New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

networkd: bond - only set packets_per_slave on balance-rr mode #12

Merged
merged 1 commit into from Jun 26, 2015

Conversation

Projects
None yet
3 participants
@marineam

marineam commented Jun 26, 2015

Otherwise the creation of the bond fails.

Required for coreos/coreos-overlay#1282

@vcaputo

This comment has been minimized.

vcaputo commented Jun 26, 2015

Does this fix coreos/bugs#36 ?

@marineam

This comment has been minimized.

marineam commented Jun 26, 2015

@vcaputo don't think so, it is just this simpler bug: systemd#90

@vcaputo

This comment has been minimized.

vcaputo commented Jun 26, 2015

I see, lgtm.

marineam added a commit that referenced this pull request Jun 26, 2015

Merge pull request #12 from marineam/v220-coreos
networkd: bond - only set packets_per_slave on balance-rr mode

@marineam marineam merged commit e959b60 into coreos:v220-coreos Jun 26, 2015

@marineam marineam deleted the marineam:v220-coreos branch Jun 26, 2015

crawford pushed a commit to crawford/systemd that referenced this pull request Apr 28, 2016

shared/machine-pool: fix another mkfs.btrfs checking
Fixes:
       Message: Process 806 (systemd-importd) of user 0 dumped core.

                Stack trace of thread 806:
                #0  0x00007f5eaeff7227 raise (libc.so.6)
                systemd#1  0x00007f5eaeff8e8a abort (libc.so.6)
                systemd#2  0x000055b6d3418f4f log_assert_failed (systemd-importd)
                systemd#3  0x000055b6d3409daf safe_close (systemd-importd)
                systemd#4  0x000055b6d33c25ea closep (systemd-importd)
                systemd#5  0x000055b6d33c38d9 setup_machine_directory (systemd-importd)
                systemd#6  0x000055b6d33b8536 method_pull_tar_or_raw (systemd-importd)
                coreos#7  0x000055b6d33ed097 method_callbacks_run (systemd-importd)
                coreos#8  0x000055b6d33ef929 object_find_and_run (systemd-importd)
                coreos#9  0x000055b6d33eff6b bus_process_object (systemd-importd)
                coreos#10 0x000055b6d3447f77 process_message (systemd-importd)
                coreos#11 0x000055b6d344815a process_running (systemd-importd)
                coreos#12 0x000055b6d3448a10 bus_process_internal (systemd-importd)
                coreos#13 0x000055b6d3448ae1 sd_bus_process (systemd-importd)
                coreos#14 0x000055b6d3449779 time_callback (systemd-importd)
                coreos#15 0x000055b6d3454ff4 source_dispatch (systemd-importd)
                coreos#16 0x000055b6d34562b9 sd_event_dispatch (systemd-importd)
                coreos#17 0x000055b6d34566f8 sd_event_run (systemd-importd)
                coreos#18 0x000055b6d33ba72a bus_event_loop_with_idle (systemd-importd)
                coreos#19 0x000055b6d33b95bc manager_run (systemd-importd)
                coreos#20 0x000055b6d33b9766 main (systemd-importd)
                coreos#21 0x00007f5eaefe2a00 __libc_start_main (libc.so.6)
                coreos#22 0x000055b6d33b5569 _start (systemd-importd)

ajeddeloh pushed a commit to ajeddeloh/systemd that referenced this pull request Jun 9, 2016

systemctl: install sigbus handler (systemd#3435)
This makes systemctl robust regarding journal truncation.
This is a follow-up for 2cf4172

