From c4f883b78e5ffd326a82eaf18e01a9e4e243db58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Thu, 12 May 2022 12:51:11 +0200
Subject: [PATCH] fuzzers: ignore size limits when compiled standalone

This way we can still call fuzzers on old samples, but oss-fuzz will not waste its and our time finding overly large inputs.

---
 meson.build | 5 +++++
 src/boot/efi/fuzz-bcd.c | 2 +-
 src/core/fuzz-unit-file.c | 2 +-
 src/fuzz/fuzz-bootspec.c | 2 +-
 src/fuzz/fuzz-env-file.c | 2 +-
 src/fuzz/fuzz.h | 12 ++++++++++++
 src/journal-remote/fuzz-journal-remote.c | 2 +-
 src/journal/fuzz-journald-stream.c | 2 +-
 src/libsystemd-network/fuzz-dhcp6-client.c | 2 +-
 src/libsystemd-network/fuzz-lldp-rx.c | 2 +-
 src/libsystemd-network/fuzz-ndisc-rs.c | 2 +-
 src/libsystemd/sd-bus/fuzz-bus-match.c | 2 +-
 src/network/fuzz-netdev-parser.c | 2 +-
 src/network/fuzz-network-parser.c | 2 +-
 src/nspawn/fuzz-nspawn-oci.c | 2 +-
 src/nspawn/fuzz-nspawn-settings.c | 2 +-
 src/resolve/fuzz-dns-packet.c | 2 +-
 src/udev/fido_id/fuzz-fido-id-desc.c | 3 ++-
 src/udev/fuzz-udev-rules.c | 2 +-
 src/udev/net/fuzz-link-parser.c | 2 +-
 src/xdg-autostart-generator/fuzz-xdg-desktop.c | 2 +-
 21 files changed, 37 insertions(+), 19 deletions(-)

diff --git a/meson.build b/meson.build
index 7d4233ca7f..e43dcf7d50 100644
--- a/meson.build
+++ b/meson.build
@@ -50,6 +50,11 @@ endif
 skip_deps = want_ossfuzz or get_option('skip-deps')
 fuzzer_build = want_ossfuzz or want_libfuzzer
+# If we're building *not* for actual fuzzing, allow input samples of any size
+# (for testing and for reproduction of issues discovered with previously-higher
+# limits).
+conf.set10('FUZZ_USE_SIZE_LIMIT', fuzzer_build)
+
 # Create a title-less summary section early, so it ends up first in the output.
 # More items are added later after they have been detected.
 summary({'build mode' : get_option('mode')})
diff --git a/src/boot/efi/fuzz-bcd.c b/src/boot/efi/fuzz-bcd.c
index 3df55a5c36..e56183c4f0 100644
--- a/src/boot/efi/fuzz-bcd.c
+++ b/src/boot/efi/fuzz-bcd.c
@@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_free_ void *p = NULL;
 /* This limit was borrowed from src/boot/efi/boot.c */
- if (size > 100*1024)
+ if (outside_size_range(size, 0, 100*1024))
 return 0;
 if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/core/fuzz-unit-file.c b/src/core/fuzz-unit-file.c
index 81cede2193..058be6aa74 100644
--- a/src/core/fuzz-unit-file.c
+++ b/src/core/fuzz-unit-file.c
@@ -21,7 +21,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 const char *name;
 long offset;
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 f = data_to_file(data, size);
diff --git a/src/fuzz/fuzz-bootspec.c b/src/fuzz/fuzz-bootspec.c
index 0594a0dea5..c26cc94db9 100644
--- a/src/fuzz/fuzz-bootspec.c
+++ b/src/fuzz/fuzz-bootspec.c
@@ -84,7 +84,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(boot_config_free) BootConfig config = BOOT_CONFIG_NULL;
 int r;
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 /* Disable most logging if not running standalone */
diff --git a/src/fuzz/fuzz-env-file.c b/src/fuzz/fuzz-env-file.c
index 431f172306..6217361b2e 100644
--- a/src/fuzz/fuzz-env-file.c
+++ b/src/fuzz/fuzz-env-file.c
@@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_fclose_ FILE *f = NULL;
 _cleanup_strv_free_ char **rl = NULL, **rlp = NULL;
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 f = data_to_file(data, size);
diff --git a/src/fuzz/fuzz.h b/src/fuzz/fuzz.h
index d7cbb0bb16..04c438edaf 100644
--- a/src/fuzz/fuzz.h
+++ b/src/fuzz/fuzz.h
@@ -4,6 +4,7 @@
 #include
 #include
+#include "env-util.h"
 #include "fileio.h"
 /* The entry point into the fuzzer */
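Review bot: The context comment `/* This limit was borrowed from src/boot/efi/boot.c */` now describes a bound that only holds in fuzzer builds; with FUZZ_USE_SIZE_LIMIT at 0, standalone runs will hand images above 100 KiB to the BCD parser, which the production caller in boot.c apparently rejects before parsing. A crash found that way has to be triaged against the caller's own check before it is reported as reachable, which is worth saying at the call site. Suggest `/* Borrowed from src/boot/efi/boot.c; enforced only in fuzzer builds, so standalone runs may feed sizes boot.c never passes in. */`. The function body continues outside the hunk.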
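Review bot: `#include "env-util.h"` is added to fuzz.h, but nothing the patch adds to this header uses an env-util function: the new helper further down only compares size_t values and reads the FUZZ_USE_SIZE_LIMIT macro. It looks like a leftover from an environment-variable-driven version of the switch; since fuzz.h is pulled into every fuzzer, an unused include there is a small but permanent cost, so drop it or add a one-line comment naming what needs it.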
@@ -15,3 +16,14 @@ static inline FILE* data_to_file(const uint8_t *data, size_t size) {
 else
 return fmemopen_unlocked((char*) data, size, "re");
 }
+
+/* Check if we are within the specified size range.
+ * The upper limit is ignored if FUZZ_USE_SIZE_LIMIT is unset.
+ */
+static inline bool outside_size_range(size_t size, size_t lower, size_t upper) {
+ if (size < lower)
+ return true;
+ if (size > upper)
+ return FUZZ_USE_SIZE_LIMIT;
+ return false;
+}
diff --git a/src/journal-remote/fuzz-journal-remote.c b/src/journal-remote/fuzz-journal-remote.c
index dd7884ee9a..db10c2b012 100644
--- a/src/journal-remote/fuzz-journal-remote.c
+++ b/src/journal-remote/fuzz-journal-remote.c
@@ -24,7 +24,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(journal_remote_server_destroy) RemoteServer s = {};
 int r;
- if (size <= 2 || size > 65536)
+ if (outside_size_range(size, 3, 65536))
 return 0;
 if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/journal/fuzz-journald-stream.c b/src/journal/fuzz-journald-stream.c
index 8a979df3ce..67e990ab7c 100644
--- a/src/journal/fuzz-journald-stream.c
+++ b/src/journal/fuzz-journald-stream.c
@@ -16,7 +16,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 StdoutStream *stream;
 int v;
- if (size == 0 || size > 65536)
+ if (outside_size_range(size, 1, 65536))
 return 0;
 if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/libsystemd-network/fuzz-dhcp6-client.c b/src/libsystemd-network/fuzz-dhcp6-client.c
index 32e35510e5..3b53c5c6a8 100644
--- a/src/libsystemd-network/fuzz-dhcp6-client.c
+++ b/src/libsystemd-network/fuzz-dhcp6-client.c
@@ -73,7 +73,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 struct in6_addr hint = { { { 0x3f, 0xfe, 0x05, 0x01, 0xff, 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } } };
 static const char *v1_data = "hogehoge", *v2_data = "foobar";
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 assert_se(sd_event_new(&e) >= 0);
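Review bot: The header comment on outside_size_range says the upper limit is ignored when FUZZ_USE_SIZE_LIMIT is "unset", but the meson hunk defines it with conf.set10, so it is always 0 or 1, and a genuinely undefined macro would turn `return FUZZ_USE_SIZE_LIMIT;` into a compile error rather than a disabled check. The comment also leaves out the asymmetry every caller now depends on: the lower bound is enforced unconditionally while only the upper bound is a fuzzing-time budget. Suggest replacing the three comment lines with `/* Returns true if size is outside [lower, upper]. The lower bound always applies; the upper bound is a fuzzing budget and is only enforced when FUZZ_USE_SIZE_LIMIT is 1 (oss-fuzz/libFuzzer builds). */`. Returning the macro directly also relies on it being exactly 0 or 1 to fit a bool; `return FUZZ_USE_SIZE_LIMIT != 0;` makes that independent of how the build system spells the value.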
diff --git a/src/libsystemd-network/fuzz-lldp-rx.c b/src/libsystemd-network/fuzz-lldp-rx.c
index 6ee623fa11..6419075a4a 100644
--- a/src/libsystemd-network/fuzz-lldp-rx.c
+++ b/src/libsystemd-network/fuzz-lldp-rx.c
@@ -23,7 +23,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(sd_event_unrefp) sd_event *e = NULL;
 _cleanup_(sd_lldp_rx_unrefp) sd_lldp_rx *lldp_rx = NULL;
- if (size > 2048)
+ if (outside_size_range(size, 0, 2048))
 return 0;
 assert_se(sd_event_new(&e) == 0);
diff --git a/src/libsystemd-network/fuzz-ndisc-rs.c b/src/libsystemd-network/fuzz-ndisc-rs.c
index 20350d449c..b294611fab 100644
--- a/src/libsystemd-network/fuzz-ndisc-rs.c
+++ b/src/libsystemd-network/fuzz-ndisc-rs.c
@@ -43,7 +43,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(sd_event_unrefp) sd_event *e = NULL;
 _cleanup_(sd_ndisc_unrefp) sd_ndisc *nd = NULL;
- if (size > 2048)
+ if (outside_size_range(size, 0, 2048))
 return 0;
 assert_se(sd_event_new(&e) >= 0);
diff --git a/src/libsystemd/sd-bus/fuzz-bus-match.c b/src/libsystemd/sd-bus/fuzz-bus-match.c
index 39ab62196a..f74394bcde 100644
--- a/src/libsystemd/sd-bus/fuzz-bus-match.c
+++ b/src/libsystemd/sd-bus/fuzz-bus-match.c
@@ -15,7 +15,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(sd_bus_unrefp) sd_bus *bus = NULL;
 int r;
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 /* We don't want to fill the logs with messages about parse errors.
diff --git a/src/network/fuzz-netdev-parser.c b/src/network/fuzz-netdev-parser.c
index d8cbd2891c..77e87e9c43 100644
--- a/src/network/fuzz-netdev-parser.c
+++ b/src/network/fuzz-netdev-parser.c
@@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_fclose_ FILE *f = NULL;
 _cleanup_(unlink_tempfilep) char netdev_config[] = "/tmp/fuzz-networkd.XXXXXX";
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/network/fuzz-network-parser.c b/src/network/fuzz-network-parser.c
index 630c86a98c..0c9d6d2110 100644
--- a/src/network/fuzz-network-parser.c
+++ b/src/network/fuzz-network-parser.c
@@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_fclose_ FILE *f = NULL;
 _cleanup_(unlink_tempfilep) char network_config[] = "/tmp/fuzz-networkd.XXXXXX";
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/nspawn/fuzz-nspawn-oci.c b/src/nspawn/fuzz-nspawn-oci.c
index 7110a66187..5d0383479b 100644
--- a/src/nspawn/fuzz-nspawn-oci.c
+++ b/src/nspawn/fuzz-nspawn-oci.c
@@ -9,7 +9,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_fclose_ FILE *f = NULL;
 _cleanup_(settings_freep) Settings *s = NULL;
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 f = data_to_file(data, size);
diff --git a/src/nspawn/fuzz-nspawn-settings.c b/src/nspawn/fuzz-nspawn-settings.c
index 7683814659..40ee78438d 100644
--- a/src/nspawn/fuzz-nspawn-settings.c
+++ b/src/nspawn/fuzz-nspawn-settings.c
@@ -9,7 +9,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_fclose_ FILE *f = NULL;
 _cleanup_(settings_freep) Settings *s = NULL;
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 f = data_to_file(data, size);
diff --git a/src/resolve/fuzz-dns-packet.c b/src/resolve/fuzz-dns-packet.c
index b9a0aa1216..de5ee20434 100644
--- a/src/resolve/fuzz-dns-packet.c
+++ b/src/resolve/fuzz-dns-packet.c
@@ -7,7 +7,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
- if (size > DNS_PACKET_SIZE_MAX)
+ if (outside_size_range(size, 0, DNS_PACKET_SIZE_MAX))
 return 0;
 assert_se(dns_packet_new(&p, DNS_PROTOCOL_DNS, 0, DNS_PACKET_SIZE_MAX) >= 0);
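Review bot: In fuzz-dns-packet.c the bound being relaxed is not a fuzzing budget but the protocol maximum that is also passed to `dns_packet_new(&p, DNS_PROTOCOL_DNS, 0, DNS_PACKET_SIZE_MAX)` on the next line, so in a standalone build an input larger than DNS_PACKET_SIZE_MAX now reaches a packet whose max size is smaller than the input. Whatever appends `data` to the packet is outside the hunk; if that call is wrapped in assert_se() rather than checked, oversized old samples will abort the harness instead of being skipped, which works against the reproduction use-case in the commit message. Either confirm the append path returns an error for size > DNS_PACKET_SIZE_MAX, or keep this one cap unconditional with `if (size > DNS_PACKET_SIZE_MAX) return 0;` and a comment that it mirrors a protocol limit rather than a time budget. The function body continues outside the hunk.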
diff --git a/src/udev/fido_id/fuzz-fido-id-desc.c b/src/udev/fido_id/fuzz-fido-id-desc.c
index 44d66df1a0..dd2ae5b3ac 100644
--- a/src/udev/fido_id/fuzz-fido-id-desc.c
+++ b/src/udev/fido_id/fuzz-fido-id-desc.c
@@ -15,8 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 if (!getenv("SYSTEMD_LOG_LEVEL"))
 log_set_max_level(LOG_CRIT);
- if (size > HID_MAX_DESCRIPTOR_SIZE)
+ if (outside_size_range(size, 0, HID_MAX_DESCRIPTOR_SIZE))
 return 0;
+
 (void) is_fido_security_token_desc(data, size);
 return 0;
diff --git a/src/udev/fuzz-udev-rules.c b/src/udev/fuzz-udev-rules.c
index 0208f8c2d8..255d5df757 100644
--- a/src/udev/fuzz-udev-rules.c
+++ b/src/udev/fuzz-udev-rules.c
@@ -15,7 +15,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-udev-rules.XXXXXX";
 int r;
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/udev/net/fuzz-link-parser.c b/src/udev/net/fuzz-link-parser.c
index 5727897305..c809791bc1 100644
--- a/src/udev/net/fuzz-link-parser.c
+++ b/src/udev/net/fuzz-link-parser.c
@@ -11,7 +11,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-link-config.XXXXXX";
 _cleanup_fclose_ FILE *f = NULL;
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/xdg-autostart-generator/fuzz-xdg-desktop.c b/src/xdg-autostart-generator/fuzz-xdg-desktop.c
index 0ae27fc39d..084c907307 100644
--- a/src/xdg-autostart-generator/fuzz-xdg-desktop.c
+++ b/src/xdg-autostart-generator/fuzz-xdg-desktop.c
@@ -17,7 +17,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 _cleanup_(xdg_autostart_service_freep) XdgAutostartService *service = NULL;
 _cleanup_(rm_rf_physical_and_freep) char *tmpdir = NULL;
- if (size > 65536)
+ if (outside_size_range(size, 0, 65536))
 return 0;
 /* We don't want to fill the logs with messages about parse errors.