oss-fuzz: fuzz lxc_config_define_add and lxc_config_define_load

.github/workflows/cifuzz.yml

@@ -28,7 +28,7 @@ jobs:
         uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
         with:
           oss-fuzz-project-name: 'lxc'
-          fuzz-seconds: 180
+          fuzz-seconds: 360
           dry-run: false
           sanitizer: ${{ matrix.sanitizer }}
       - name: Upload Crash

src/lxc/confile.c

@@ -3111,7 +3111,9 @@ bool lxc_config_define_load(struct lxc_list *defines, struct lxc_container *c)
 			break;
 	}
 
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 	lxc_config_define_free(defines);
+#endif /* !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
 
 	return bret;
 }
@@ -3125,6 +3127,7 @@ void lxc_config_define_free(struct lxc_list *defines)
 		free(new_item->key);
 		free(new_item->val);
 		lxc_list_del(it);
+		free(it->elem);
 		free(it);
 	}
 }

src/tests/fuzz-lxc-define-load.c

@@ -0,0 +1,64 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "conf.h"
+#include "confile.h"
+#include "lxctest.h"
+#include "utils.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+	__do_free char *new_str = NULL;
+	struct lxc_container *c = NULL;
+	struct lxc_list defines;
+	struct lxc_list *it;
+	__do_close int devnull_fd = -EBADF;
+
+	if (size > 102400)
+		return 0;
+
+	c = lxc_container_new("FUZZ", NULL);
+	lxc_test_assert_abort(c);
+
+	new_str = (char *)malloc(size+1);
+	lxc_test_assert_abort(new_str);
+	memcpy(new_str, data, size);
+	new_str[size] = '\0';
+
+	lxc_list_init(&defines);
+
+	if (lxc_config_define_add(&defines, new_str) < 0)
+		goto out;
+
+	if (!lxc_config_define_load(&defines, c))
+		goto out;
+
+	devnull_fd = open_devnull();
+	lxc_test_assert_abort(devnull_fd >= 0);
+
+	lxc_list_for_each(it, &defines) {
+		__do_free char *val = NULL;
+		struct new_config_item *config_item = it->elem;
+		int len;
+
+		len = c->get_config_item(c, config_item->key, NULL, 0);
+		if (len < 0)
+			continue;
+
+		val = (char *)malloc(len + 1);
+		lxc_test_assert_abort(val);
+
+		if (c->get_config_item(c, config_item->key, val, len + 1) != len)
+			continue;
+
+		if (len > 0)
+			dprintf(devnull_fd, "[%s/%s]\n", config_item->key, val);
+	}
+
+out:
+	lxc_container_put(c);
+	lxc_config_define_free(&defines);
+
+	return 0;
+}

src/tests/oss-fuzz.sh

@@ -43,8 +43,11 @@ sed -i 's/^AC_CHECK_LIB(util/#/' configure.ac
 
 make -j$(nproc)
 
-$CC -c -o fuzz-lxc-config-read.o $CFLAGS -Isrc -Isrc/lxc src/tests/fuzz-lxc-config-read.c
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz-lxc-config-read.o src/lxc/.libs/liblxc.a -o $OUT/fuzz-lxc-config-read
+for fuzz_target_source in src/tests/fuzz-lxc*.c; do
+    fuzz_target_name=$(basename "$fuzz_target_source" ".c")
+    $CC -c -o "$fuzz_target_name.o" $CFLAGS -Isrc -Isrc/lxc "$fuzz_target_source"
+    $CXX $CXXFLAGS $LIB_FUZZING_ENGINE "$fuzz_target_name.o" src/lxc/.libs/liblxc.a -o "$OUT/$fuzz_target_name"
+done
 
 perl -lne 'if (/config_jump_table\[\]\s*=/../^}/) { /"([^"]+)"/ && print "$1=" }' src/lxc/confile.c >doc/examples/keys.conf
 [[ -s doc/examples/keys.conf ]]
@@ -53,3 +56,7 @@ perl -lne 'if (/config_jump_table_net\[\]\s*=/../^}/) { /"([^"]+)"/ && print "lx
 [[ -s doc/examples/lxc-net-keys.conf ]]
 
 zip -r $OUT/fuzz-lxc-config-read_seed_corpus.zip doc/examples
+
+mkdir fuzz-lxc-define-load_seed_corpus
+perl -lne '/([^=]+)/ && print "printf $1= >fuzz-lxc-define-load_seed_corpus/$1"' doc/examples/{keys,lxc-net-keys}.conf | bash
+zip -r $OUT/fuzz-lxc-define-load_seed_corpus.zip fuzz-lxc-define-load_seed_corpus