Partially revert "ma-setup: simplify" #15

haraldh · 2015-06-02T13:50:40Z

No description provided.

dvdhrm · 2015-06-04T14:43:49Z

Zbigniew applied this as 116b6c8.

Fixes: Message: Process 806 (systemd-importd) of user 0 dumped core. Stack trace of thread 806: #0 0x00007f5eaeff7227 raise (libc.so.6) #1 0x00007f5eaeff8e8a abort (libc.so.6) #2 0x000055b6d3418f4f log_assert_failed (systemd-importd) #3 0x000055b6d3409daf safe_close (systemd-importd) #4 0x000055b6d33c25ea closep (systemd-importd) #5 0x000055b6d33c38d9 setup_machine_directory (systemd-importd) #6 0x000055b6d33b8536 method_pull_tar_or_raw (systemd-importd) #7 0x000055b6d33ed097 method_callbacks_run (systemd-importd) #8 0x000055b6d33ef929 object_find_and_run (systemd-importd) #9 0x000055b6d33eff6b bus_process_object (systemd-importd) #10 0x000055b6d3447f77 process_message (systemd-importd) #11 0x000055b6d344815a process_running (systemd-importd) #12 0x000055b6d3448a10 bus_process_internal (systemd-importd) #13 0x000055b6d3448ae1 sd_bus_process (systemd-importd) #14 0x000055b6d3449779 time_callback (systemd-importd) #15 0x000055b6d3454ff4 source_dispatch (systemd-importd) #16 0x000055b6d34562b9 sd_event_dispatch (systemd-importd) #17 0x000055b6d34566f8 sd_event_run (systemd-importd) #18 0x000055b6d33ba72a bus_event_loop_with_idle (systemd-importd) #19 0x000055b6d33b95bc manager_run (systemd-importd) #20 0x000055b6d33b9766 main (systemd-importd) #21 0x00007f5eaefe2a00 __libc_start_main (libc.so.6) #22 0x000055b6d33b5569 _start (systemd-importd)

This makes systemctl robust regarding journal truncation. This is a follow-up for 2cf4172 Fixes: Core was generated by `./systemctl status systemd-journald'. Program terminated with signal SIGBUS, Bus error. PID 8569 - core TID 8569: #0 0x00007f246cc89ed6 __memcmp_sse4_1 #1 0x0000557ebbc6f42c journal_file_init_header #2 0x0000557ebbc77262 journal_file_open #3 0x0000557ebbc42999 file_type_wanted #4 0x0000557ebbc42e08 add_any_file #5 0x0000557ebbc43832 add_directory #6 0x0000557ebbc4401c add_root_directory #7 0x0000557ebbc442e9 add_root_directory #8 0x0000557ebbc446fc add_search_paths #9 0x0000557ebbbacb5e show_journal_by_unit #10 0x0000557ebbb8376d print_status_info #11 0x0000557ebbb86a0b show_one #12 0x0000557ebbb87954 show #13 0x0000557ebbc20b1f dispatch_verb #14 0x0000557ebbb90615 systemctl_main #15 0x0000557ebbb9159f main #16 0x00007f246cb3e731 __libc_start_main #17 0x0000557ebbb75ae9 _start

Fixes: ``` touch hola.service systemctl link $(pwd)/hola.service $(pwd)/hola.service ``` ``` ==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd): #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) #1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83 #2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89 #3 0x55637c758c77 in strv_freep src/basic/strv.h:37 #4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 #18 0x55637c6a2194 in main src/core/main.c:1920 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) #20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339) 0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573) freed by thread T0 (systemd) here: #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) #1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630 #2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602 #3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996 #4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 #18 0x55637c6a2194 in main src/core/main.c:1920 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) previously allocated by thread T0 (systemd) here: #0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160) #1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552 #2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578 #3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600 #4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 #18 0x55637c6a2194 in main src/core/main.c:1920 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free ==1==ABORTING ``` Closes systemd#5015

Fixes: ``` touch hola.service systemctl link $(pwd)/hola.service $(pwd)/hola.service ``` ``` ==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd): #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) systemd#1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83 systemd#2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89 systemd#3 0x55637c758c77 in strv_freep src/basic/strv.h:37 systemd#4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960 systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 systemd#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 systemd#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 systemd#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 systemd#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 systemd#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 systemd#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 systemd#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 systemd#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 systemd#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 systemd#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 systemd#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 systemd#18 0x55637c6a2194 in main src/core/main.c:1920 systemd#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) systemd#20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339) 0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573) freed by thread T0 (systemd) here: #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) systemd#1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630 systemd#2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602 systemd#3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996 systemd#4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985 systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 systemd#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 systemd#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 systemd#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 systemd#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 systemd#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 systemd#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 systemd#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 systemd#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 systemd#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 systemd#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 systemd#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 systemd#18 0x55637c6a2194 in main src/core/main.c:1920 systemd#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) previously allocated by thread T0 (systemd) here: #0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160) systemd#1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552 systemd#2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578 systemd#3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600 systemd#4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969 systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 systemd#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 systemd#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 systemd#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 systemd#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 systemd#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 systemd#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 systemd#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 systemd#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 systemd#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 systemd#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 systemd#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 systemd#18 0x55637c6a2194 in main src/core/main.c:1920 systemd#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free ==1==ABORTING ``` Closes systemd#5015 (cherry picked from commit 8af35ba) Related: #1409997

