diff --git a/src/core/socket.c b/src/core/socket.c index 891276fd508..0fd1ad144b0 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -2597,6 +2597,7 @@ static int socket_serialize(Unit *u, FILE *f, FDSet *fds) { static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) { Socket *s = SOCKET(u); + int r; assert(u); assert(key); @@ -2651,124 +2652,183 @@ static int socket_deserialize_item(Unit *u, const char *key, const char *value, s->control_command = s->exec_command[id]; } } else if (streq(key, "fifo")) { - int fd, skip = 0; + _cleanup_free_ char *fdv = NULL; + bool found = false; + int fd; - if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd)) + r = extract_first_word(&value, &fdv, NULL, 0); + if (r <= 0) { log_unit_debug(u, "Failed to parse fifo value: %s", value); - else { - bool found = false; - - LIST_FOREACH(port, p, s->ports) - if (p->fd < 0 && - p->type == SOCKET_FIFO && - path_equal_or_files_same(p->path, value+skip, 0)) { - p->fd = fdset_remove(fds, fd); - found = true; - break; - } - if (!found) - log_unit_debug(u, "No matching fifo socket found: %s", value+skip); + return 0; } + fd = parse_fd(fdv); + if (fd < 0 || !fdset_contains(fds, fd)) { + log_unit_debug(u, "Invalid fifo value: %s", fdv); + return 0; + } + + LIST_FOREACH(port, p, s->ports) + if (p->fd < 0 && + p->type == SOCKET_FIFO && + path_equal_or_files_same(p->path, value, 0)) { + p->fd = fdset_remove(fds, fd); + found = true; + break; + } + if (!found) + log_unit_debug(u, "No matching fifo socket found: %s", value); + } else if (streq(key, "special")) { - int fd, skip = 0; + _cleanup_free_ char *fdv = NULL; + bool found = false; + int fd; - if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd)) + r = extract_first_word(&value, &fdv, NULL, 0); + if (r <= 0) { log_unit_debug(u, "Failed to parse special value: %s", value); - else { - bool found = false; - - LIST_FOREACH(port, p, s->ports) - if (p->fd < 0 && - p->type == SOCKET_SPECIAL && - path_equal_or_files_same(p->path, value+skip, 0)) { - p->fd = fdset_remove(fds, fd); - found = true; - break; - } - if (!found) - log_unit_debug(u, "No matching special socket found: %s", value+skip); + return 0; } + fd = parse_fd(fdv); + if (fd < 0 || !fdset_contains(fds, fd)) { + log_unit_debug(u, "Invalid special value: %s", fdv); + return 0; + } + + LIST_FOREACH(port, p, s->ports) + if (p->fd < 0 && + p->type == SOCKET_SPECIAL && + path_equal_or_files_same(p->path, value, 0)) { + p->fd = fdset_remove(fds, fd); + found = true; + break; + } + if (!found) + log_unit_debug(u, "No matching special socket found: %s", value); + } else if (streq(key, "mqueue")) { - int fd, skip = 0; + _cleanup_free_ char *fdv = NULL; + bool found = false; + int fd; - if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd)) + r = extract_first_word(&value, &fdv, NULL, 0); + if (r <= 0) { log_unit_debug(u, "Failed to parse mqueue value: %s", value); - else { - bool found = false; - - LIST_FOREACH(port, p, s->ports) - if (p->fd < 0 && - p->type == SOCKET_MQUEUE && - streq(p->path, value+skip)) { - p->fd = fdset_remove(fds, fd); - found = true; - break; - } - if (!found) - log_unit_debug(u, "No matching mqueue socket found: %s", value+skip); + return 0; } + fd = parse_fd(fdv); + if (fd < 0 || !fdset_contains(fds, fd)) { + log_unit_debug(u, "Invalid mqueue value: %s", fdv); + return 0; + } + + LIST_FOREACH(port, p, s->ports) + if (p->fd < 0 && + p->type == SOCKET_MQUEUE && + streq(p->path, value)) { + p->fd = fdset_remove(fds, fd); + found = true; + break; + } + if (!found) + log_unit_debug(u, "No matching mqueue socket found: %s", value); + } else if (streq(key, "socket")) { - int fd, type, skip = 0; + _cleanup_free_ char *fdv = NULL, *typev = NULL; + bool found = false; + int fd, type; - if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd)) - log_unit_debug(u, "Failed to parse socket value: %s", value); - else { - bool found = false; - - LIST_FOREACH(port, p, s->ports) - if (p->fd < 0 && - socket_address_is(&p->address, value+skip, type)) { - p->fd = fdset_remove(fds, fd); - found = true; - break; - } - if (!found) - log_unit_debug(u, "No matching %s socket found: %s", - socket_address_type_to_string(type), value+skip); + r = extract_first_word(&value, &fdv, NULL, 0); + if (r <= 0) { + log_unit_debug(u, "Failed to parse socket fd from value: %s", value); + return 0; } + fd = parse_fd(fdv); + if (fd < 0 || !fdset_contains(fds, fd)) { + log_unit_debug(u, "Invalid socket fd: %s", fdv); + return 0; + } + + r = extract_first_word(&value, &typev, NULL, 0); + if (r <= 0) { + log_unit_debug(u, "Failed to parse socket type from value: %s", value); + return 0; + } + + if (safe_atoi(typev, &type) < 0 || type < 0) { + log_unit_debug(u, "Invalid socket type: %s", typev); + return 0; + } + + LIST_FOREACH(port, p, s->ports) + if (p->fd < 0 && + socket_address_is(&p->address, value, type)) { + p->fd = fdset_remove(fds, fd); + found = true; + break; + } + if (!found) + log_unit_debug(u, "No matching %s socket found: %s", + socket_address_type_to_string(type), value); + } else if (streq(key, "netlink")) { - int fd, skip = 0; + _cleanup_free_ char *fdv = NULL; + bool found = false; + int fd; - if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd)) + r = extract_first_word(&value, &fdv, NULL, 0); + if (r <= 0) { log_unit_debug(u, "Failed to parse socket value: %s", value); - else { - bool found = false; - - LIST_FOREACH(port, p, s->ports) - if (p->fd < 0 && - socket_address_is_netlink(&p->address, value+skip)) { - p->fd = fdset_remove(fds, fd); - found = true; - break; - } - if (!found) - log_unit_debug(u, "No matching netlink socket found: %s", value+skip); + return 0; } + fd = parse_fd(fdv); + if (fd < 0 || !fdset_contains(fds, fd)) { + log_unit_debug(u, "Invalid socket value: %s", fdv); + return 0; + } + + LIST_FOREACH(port, p, s->ports) + if (p->fd < 0 && + socket_address_is_netlink(&p->address, value)) { + p->fd = fdset_remove(fds, fd); + found = true; + break; + } + if (!found) + log_unit_debug(u, "No matching netlink socket found: %s", value); + } else if (streq(key, "ffs")) { - int fd, skip = 0; + _cleanup_free_ char *fdv = NULL; + bool found = false; + int fd; - if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd)) + r = extract_first_word(&value, &fdv, NULL, 0); + if (r <= 0) { log_unit_debug(u, "Failed to parse ffs value: %s", value); - else { - bool found = false; - - LIST_FOREACH(port, p, s->ports) - if (p->fd < 0 && - p->type == SOCKET_USB_FUNCTION && - path_equal_or_files_same(p->path, value+skip, 0)) { - p->fd = fdset_remove(fds, fd); - found = true; - break; - } - if (!found) - log_unit_debug(u, "No matching ffs socket found: %s", value+skip); + return 0; } + fd = parse_fd(fdv); + if (fd < 0 || !fdset_contains(fds, fd)) { + log_unit_debug(u, "Invalid ffs value: %s", fdv); + return 0; + } + + LIST_FOREACH(port, p, s->ports) + if (p->fd < 0 && + p->type == SOCKET_USB_FUNCTION && + path_equal_or_files_same(p->path, value, 0)) { + p->fd = fdset_remove(fds, fd); + found = true; + break; + } + if (!found) + log_unit_debug(u, "No matching ffs socket found: %s", value); + } else log_unit_debug(UNIT(s), "Unknown serialization key: %s", key); diff --git a/src/core/unit.c b/src/core/unit.c index c7635a291c5..4e9ae6148f3 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -6162,7 +6162,9 @@ int activation_details_deserialize(const char *key, const char *value, Activatio return -EINVAL; t = unit_type_from_string(value); - if (t == _UNIT_TYPE_INVALID) + /* The activation details vtable has defined ops only for path + * and timer units */ + if (!IN_SET(t, UNIT_PATH, UNIT_TIMER)) return -EINVAL; *details = malloc0(activation_details_vtable[t]->object_size); diff --git a/src/shared/fdset.c b/src/shared/fdset.c index d816a3e4efb..2138ffcdb92 100644 --- a/src/shared/fdset.c +++ b/src/shared/fdset.c @@ -77,6 +77,10 @@ int fdset_put(FDSet *s, int fd) { assert(s); assert(fd >= 0); + /* Avoid integer overflow in FD_TO_PTR() */ + if (fd == INT_MAX) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing invalid fd: %d", fd); + return set_put(MAKE_SET(s), FD_TO_PTR(fd)); } @@ -115,6 +119,12 @@ bool fdset_contains(FDSet *s, int fd) { assert(s); assert(fd >= 0); + /* Avoid integer overflow in FD_TO_PTR() */ + if (fd == INT_MAX) { + log_debug("Refusing invalid fd: %d", fd); + return false; + } + return !!set_get(MAKE_SET(s), FD_TO_PTR(fd)); } @@ -122,6 +132,10 @@ int fdset_remove(FDSet *s, int fd) { assert(s); assert(fd >= 0); + /* Avoid integer overflow in FD_TO_PTR() */ + if (fd == INT_MAX) + return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Refusing invalid fd: %d", fd); + return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT; } diff --git a/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-4847017160212480.fuzz b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-4847017160212480.fuzz new file mode 100644 index 00000000000..13ff22cf4dd Binary files /dev/null and b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-4847017160212480.fuzz differ diff --git a/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384 b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384 new file mode 100644 index 00000000000..d0dca3329c6 --- /dev/null +++ b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6018678331408384 @@ -0,0 +1,3 @@ + +l.socket +socket=2147483647 5 \ No newline at end of file diff --git a/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6207619447259136.fuzz b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6207619447259136.fuzz new file mode 100644 index 00000000000..b3f5c9bae32 --- /dev/null +++ b/test/fuzz/fuzz-manager-serialize/clusterfuzz-testcase-minimized-fuzz-manager-serialize-6207619447259136.fuzz @@ -0,0 +1,4 @@ + +d.socket +job +activation-details-unit-type=service \ No newline at end of file