Fixes:
Core was generated by `./systemctl status systemd-journald'.
Program terminated with signal SIGBUS, Bus error.
PID 8569 - core
TID 8569:
 #0  0x00007f246cc89ed6 __memcmp_sse4_1
 systemd#1  0x0000557ebbc6f42c journal_file_init_header
 systemd#2  0x0000557ebbc77262 journal_file_open
 systemd#3  0x0000557ebbc42999 file_type_wanted
 systemd#4  0x0000557ebbc42e08 add_any_file
 systemd#5  0x0000557ebbc43832 add_directory
 systemd#6  0x0000557ebbc4401c add_root_directory
 coreos#7  0x0000557ebbc442e9 add_root_directory
 coreos#8  0x0000557ebbc446fc add_search_paths
 coreos#9  0x0000557ebbbacb5e show_journal_by_unit
 coreos#10 0x0000557ebbb8376d print_status_info
 coreos#11 0x0000557ebbb86a0b show_one
 coreos#12 0x0000557ebbb87954 show
 coreos#13 0x0000557ebbc20b1f dispatch_verb
 coreos#14 0x0000557ebbb90615 systemctl_main
 coreos#15 0x0000557ebbb9159f main
 coreos#16 0x00007f246cb3e731 __libc_start_main
 coreos#17 0x0000557ebbb75ae9 _start

dm0- pushed a commit that referenced this pull request Feb 17, 2017

shared: fix double free in link
Fixes:
```
touch hola.service
systemctl link $(pwd)/hola.service $(pwd)/hola.service
```

```
==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd):
    #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
    systemd#1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83
    systemd#2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89
    systemd#3 0x55637c758c77 in strv_freep src/basic/strv.h:37
    systemd#4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960
    systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
    systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
    #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
    #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
    #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
    #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
    #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
    #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
    #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
    #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
    #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
    #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
    #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
    #18 0x55637c6a2194 in main src/core/main.c:1920
    #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339)

0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573)
freed by thread T0 (systemd) here:
    #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
    systemd#1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630
    systemd#2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602
    systemd#3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996
    systemd#4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985
    systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
    systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
    #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
    #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
    #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
    #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
    #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
    #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
    #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
    #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
    #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
    #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
    #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
    #18 0x55637c6a2194 in main src/core/main.c:1920
        #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)

previously allocated by thread T0 (systemd) here:
    #0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160)
    systemd#1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552
    systemd#2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578
    systemd#3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600
    systemd#4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969
    systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
    systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
    #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
    #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
    #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
    #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
    #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
    #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
    #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
    #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
    #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
    #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
    #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
    #18 0x55637c6a2194 in main src/core/main.c:1920
    #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)

SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free
==1==ABORTING
```

Closes systemd#5015

dm0- pushed a commit that referenced this pull request Feb 17, 2017

sd-network: fix memleak in dhcp6_option_parse_domainname (systemd#5114)
The simplest way to reproduce:
```diff
diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c
index bd289fa..7b0a5ef 100644
--- a/src/libsystemd-network/test-dhcp6-client.c
+++ b/src/libsystemd-network/test-dhcp6-client.c
@@ -168,7 +168,7 @@ static uint8_t msg_advertise[198] = {
         0x00, 0x17, 0x00, 0x10, 0x20, 0x01, 0x0d, 0xb8,
         0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00, 0x0b,
-        0x03, 0x6c, 0x61, 0x62, 0x05, 0x69, 0x6e, 0x74,
+        0x01, 0x6c, 0x01, 0x62, 0x00, 0x0a, 0x6e, 0x74,
         0x72, 0x61, 0x00, 0x00, 0x1f, 0x00, 0x10, 0x20,
         0x01, 0x0d, 0xb8, 0xde, 0xad, 0xbe, 0xef, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
@@ -338,9 +338,7 @@ static int test_advertise_option(sd_event *e) {
         assert_se(!memcmp(addrs, &msg_advertise[124], r * 16));

         r = sd_dhcp6_lease_get_domains(lease, &domains);
-        assert_se(r == 1);
-        assert_se(!strcmp("lab.intra", domains[0]));
-        assert_se(domains[1] == NULL);
+        assert_se(r == -ENOENT);

         r = sd_dhcp6_lease_get_ntp_addrs(lease, &addrs);
         assert_se(r == 1);
```