load-fragment: use UNESCAPE_RELAX flag to parse exec directives

Fuzzing with AddressSanitizer reports an error here: ==11==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe53f5497d8 at pc 0x7fe53ef055c9 bp 0x7ffd344e9380 sp 0x7ffd344e9378 READ of size 4 at 0x7fe53f5497d8 thread T0 SCARINESS: 27 (4-byte-read-global-buffer-overflow-far-from-bounds) #0 0x7fe53ef055c8 in bus_error_name_to_errno /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:118:24 #1 0x7fe53ef0577b in bus_error_setfv /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:274:17 #2 0x7fe53ef0595a in sd_bus_error_setf /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:284:21 #3 0x561059 in manager_load_unit_prepare /work/build/../../src/systemd/src/core/manager.c #4 0x560680 in manager_load_unit /work/build/../../src/systemd/src/core/manager.c:1773:13 #5 0x5d49a6 in unit_add_dependency_by_name /work/build/../../src/systemd/src/core/unit.c:2882:13 #6 0x538996 in config_parse_unit_deps /work/build/../../src/systemd/src/core/load-fragment.c:152:21 #7 0x6db771 in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:155:32 #8 0x6d697e in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:273:16 #9 0x6d5c48 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:390:21 #10 0x535678 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-unit-file.c:41:16 #11 0x73bd60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:517:13 #12 0x73a39f in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:442:3 #13 0x73d9bc in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:650:19 #14 0x73fa05 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:773:5 #15 0x71f75d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6 #16 0x71285c in main /src/libfuzzer/FuzzerMain.cpp:20:10 #17 0x7fe53da0482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #18 0x430e68 in _start (/out/fuzz-unit-file+0x430e68) 0x7fe53f5497d8 is located 8 bytes to the right of global variable 'bus_common_errors' defined in '../../src/systemd/src/libsystemd/sd-bus/bus-common-errors.c:28:51' (0x7fe53f549300) of size 1232 SUMMARY: AddressSanitizer: global-buffer-overflow /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:118:24 in bus_error_name_to_errno Shadow bytes around the buggy address: 0x0ffd27ea12a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea12b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea12c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea12d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea12e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0ffd27ea12f0: 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9 f9 f9 0x0ffd27ea1300: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0ffd27ea1310: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0ffd27ea1320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea1330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea1340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==11==ABORTING but I think it's a false positive because of our low-level magic in how this area is constructed.

`fuzz-journal-remote` seems to be failing under `msan` as soon as it starts: $ sudo infra/helper.py run_fuzzer systemd fuzz-journal-remote Running: docker run --rm -i --privileged -e FUZZING_ENGINE=libfuzzer -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner run_fuzzer fuzz-journal-remote Using seed corpus: fuzz-journal-remote_seed_corpus.zip /out/fuzz-journal-remote -rss_limit_mb=2048 -timeout=25 /tmp/fuzz-journal-remote_corpus -max_len=65536 < /dev/null INFO: Seed: 3380449479 INFO: Loaded 2 modules (36336 inline 8-bit counters): 36139 [0x7ff36ea31d39, 0x7ff36ea3aa64), 197 [0x9998c8, 0x99998d), INFO: Loaded 2 PC tables (36336 PCs): 36139 [0x7ff36ea3aa68,0x7ff36eac7d18), 197 [0x999990,0x99a5e0), INFO: 2 files found in /tmp/fuzz-journal-remote_corpus INFO: seed corpus: files: 2 min: 4657b max: 7790b total: 12447b rss: 97Mb Uninitialized bytes in __interceptor_pwrite64 at offset 24 inside [0x7fffdd4d7230, 240) ==15==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7ff36e685e8a in journal_file_init_header /work/build/../../src/systemd/src/journal/journal-file.c:436:13 #1 0x7ff36e683a9d in journal_file_open /work/build/../../src/systemd/src/journal/journal-file.c:3333:21 #2 0x7ff36e68b8f6 in journal_file_open_reliably /work/build/../../src/systemd/src/journal/journal-file.c:3520:13 #3 0x4a3f35 in open_output /work/build/../../src/systemd/src/journal-remote/journal-remote.c:70:13 #4 0x4a34d0 in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:136:21 #5 0x4a550f in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:183:13 #6 0x4a46bd in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:235:13 #7 0x4a271c in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-journal-remote.c:36:9 #8 0x4f27cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:524:13 #9 0x4efa0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:448:3 #10 0x4f8e96 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:732:7 #11 0x4f9f73 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:752:3 #12 0x4bf329 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:756:6 #13 0x4ac391 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #14 0x7ff36d14982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #15 0x41f9d8 in _start (/out/fuzz-journal-remote+0x41f9d8) Uninitialized value was stored to memory at #0 0x7ff36e61cd41 in sd_id128_randomize /work/build/../../src/systemd/src/libsystemd/sd-id128/sd-id128.c:288:16 #1 0x7ff36e685cec in journal_file_init_header /work/build/../../src/systemd/src/journal/journal-file.c:426:13 #2 0x7ff36e683a9d in journal_file_open /work/build/../../src/systemd/src/journal/journal-file.c:3333:21 #3 0x7ff36e68b8f6 in journal_file_open_reliably /work/build/../../src/systemd/src/journal/journal-file.c:3520:13 #4 0x4a3f35 in open_output /work/build/../../src/systemd/src/journal-remote/journal-remote.c:70:13 #5 0x4a34d0 in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:136:21 #6 0x4a550f in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:183:13 #7 0x4a46bd in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:235:13 #8 0x4a271c in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-journal-remote.c:36:9 #9 0x4f27cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:524:13 #10 0x4efa0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:448:3 #11 0x4f8e96 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:732:7 #12 0x4f9f73 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:752:3 #13 0x4bf329 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:756:6 #14 0x4ac391 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #15 0x7ff36d14982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) Uninitialized value was created by an allocation of 't' in the stack frame of function 'sd_id128_randomize' #0 0x7ff36e61cb00 in sd_id128_randomize /work/build/../../src/systemd/src/libsystemd/sd-id128/sd-id128.c:274 SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/journal/journal-file.c:436:13 in journal_file_init_header Exiting MS: 0 ; base unit: 0000000000000000000000000000000000000000 artifact_prefix='./'; Test unit written to ./crash-847911777b3096783f4ee70a69ab6d28380c810b [vagrant@localhost oss-fuzz]$ sudo infra/helper.py check_build --sanitizer=memory systemd Running: docker run --rm -i --privileged -e FUZZING_ENGINE=libfuzzer -e SANITIZER=memory -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner test_all INFO: performing bad build checks for /out/fuzz-dhcp-server. INFO: performing bad build checks for /out/fuzz-journal-remote. INFO: performing bad build checks for /out/fuzz-unit-file. INFO: performing bad build checks for /out/fuzz-dns-packet. 4 fuzzers total, 0 seem to be broken (0%). Check build passed. It's a false positive which is most likely caused by google/sanitizers#852. I think it could be got around by avoiding `getrandom` when the code is compiled with `msan`

