`fuzz-unit-file` seems to fail as soon as it starts when being run under `msan` #8474

evverx · 2018-03-17T09:29:06Z

I don't know why OSS-Fuzz hasn't reported this yet, so I'll leave it here:

$ sudo python infra/helper.py run_fuzzer systemd fuzz-unit-file
Running: docker run --rm -i --privileged -e FUZZING_ENGINE=libfuzzer -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner run_fuzzer fuzz-unit-file
Using seed corpus: fuzz-unit-file_seed_corpus.zip
/out/fuzz-unit-file -rss_limit_mb=2048 -timeout=25 /tmp/input < /dev/null
INFO: Seed: 2068745949
INFO: Loaded 2 modules   (51132 inline 8-bit counters): 32527 [0x7f22c0d9ea49, 0x7f22c0da6958), 18605 [0xe08248, 0xe0caf5),
INFO: Loaded 2 PC tables (51132 PCs): 32527 [0x7f22c0da6958,0x7f22c0e25a48), 18605 [0xe0caf8,0xe555c8),
INFO:       12 files found in /tmp/input
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 13911 bytes
INFO: seed corpus: files: 12 min: 14b max: 13911b total: 23606b rss: 103Mb
==9==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f22c068ae44 in trim_cb /work/build/../../src/systemd/src/basic/cgroup-util.c:726:13
    #1 0x7f22bf3973cc  (/lib/x86_64-linux-gnu/libc.so.6+0xf93cc)
    #2 0x7f22bf3977fd  (/lib/x86_64-linux-gnu/libc.so.6+0xf97fd)
    #3 0x7f22c068a400 in cg_trim /work/build/../../src/systemd/src/basic/cgroup-util.c:744:13
    #4 0x6535fd in manager_shutdown_cgroup /work/build/../../src/systemd/src/core/cgroup.c:2310:24
    #5 0x4fc740 in manager_free /work/build/../../src/systemd/src/core/manager.c:1200:9
    #6 0x4b2fc0 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-unit-file.c:59:1
    #7 0x8a7e05 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:517:13
    #8 0x8a4fcc in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:442:3
    #9 0x8af909 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:725:7
    #10 0x8b0283 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:741:3
    #11 0x8751c4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6
    #12 0x8605c1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #13 0x7f22bf2be82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x433b38 in _start (/out/fuzz-unit-file+0x433b38)

  Uninitialized value was created by an allocation of 'fs' in the stack frame of function 'cg_unified_update'
    #0 0x7f22c069b5d0 in cg_unified_update /work/build/../../src/systemd/src/basic/cgroup-util.c:2473

SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/basic/cgroup-util.c:726:13 in trim_cb
Unique heap origins: 156
Stack depot allocated bytes: 14656
Unique origin histories: 9
History depot allocated bytes: 216
Exiting
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x73,0x77,0x61,0x70,0xa,0x5b,0x55,0x6e,0x69,0x74,0x5d,0xa,0x53,0x6f,0x75,0x72,0x63,0x65,0x50,0x61,0x74,0x68,0x3d,0x2f,0x65,0x74,0x63,0x2f,0x66,0x73,0x74,0x61,0x62,0xa,0x44,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x61,0x74,0x69,0x6f,0x6e,0x3d,0x6d,0x61,0x6e,0x3a,0x66,0x73,0x74,0x61,0x62,0x28,0x35,0x29,0x20,0x6d,0x61,0x6e,0x3a,0x73,0x79,0x73,0x74,0x65,0x6d,0x64,0x2d,0x66,0x73,0x74,0x61,0x62,0x2d,0x67,0x65,0x6e,0x65,0x72,0x61,0x74,0x6f,0x72,0x28,0x38,0x29,0xa,0xa,0x5b,0x53,0x77,0x61,0x70,0x5d,0xa,0x57,0x68,0x61,0x74,0x3d,0x2f,0x64,0x65,0x76,0x2f,0x6d,0x61,0x70,0x70,0x65,0x72,0x2f,0x66,0x65,0x64,0x6f,0x72,0x61,0x5f,0x6b,0x72,0x6f,0x77,0x6b,0x61,0x2d,0x73,0x77,0x61,0x70,0xa,0x4f,0x70,0x74,0x69,0x6f,0x6e,0x73,0x3d,0x64,0x65,0x66,0x61,0x75,0x6c,0x74,0x73,0x2c,0x78,0x2d,0x73,0x79,0x73,0x74,0x65,0x6d,0x64,0x2e,0x64,0x65,0x76,0x69,0x63,0x65,0x2d,0x74,0x69,0x6d,0x65,0x6f,0x75,0x74,0x3d,0x30,0xa,0x50,0x72,0x69,0x6f,0x72,0x69,0x74,0x79,0x3d,0x31,0x31,0xa,0x54,0x69,0x6d,0x65,0x6f,0x75,0x74,0x53,0x65,0x63,0x3d,0x31,0x32,0x33,0x68,0x20,0x35,0x6d,0x69,0x6e,0x20,0x32,0x79,0xa,
swap\x0a[Unit]\x0aSourcePath=/etc/fstab\x0aDocumentation=man:fstab(5) man:systemd-fstab-generator(8)\x0a\x0a[Swap]\x0aWhat=/dev/mapper/fedora_krowka-swap\x0aOptions=defaults,x-systemd.device-timeout=0\x0aPriority=11\x0aTimeoutSec=123h 5min 2y\x0a
artifact_prefix='./'; Test unit written to ./crash-6c77a8b9d7093986c7e7de2899e40a77bca0ee74
Base64: c3dhcApbVW5pdF0KU291cmNlUGF0aD0vZXRjL2ZzdGFiCkRvY3VtZW50YXRpb249bWFuOmZzdGFiKDUpIG1hbjpzeXN0ZW1kLWZzdGFiLWdlbmVyYXRvcig4KQoKW1N3YXBdCldoYXQ9L2Rldi9tYXBwZXIvZmVkb3JhX2tyb3drYS1zd2FwCk9wdGlvbnM9ZGVmYXVsdHMseC1zeXN0ZW1kLmRldmljZS10aW1lb3V0PTAKUHJpb3JpdHk9MTEKVGltZW91dFNlYz0xMjNoIDVtaW4gMnkK

root@4864645ed27b:/src/systemd# clang --version
clang version 7.0.0 (trunk 325667)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin

The text was updated successfully, but these errors were encountered:

keszybz · 2018-03-17T10:25:21Z

I see it too now.

evverx · 2018-03-17T19:00:46Z

The error is likely to be silenced by zeroing fs, but I'll leave another observation here in case anyone would decide to find out what is happening: the test fails when it is run at least two times in a row. Everything is fine when -runs 1 is passed to the fuzzer:

$ sudo python infra/helper.py reproduce systemd fuzz-unit-file ~/systemd/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886 -runs=1
Running: docker run --rm -i --privileged -v /home/vagrant/oss-fuzz/build/out/systemd:/out -v /home/vagrant/systemd/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6886:/testcase -t gcr.io/oss-fuzz-base/base
-runner reproduce fuzz-unit-file -runs=100 -runs=1
+ DEBUGGER=
+ FUZZER=fuzz-unit-file
+ shift
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export PATH=/out:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/out
+ PATH=/out:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/out
+ cd /out
+ /out/fuzz-unit-file -rss_limit_mb=2048 -timeout=25 -runs=100 -runs=1 /testcase
INFO: Seed: 3127249706
INFO: Loaded 2 modules   (51132 inline 8-bit counters): 32527 [0x7f8fd45b3a49, 0x7f8fd45bb958), 18605 [0xe08248, 0xe0caf5),
INFO: Loaded 2 PC tables (51132 PCs): 32527 [0x7f8fd45bb958,0x7f8fd463aa48), 18605 [0xe0caf8,0xe555c8),
/out/fuzz-unit-file: Running 1 inputs 1 time(s) each.
Running: /testcase
Executed /testcase in 3 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

keszybz · 2018-03-21T12:26:27Z

This is fixed now.

evverx · 2018-03-21T12:49:09Z

I've just rebuilt everything from scratch and run the test. The result was the same:

==9==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7ff12ed4b964 in trim_cb /work/build/../../src/systemd/src/basic/cgroup-util.c:726:13
    #1 0x7ff12da573cc  (/lib/x86_64-linux-gnu/libc.so.6+0xf93cc)
    #2 0x7ff12da577fd  (/lib/x86_64-linux-gnu/libc.so.6+0xf97fd)
    #3 0x7ff12ed4af1e in cg_trim /work/build/../../src/systemd/src/basic/cgroup-util.c:744:13
    #4 0x654b8d in manager_shutdown_cgroup /work/build/../../src/systemd/src/core/cgroup.c:2310:24
    #5 0x4fe030 in manager_free /work/build/../../src/systemd/src/core/manager.c:1202:9
    #6 0x4b47f5 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-unit-file.c:77:1
    #7 0x8aa543 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:517:13
    #8 0x8a7732 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:442:3
    #9 0x8b2019 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:725:7
    #10 0x8b2993 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:741:3
    #11 0x877824 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6
    #12 0x862ad1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #13 0x7ff12d97e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x433e18 in _start (/out/fuzz-unit-file+0x433e18)

  Uninitialized value was created by an allocation of 'fs' in the stack frame of function 'cg_unified_update'
    #0 0x7ff12ed5c070 in cg_unified_update /work/build/../../src/systemd/src/basic/cgroup-util.c:2473

so I don't think it is fixed now.

When `systemd` is run in the TEST_RUN_MINIMAL mode, it doesn't really set up cgroups, so it shouldn't try to remove anything. Closes systemd#8474.

When `systemd` is run in the TEST_RUN_MINIMAL mode, it doesn't really set up cgroups, so it shouldn't try to remove anything. Closes #8474.

When `systemd` is run in the TEST_RUN_MINIMAL mode, it doesn't really set up cgroups, so it shouldn't try to remove anything. Closes systemd/systemd#8474. (cherry picked from commit f6c63f6)

When `systemd` is run in the TEST_RUN_MINIMAL mode, it doesn't really set up cgroups, so it shouldn't try to remove anything. Closes systemd/systemd#8474. (cherry picked from commit f6c63f6fc90040f0017a7cc37f3a05d5b86226d7)

When `systemd` is run in the TEST_RUN_MINIMAL mode, it doesn't really set up cgroups, so it shouldn't try to remove anything. Closes systemd/systemd#8474.

evverx mentioned this issue Mar 17, 2018

Oss fuzz fixes #8461

Merged

keszybz added the has-pr ✨ label Mar 17, 2018

evverx mentioned this issue Mar 18, 2018

[systemd] Enable memory sanitizer google/oss-fuzz#1084

Merged

evverx added tests and removed has-pr ✨ labels Mar 18, 2018

keszybz closed this as completed Mar 21, 2018

evverx reopened this Mar 21, 2018

evverx mentioned this issue Mar 30, 2018

core: skip the removal of cgroups in the TEST_RUN_MINIMAL mode #8622

Merged

evverx added the has-pr ✨ label Mar 30, 2018

poettering closed this as completed in #8622 Apr 3, 2018

poettering pushed a commit that referenced this issue Apr 3, 2018

core: skip the removal of cgroups in the TEST_RUN_MINIMAL mode (#8622)

f6c63f6

When `systemd` is run in the TEST_RUN_MINIMAL mode, it doesn't really set up cgroups, so it shouldn't try to remove anything. Closes #8474.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`fuzz-unit-file` seems to fail as soon as it starts when being run under `msan` #8474

`fuzz-unit-file` seems to fail as soon as it starts when being run under `msan` #8474

evverx commented Mar 17, 2018

keszybz commented Mar 17, 2018

evverx commented Mar 17, 2018 •

edited

keszybz commented Mar 21, 2018

evverx commented Mar 21, 2018 •

edited

fuzz-unit-file seems to fail as soon as it starts when being run under msan #8474

fuzz-unit-file seems to fail as soon as it starts when being run under msan #8474

Comments

evverx commented Mar 17, 2018

keszybz commented Mar 17, 2018

evverx commented Mar 17, 2018 • edited

keszybz commented Mar 21, 2018

evverx commented Mar 21, 2018 • edited

`fuzz-unit-file` seems to fail as soon as it starts when being run under `msan` #8474

`fuzz-unit-file` seems to fail as soon as it starts when being run under `msan` #8474

evverx commented Mar 17, 2018 •

edited

evverx commented Mar 21, 2018 •

edited