Fixes:
```
=================================================================
==15043==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x7f13c8564160 in strdup (/lib64/libasan.so.3+0x5a160)
    systemd#1 0x7f13c7caaf69 in strv_extend src/basic/strv.c:552
    systemd#2 0x55f775787230 in dhcp6_option_parse_domainname src/libsystemd-network/dhcp6-option.c:399
    systemd#3 0x55f775788b96 in dhcp6_lease_set_domains src/libsystemd-network/sd-dhcp6-lease.c:225
    systemd#4 0x55f775774b95 in test_advertise_option src/libsystemd-network/test-dhcp6-client.c:287
    systemd#5 0x55f77577883e in main src/libsystemd-network/test-dhcp6-client.c:759
    systemd#6 0x7f13c7589400 in __libc_start_main (/lib64/libc.so.6+0x20400)

Direct leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x7f13c8564160 in strdup (/lib64/libasan.so.3+0x5a160)
    systemd#1 0x7f13c7caaf69 in strv_extend src/basic/strv.c:552
    systemd#2 0x55f775787230 in dhcp6_option_parse_domainname src/libsystemd-network/dhcp6-option.c:399
    systemd#3 0x55f775788b96 in dhcp6_lease_set_domains src/libsystemd-network/sd-dhcp6-lease.c:225
    systemd#4 0x55f775781348 in client_parse_message src/libsystemd-network/sd-dhcp6-client.c:807
    systemd#5 0x55f775781ba2 in client_receive_advertise src/libsystemd-network/sd-dhcp6-client.c:895
    systemd#6 0x55f775782453 in client_receive_message src/libsystemd-network/sd-dhcp6-client.c:994
    #7 0x7f13c7e447f4 in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
    #8 0x7f13c7e471b0 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
    #9 0x7f13c7e47ab3 in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
    #10 0x7f13c7e47c21 in sd_event_loop src/libsystemd/sd-event/sd-event.c:2706
    #11 0x55f77577863c in test_client_solicit src/libsystemd-network/test-dhcp6-client.c:737
    #12 0x55f77577884b in main src/libsystemd-network/test-dhcp6-client.c:760
    #13 0x7f13c7589400 in __libc_start_main (/lib64/libc.so.6+0x20400)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 2 allocation(s).
```

ajeddeloh pushed a commit to ajeddeloh/systemd that referenced this pull request Jan 20, 2018

network: fix memory leak when an netdev was skipped
In general we'd leak anything that was allocated in the first parsing of
netdev, e.g. netdev name, host name, etc. Use normal netdev_unref to make sure
everything is freed.

--- command ---
/home/zbyszek/src/systemd/build2/test-network
--- stderr ---
/etc/systemd/network/wg0.netdev:3: Failed to parse netdev kind, ignoring: wireguard
/etc/systemd/network/wg0.netdev:5: Unknown section 'WireGuard'. Ignoring.
/etc/systemd/network/wg0.netdev:9: Unknown section 'WireGuardPeer'. Ignoring.
NetDev has no Kind configured in /etc/systemd/network/wg0.netdev. Ignoring
/etc/systemd/network/br0.network:13: Unknown lvalue 'NetDev' in section 'Network'
br0: netdev ready

=================================================================
==11666==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x7f3a314cf238 in __interceptor_strdup (/lib64/libasan.so.4+0x77238)
    systemd#1 0x7f3a30e71ad1 in free_and_strdup ../src/basic/string-util.c:870
    systemd#2 0x7f3a30d34fba in config_parse_ifname ../src/shared/conf-parser.c:981
    systemd#3 0x7f3a30d2f5b0 in next_assignment ../src/shared/conf-parser.c:155
    systemd#4 0x7f3a30d30303 in parse_line ../src/shared/conf-parser.c:273
    systemd#5 0x7f3a30d30dee in config_parse ../src/shared/conf-parser.c:390
    systemd#6 0x7f3a30d310a5 in config_parse_many_files ../src/shared/conf-parser.c:428
    coreos#7 0x7f3a30d3181c in config_parse_many ../src/shared/conf-parser.c:487
    coreos#8 0x55b4200f9b00 in netdev_load_one ../src/network/netdev/netdev.c:634
    coreos#9 0x55b4200fb562 in netdev_load ../src/network/netdev/netdev.c:778
    coreos#10 0x55b4200c607a in manager_load_config ../src/network/networkd-manager.c:1299
    coreos#11 0x55b4200818e0 in test_load_config ../src/network/test-network.c:128
    coreos#12 0x55b42008343b in main ../src/network/test-network.c:254
    coreos#13 0x7f3a305f8889 in __libc_start_main (/lib64/libc.so.6+0x20889)

