Merge pull request #10817 from evverx/audit-fuzzer

Add a fuzzer for process_audit_string

src/fuzz/fuzz-journald-audit.c

@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "fuzz.h"
+#include "fuzz-journald.h"
+#include "journald-audit.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+        Server s;
+
+        dummy_server_init(&s, data, size);
+        process_audit_string(&s, 0, s.buffer, size);
+        server_done(&s);
+
+        return 0;
+}

src/fuzz/fuzz-journald-kmsg.c

@@ -1,29 +1,17 @@
 /* SPDX-License-Identifier: LGPL-2.1+ */
 
 #include "fuzz.h"
+#include "fuzz-journald.h"
 #include "journald-kmsg.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-        Server s = {};
-        _cleanup_free_ char *buffer = NULL;
+        Server s;
 
         if (size == 0)
                 return 0;
 
-        s = (Server) {
-                .syslog_fd = -1,
-                .native_fd = -1,
-                .stdout_fd = -1,
-                .dev_kmsg_fd = -1,
-                .audit_fd = -1,
-                .hostname_fd = -1,
-                .notify_fd = -1,
-                .storage = STORAGE_NONE,
-        };
-        assert_se(sd_event_default(&s.event) >= 0);
-        buffer = memdup(data, size);
-        assert_se(buffer);
-        dev_kmsg_record(&s, buffer, size);
+        dummy_server_init(&s, data, size);
+        dev_kmsg_record(&s, s.buffer, size);
         server_done(&s);
 
         return 0;

src/fuzz/fuzz-journald.c

@@ -5,12 +5,29 @@
 #include "journald-server.h"
 #include "sd-event.h"
 
+void dummy_server_init(Server *s, const uint8_t *buffer, size_t size) {
+        *s = (Server) {
+                .syslog_fd = -1,
+                .native_fd = -1,
+                .stdout_fd = -1,
+                .dev_kmsg_fd = -1,
+                .audit_fd = -1,
+                .hostname_fd = -1,
+                .notify_fd = -1,
+                .storage = STORAGE_NONE,
+        };
+        assert_se(sd_event_default(&s->event) >= 0);
+        s->buffer = memdup_suffix0(buffer, size);
+        assert_se(s->buffer);
+        s->buffer_size = size + 1;
+}
+
 void fuzz_journald_processing_function(
                 const uint8_t *data,
                 size_t size,
                 void (*f)(Server *s, const char *buf, size_t raw_len, const struct ucred *ucred, const struct timeval *tv, const char *label, size_t label_len)
         ) {
-        Server s = {};
+        Server s;
         char *label = NULL;
         size_t label_len = 0;
         struct ucred *ucred = NULL;
@@ -19,12 +36,7 @@ void fuzz_journald_processing_function(
         if (size == 0)
                 return;
 
-        assert_se(sd_event_default(&s.event) >= 0);
-        s.syslog_fd = s.native_fd = s.stdout_fd = s.dev_kmsg_fd = s.audit_fd = s.hostname_fd = s.notify_fd = -1;
-        s.buffer = memdup_suffix0(data, size);
-        assert_se(s.buffer);
-        s.buffer_size = size + 1;
-        s.storage = STORAGE_NONE;
+        dummy_server_init(&s, data, size);
         (*f)(&s, s.buffer, size, ucred, tv, label, label_len);
         server_done(&s);
 }

src/fuzz/fuzz-journald.h

@@ -3,6 +3,8 @@
 
 #include "journald-server.h"
 
+void dummy_server_init(Server *s, const uint8_t *buffer, size_t size);
+
 void fuzz_journald_processing_function(
                 const uint8_t *data,
                 size_t size,

src/fuzz/meson.build

@@ -51,7 +51,14 @@ fuzzers += [
           libshared],
          [libmount]],
 
-        [['src/fuzz/fuzz-journald-kmsg.c'],
+        [['src/fuzz/fuzz-journald-audit.c',
+          'src/fuzz/fuzz-journald.c'],
+         [libjournal_core,
+          libshared],
+         [libselinux]],
+
+        [['src/fuzz/fuzz-journald-kmsg.c',
+          'src/fuzz/fuzz-journald.c'],
          [libjournal_core,
           libshared],
          [libselinux]],

src/journal/journald-audit.c

@@ -313,7 +313,7 @@ static int map_all_fields(
         }
 }
 
-static void process_audit_string(Server *s, int type, const char *data, size_t size) {
+void process_audit_string(Server *s, int type, const char *data, size_t size) {
         size_t n_iov_allocated = 0, n_iov = 0, z;
         _cleanup_free_ struct iovec *iov = NULL;
         uint64_t seconds, msec, id;
@@ -341,11 +341,12 @@ static void process_audit_string(Server *s, int type, const char *data, size_t s
         if (!p)
                 return;
 
+        k = 0;
         if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
                    &seconds,
                    &msec,
                    &id,
-                   &k) != 3)
+                   &k) != 3 || k == 0)
                 return;
 
         p += k;

src/journal/journald-audit.h

@@ -6,4 +6,6 @@
 
 void server_process_audit_message(Server *s, const void *buffer, size_t buffer_size, const struct ucred *ucred, const union sockaddr_union *sa, socklen_t salen);
 
+void process_audit_string(Server *s, int type, const char *data, size_t size);
+
 int server_open_audit(Server*s);

test/fuzz/fuzz-journald-audit/basic

@@ -0,0 +1 @@
+audit(1542398162.211:744): pid=7376 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="vagrant" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'

test/fuzz/fuzz-journald-audit/crash

@@ -0,0 +1 @@
+audit(1542398162.211:744) pid=7376 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="vagrant" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'