diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-05-31 11:23:20 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-05-31 19:29:07 +0200 |
commit | a88f9dbae2cbd2af6016e7f4dab5b7a0771491c6 (patch) | |
tree | 346d30a31c2b1ebdce8e1d10f8c4b811fbdc221e /src/systemctl/systemctl.h | |
parent | 6b42227edb78193294d8096d39751b5fa45985e7 (diff) | |
download | systemd-a88f9dbae2cbd2af6016e7f4dab5b7a0771491c6.tar.gz |
systemctl: unset const char* arguments in static destructors
When fuzzing, the following happens:
- we parse 'data' and produce an argv array,
- one of the items in argv is assigned to arg_host,
- the argv array is subsequently freed by strv_freep(), and arg_host has a dangling symlink.
In normal use, argv is static, so arg_host can never become a dangling pointer.
In fuzz-systemctl-parse-argv, if we repeatedly parse the same array, we
have some dangling pointers while we're in the middle of parsing. If we parse
the same array a second time, at the end all the dangling pointers will have been
replaced again. But for a short time, if parsing one of the arguments uses another
argument, we would use a dangling pointer.
Such a case occurs when we have --host=… --boot-loader-entry=help. The latter calls
acquire_bus() which uses arg_host.
I'm not particularly happy with making the code more complicated just for
fuzzing, but I think it's better to resolve this, even if the issue cannot
occur in normal invocations, than to deal with fuzzer reports.
Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31714.
Diffstat (limited to 'src/systemctl/systemctl.h')
-rw-r--r-- | src/systemctl/systemctl.h | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/systemctl/systemctl.h b/src/systemctl/systemctl.h index ed8152e3dd..8199ae9e0d 100644 --- a/src/systemctl/systemctl.h +++ b/src/systemctl/systemctl.h @@ -49,7 +49,7 @@ extern char **arg_states; extern char **arg_properties; extern bool arg_all; extern enum dependency arg_dependency; -extern const char *arg_job_mode; +extern const char *_arg_job_mode; extern UnitFileScope arg_scope; extern bool arg_wait; extern bool arg_no_block; @@ -96,4 +96,8 @@ extern bool arg_read_only; extern bool arg_mkdir; extern bool arg_marked; +static inline const char* arg_job_mode(void) { + return _arg_job_mode ?: "replace"; +} + int systemctl_dispatch_parse_argv(int argc, char *argv[]); |