket-fd= has an invalid value: %d", fd);
         if (!fdset_contains(fds, fd))
                 return log_debug_errno(SYNTHETIC_ERRNO(EBADF),
                                        "VarlinkServerSocket varlink-server-socket-fd= has unknown fd %d: %m", fd);

test/fuzz/fuzz-manager-serialize/crash-4a3d5bed0213b88d06d6f20e7af44a02daf28961

@@ -0,0 +1,5 @@
+current-jobda90d3313a435b56a7-dbus-broker.service-enN2wt
+varlink-server-socket-address=/run/systemd/is.oystem.ManagedOOM varlink-server-socket-fd=-3
+varlink-server-socket-address=/run/systemd/userdb/io.systemd.DynamicUsr varlink-server-socket-fd=44
+
+systemd-udevd-co~ntrassert-timestamp=1682967574856rted-

test/fuzz/fuzz-manager-serialize/crash-9eec6b7ef6fd5c9568189f9259e6ce0546752085

@@ -0,0 +1,10 @@
+current-job-tmp-dir=/niliclrd,ng
+
+plymo-.sliceuth-quiwt-dir=/niliclrd,ng
+
+plymo-.sliceuth-quiwt-ait.service
+srd2043d7818E@96s
+8582967570742745a94
+accept-socket=runn2043ait.service
+srd2043d7818E@96s
+8582967570742745a94

test/fuzz/fuzz-manager-serialize/crash-fc5f5254c946097a774cccec5427289b748e6f2a

@@ -0,0 +1,11 @@
+curr    :er
+82967574637335/dprunning
+
+run-stedm\x2dsysctl.service.mount
+s4002
+te-ewal=0
+stat25 0
+ip-bpf-egress-installed=1651 4116038
+condi/dpad-nriv-j0
+userspmath-pci\x2d0000:00:01.1\x2d0
+ip-bpf-egress-installed=1651 recvmsg6

