mirror of https://github.com/systemd/systemd.git synced 2024-10-28 03:25:31 +03:00
systemd/test/fuzz
Frantisek Sumsal 909eb4c01d json: correctly handle magic strings when parsing variant strv
We can't dereference the variant object directly, as it might be
a magic object (which has an address on a faulting page); use
json_variant_is_sensitive() instead, which handles this case.

For example, with an empty array:

==1547789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000023 (pc 0x7fd616ca9a18 bp 0x7ffcba1dc7c0 sp 0x7ffcba1dc6d0 T0)
==1547789==The signal is caused by a READ memory access.
==1547789==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7fd616ca9a18 in json_variant_strv ../src/shared/json.c:2190
    #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173
    #2 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400
    #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428
    #4 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400
    #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187
    #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23
    #7 0x40691c in main ../src/fuzz/fuzz-main.c:50
    #8 0x7fd61564a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
    #9 0x7fd61564a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
    #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4)

DEDUP_TOKEN: json_variant_strv--oci_args--json_dispatch
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../src/shared/json.c:2190 in json_variant_strv
==1547789==ABORTING

Or with an empty string in an array:

../src/shared/json.c:2202:39: runtime error: member access within misaligned address 0x000000000007 for type 'struct JsonVariant', which requires 8 byte alignment
0x000000000007: note: pointer points here
<memory cannot be printed>
    #0 0x7f35f4ca9bcf in json_variant_strv ../src/shared/json.c:2202
    #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173
    #2 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400
    #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428
    #4 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400
    #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187
    #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23
    #7 0x40691c in main ../src/fuzz/fuzz-main.c:50
    #8 0x7f35f364a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
    #9 0x7f35f364a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
    #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/json.c:2202:39 in

Note: this happens only if json_variant_copy() in json_variant_set_source() fails.

Found by Nallocfuzz.
2023-05-23 20:18:21 +02:00
fuzz-bootspec fuzz: shorten filename of testcase 2022-12-09 05:01:04 +09:00
fuzz-bus-match fuzz-bus-match: add example from bugzilla#1935084 2021-03-06 09:32:18 +01:00
fuzz-bus-message sd-bus: fix buffer overflow 2022-05-28 10:06:14 +02:00
fuzz-calendarspec shared/calendarspec: fix formatting of entries which collapse to a star 2022-05-10 14:35:57 +02:00
fuzz-catalog fuzz: rename the longest test samples 2022-03-21 11:42:35 +01:00
fuzz-dhcp6-client fuzz: rename test cases for brevity and meaning 2022-05-04 11:51:15 +02:00
fuzz-dhcp-client fuzz: rename test cases for brevity and meaning 2022-05-04 11:51:15 +02:00
fuzz-dhcp-server fuzz: rename samples to avoid long test names 2022-07-05 21:49:12 +02:00
fuzz-dhcp-server-relay fuzz: rename samples to avoid long test names 2022-07-05 21:49:12 +02:00
fuzz-dns-packet fuzz: rename samples to avoid long test names 2022-07-05 21:49:12 +02:00
fuzz-env-file fuzz: add env-file fuzzer 2019-03-11 14:11:28 +01:00
fuzz-etc-hosts resolve: dedup entries in /etc/hosts 2022-12-13 20:37:48 +09:00
fuzz-fido-id-desc udev: Add id program and rule for FIDO security tokens 2019-09-07 02:23:58 +09:00
fuzz-journal-remote fuzz: rename test cases for brevity and meaning 2022-05-04 11:51:15 +02:00
fuzz-journald-audit journald: check whether sscanf has changed the value corresponding to %n 2018-11-17 11:25:19 +01:00
fuzz-journald-kmsg fuzz: rename test cases for brevity and meaning 2022-05-04 11:51:15 +02:00
fuzz-journald-native-fd tests: add a fuzzer for server_process_native_file 2018-11-23 17:29:59 +01:00
fuzz-journald-stream tests: add a fuzzer for journald streams 2018-11-20 03:03:32 +01:00
fuzz-journald-syslog fuzz: unify the "fuzz-regressions" directory with the main corpus 2018-10-02 09:41:25 +02:00
fuzz-json shared/json: fix memleak in sort 2022-05-10 17:08:37 +02:00
fuzz-link-parser meson: Generate fuzzer inputs with directives 2022-10-20 14:43:50 +02:00
fuzz-lldp-rx test: also rename {test,fuzz}-lldp.c 2021-09-27 23:55:11 +09:00
fuzz-manager-serialize fuzz: rename long samples 2023-05-18 15:23:27 +02:00
fuzz-ndisc-rs fuzz: rename samples to avoid long test names 2022-07-05 21:49:12 +02:00
fuzz-netdev-parser meson: Generate fuzzer inputs with directives 2022-10-20 14:43:50 +02:00
fuzz-network-parser fuzz: rename long samples 2023-05-18 15:23:27 +02:00
fuzz-nspawn-oci json: correctly handle magic strings when parsing variant strv 2023-05-23 20:18:21 +02:00
fuzz-nspawn-settings test: update nspawn's basic config file used for fuzzing 2023-05-15 09:00:17 +02:00
fuzz-resource-record fuzz: shorten filename of testcase 2022-12-09 05:01:04 +09:00
fuzz-systemctl-parse-argv fuzz: rename long samples 2023-05-18 15:23:27 +02:00
fuzz-udev-database fuzz: add a sample for fuzz-udev-database 2019-02-26 13:28:30 +09:00
fuzz-udev-rules udev/scsi_id: rename positional arguments 2023-04-11 06:07:03 +09:00
fuzz-unit-file fuzz: rename long samples 2023-05-18 15:23:27 +02:00
fuzz-varlink fuzz: rename samples to avoid long test names 2022-07-05 21:49:12 +02:00
fuzz-xdg-desktop fuzz: rename samples to avoid long test names 2022-07-05 21:49:12 +02:00
.gitattributes gitattributes: introduce and use "generated" attribute 2021-10-18 09:42:55 +02:00
generate-directives.py meson: Generate fuzzer inputs with directives 2022-10-20 14:43:50 +02:00
meson.build meson: Copy files with git only in true git repository 2023-03-02 15:04:40 +00:00