Heap-buffer-overflow while processing a transaction #26872

Closed
mrc0mmand opened this issue Mar 17, 2023 · 1 comment · Fixed by #26875
Labels
bug 🐛 Programming errors, that need preferential fixing pid1
@mrc0mmand
Member

systemd version the issue has been seen with

latest main

Used distribution

Fedora 37

Linux kernel version used

No response

CPU architectures issue was seen on

None

Component

No response

Expected behaviour you didn't see

No response

Unexpected behaviour you saw

I tried (again) to tackle #24452, and managed to trigger a heap-buffer-overflow in the transaction processing stuff:

==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000fc720 at pc 0x7f81d567481e bp 0x7fff26241a00 sp 0x7fff262411b0
READ of size 65 at 0x6060000fc720 thread T0 (systemd)
    #0 0x7f81d567481d in printf_common(void*, char const*, __va_list_tag*) (/lib64/libasan.so.8+0x7481d)
    #1 0x7f81d5686ed5 in vasprintf (/lib64/libasan.so.8+0x86ed5)
    #2 0x7f81d391acef in log_format_iovec ../src/basic/log.c:954
    #3 0x7f81d391c024 in log_struct_internal ../src/basic/log.c:1016
    #4 0x7f81d4e72278 in transaction_verify_order_one ../src/core/transaction.c:392
    #5 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #6 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #7 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #8 0x7f81d4e756f6 in transaction_verify_order ../src/core/transaction.c:490
    #9 0x7f81d4e756f6 in transaction_activate ../src/core/transaction.c:727
    #10 0x7f81d4d22f81 in manager_add_job ../src/core/manager.c:1987
    #11 0x7f81d4bfd919 in bus_unit_queue_job_one ../src/core/dbus-unit.c:1776
    #12 0x7f81d4bfeca9 in bus_unit_queue_job ../src/core/dbus-unit.c:1884
    #13 0x7f81d4bff579 in bus_unit_method_start_generic ../src/core/dbus-unit.c:428
    #14 0x7f81d4bcbf9f in method_start_unit_generic ../src/core/dbus-manager.c:749
    #15 0x7f81d4bcc12d in method_start_unit ../src/core/dbus-manager.c:753
    #16 0x7f81d3a38b04 in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406
    #17 0x7f81d3a38b04 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319
    #18 0x7f81d3a3d572 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439
    #19 0x7f81d3a81b18 in process_message ../src/libsystemd/sd-bus/sd-bus.c:2981
    #20 0x7f81d3a81b18 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3023
    #21 0x7f81d3a81b18 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3243
    #22 0x7f81d3a82154 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3270
    #23 0x7f81d3a82d5c in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3627
    #24 0x7f81d3bc54cb in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4159
    #25 0x7f81d3bc6b88 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4780
    #26 0x7f81d3bc73ea in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4841
    #27 0x7f81d4d3b1a3 in manager_loop ../src/core/manager.c:3161
    #28 0x417ff1 in invoke_main_loop ../src/core/main.c:1963
    #29 0x417ff1 in main ../src/core/main.c:3084
    #30 0x7f81d244a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
    #31 0x7f81d244a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
    #32 0x4073b4 in _start (/usr/lib/systemd/systemd+0x4073b4)

0x6060000fc720 is located 0 bytes to the right of 64-byte region [0x6060000fc6e0,0x6060000fc720)
allocated by thread T0 (systemd) here:
    #0 0x7f81d56b95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5)
    #1 0x7f81d3898e77 in greedy_realloc ../src/basic/alloc-util.c:70
    #2 0x7f81d4e71ea2 in merge_unit_ids ../src/core/transaction.c:332
    #3 0x7f81d4e71ea2 in transaction_verify_order_one ../src/core/transaction.c:388
    #4 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #5 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #6 0x7f81d4e73784 in transaction_verify_order_one ../src/core/transaction.c:463
    #7 0x7f81d4e756f6 in transaction_verify_order ../src/core/transaction.c:490
    #8 0x7f81d4e756f6 in transaction_activate ../src/core/transaction.c:727
    #9 0x7f81d4d22f81 in manager_add_job ../src/core/manager.c:1987
    #10 0x7f81d4bfd919 in bus_unit_queue_job_one ../src/core/dbus-unit.c:1776
    #11 0x7f81d4bfeca9 in bus_unit_queue_job ../src/core/dbus-unit.c:1884
    #12 0x7f81d4bff579 in bus_unit_method_start_generic ../src/core/dbus-unit.c:428
    #13 0x7f81d4bcbf9f in method_start_unit_generic ../src/core/dbus-manager.c:749
    #14 0x7f81d4bcc12d in method_start_unit ../src/core/dbus-manager.c:753
    #15 0x7f81d3a38b04 in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406
    #16 0x7f81d3a38b04 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319
    #17 0x7f81d3a3d572 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439
    #18 0x7f81d3a81b18 in process_message ../src/libsystemd/sd-bus/sd-bus.c:2981
    #19 0x7f81d3a81b18 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3023
    #20 0x7f81d3a81b18 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3243
    #21 0x7f81d3a82154 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3270
    #22 0x7f81d3a82d5c in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3627
    #23 0x7f81d3bc54cb in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4159
    #24 0x7f81d3bc6b88 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4780
    #25 0x7f81d3bc73ea in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4841
    #26 0x7f81d4d3b1a3 in manager_loop ../src/core/manager.c:3161
    #27 0x417ff1 in invoke_main_loop ../src/core/main.c:1963
    #28 0x417ff1 in main ../src/core/main.c:3084
    #29 0x7f81d244a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.8+0x7481d) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
==1==ABORTING

To reproduce this replace the contents of test/units/testsuite-60.sh with:

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -eux

for ((i = 0; i < 500; i++)); do
    systemctl list-jobs
    systemd-analyze dump testsuite.target
    systemctl restart --no-block tmp.mount
    systemctl daemon-reexec
    systemd-analyze dump testsuite.target
done

touch /testok

And then simply:

sudo make -C test/TEST-60-MOUNT-RATELIMIT/ clean setup run TEST_NO_QEMU=1 BUILD_DIR=$PWD/build-san TEST_SAVE_JOURNAL=fail

Steps to reproduce the problem

No response

Additional program output to the terminal or log subsystem illustrating the issue

No response

@mrc0mmand mrc0mmand added bug 🐛 Programming errors, that need preferential fixing pid1 labels Mar 17, 2023
@mrc0mmand mrc0mmand added this to the v254 milestone Mar 17, 2023
@evverx
Member

evverx commented Mar 18, 2023

Looks like the backtrace is the same as #24990 (comment). I suspect it was introduced in 15ed3c3 as well.

yuwata added a commit to yuwata/systemd that referenced this issue Mar 18, 2023
…string

Follow-up for 924775e.

The loop runs with `STRV_FOREACH_PAIR()`, hence `if (*(unit_id+1))` is
not a good way to detect if there exists a next entry.

Fixes systemd#26872.
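The commit message above names the defect; the following is an added C reconstruction (not systemd's code, and not taken from the fix) of a merge_unit_ids()-style pair loop, with a FOREACH_PAIR macro standing in for STRV_FOREACH_PAIR(), a switch between the buggy and the fixed next-entry check, and the termination check a consumer would want before passing the buffer to printf-style logging. The names merge_pairs, probe, is_terminated and the sample pairs are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Walk a NULL-terminated string array two entries at a time, in the spirit of
 * systemd's STRV_FOREACH_PAIR(): `key` points at the first element of each
 * pair, `value` at the second. Constructed for this example. */
#define FOREACH_PAIR(key, value, arr)                                  \
        for (char **key = (arr), **value = key ? key + 1 : NULL;       \
             key && *key && *value;                                    \
             key += 2, value = key + 1)

/* Build "<field><unit>\n<field><unit>..." from (unit id, job type) pairs, the
 * shape of merge_unit_ids() in src/core/transaction.c (a reconstruction for
 * illustration, not systemd's code). `fixed` selects the next-entry check.
 * *out_alloc receives the final allocation size in bytes, which the caller
 * needs to inspect the buffer without trusting a terminator to be present. */
static char *merge_pairs(const char *field, char **pairs, int fixed, size_t *out_alloc) {
        char *ans = NULL;
        size_t size = 0;

        FOREACH_PAIR(unit_id, job_type, pairs) {
                (void) job_type;
                size_t next = strlen(field) + strlen(*unit_id);
                char *tmp = realloc(ans, size + next + 1);
                if (!tmp) {
                        free(ans);
                        return NULL;
                }
                ans = tmp;

                /* Writes `next` bytes plus a NUL at ans[size + next]. */
                sprintf(ans + size, "%s%s", field, *unit_id);

                /* Buggy check (what `*(unit_id+1)` tests): unit_id[1] is this
                 * pair's job type and is never NULL inside the loop, so the NUL
                 * written above is replaced by '\n' on the last pair as well and
                 * the finished buffer has no terminator. Fixed check: unit_id[2]
                 * is the next pair's unit id, or the array's terminating NULL. */
                int has_next = fixed ? unit_id[2] != NULL : unit_id[1] != NULL;
                if (has_next)
                        ans[size + next] = '\n';
                size += next + 1;
        }

        *out_alloc = size;
        return ans;
}

/* Defensive check a consumer can run before handing a buffer to printf-style
 * code: is there a NUL somewhere inside the allocation? */
static int is_terminated(const char *buf, size_t alloc) {
        return buf != NULL && memchr(buf, '\0', alloc) != NULL;
}

/* Run one variant over a constructed sample. Returns 1 when the result is
 * terminated and equals `expected`, 0 when it is unterminated (the bug), and
 * -1 on any other mismatch. Frees the buffer in every case. */
static int probe(int fixed, const char *expected) {
        static char *pairs[] = { "a.service", "start", "b.service", "stop", NULL };
        size_t alloc = 0;
        char *buf = merge_pairs("UNIT=", pairs, fixed, &alloc);
        int rc;

        if (!buf)
                return -1;
        if (!is_terminated(buf, alloc))
                rc = 0;                 /* strlen()/printf would over-read here */
        else
                rc = strcmp(buf, expected) == 0 ? 1 : -1;
        free(buf);
        return rc;
}

int main(void) {
        const char *expected = "UNIT=a.service\nUNIT=b.service";
        printf("fixed check -> %d (1 = terminated and correct)\n", probe(1, expected));
        printf("buggy check -> %d (0 = no NUL inside the allocation)\n", probe(0, expected));
        return 0;
}
```

The unterminated buffer is exactly what the ASan reports above show: vasprintf reads past the end of the 64-byte region because no NUL stops it.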
mrc0mmand pushed a commit to mrc0mmand/systemd that referenced this issue Mar 18, 2023
taniishkaaa pushed a commit to taniishkaaa/systemd that referenced this issue Mar 22, 2023
taniishkaaa pushed a commit to taniishkaaa/systemd that referenced this issue Mar 22, 2023
bluca pushed a commit to bluca/systemd that referenced this issue Mar 29, 2023

(cherry picked from commit 366eced)
keszybz pushed a commit to keszybz/systemd that referenced this issue Mar 30, 2023

(cherry picked from commit 366eced)
(cherry picked from commit 7002c5c)
mrc0mmand added a commit to mrc0mmand/systemd that referenced this issue Jun 23, 2023
Provides coverage for systemd#26872.

With systemd#26875 reverted:

[16444.287652] testsuite-03.sh[71]: + for i in {0..19}
[16444.287652] testsuite-03.sh[71]: + systemctl start transaction-cycle0.service
[16444.359503] systemd[1]: =================================================================
[16444.360321] systemd[1]: ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180002e578e at pc 0x7f73b25ec7a6 bp 0x7ffc5531c6f0 sp 0x7ffc5531be68
[16444.360798] systemd[1]:
[16444.361044] systemd[1]: READ of size 783 at 0x6180002e578e thread T0 (systemd)
[16444.391684] systemd[1]:     #0 0x7f73b25ec7a5  (/lib64/libasan.so.5+0x557a5)
[16444.392167] systemd[1]:     #1 0x7f73b260a1d5 in __interceptor_vasprintf (/lib64/libasan.so.5+0x731d5)
[16444.392442] systemd[1]:     #2 0x7f73afa1d1e1 in log_format_iovec ../src/basic/log.c:996
[16444.392750] systemd[1]:     #3 0x7f73afa1e7b6 in log_struct_internal ../src/basic/log.c:1058
[16444.393101] systemd[1]:     #4 0x7f73b1979136 in transaction_verify_order_one ../src/core/transaction.c:392
[16444.393540] systemd[1]:     #5 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463
[16444.393946] systemd[1]:     #6 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463
[16444.394262] systemd[1]:     #7 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463
[16444.394532] systemd[1]:     #8 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463
[16444.394812] systemd[1]:     #9 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463
...
mrc0mmand added a commit to mrc0mmand/systemd that referenced this issue Jun 23, 2023
bluca pushed a commit to bluca/systemd-stable that referenced this issue Jul 7, 2023

(cherry picked from commit 0651e71)
bluca pushed a commit to bluca/systemd-stable that referenced this issue Jul 7, 2023

(cherry picked from commit 0651e71)
bluca pushed a commit to systemd/systemd-stable that referenced this issue Jul 7, 2023

(cherry picked from commit 0651e71)
bluca pushed a commit to bluca/systemd-stable that referenced this issue Jul 7, 2023

(cherry picked from commit 0651e71)
(cherry picked from commit fdc6ce1)
bluca pushed a commit to systemd/systemd-stable that referenced this issue Jul 8, 2023

(cherry picked from commit 0651e71)
(cherry picked from commit fdc6ce1)
bluca pushed a commit to bluca/systemd-stable that referenced this issue Jul 9, 2023

(cherry picked from commit 0651e71)
(cherry picked from commit fdc6ce1)
(cherry picked from commit 4ac2071)
bluca pushed a commit to bluca/systemd-stable that referenced this issue Jul 9, 2023

(cherry picked from commit 0651e71)
(cherry picked from commit fdc6ce1)
(cherry picked from commit 4ac2071)
bluca pushed a commit to bluca/systemd-stable that referenced this issue Jul 9, 2023

(cherry picked from commit 0651e71)
(cherry picked from commit fdc6ce1)
(cherry picked from commit 4ac2071)
bluca pushed a commit to bluca/systemd-stable that referenced this issue Jul 9, 2023

(cherry picked from commit 0651e71)
(cherry picked from commit fdc6ce1)
(cherry picked from commit 4ac2071)
bluca pushed a commit to bluca/systemd-stable that referenced this issue Jul 10, 2023

(cherry picked from commit 0651e71)
(cherry picked from commit fdc6ce1)
(cherry picked from commit 4ac2071)
bluca pushed a commit to systemd/systemd-stable that referenced this issue Jul 10, 2023

(cherry picked from commit 0651e71)
(cherry picked from commit fdc6ce1)
(cherry picked from commit 4ac2071)
valentindavid pushed a commit to valentindavid/systemd that referenced this issue Aug 8, 2023

(cherry picked from commit 366eced)
(cherry picked from commit 7002c5c)
(cherry picked from commit 89f7809)