test/fuzz/fuzz-manager-serialize/state

@@ -0,0 +1,233 @@
+current-job-id=148
+n-installed-jobs=76
+n-failed-jobs=0
+taint-usr=no
+ready-sent=no
+taint-logged=yes
+service-watchdogs=yes
+show-status-overridden=
+log-level-override=
+log-target-override=
+runtime-watchdog-overridden=
+reboot-watchdog-overridden=
+kexec-watchdog-overridden=
+pretimeout-watchdog-overridden=
+pretimeout-watchdog-governor-overridden=
+kernel-timestamp=1682967570742745 0
+userspace-timestamp=1682967574137496 3394743
+security-start-timestamp=1682967574141658 3398906
+security-finish-timestamp=1682967574144881 3402129
+generators-start-timestamp=1682967574184585 3441832
+generators-finish-timestamp=1682967574611957 3869206
+units-load-start-timestamp=1682967574612243 3869490
+units-load-finish-timestamp=1682967574636269 3893517
+units-load-timestamp=1682967579189877 8447124
+env=
+notify-fd=40
+notify-socket=/run/systemd/notify
+cgroups-agent-fd=
+user-lookup=41 42
+subscribed=:1.2
+subscribed=:1.4
+dynamic-user=
+destroy-ipc-uid=
+destroy-ipc-gid=
+exec-runtime=foo tmp-dir=foo var-tmp-dir=foo netns-socket-0=0 netns-socket-1=0 ipcns-socket-0=0 ipcns-socket-1=0
+exec-runtime=systemd-resolved.service tmp-dir=/tmp/systemd-private-a0d7e38d0d2043da90d3313a435b56a7-systemd-resolved.service-9RLwQC var-tmp-dir=/var/tmp/systemd-private-a0d7e38d0d2043da90d3313a435b56a7-systemd-resolved.service-lH60S6
+exec-runtime=systemd-logind.service tmp-dir=/tmp/systemd-private-a0d7e38d0d2043da90d3313a435b56a7-systemd-logind.service-U3Mkrl var-tmp-dir=/var/tmp/systemd-private-a0d7e38d0d2043da90d3313a435b56a7-systemd-logind.service-bLqCAv
+exec-runtime=dbus-broker.service tmp-dir=/tmp/systemd-private-a0d7e38d0d2043da90d3313a435b56a7-dbus-broker.service-tjqGny var-tmp-dir=/var/tmp/systemd-private-a0d7e38d0d2043da90d3313a435b56a7-dbus-broker.service-enN2wt
+varlink-server-socket-address=/run/systemd/io.system.ManagedOOM varlink-server-socket-fd=43
+varlink-server-socket-address=/run/systemd/userdb/io.systemd.DynamicUser varlink-server-socket-fd=44
+
+systemd-udevd-control.socket
+state=running
+result=success
+n-accepted=0
+n-refused=0
+socket=51 5 /run/udev/control
+state-change-timestamp=1682967575463460 4720707
+inactive-exit-timestamp=1682967574856752 4113999
+active-enter-timestamp=1682967574856752 4113999
+condition-timestamp=1682967574856210 4113458
+assert-timestamp=1682967574856251 4113498
+condition-result=yes
+assert-result=yes
+transient=no
+in-audit=no
+exported-invocation-id=no
+exported-log-level-max=no
+exported-log-extra-fields=no
+exported-log-rate-limit-interval=no
+exported-log-rate-limit-burst=no
+cpu-usage-base=
+cpu-usage-last=
+managed-oom-kill-last=
+oom-kill-last=
+cgroup=/system.slice/systemd-udevd-control.socket
+cgroup-realized=no
+cgroup-realized-mask=
+cgroup-enabled-mask=
+cgroup-invalidated-mask=bpf-firewall
+ip-bpf-ingress-installed=
+ip-bpf-egress-installed=
+bpf-device-control-installed=
+ip-bpf-custom-ingress-installed=
+ip-bpf-custom-egress-installed=
+restrict-ifaces-bpf-fd=
+ref-uid=
+ref-gid=
+invocation-id=17e82c0e231b44d9a783ea3e6ddd7357
+freezer-state=running
+markers=
+ref=
+io-accounting-read-bytes-base=
+io-accounting-write-bytes-base=
+io-accounting-read-operations-base=
+io-accounting-write-operations-base=
+ip-accounting-ingress-bytes=
+ip-accounting-ingress-packets=
+ip-accounting-egress-bytes=
+ip-accounting-egress-packets=
+io-accounting-read-bytes-last=
+io-accounting-write-bytes-last=
+io-accounting-read-operations-last=
+io-accounting-write-operations-last=
+job
+job-id=
+job-type=
+job-state=
+job-irreversible=
+job-sent-dbus-new-signal=
+job-ignore-order=
+job-begin=
+job-begin-running=
+subscribed=
+activation-details-unit-type=
+activation-details-unit-name=
+
+
+basic.target
+state=active
+state-change-timestamp=1682967576420561 5677809
+inactive-exit-timestamp=1682967576420561 5677809
+active-enter-timestamp=1682967576420561 5677809
+condition-timestamp=1682967576420494 5677742
+assert-timestamp=1682967576420506 5677753
+condition-result=yes
+assert-result=yes
+transient=no
+in-audit=no
+exported-invocation-id=no
+exported-log-level-max=no
+exported-log-extra-fields=no
+exported-log-rate-limit-interval=no
+exported-log-rate-limit-burst=no
+cpu-usage-base=0
+io-accounting-read-bytes-base=0
+io-accounting-write-bytes-base=0
+io-accounting-read-operations-base=0
+io-accounting-write-operations-base=0
+cgroup-realized=no
+cgroup-invalidated-mask=bpf-firewall
+invocation-id=9c5c2f671fca4512aaf3a1a2ba2272ca
+freezer-state=running
+
+dev-disk-by\x2dpath-pci\x2d0000:00:01.1\x2data\x2d2.0.device
+sysfs=/sys/devices/pci0000:00/0000:00:01.1/ata2/host1/target1:0:0/1:0:0:0/block/sr0
+path=/dev/disk/by-path/pci-0000:00:01.1-ata-2.0
+state=plugged
+found=found-udev
+state-change-timestamp=1682967576333166 5590413
+inactive-exit-timestamp=1682967576333166 5590413
+active-enter-timestamp=1682967576333166 5590413
+transient=no
+in-audit=no
+exported-invocation-id=no
+exported-log-level-max=no
+exported-log-extra-fields=no
+exported-log-rate-limit-interval=no
+exported-log-rate-limit-burst=no
+cpu-usage-base=0
+io-accounting-read-bytes-base=0
+io-accounting-write-bytes-base=0
+io-accounting-read-operations-base=0
+io-accounting-write-operations-base=0
+cgroup-realized=no
+cgroup-invalidated-mask=bpf-firewall
+invocation-id=603717818eb740968fd5e4d4acff07bb
+freezer-state=running
+
+plymouth-quit-wait.service
+state=dead
+result=success
+reload-result=success
+main-pid-known=no
+bus-name-good=no
+bus-name-owner=yes
+n-restarts=0
+flush-n-restarts=no
+forbid-restart=no
+state-change-timestamp=1682967578033073 7290321
+transient=no
+in-audit=no
+exported-invocation-id=no
+exported-log-level-max=no
+exported-log-extra-fields=no
+exported-log-rate-limit-interval=no
+exported-log-rate-limit-burst=no
+cpu-usage-base=0
+io-accounting-read-bytes-base=0
+io-accounting-write-bytes-base=0
+io-accounting-read-operations-base=0
+io-accounting-write-operations-base=0
+cgroup-realized=no
+cgroup-invalidated-mask=bpf-firewall
+freezer-state=running
+
+run-credentials-systemd\x2dsysctl.service.mount
+state=mounted
+result=success
+reload-result=success
+n-retry-umount=0
+state-change-timestamp=1682967574956755 4214002
+inactive-exit-timestamp=1682967574956755 4214002
+active-enter-timestamp=1682967574956755 4214002
+transient=no
+in-audit=no
+exported-invocation-id=no
+exported-log-level-max=no
+exported-log-extra-fields=no
+exported-log-rate-limit-interval=no
+exported-log-rate-limit-burst=no
+cpu-usage-base=0
+io-accounting-read-bytes-base=0
+io-accounting-write-bytes-base=0
+io-accounting-read-operations-base=0
+io-accounting-write-operations-base=0
+cgroup-realized=no
+cgroup-invalidated-mask=bpf-firewall
+invocation-id=63a57e2e3d3a47c28e09dc34fca94c41
+freezer-state=running
+
+system.slice
+state=active
+state-change-timestamp=1682967574637337 3894584
+inactive-exit-timestamp=1682967574637337 3894584
+active-enter-timestamp=1682967574637337 3894584
+transient=no
+in-audit=no
+exported-invocation-id=no
+exported-log-level-max=no
+exported-log-extra-fields=no
+exported-log-rate-limit-interval=no
+exported-log-rate-limit-burst=no
+cpu-usage-base=0
+io-accounting-read-bytes-base=0
+io-accounting-write-bytes-base=0
+io-accounting-read-operations-base=0
+io-accounting-write-operations-base=0
+cgroup=/system.slice
+cgroup-realized=yes
+cgroup-realized-mask=memory pids bpf-firewall bpf-devices
+cgroup-enabled-mask=memory pids
+freezer-state=running