summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorYu Watanabe <watanabe.yu+github@gmail.com>2021-12-31 04:30:43 +0900
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2022-05-12 13:31:11 +0200
commit7593691aadc7e1e9c5f17fd26424abe337d56302 (patch)
tree679f27ca634c56508788eee6d3809c71c1c48005 /src
parent96974ea4a85bee508659f8c36f6a32c6b89646f4 (diff)
downloadsystemd-7593691aadc7e1e9c5f17fd26424abe337d56302.tar.gz
fuzzers: add input size limits, always configure limits in two ways
Without the size limits, oss-fuzz creates huge samples that time out. Usually this is because some of our code has bad algorithmic complexity. For data like configuration samples we don't need to care about this: non-rogue configs are rarely more than a few items, and a bit of a slowdown with a few hundred items is acceptable. This wouldn't be OK for processing of untrusted data though. We need to set the limit in two ways: through .options and in the code. The first because it nicely allows libFuzzer to avoid wasting time, and the second because fuzzers like hongfuzz and afl don't support .options. While at it, let's fix an off-by-one (65535 is the largest offset for a power-of-two size, but we're checking the size here). Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Diffstat (limited to 'src')
-rw-r--r--src/core/fuzz-unit-file.c4
-rw-r--r--src/fuzz/fuzz-bootspec.c2
-rw-r--r--src/fuzz/fuzz-bootspec.options2
-rw-r--r--src/fuzz/fuzz-env-file.c2
-rw-r--r--src/fuzz/fuzz-env-file.options2
-rw-r--r--src/journal-remote/fuzz-journal-remote.c2
-rw-r--r--src/libsystemd/sd-bus/fuzz-bus-match.c3
-rw-r--r--src/libsystemd/sd-bus/fuzz-bus-match.options2
-rw-r--r--src/network/fuzz-netdev-parser.c3
-rw-r--r--src/network/fuzz-netdev-parser.options2
-rw-r--r--src/network/fuzz-network-parser.c2
-rw-r--r--src/network/fuzz-network-parser.options2
-rw-r--r--src/nspawn/fuzz-nspawn-oci.c3
-rw-r--r--src/nspawn/fuzz-nspawn-settings.c3
-rw-r--r--src/resolve/fuzz-dns-packet.options2
-rw-r--r--src/udev/fuzz-udev-rules.c3
-rw-r--r--src/udev/net/fuzz-link-parser.c2
-rw-r--r--src/udev/net/fuzz-link-parser.options2
-rw-r--r--src/xdg-autostart-generator/fuzz-xdg-desktop.c3
-rw-r--r--src/xdg-autostart-generator/fuzz-xdg-desktop.options2
20 files changed, 38 insertions, 10 deletions
diff --git a/src/core/fuzz-unit-file.c b/src/core/fuzz-unit-file.c
index c12e874e2d..81cede2193 100644
--- a/src/core/fuzz-unit-file.c
+++ b/src/core/fuzz-unit-file.c
@@ -21,7 +21,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
const char *name;
long offset;
+ if (size > 65536)
+ return 0;
+
f = data_to_file(data, size);
+
assert_se(f);
if (read_line(f, LINE_MAX, &p) < 0)
diff --git a/src/fuzz/fuzz-bootspec.c b/src/fuzz/fuzz-bootspec.c
index fa9e3f06e0..0594a0dea5 100644
--- a/src/fuzz/fuzz-bootspec.c
+++ b/src/fuzz/fuzz-bootspec.c
@@ -84,7 +84,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(boot_config_free) BootConfig config = BOOT_CONFIG_NULL;
int r;
- if (size > 65535)
+ if (size > 65536)
return 0;
/* Disable most logging if not running standalone */
diff --git a/src/fuzz/fuzz-bootspec.options b/src/fuzz/fuzz-bootspec.options
index 0824b19fab..678d526b1e 100644