[ 49.275617] testsuite-46.sh[1862]: ================================================================= [ 49.275870] testsuite-46.sh[1862]: ==1862==ERROR: LeakSanitizer: detected memory leaks [ 49.276039] testsuite-46.sh[1862]: Direct leak of 103 byte(s) in 14 object(s) allocated from: [ 49.276515] testsuite-46.sh[1862]: #0 0x7f4dbc07243b in strdup (/lib64/libasan.so.8+0x7243b) [ 49.276707] testsuite-46.sh[1862]: #1 0x7f4dbb3900d5 in free_and_strdup ../src/basic/string-util.c:952 [ 49.276931] testsuite-46.sh[1862]: #2 0x7f4dbb15c67d in json_dispatch_user_group_name ../src/shared/json.c:4699 [ 49.277134] testsuite-46.sh[1862]: #3 0x7f4dbb16da9b in json_dispatch ../src/shared/json.c:4395 [ 49.277352] testsuite-46.sh[1862]: #4 0x7f4dbb25b28e in userdb_on_query_reply ../src/shared/userdb.c:305 [ 49.277603] testsuite-46.sh[1862]: #5 0x7f4dbb2748b9 in varlink_dispatch_reply ../src/shared/varlink.c:760 [ 49.277766] testsuite-46.sh[1862]: #6 0x7f4dbb2748b9 in varlink_process ../src/shared/varlink.c:951 [ 49.277975] testsuite-46.sh[1862]: #7 0x7f4dbb27a001 in defer_callback ../src/shared/varlink.c:1897 [ 49.278197] testsuite-46.sh[1862]: #8 0x7f4dbb5d57dd in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4191 [ 49.278421] testsuite-46.sh[1862]: #9 0x7f4dbb5d685d in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4780 [ 49.278675] testsuite-46.sh[1862]: #10 0x7f4dbb5d70bf in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4841 [ 49.278873] testsuite-46.sh[1862]: #11 0x7f4dbb257e7c in userdb_process ../src/shared/userdb.c:591 [ 49.279048] testsuite-46.sh[1862]: #12 0x7f4dbb25f78f in membershipdb_iterator_get ../src/shared/userdb.c:1411 [ 49.279280] testsuite-46.sh[1862]: #13 0x7f4dbb23a98c in user_record_show ../src/shared/user-record-show.c:187 [ 49.279504] testsuite-46.sh[1862]: #14 0x404ae3 in show_user ../src/userdb/userdbctl.c:93 [ 49.279710] testsuite-46.sh[1862]: #15 0x40b4f5 in display_user ../src/userdb/userdbctl.c:418 [ 49.279961] testsuite-46.sh[1862]: #16 0x7f4dbb2804d2 in dispatch_verb ../src/shared/verbs.c:110 [ 49.280233] testsuite-46.sh[1862]: #17 0x40dcf3 in run ../src/userdb/userdbctl.c:1327 [ 49.280434] testsuite-46.sh[1862]: #18 0x40dcf3 in main ../src/userdb/userdbctl.c:1330 [ 49.280657] testsuite-46.sh[1862]: #19 0x7f4db9e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) [ 49.280907] testsuite-46.sh[1862]: SUMMARY: AddressSanitizer: 103 byte(s) leaked in 14 allocation(s).

