fuzzers: ignore size limits when compiled standalone

This way we can still call fuzzers on old samples, but oss-fuzz will not waste its and our time finding overly large inputs.
2024-07-08 20:15:55 +00:00 · 2022-05-12 12:51:11 +02:00 · 2022-05-12 12:51:11 +02:00 · c4f883b78e
commit c4f883b78e
parent 7593691aad
21 changed files with 37 additions and 19 deletions
--- a/meson.build
+++ b/meson.build
@ -50,6 +50,11 @@ endif
 skip_deps = want_ossfuzz or get_option('skip-deps')
 fuzzer_build = want_ossfuzz or want_libfuzzer

+# If we're building *not* for actual fuzzing, allow input samples of any size
+# (for testing and for reproduction of issues discovered with previously-higher
+# limits).
+conf.set10('FUZZ_USE_SIZE_LIMIT', fuzzer_build)
+
 # Create a title-less summary section early, so it ends up first in the output.
 # More items are added later after they have been detected.
 summary({'build mode' : get_option('mode')})
--- a/src/boot/efi/fuzz-bcd.c
+++ b/src/boot/efi/fuzz-bcd.c
@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_free_ void *p = NULL;

        /* This limit was borrowed from src/boot/efi/boot.c */
-        if (size > 100*1024)
+        if (outside_size_range(size, 0, 100*1024))
                return 0;

        if (!getenv("SYSTEMD_LOG_LEVEL"))
--- a/src/core/fuzz-unit-file.c
+++ b/src/core/fuzz-unit-file.c
@ -21,7 +21,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        const char *name;
        long offset;

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        f = data_to_file(data, size);
--- a/src/fuzz/fuzz-bootspec.c
+++ b/src/fuzz/fuzz-bootspec.c
@ -84,7 +84,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_(boot_config_free) BootConfig config = BOOT_CONFIG_NULL;
        int r;

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        /* Disable most logging if not running standalone */
--- a/src/fuzz/fuzz-env-file.c
+++ b/src/fuzz/fuzz-env-file.c
@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_fclose_ FILE *f = NULL;
        _cleanup_strv_free_ char **rl = NULL, **rlp =  NULL;

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        f = data_to_file(data, size);
--- a/src/fuzz/fuzz.h
+++ b/src/fuzz/fuzz.h
@ -4,6 +4,7 @@
 #include <stddef.h>
 #include <stdint.h>

+#include "env-util.h"
 #include "fileio.h"

 /* The entry point into the fuzzer */
@ -15,3 +16,14 @@ static inline FILE* data_to_file(const uint8_t *data, size_t size) {
        else
                return fmemopen_unlocked((char*) data, size, "re");
 }
+
+/* Check if we are within the specified size range.
+ * The upper limit is ignored if FUZZ_USE_SIZE_LIMIT is unset.
+ */
+static inline bool outside_size_range(size_t size, size_t lower, size_t upper) {
+        if (size < lower)
+                return true;
+        if (size > upper)
+                return FUZZ_USE_SIZE_LIMIT;
+        return false;
+}
--- a/src/journal-remote/fuzz-journal-remote.c
+++ b/src/journal-remote/fuzz-journal-remote.c
@ -24,7 +24,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_(journal_remote_server_destroy) RemoteServer s = {};
        int r;

-        if (size <= 2 || size > 65536)
+        if (outside_size_range(size, 3, 65536))
                return 0;

        if (!getenv("SYSTEMD_LOG_LEVEL"))
--- a/src/journal/fuzz-journald-stream.c
+++ b/src/journal/fuzz-journald-stream.c
@ -16,7 +16,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        StdoutStream *stream;
        int v;

-        if (size == 0 || size > 65536)
+        if (outside_size_range(size, 1, 65536))
                return 0;

        if (!getenv("SYSTEMD_LOG_LEVEL"))
--- a/src/libsystemd-network/fuzz-dhcp6-client.c
+++ b/src/libsystemd-network/fuzz-dhcp6-client.c
@ -73,7 +73,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        struct in6_addr hint = { { { 0x3f, 0xfe, 0x05, 0x01, 0xff, 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } } };
        static const char *v1_data = "hogehoge", *v2_data = "foobar";

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        assert_se(sd_event_new(&e) >= 0);
--- a/src/libsystemd-network/fuzz-lldp-rx.c
+++ b/src/libsystemd-network/fuzz-lldp-rx.c
@ -23,7 +23,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_(sd_event_unrefp) sd_event *e = NULL;
        _cleanup_(sd_lldp_rx_unrefp) sd_lldp_rx *lldp_rx = NULL;