--- a/src/fuzz/fuzz-bootspec.options
+++ b/src/fuzz/fuzz-bootspec.options
@@ -1,2 +1,2 @@
[libfuzzer]
-max_len = 65535
+max_len = 65536
diff --git a/src/fuzz/fuzz-env-file.c b/src/fuzz/fuzz-env-file.c
index 3b3e625608..431f172306 100644
--- a/src/fuzz/fuzz-env-file.c
+++ b/src/fuzz/fuzz-env-file.c
@@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_strv_free_ char **rl = NULL, **rlp = NULL;
- if (size > 65535)
+ if (size > 65536)
return 0;
f = data_to_file(data, size);
diff --git a/src/fuzz/fuzz-env-file.options b/src/fuzz/fuzz-env-file.options
index 0824b19fab..678d526b1e 100644
--- a/src/fuzz/fuzz-env-file.options
+++ b/src/fuzz/fuzz-env-file.options
@@ -1,2 +1,2 @@
[libfuzzer]
-max_len = 65535
+max_len = 65536
diff --git a/src/journal-remote/fuzz-journal-remote.c b/src/journal-remote/fuzz-journal-remote.c
index a8e56e21b2..dd7884ee9a 100644
--- a/src/journal-remote/fuzz-journal-remote.c
+++ b/src/journal-remote/fuzz-journal-remote.c
@@ -24,7 +24,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(journal_remote_server_destroy) RemoteServer s = {};
int r;
- if (size <= 2)
+ if (size <= 2 || size > 65536)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/libsystemd/sd-bus/fuzz-bus-match.c b/src/libsystemd/sd-bus/fuzz-bus-match.c
index 0585338e28..39ab62196a 100644
--- a/src/libsystemd/sd-bus/fuzz-bus-match.c
+++ b/src/libsystemd/sd-bus/fuzz-bus-match.c
@@ -15,6 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(sd_bus_unrefp) sd_bus *bus = NULL;
int r;
+ if (size > 65536)
+ return 0;
+
/* We don't want to fill the logs with messages about parse errors.
* Disable most logging if not running standalone */
if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/libsystemd/sd-bus/fuzz-bus-match.options b/src/libsystemd/sd-bus/fuzz-bus-match.options
new file mode 100644
index 0000000000..678d526b1e
--- /dev/null
+++ b/src/libsystemd/sd-bus/fuzz-bus-match.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65536
diff --git a/src/network/fuzz-netdev-parser.c b/src/network/fuzz-netdev-parser.c
index bb4b487ab2..d8cbd2891c 100644
--- a/src/network/fuzz-netdev-parser.c
+++ b/src/network/fuzz-netdev-parser.c
@@ -11,6 +11,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_(unlink_tempfilep) char netdev_config[] = "/tmp/fuzz-networkd.XXXXXX";
+ if (size > 65536)
+ return 0;
+
if (!getenv("SYSTEMD_LOG_LEVEL"))
log_set_max_level(LOG_CRIT);
diff --git a/src/network/fuzz-netdev-parser.options b/src/network/fuzz-netdev-parser.options
new file mode 100644
index 0000000000..678d526b1e
--- /dev/null
+++ b/src/network/fuzz-netdev-parser.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65536
diff --git a/src/network/fuzz-network-parser.c b/src/network/fuzz-network-parser.c
index 9290aa58d6..630c86a98c 100644
--- a/src/network/fuzz-network-parser.c
+++ b/src/network/fuzz-network-parser.c
@@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_(unlink_tempfilep) char network_config[] = "/tmp/fuzz-networkd.XXXXXX";
- if (size > 65535)
+ if (size > 65536)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/network/fuzz-network-parser.options b/src/network/fuzz-network-parser.options
index 0824b19fab..678d526b1e 100644
