oss-fuzz: fuzz lxc_config_define_add and lxc_config_define_load

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
lxc · Apr 7, 2021 · cc52125 · cc52125
1 parent 5a624e0
commit cc52125
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 2 deletions.
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
@@ -2847,7 +2847,9 @@ bool lxc_config_define_load(struct lxc_list *defines, struct lxc_container *c)
 			break;
 	}
 
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 	lxc_config_define_free(defines);
+#endif /* !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
 
 	return bret;
 }

diff --git a/src/tests/fuzz-lxc-define-load.c b/src/tests/fuzz-lxc-define-load.c
@@ -0,0 +1,64 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "conf.h"
+#include "confile.h"
+#include "lxctest.h"
+#include "utils.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+	__do_free char *new_str = NULL;
+	struct lxc_container *c = NULL;
+	struct lxc_list defines;
+	struct lxc_list *it;
+	__do_close int devnull_fd = -EBADF;
+
+	if (size > 102400)
+		return 0;
+
+	c = lxc_container_new("FUZZ", NULL);
+	lxc_test_assert_abort(c);
+
+	new_str = (char *)malloc(size+1);
+	lxc_test_assert_abort(new_str);
+	memcpy(new_str, data, size);
+	new_str[size] = '\0';
+
+	lxc_list_init(&defines);
+
+	if (lxc_config_define_add(&defines, new_str) < 0)
+		goto out;
+
+	if (!lxc_config_define_load(&defines, c))
+		goto out;
+
+	devnull_fd = open_devnull();
+	lxc_test_assert_abort(devnull_fd >= 0);
+
+	lxc_list_for_each(it, &defines) {
+		__do_free char *val = NULL;
+		struct new_config_item *config_item = it->elem;
+		int len;
+
+		len = c->get_config_item(c, config_item->key, NULL, 0);
+		if (len < 0)
+			continue;
+
+		val = (char *)malloc(len + 1);
+		lxc_test_assert_abort(val);
+
+		if (c->get_config_item(c, config_item->key, val, len + 1) != len)
+			continue;
+
+		if (len > 0)
+			dprintf(devnull_fd, "[%s/%s]\n", config_item->key, val);
+	}
+
+out:
+	lxc_container_put(c);
+	lxc_config_define_free(&defines);
+
+	return 0;
+}
diff --git a/src/tests/oss-fuzz.sh b/src/tests/oss-fuzz.sh
@@ -43,8 +43,11 @@ sed -i 's/^AC_CHECK_LIB(util/#/' configure.ac
 
 make -j$(nproc)
 
-$CC -c -o fuzz-lxc-config-read.o $CFLAGS -Isrc -Isrc/lxc src/tests/fuzz-lxc-config-read.c
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz-lxc-config-read.o src/lxc/.libs/liblxc.a -o $OUT/fuzz-lxc-config-read
+for fuzz_target_source in src/tests/fuzz-lxc*.c; do
+    fuzz_target_name=$(basename "$fuzz_target_source" ".c")
+    $CC -c -o "$fuzz_target_name.o" $CFLAGS -Isrc -Isrc/lxc "$fuzz_target_source"
+    $CXX $CXXFLAGS $LIB_FUZZING_ENGINE "$fuzz_target_name.o" src/lxc/.libs/liblxc.a -o "$OUT/$fuzz_target_name"
+done
 
 perl -lne 'if (/config_jump_table\[\]\s*=/../^}/) { /"([^"]+)"/ && print "$1=" }' src/lxc/confile.c >doc/examples/keys.conf
 [[ -s doc/examples/keys.conf ]]
@@ -53,3 +56,7 @@ perl -lne 'if (/config_jump_table_net\[\]\s*=/../^}/) { /"([^"]+)"/ && print "lx
 [[ -s doc/examples/lxc-net-keys.conf ]]
 
 zip -r $OUT/fuzz-lxc-config-read_seed_corpus.zip doc/examples
+
+mkdir fuzz-lxc-define-load_seed_corpus
+perl -lne '/([^=]+)/ && print "printf $1= >fuzz-lxc-define-load_seed_corpus/$1"' doc/examples/{keys,lxc-net-keys}.conf | bash
+zip -r $OUT/fuzz-lxc-define-load_seed_corpus.zip fuzz-lxc-define-load_seed_corpus