-        if (size > 2048)
+        if (outside_size_range(size, 0, 2048))
                return 0;

        assert_se(sd_event_new(&e) == 0);
--- a/src/libsystemd-network/fuzz-ndisc-rs.c
+++ b/src/libsystemd-network/fuzz-ndisc-rs.c
@ -43,7 +43,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_(sd_event_unrefp) sd_event *e = NULL;
        _cleanup_(sd_ndisc_unrefp) sd_ndisc *nd = NULL;

-        if (size > 2048)
+        if (outside_size_range(size, 0, 2048))
                return 0;

        assert_se(sd_event_new(&e) >= 0);
--- a/src/libsystemd/sd-bus/fuzz-bus-match.c
+++ b/src/libsystemd/sd-bus/fuzz-bus-match.c
@ -15,7 +15,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_(sd_bus_unrefp) sd_bus *bus = NULL;
        int r;

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        /* We don't want to fill the logs with messages about parse errors.
--- a/src/network/fuzz-netdev-parser.c
+++ b/src/network/fuzz-netdev-parser.c
@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_fclose_ FILE *f = NULL;
        _cleanup_(unlink_tempfilep) char netdev_config[] = "/tmp/fuzz-networkd.XXXXXX";

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        if (!getenv("SYSTEMD_LOG_LEVEL"))
--- a/src/network/fuzz-network-parser.c
+++ b/src/network/fuzz-network-parser.c
@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_fclose_ FILE *f = NULL;
        _cleanup_(unlink_tempfilep) char network_config[] = "/tmp/fuzz-networkd.XXXXXX";

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        if (!getenv("SYSTEMD_LOG_LEVEL"))
--- a/src/nspawn/fuzz-nspawn-oci.c
+++ b/src/nspawn/fuzz-nspawn-oci.c
@ -9,7 +9,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_fclose_ FILE *f = NULL;
        _cleanup_(settings_freep) Settings *s = NULL;

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        f = data_to_file(data, size);
--- a/src/nspawn/fuzz-nspawn-settings.c
+++ b/src/nspawn/fuzz-nspawn-settings.c
@ -9,7 +9,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_fclose_ FILE *f = NULL;
        _cleanup_(settings_freep) Settings *s = NULL;

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        f = data_to_file(data, size);
--- a/src/resolve/fuzz-dns-packet.c
+++ b/src/resolve/fuzz-dns-packet.c
@ -7,7 +7,7 @@
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;

-        if (size > DNS_PACKET_SIZE_MAX)
+        if (outside_size_range(size, 0, DNS_PACKET_SIZE_MAX))
                return 0;

        assert_se(dns_packet_new(&p, DNS_PROTOCOL_DNS, 0, DNS_PACKET_SIZE_MAX) >= 0);
--- a/src/udev/fido_id/fuzz-fido-id-desc.c
+++ b/src/udev/fido_id/fuzz-fido-id-desc.c
@ -15,8 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        if (!getenv("SYSTEMD_LOG_LEVEL"))
                log_set_max_level(LOG_CRIT);

-        if (size > HID_MAX_DESCRIPTOR_SIZE)
+        if (outside_size_range(size, 0, HID_MAX_DESCRIPTOR_SIZE))
                return 0;
+
        (void) is_fido_security_token_desc(data, size);

        return 0;
--- a/src/udev/fuzz-udev-rules.c
+++ b/src/udev/fuzz-udev-rules.c
@ -15,7 +15,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-udev-rules.XXXXXX";
        int r;

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        if (!getenv("SYSTEMD_LOG_LEVEL"))
--- a/src/udev/net/fuzz-link-parser.c
+++ b/src/udev/net/fuzz-link-parser.c
@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-link-config.XXXXXX";
        _cleanup_fclose_ FILE *f = NULL;

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        if (!getenv("SYSTEMD_LOG_LEVEL"))
--- a/src/xdg-autostart-generator/fuzz-xdg-desktop.c
+++ b/src/xdg-autostart-generator/fuzz-xdg-desktop.c
@ -17,7 +17,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        _cleanup_(xdg_autostart_service_freep) XdgAutostartService *service = NULL;
        _cleanup_(rm_rf_physical_and_freep) char *tmpdir = NULL;

-        if (size > 65536)
+        if (outside_size_range(size, 0, 65536))
                return 0;

        /* We don't want to fill the logs with messages about parse errors.