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) #1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 #2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 #3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 #4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 #5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 #6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 #8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 #10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 #12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #14 0x4552fb in main ../src/nspawn/nspawn.c:5920 #15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING

As it might hide a possible allocation error since it uses the returns_nonnull attribute: AddressSanitizer:DEADLYSIGNAL ================================================================= ==8==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f317897db8d bp 0x7ffd436fe9a0 sp 0x7ffd436fe970 T0) ==8==The signal is caused by a WRITE memory access. ==8==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7f317897db8d in source_new /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:1214:18 #1 0x7f317897e68c in sd_event_add_time /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:1417:13 #2 0x7f317897a0f6 in event_reset_time /work/build/../../src/systemd/src/libsystemd/sd-event/event-util.c:68:21 #3 0x4e2c8e in client_initialize_time_events /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1366:13 #4 0x4eb0fd in client_initialize_events /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1380:9 #5 0x4eb0fd in client_start_delayed /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1410:16 #6 0x4e30aa in client_start /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1415:16 #7 0x4e30aa in sd_dhcp_client_start /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:2045:13 #8 0x4e700e in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-client.c:73:15 #9 0x5062f8 in NaloFuzzerTestOneInput (/build/fuzz-dhcp-client+0x5062f8) #10 0x525283 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x524a6a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x526139 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x526e05 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x51616f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x516a38 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x506555 in main (/build/fuzz-dhcp-client+0x506555) #17 0x7f3177ce3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #18 0x420c4d in _start (/build/fuzz-dhcp-client+0x420c4d) Found by Nallocfuzz.

If we fail to combine the new entry with a previous one, or update it in the hashmap, we might later on attempt a double-free: ================================================================= ==10==ERROR: AddressSanitizer: attempting double-free on 0x611000039fc0 in thread T0: SCARINESS: 42 (double-free) #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e431d9f2 in _hashmap_clear /work/build/../../src/systemd/src/basic/hashmap.c:927:33 #2 0x7f55e431d4c8 in _hashmap_free /work/build/../../src/systemd/src/basic/hashmap.c:896:17 #3 0x4de1de in ordered_hashmap_free_free_free /work/build/../../src/systemd/src/basic/hashmap.h:120:24 #4 0x4de1de in ordered_hashmap_free_free_freep /work/build/../../src/systemd/src/basic/hashmap.h:434:1 #5 0x4de1de in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:26:1 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #15 0x41f7cd in _start (/build/fuzz-catalog+0x41f7cd) DEDUP_TOKEN: __interceptor_free--_hashmap_clear--_hashmap_free 0x611000039fc0 is located 0 bytes inside of 224-byte region [0x611000039fc0,0x61100003a0a0) freed by thread T0 here: #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e451493d in freep /work/build/../../src/systemd/src/basic/alloc-util.h:107:22 #2 0x7f55e451493d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:187:1 #3 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #4 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #5 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #6 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #7 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #8 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #9 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #10 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #11 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #12 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #13 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_free--freep--finish_item previously allocated by thread T0 here: #0 0x4a0c06 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x4de539 in malloc (/build/fuzz-catalog+0x4de539) #2 0x7f55e42bf96b in memdup /work/build/../../src/systemd/src/basic/alloc-util.c:16:15 #3 0x7f55e451475d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:176:28 #4 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #5 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--memdup SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in __interceptor_free Found by Nallocfuzz.

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) #2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 #3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 #4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 #5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 #6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 #7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 #8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 #9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) #10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) #17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz.

==8036==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x4a10bc in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3 #1 0x4deef1 in realloc (/build/fuzz-unit-file+0x4deef1) #2 0x7ffa35abfe23 in greedy_realloc /work/build/../../src/systemd/src/basic/alloc-util.c:70:13 #3 0x7ffa35aefad2 in parse_env_file_internal /work/build/../../src/systemd/src/basic/env-file.c:127:38 #4 0x7ffa35af08a6 in parse_env_file_fdv /work/build/../../src/systemd/src/basic/env-file.c:374:13 #5 0x7ffa35b6391e in parse_extension_release_atv /work/build/../../src/systemd/src/basic/os-util.c:323:16 #6 0x7ffa35b63c8a in parse_extension_release_sentinel /work/build/../../src/systemd/src/basic/os-util.c:360:13 #7 0x7ffa35a5e3f5 in parse_os_release_specifier /work/build/../../src/systemd/src/shared/specifier.c:292:13 #8 0x7ffa35a5e3f5 in specifier_os_id /work/build/../../src/systemd/src/shared/specifier.c:303:16 #9 0x7ffa35a5c7f5 in specifier_printf /work/build/../../src/systemd/src/shared/specifier.c:70:45 #10 0x7ffa3690b279 in unit_full_printf_full /work/build/../../src/systemd/src/core/unit-printf.c:264:16 #11 0x7ffa367de795 in config_parse_bus_name /work/build/../../src/systemd/src/core/load-fragment.c:2401:13 #12 0x7ffa358fe5ec in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:151:24 #13 0x7ffa358fe5ec in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:257:16 #14 0x7ffa358fd653 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:400:21 #15 0x4de828 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/core/fuzz-unit-file.c:72:16 #16 0x4df208 in NaloFuzzerTestOneInput (/build/fuzz-unit-file+0x4df208) #17 0x4fe213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #18 0x4fd9fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #19 0x4ff0c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #20 0x4ffd95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #21 0x4ef0ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #22 0x4ef9c8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #23 0x4df485 in main (/build/fuzz-unit-file+0x4df485) #24 0x7ffa35232082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_realloc--realloc--greedy_realloc SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz.