SUMMARY: AddressSanitizer: 4 byte(s) leaked in 1 allocation(s).
-------

dm0- pushed a commit that referenced this pull request Jun 22, 2018

fuzz: skip bus error map in bus_error_name_to_errno()
Fuzzing with AddressSanitizer reports an error here:
==11==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe53f5497d8 at pc 0x7fe53ef055c9 bp 0x7ffd344e9380 sp 0x7ffd344e9378
READ of size 4 at 0x7fe53f5497d8 thread T0
SCARINESS: 27 (4-byte-read-global-buffer-overflow-far-from-bounds)
    #0 0x7fe53ef055c8 in bus_error_name_to_errno /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:118:24
    systemd#1 0x7fe53ef0577b in bus_error_setfv /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:274:17
    systemd#2 0x7fe53ef0595a in sd_bus_error_setf /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:284:21
    systemd#3 0x561059 in manager_load_unit_prepare /work/build/../../src/systemd/src/core/manager.c
    systemd#4 0x560680 in manager_load_unit /work/build/../../src/systemd/src/core/manager.c:1773:13
    systemd#5 0x5d49a6 in unit_add_dependency_by_name /work/build/../../src/systemd/src/core/unit.c:2882:13
    systemd#6 0x538996 in config_parse_unit_deps /work/build/../../src/systemd/src/core/load-fragment.c:152:21
    #7 0x6db771 in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:155:32
    #8 0x6d697e in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:273:16
    #9 0x6d5c48 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:390:21
    #10 0x535678 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-unit-file.c:41:16
    #11 0x73bd60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:517:13
    #12 0x73a39f in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:442:3
    #13 0x73d9bc in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:650:19
    #14 0x73fa05 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:773:5
    #15 0x71f75d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6
    #16 0x71285c in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #17 0x7fe53da0482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x430e68 in _start (/out/fuzz-unit-file+0x430e68)

0x7fe53f5497d8 is located 8 bytes to the right of global variable 'bus_common_errors' defined in '../../src/systemd/src/libsystemd/sd-bus/bus-common-errors.c:28:51' (0x7fe53f549300) of size 1232
SUMMARY: AddressSanitizer: global-buffer-overflow /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:118:24 in bus_error_name_to_errno
Shadow bytes around the buggy address:
  0x0ffd27ea12a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd27ea12b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd27ea12c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd27ea12d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd27ea12e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffd27ea12f0: 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9 f9 f9
  0x0ffd27ea1300: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ffd27ea1310: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ffd27ea1320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd27ea1330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd27ea1340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11==ABORTING

but I think it's a false positive because of our low-level magic in how this
area is constructed.

dm0- pushed a commit that referenced this pull request Jun 22, 2018

basic/random-util: do not use getrandom() under msan
`fuzz-journal-remote` seems to be failing under `msan` as soon as it starts:

$ sudo infra/helper.py run_fuzzer systemd fuzz-journal-remote
Running: docker run --rm -i --privileged -e FUZZING_ENGINE=libfuzzer -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner run_fuzzer fuzz-journal-remote
Using seed corpus: fuzz-journal-remote_seed_corpus.zip
/out/fuzz-journal-remote -rss_limit_mb=2048 -timeout=25 /tmp/fuzz-journal-remote_corpus -max_len=65536 < /dev/null
INFO: Seed: 3380449479
INFO: Loaded 2 modules   (36336 inline 8-bit counters): 36139 [0x7ff36ea31d39, 0x7ff36ea3aa64), 197 [0x9998c8, 0x99998d),
INFO: Loaded 2 PC tables (36336 PCs): 36139 [0x7ff36ea3aa68,0x7ff36eac7d18), 197 [0x999990,0x99a5e0),
INFO:        2 files found in /tmp/fuzz-journal-remote_corpus
INFO: seed corpus: files: 2 min: 4657b max: 7790b total: 12447b rss: 97Mb
Uninitialized bytes in __interceptor_pwrite64 at offset 24 inside [0x7fffdd4d7230, 240)
==15==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7ff36e685e8a in journal_file_init_header /work/build/../../src/systemd/src/journal/journal-file.c:436:13
    systemd#1 0x7ff36e683a9d in journal_file_open /work/build/../../src/systemd/src/journal/journal-file.c:3333:21
    systemd#2 0x7ff36e68b8f6 in journal_file_open_reliably /work/build/../../src/systemd/src/journal/journal-file.c:3520:13
    systemd#3 0x4a3f35 in open_output /work/build/../../src/systemd/src/journal-remote/journal-remote.c:70:13
    systemd#4 0x4a34d0 in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:136:21
    systemd#5 0x4a550f in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:183:13
    systemd#6 0x4a46bd in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:235:13
    #7 0x4a271c in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-journal-remote.c:36:9
    #8 0x4f27cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:524:13
    #9 0x4efa0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:448:3
    #10 0x4f8e96 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:732:7
    #11 0x4f9f73 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:752:3
    #12 0x4bf329 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:756:6
    #13 0x4ac391 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #14 0x7ff36d14982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x41f9d8 in _start (/out/fuzz-journal-remote+0x41f9d8)

  Uninitialized value was stored to memory at
    #0 0x7ff36e61cd41 in sd_id128_randomize /work/build/../../src/systemd/src/libsystemd/sd-id128/sd-id128.c:288:16
    systemd#1 0x7ff36e685cec in journal_file_init_header /work/build/../../src/systemd/src/journal/journal-file.c:426:13
    systemd#2 0x7ff36e683a9d in journal_file_open /work/build/../../src/systemd/src/journal/journal-file.c:3333:21
    systemd#3 0x7ff36e68b8f6 in journal_file_open_reliably /work/build/../../src/systemd/src/journal/journal-file.c:3520:13
    systemd#4 0x4a3f35 in open_output /work/build/../../src/systemd/src/journal-remote/journal-remote.c:70:13
    systemd#5 0x4a34d0 in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:136:21
    systemd#6 0x4a550f in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:183:13
    #7 0x4a46bd in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:235:13
    #8 0x4a271c in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-journal-remote.c:36:9
    #9 0x4f27cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:524:13
    #10 0x4efa0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:448:3
    #11 0x4f8e96 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:732:7
    #12 0x4f9f73 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:752:3
    #13 0x4bf329 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:756:6
    #14 0x4ac391 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #15 0x7ff36d14982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

  Uninitialized value was created by an allocation of 't' in the stack frame of function 'sd_id128_randomize'
    #0 0x7ff36e61cb00 in sd_id128_randomize /work/build/../../src/systemd/src/libsystemd/sd-id128/sd-id128.c:274

SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/journal/journal-file.c:436:13 in journal_file_init_header
Exiting
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='./'; Test unit written to ./crash-847911777b3096783f4ee70a69ab6d28380c810b
[vagrant@localhost oss-fuzz]$ sudo infra/helper.py check_build --sanitizer=memory systemd
Running: docker run --rm -i --privileged -e FUZZING_ENGINE=libfuzzer -e SANITIZER=memory -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner test_all
INFO: performing bad build checks for /out/fuzz-dhcp-server.
INFO: performing bad build checks for /out/fuzz-journal-remote.
INFO: performing bad build checks for /out/fuzz-unit-file.
INFO: performing bad build checks for /out/fuzz-dns-packet.
4 fuzzers total, 0 seem to be broken (0%).
Check build passed.

It's a false positive which is most likely caused by
google/sanitizers#852. I think it could be got around
by avoiding `getrandom` when the code is compiled with `msan`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment