1. 30 Mar, 2021 8 commits
  2. 29 Mar, 2021 22 commits
  3. 28 Mar, 2021 9 commits
    • Merge pull request #3745 from evverx/ubsan-msan-support · cc19bc54
      Christian Brauner authored
      oss-fuzz/cifuzz: a couple of follow-up commits
    • Merge pull request #3744 from evverx/oss-fuzz-32596 · 94d05c50
      Christian Brauner authored
      confile_utils: fix a signed integer overflow
    • Merge pull request #3743 from brauner/2021-03-27/fixes_3 · db62570f
      Stéphane Graber authored
      oss-fuzz: fixes
    • string_utils: work around an MSan false positive · f6727edb
      Evgeny Vereshchagin authored
      MSan doesn't instrument stpncpy (https://github.com/google/sanitizers/issues/926),
      which causes the fuzzer to fail with:
      ```
      $ cat ../minimized-from-740f56329efc60eab59b8194132b712a873e88a3
      lxc.console.size=123
      
      $ ./out/fuzz-lxc-config-read ../minimized-from-740f56329efc60eab59b8194132b712a873e88a3
      INFO: Seed: 3561494591
      INFO: Loaded 1 modules   (18795 inline 8-bit counters): 18795 [0x866b98, 0x86b503),
      INFO: Loaded 1 PC tables (18795 PCs): 18795 [0x86b508,0x8b4bb8),
      ./out/fuzz-lxc-config-read: Running 1 inputs 1 time(s) each.
      Running: ../minimized-from-740f56329efc60eab59b8194132b712a873e88a3
      ==850885==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x6b3e7f in parse_byte_size_string /home/vagrant/lxc/src/lxc/string_utils.c:912:6
          #1 0x550991 in set_config_console_size /home/vagrant/lxc/src/lxc/confile.c:2483:8
          #2 0x5346e2 in parse_line /home/vagrant/lxc/src/lxc/confile.c:2962:9
          #3 0x64b3cd in lxc_file_for_each_line_mmap /home/vagrant/lxc/src/lxc/parse.c:125:9
          #4 0x53340c in lxc_config_read /home/vagrant/lxc/src/lxc/confile.c:3039:9
          #5 0x4e7ec2 in LLVMFuzzerTestOneInput /home/vagrant/lxc/src/tests/fuzz-lxc-config-read.c:23:2
          #6 0x44ad2c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x44ad2c)
          #7 0x42ca4d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x42ca4d)
          #8 0x433af0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x433af0)
          #9 0x423ff6 in main (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x423ff6)
          #10 0x7f79bdc89081 in __libc_start_main (/lib64/libc.so.6+0x27081)
          #11 0x42402d in _start (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x42402d)
      
        Uninitialized value was created by an allocation of 'dup' in the stack frame of function 'parse_byte_size_string'
          #0 0x6b3330 in parse_byte_size_string /home/vagrant/lxc/src/lxc/string_utils.c:901
      
      SUMMARY: MemorySanitizer: use-of-uninitialized-value /home/vagrant/lxc/src/lxc/string_utils.c:912:6 in parse_byte_size_string
      Exiting
      ```
      
Closes https://oss-fuzz.com/testcase-detail/5829890470445056

      Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
    • cifuzz: turn on MSan · cf0f7aba
      Evgeny Vereshchagin authored
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
    • cifuzz: turn on UBsan · a6fa6772
      Evgeny Vereshchagin authored
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
    • oss-fuzz.sh: take SANITIZER into account · 745d6048
      Evgeny Vereshchagin authored
      to make it possible to build the fuzzer with UBSan and MSan locally
      
      ```
      $ SANITIZER=undefined ./src/tests/oss-fuzz.sh
      $ printf 'lxc.signal.stop=sigrtmax-020000000020' >oss-fuzz-32596
      $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 ./out/fuzz-lxc-config-read oss-fuzz-32596
      INFO: Seed: 595864277
      INFO: Loaded 1 modules   (61553 inline 8-bit counters): 61553 [0x80a1b0, 0x819221),
      INFO: Loaded 1 PC tables (61553 PCs): 61553 [0x819228,0x909938),
      ./out/fuzz-lxc-config-read: Running 1 inputs 1 time(s) each.
      Running: oss-fuzz-32596
      confile_utils.c:1051:20: runtime error: signed integer overflow: 64 - -2147483632 cannot be represented in type 'int'
          #0 0x51799a in rt_sig_num /home/vagrant/lxc/src/lxc/confile_utils.c:1051:20
          #1 0x517268 in sig_parse /home/vagrant/lxc/src/lxc/confile_utils.c:1069:11
          #2 0x500ca4 in set_config_signal_stop /home/vagrant/lxc/src/lxc/confile.c:1738:10
          #3 0x4b8c7c in parse_line /home/vagrant/lxc/src/lxc/confile.c:2962:9
          #4 0x5a5eb0 in lxc_file_for_each_line_mmap /home/vagrant/lxc/src/lxc/parse.c:125:9
      
      ```
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
    • confile_utils: fix a signed integer overflow · e6b35fbf
      Evgeny Vereshchagin authored
      This was triggered by the following chain of conversions:
      
      lxc_safe_uint("020000000020") -> 2147483664 (uint)
      sig_num(2147483664 (uint)) -> -2147483632 (int)
      
      64 - -2147483632 cannot be represented in type 'int'
      
Closes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32596

      Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
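The conversion chain in the commit message above, as an added C example that is not part of the LXC commit: parse_unsigned mirrors the strtoul(base 0) octal interpretation that turns "020000000020" into 2147483664, narrow_to_int_unchecked shows the narrowing to -2147483632 that set up the overflowing subtraction, and rt_sig_from_offset is a hypothetical hardened variant that range-checks the offset while it is still unsigned. EX_SIGRTMAX and EX_SIGRTMIN are constructed stand-ins for the real signal constants, not LXC's code.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed constants standing in for SIGRTMAX/SIGRTMIN; 64 is the
 * value visible in the UBSan report ("64 - -2147483632"). */
#define EX_SIGRTMAX 64
#define EX_SIGRTMIN 34

/* Parse an unsigned integer the way strtoul() with base 0 does: a
 * leading zero selects octal, so "020000000020" yields 2147483664,
 * the same value the commit message reports for lxc_safe_uint(). */
bool parse_unsigned(const char *s, unsigned long *out)
{
	char *end;
	if (s == NULL || !isdigit((unsigned char)*s))
		return false;           /* rejects "", "-1", leading spaces */
	errno = 0;
	unsigned long v = strtoul(s, &end, 0);
	if (errno == ERANGE || *end != '\0')
		return false;           /* out of range or trailing junk */
	*out = v;
	return true;
}

/* The lossy step from the commit message: 2147483664 narrowed to a
 * 32-bit int wraps to -2147483632 (modular conversion on gcc/clang).
 * Subtracting that from 64 is the overflow UBSan flagged. */
int narrow_to_int_unchecked(unsigned long v)
{
	return (int)v;
}

/* Hardened variant (hypothetical, not LXC's fix): accept an offset N for
 * "sigrtmax-N" only when SIGRTMAX - N stays inside [SIGRTMIN, SIGRTMAX].
 * N is bounded while still unsigned, so the int subtraction can't overflow. */
bool rt_sig_from_offset(const char *offset, int *sig)
{
	unsigned long n;
	if (!parse_unsigned(offset, &n))
		return false;
	if (n > (unsigned long)(EX_SIGRTMAX - EX_SIGRTMIN))
		return false;           /* 2147483664 is rejected before any int math */
	*sig = EX_SIGRTMAX - (int)n;
	return true;
}
```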
  4. 27 Mar, 2021 1 commit