Otherwise we might hit an assertion during cleanup if the following mmap_cache_new() call fails: Assertion 'p->n_ref > 0' failed at src/journal-remote/journal-remote-write.c:80, function writer_unref(). Aborting. ==2069==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000815 (pc 0x7f39dcd0200b bp 0x7ffe2fe24db0 sp 0x7ffe2fe24b60 T0) SCARINESS: 10 (signal) #0 0x7f39dcd0200b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #1 0x7f39dcce1858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #2 0x7f39dd747e49 in log_assert_failed /work/build/../../src/systemd/src/basic/log.c:940:9 #3 0x4e4431 in writer_unref /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:80:1 #4 0x4e3fd5 in writer_unrefp /work/build/../../src/systemd/src/journal-remote/journal-remote-write.h:27:1 #5 0x4e3fd5 in writer_new /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:56:1 #6 0x4e04bc in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:125:21 #7 0x4e0e0b in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:181:13 #8 0x4e0e0b in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:233:13 #9 0x4df99f in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/journal-remote/fuzz-journal-remote.c:54:9 #10 0x4e8f48 in NaloFuzzerTestOneInput (/build/fuzz-journal-remote+0x4e8f48) #11 0x507f53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #12 0x50773a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #13 0x508e09 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #14 0x509ad5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #15 0x4f8e3f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #16 0x4f9708 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #17 0x4e91c5 in main (/build/fuzz-journal-remote+0x4e91c5) #18 0x7f39dcce3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #19 0x420bcd in _start (/build/fuzz-journal-remote+0x420bcd) DEDUP_TOKEN: raise--abort--log_assert_failed AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) in raise Found by Nallocufzz.

==1==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x7fc096c7243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fc095db3899 in bus_socket_set_transient_property ../src/core/dbus-socket.c:386 #2 0x7fc095db5140 in bus_socket_set_property ../src/core/dbus-socket.c:460 #3 0x7fc095dd20f1 in bus_unit_set_properties ../src/core/dbus-unit.c:2473 #4 0x7fc095d87d53 in transient_unit_from_message ../src/core/dbus-manager.c:1025 #5 0x7fc095d8872f in method_start_transient_unit ../src/core/dbus-manager.c:1112 #6 0x7fc0944ddf4f in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7fc0944e7854 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7fc0944e8f03 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7fc09454ad78 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3011 #10 0x7fc09454b302 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3053 #11 0x7fc09454e158 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3273 #12 0x7fc09454e2f2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3300 #13 0x7fc094551a59 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3642 #14 0x7fc094727830 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 #15 0x7fc094731009 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 #16 0x7fc094732124 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 #17 0x7fc095f7af9f in manager_loop ../src/core/manager.c:3242 #18 0x41cc7c in invoke_main_loop ../src/core/main.c:1937 #19 0x4252e0 in main ../src/core/main.c:3072 #20 0x7fc092a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s).

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) systemd#1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 systemd#2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 systemd#3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 systemd#4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 systemd#5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 systemd#6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 systemd#8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 systemd#10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 systemd#12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 systemd#13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 systemd#14 0x4552fb in main ../src/nspawn/nspawn.c:5920 systemd#15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) systemd#16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) systemd#17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING (cherry picked from commit f4e5c04)

If we fail to combine the new entry with a previous one, or update it in the hashmap, we might later on attempt a double-free: ================================================================= ==10==ERROR: AddressSanitizer: attempting double-free on 0x611000039fc0 in thread T0: SCARINESS: 42 (double-free) #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 systemd#1 0x7f55e431d9f2 in _hashmap_clear /work/build/../../src/systemd/src/basic/hashmap.c:927:33 systemd#2 0x7f55e431d4c8 in _hashmap_free /work/build/../../src/systemd/src/basic/hashmap.c:896:17 systemd#3 0x4de1de in ordered_hashmap_free_free_free /work/build/../../src/systemd/src/basic/hashmap.h:120:24 systemd#4 0x4de1de in ordered_hashmap_free_free_freep /work/build/../../src/systemd/src/basic/hashmap.h:434:1 systemd#5 0x4de1de in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:26:1 systemd#6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) systemd#7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) systemd#14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#15 0x41f7cd in _start (/build/fuzz-catalog+0x41f7cd) DEDUP_TOKEN: __interceptor_free--_hashmap_clear--_hashmap_free 0x611000039fc0 is located 0 bytes inside of 224-byte region [0x611000039fc0,0x61100003a0a0) freed by thread T0 here: #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 systemd#1 0x7f55e451493d in freep /work/build/../../src/systemd/src/basic/alloc-util.h:107:22 systemd#2 0x7f55e451493d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:187:1 systemd#3 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 systemd#4 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 systemd#5 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) systemd#6 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#7 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#8 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#9 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#10 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#11 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#12 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) systemd#13 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_free--freep--finish_item previously allocated by thread T0 here: #0 0x4a0c06 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 systemd#1 0x4de539 in malloc (/build/fuzz-catalog+0x4de539) systemd#2 0x7f55e42bf96b in memdup /work/build/../../src/systemd/src/basic/alloc-util.c:16:15 systemd#3 0x7f55e451475d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:176:28 systemd#4 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 systemd#5 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 systemd#6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) systemd#7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) systemd#14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--memdup SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in __interceptor_free Found by Nallocfuzz. (cherry picked from commit ac874b8)

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 systemd#1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) systemd#2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 systemd#3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 systemd#4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 systemd#5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 systemd#6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 systemd#7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 systemd#8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 systemd#9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) systemd#10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) systemd#17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit b453ebf)

Otherwise we might hit an assertion during cleanup if the following mmap_cache_new() call fails: Assertion 'p->n_ref > 0' failed at src/journal-remote/journal-remote-write.c:80, function writer_unref(). Aborting. ==2069==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000815 (pc 0x7f39dcd0200b bp 0x7ffe2fe24db0 sp 0x7ffe2fe24b60 T0) SCARINESS: 10 (signal) #0 0x7f39dcd0200b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#1 0x7f39dcce1858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#2 0x7f39dd747e49 in log_assert_failed /work/build/../../src/systemd/src/basic/log.c:940:9 systemd#3 0x4e4431 in writer_unref /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:80:1 systemd#4 0x4e3fd5 in writer_unrefp /work/build/../../src/systemd/src/journal-remote/journal-remote-write.h:27:1 systemd#5 0x4e3fd5 in writer_new /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:56:1 systemd#6 0x4e04bc in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:125:21 systemd#7 0x4e0e0b in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:181:13 systemd#8 0x4e0e0b in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:233:13 systemd#9 0x4df99f in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/journal-remote/fuzz-journal-remote.c:54:9 systemd#10 0x4e8f48 in NaloFuzzerTestOneInput (/build/fuzz-journal-remote+0x4e8f48) systemd#11 0x507f53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#12 0x50773a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#13 0x508e09 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#14 0x509ad5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#15 0x4f8e3f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#16 0x4f9708 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#17 0x4e91c5 in main (/build/fuzz-journal-remote+0x4e91c5) systemd#18 0x7f39dcce3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#19 0x420bcd in _start (/build/fuzz-journal-remote+0x420bcd) DEDUP_TOKEN: raise--abort--log_assert_failed AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) in raise Found by Nallocufzz. (cherry picked from commit d3d8597)

This wrapper is used in situations where we don't care about *San reports, we just want to make things work. However, with enabled LSan we might trigger some bogus reports we're definitely not interested in, causing unexpected test fails. Spotted on C8S in TEST-34-DYNAMICUSERMIGRATE: ``` [10654.804162] testsuite-34.sh[56]: + systemctl start testservice-34-check-writable.service Starting testservice-34-check-writable.service... [10655.055969] bash[546]: + set -o pipefail [10655.056127] bash[546]: + declare -a writable_dirs [10655.056234] bash[546]: + readarray -t writable_dirs [10655.060838] bash[548]: ++ find / '(' -path /var/tmp -o -path /tmp -o -path /proc -o -path /dev/mqueue -o -path /dev/shm -o -path /sys/fs/bpf -o -path /dev/.lxc -o -path /sys/devices/system/cpu ')' -prune -o -type d -writable -print [10655.061534] bash[549]: ++ sort -u [10655.688740] bash[547]: ================================================================= [10655.689075] bash[547]: ==547==ERROR: LeakSanitizer: detected memory leaks [10655.689246] bash[547]: Direct leak of 112 byte(s) in 1 object(s) allocated from: [10655.743851] bash[547]: #0 0x7ffff752d364 (/usr/lib64/clang/14.0.0/lib/libclang_rt.asan-powerpc64le.so+0x13d364) (BuildId: 321f4ed1caea6a1a4c37f9272e07275cf16f034d) [10655.744060] bash[547]: #1 0x1000b5d20 in xmalloc (/usr/bin/bash+0xb5d20) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744224] bash[547]: #2 0x100083338 (/usr/bin/bash+0x83338) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744393] bash[547]: #3 0x10008847c (/usr/bin/bash+0x8847c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744552] bash[547]: #4 0x1000af6ec in redirection_expand (/usr/bin/bash+0xaf6ec) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744728] bash[547]: #5 0x1000b005c (/usr/bin/bash+0xb005c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744886] bash[547]: #6 0x1000b1388 in do_redirections (/usr/bin/bash+0xb1388) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745051] bash[547]: #7 0x100050484 (/usr/bin/bash+0x50484) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745208] bash[547]: #8 0x100052160 in execute_command_internal (/usr/bin/bash+0x52160) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745376] bash[547]: #9 0x100052a10 in execute_command_internal (/usr/bin/bash+0x52a10) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745536] bash[547]: #10 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745711] bash[547]: #11 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745870] bash[547]: #12 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746038] bash[547]: #13 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746198] bash[547]: #14 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746367] bash[547]: systemd#15 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746548] bash[547]: systemd#16 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746741] bash[547]: systemd#17 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746897] bash[547]: systemd#18 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747067] bash[547]: systemd#19 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747227] bash[547]: systemd#20 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747414] bash[547]: systemd#21 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747573] bash[547]: systemd#22 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747741] bash[547]: systemd#23 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747896] bash[547]: systemd#24 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748064] bash[547]: systemd#25 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748225] bash[547]: systemd#26 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748390] bash[547]: systemd#27 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748553] bash[547]: systemd#28 0x1000bf91c in parse_and_execute (/usr/bin/bash+0xbf91c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748717] bash[547]: systemd#29 0x1000311ec (/usr/bin/bash+0x311ec) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748883] bash[547]: Direct leak of 17 byte(s) in 1 object(s) allocated from: ... ``` (cherry picked from commit b8dd276)

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) #1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 #2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 #3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 #4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 #5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 #6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 #8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 #10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 #12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #14 0x4552fb in main ../src/nspawn/nspawn.c:5920 systemd#15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) systemd#16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) systemd#17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING (cherry picked from commit f4e5c04) (cherry picked from commit c786122) (cherry picked from commit d45301d)