--- a/src/network/fuzz-network-parser.options
+++ b/src/network/fuzz-network-parser.options
@@ -1,2 +1,2 @@
[libfuzzer]
-max_len = 65535
+max_len = 65536
diff --git a/src/nspawn/fuzz-nspawn-oci.c b/src/nspawn/fuzz-nspawn-oci.c
index 91f2a81dfc..7110a66187 100644
--- a/src/nspawn/fuzz-nspawn-oci.c
+++ b/src/nspawn/fuzz-nspawn-oci.c
@@ -9,6 +9,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_(settings_freep) Settings *s = NULL;
+ if (size > 65536)
+ return 0;
+
f = data_to_file(data, size);
assert_se(f);
diff --git a/src/nspawn/fuzz-nspawn-settings.c b/src/nspawn/fuzz-nspawn-settings.c
index 6b91e1506e..7683814659 100644
--- a/src/nspawn/fuzz-nspawn-settings.c
+++ b/src/nspawn/fuzz-nspawn-settings.c
@@ -9,6 +9,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_fclose_ FILE *f = NULL;
_cleanup_(settings_freep) Settings *s = NULL;
+ if (size > 65536)
+ return 0;
+
f = data_to_file(data, size);
assert_se(f);
diff --git a/src/resolve/fuzz-dns-packet.options b/src/resolve/fuzz-dns-packet.options
index 0824b19fab..678d526b1e 100644
--- a/src/resolve/fuzz-dns-packet.options
+++ b/src/resolve/fuzz-dns-packet.options
@@ -1,2 +1,2 @@
[libfuzzer]
-max_len = 65535
+max_len = 65536
diff --git a/src/udev/fuzz-udev-rules.c b/src/udev/fuzz-udev-rules.c
index 17f5ea121b..0208f8c2d8 100644
--- a/src/udev/fuzz-udev-rules.c
+++ b/src/udev/fuzz-udev-rules.c
@@ -15,6 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-udev-rules.XXXXXX";
int r;
+ if (size > 65536)
+ return 0;
+
if (!getenv("SYSTEMD_LOG_LEVEL"))
log_set_max_level(LOG_CRIT);
diff --git a/src/udev/net/fuzz-link-parser.c b/src/udev/net/fuzz-link-parser.c
index b871a4e23c..5727897305 100644
--- a/src/udev/net/fuzz-link-parser.c
+++ b/src/udev/net/fuzz-link-parser.c
@@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-link-config.XXXXXX";
_cleanup_fclose_ FILE *f = NULL;
- if (size > 65535)
+ if (size > 65536)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/udev/net/fuzz-link-parser.options b/src/udev/net/fuzz-link-parser.options
index 0824b19fab..678d526b1e 100644
--- a/src/udev/net/fuzz-link-parser.options
+++ b/src/udev/net/fuzz-link-parser.options
@@ -1,2 +1,2 @@
[libfuzzer]
-max_len = 65535
+max_len = 65536
diff --git a/src/xdg-autostart-generator/fuzz-xdg-desktop.c b/src/xdg-autostart-generator/fuzz-xdg-desktop.c
index 52ba7ff0a4..0ae27fc39d 100644
--- a/src/xdg-autostart-generator/fuzz-xdg-desktop.c
+++ b/src/xdg-autostart-generator/fuzz-xdg-desktop.c
@@ -17,6 +17,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
_cleanup_(xdg_autostart_service_freep) XdgAutostartService *service = NULL;
_cleanup_(rm_rf_physical_and_freep) char *tmpdir = NULL;
+ if (size > 65536)
+ return 0;
+
/* We don't want to fill the logs with messages about parse errors.
* Disable most logging if not running standalone */
if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/xdg-autostart-generator/fuzz-xdg-desktop.options b/src/xdg-autostart-generator/fuzz-xdg-desktop.options
new file mode 100644
index 0000000000..678d526b1e
--- /dev/null
+++ b/src/xdg-autostart-generator/fuzz-xdg-desktop.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65536
View Lorry Controller Status