If we fail to combine the new entry with a previous one, or update it in the hashmap, we might later on attempt a double-free: ================================================================= ==10==ERROR: AddressSanitizer: attempting double-free on 0x611000039fc0 in thread T0: SCARINESS: 42 (double-free) #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e431d9f2 in _hashmap_clear /work/build/../../src/systemd/src/basic/hashmap.c:927:33 #2 0x7f55e431d4c8 in _hashmap_free /work/build/../../src/systemd/src/basic/hashmap.c:896:17 #3 0x4de1de in ordered_hashmap_free_free_free /work/build/../../src/systemd/src/basic/hashmap.h:120:24 #4 0x4de1de in ordered_hashmap_free_free_freep /work/build/../../src/systemd/src/basic/hashmap.h:434:1 #5 0x4de1de in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:26:1 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#15 0x41f7cd in _start (/build/fuzz-catalog+0x41f7cd) DEDUP_TOKEN: __interceptor_free--_hashmap_clear--_hashmap_free 0x611000039fc0 is located 0 bytes inside of 224-byte region [0x611000039fc0,0x61100003a0a0) freed by thread T0 here: #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e451493d in freep /work/build/../../src/systemd/src/basic/alloc-util.h:107:22 #2 0x7f55e451493d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:187:1 #3 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #4 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #5 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #6 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #7 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #8 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #9 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #10 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #11 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #12 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #13 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_free--freep--finish_item previously allocated by thread T0 here: #0 0x4a0c06 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x4de539 in malloc (/build/fuzz-catalog+0x4de539) #2 0x7f55e42bf96b in memdup /work/build/../../src/systemd/src/basic/alloc-util.c:16:15 #3 0x7f55e451475d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:176:28 #4 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #5 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--memdup SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in __interceptor_free Found by Nallocfuzz. (cherry picked from commit ac874b8) (cherry picked from commit b1663b8) (cherry picked from commit 6ebbc8f)

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) #2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 #3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 #4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 #5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 #6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 #7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 #8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 #9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) #10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) systemd#17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit b453ebf) (cherry picked from commit 9dde31a) (cherry picked from commit 06b4e1f)

==8036==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x4a10bc in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3 #1 0x4deef1 in realloc (/build/fuzz-unit-file+0x4deef1) #2 0x7ffa35abfe23 in greedy_realloc /work/build/../../src/systemd/src/basic/alloc-util.c:70:13 #3 0x7ffa35aefad2 in parse_env_file_internal /work/build/../../src/systemd/src/basic/env-file.c:127:38 #4 0x7ffa35af08a6 in parse_env_file_fdv /work/build/../../src/systemd/src/basic/env-file.c:374:13 #5 0x7ffa35b6391e in parse_extension_release_atv /work/build/../../src/systemd/src/basic/os-util.c:323:16 #6 0x7ffa35b63c8a in parse_extension_release_sentinel /work/build/../../src/systemd/src/basic/os-util.c:360:13 #7 0x7ffa35a5e3f5 in parse_os_release_specifier /work/build/../../src/systemd/src/shared/specifier.c:292:13 #8 0x7ffa35a5e3f5 in specifier_os_id /work/build/../../src/systemd/src/shared/specifier.c:303:16 #9 0x7ffa35a5c7f5 in specifier_printf /work/build/../../src/systemd/src/shared/specifier.c:70:45 #10 0x7ffa3690b279 in unit_full_printf_full /work/build/../../src/systemd/src/core/unit-printf.c:264:16 #11 0x7ffa367de795 in config_parse_bus_name /work/build/../../src/systemd/src/core/load-fragment.c:2401:13 #12 0x7ffa358fe5ec in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:151:24 #13 0x7ffa358fe5ec in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:257:16 #14 0x7ffa358fd653 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:400:21 systemd#15 0x4de828 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/core/fuzz-unit-file.c:72:16 systemd#16 0x4df208 in NaloFuzzerTestOneInput (/build/fuzz-unit-file+0x4df208) systemd#17 0x4fe213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#18 0x4fd9fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#19 0x4ff0c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#20 0x4ffd95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#21 0x4ef0ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#22 0x4ef9c8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#23 0x4df485 in main (/build/fuzz-unit-file+0x4df485) systemd#24 0x7ffa35232082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_realloc--realloc--greedy_realloc SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit 6c13a39) (cherry picked from commit b4c9a9b) (cherry picked from commit 6b8b0f5)

==1==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x7fc096c7243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fc095db3899 in bus_socket_set_transient_property ../src/core/dbus-socket.c:386 #2 0x7fc095db5140 in bus_socket_set_property ../src/core/dbus-socket.c:460 #3 0x7fc095dd20f1 in bus_unit_set_properties ../src/core/dbus-unit.c:2473 #4 0x7fc095d87d53 in transient_unit_from_message ../src/core/dbus-manager.c:1025 #5 0x7fc095d8872f in method_start_transient_unit ../src/core/dbus-manager.c:1112 #6 0x7fc0944ddf4f in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7fc0944e7854 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7fc0944e8f03 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7fc09454ad78 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3011 #10 0x7fc09454b302 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3053 #11 0x7fc09454e158 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3273 #12 0x7fc09454e2f2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3300 #13 0x7fc094551a59 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3642 #14 0x7fc094727830 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 systemd#15 0x7fc094731009 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 systemd#16 0x7fc094732124 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 systemd#17 0x7fc095f7af9f in manager_loop ../src/core/manager.c:3242 systemd#18 0x41cc7c in invoke_main_loop ../src/core/main.c:1937 systemd#19 0x4252e0 in main ../src/core/main.c:3072 systemd#20 0x7fc092a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s). (cherry picked from commit f8b21a0) (cherry picked from commit 98d2a09) (cherry picked from commit e94157e)

Introduced by 41712cd. ================================================================= ==2194==ERROR: LeakSanitizer: detected memory leaks Indirect leak of 359856 byte(s) in 459 object(s) allocated from: #0 0x7ffff7511df4 (/usr/lib64/clang/16/lib/linux/libclang_rt.asan-powerpc64le.so+0x191df4) (BuildId: 47e1dd371a2b8525b6cb737760a4dc535f30ea10) #1 0x7ffff6bb5fb0 in message_from_header /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/bus-message.c:372:13 #2 0x7ffff6bb5fb0 in bus_message_from_malloc /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/bus-message.c:421:13 #3 0x7ffff6c23f54 in bus_socket_make_message /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/bus-socket.c:1222:13 #4 0x7ffff6c22d10 in bus_socket_read_message /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/bus-socket.c #5 0x7ffff6c4d414 in bus_read_message /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/sd-bus.c:2082:16 #6 0x7ffff6c4d414 in sd_bus_call /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/sd-bus.c:2480:21 #7 0x7ffff6682904 in bus_service_manager_reload /systemd-meson-build/../root/systemd/src/shared/bus-unit-util.c:2823:13 #8 0x1000d570 in daemon_reload /systemd-meson-build/../root/systemd/src/sysext/sysext.c:233:16 #9 0x100090f8 in merge /systemd-meson-build/../root/systemd/src/sysext/sysext.c:895:21 #10 0x10006ff4 in verb_merge /systemd-meson-build/../root/systemd/src/sysext/sysext.c:964:16 #11 0x7ffff69ae894 in dispatch_verb /systemd-meson-build/../root/systemd/src/shared/verbs.c:103:24 #12 0x10004570 in sysext_main /systemd-meson-build/../root/systemd/src/sysext/sysext.c:1194:16 #13 0x10004570 in run /systemd-meson-build/../root/systemd/src/sysext/sysext.c:1214:16 #14 0x10004570 in main /systemd-meson-build/../root/systemd/src/sysext/sysext.c:1217:1 #15 0x7ffff5f5a968 in generic_start_main.isra.0 (/lib64/libc.so.6+0x2a968) (BuildId: c218e04818632a05c23f6fdcca16f93e95ea7de2) #16 0x7ffff5f5ab00 in __libc_start_main (/lib64/libc.so.6+0x2ab00) (BuildId: c218e04818632a05c23f6fdcca16f93e95ea7de2) Indirect leak of 124984 byte(s) in 459 object(s) allocated from: ... #11 0x7ffff5f5a968 in generic_start_main.isra.0 (/lib64/libc.so.6+0x2a968) (BuildId: c218e04818632a05c23f6fdcca16f93e95ea7de2) #12 0x7ffff5f5ab00 in __libc_start_main (/lib64/libc.so.6+0x2ab00) (BuildId: c218e04818632a05c23f6fdcca16f93e95ea7de2) SUMMARY: AddressSanitizer: 493766 byte(s) leaked in 1383 allocation(s).

When exiting PID 1 we most likely don't have stdio/stdout open, so the final LSan check would not print any actionable information and would just crash PID 1 leading up to a kernel panic, which is a bit annoying. Let's instead attempt to open /dev/console, and if we succeed redirect LSan's report there. The result is a bit messy, as it's slightly interleaved with the kernel panic, but it's definitely better than not having the stack trace at all: [ OK ] Reached target final.target. [ OK ] Finished systemd-poweroff.service. [ OK ] Reached target poweroff.target. ================================================================= 3 1m 43.251782] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 [ 43.252838] CPU: 2 PID: 1 Comm: systemd Not tainted 6.4.12-200.fc38.x86_64 #1 ==[1==ERR O R :4 3Le.a2k53562] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 [ 43.254683] Call Trace: [ 43.254911] <TASK> [ 43.255107] dump_stack_lvl+0x47/0x60 S[ a 43.n2555i05] panic+t0x192/0x350 izer[ :43.255966 ] do_exit+0x990/0xdb10 etec[ 43.256504] do_group_exit+0x31/0x80 [ 43.256889] __x64_sys_exit_group+0x18/0x20 [ 43.257288] do_syscall_64+0x60/0x90 o_user_mod leaks[ 43.257618] ? syscall_exit_t +0x2b/0x40 [ 43.258411] ? do_syscall_64+0x6c/0x90 1mDirect le[ 43.258755] ak of 21 byte(s)? exc_page_fault+0x7f/0x180 [ 43.259446] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 43.259901] RiIP: 0033:0x7f357nb8f3ad4 1 objec[ 43.260354] Ctode: 48 89 (f7 0f 05 c3 sf3 0f 1e fa b8 3b 00 00 00) 0f 05 c3 0f 1f 4 0 00 f3 0f 1e fa 50 58 b8 e7 00 00 00 48 83 ec 08 48 63 ff 0f 051 [ 43.262581] RSP: 002b:00007ffc25872440 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 a RBX: 00007f357be9b218 RCX: 00007f357b8f3ad4m:ffd [ 43.264512] RDX: 0000000000000001 RSI: 00007f357b933b63 RDI: 0000000000000001 [ 43.265355] RBP: 00007f357be9b218 R08: efffffffffffffff R09: 00007ffc258721ef [ 43.266191] R10: 000000000000003f R11: 0000000000000202 R12: 00000fe6ae9e0000 [ 43.266891] R13: 00007f3574f00000 R14: 0000000000000000 R15: 0000000000000007 [ 43.267517] </TASK> #0 0x7f357b8814a8 in strdup (/lib64/libasan.so.8+0x814a8) (BuildId: e5f0a0d511a659fbc47bf41072869139cb2db47f) #1 0x7f3578d43317 in cg_path_decode_unit ../src/basic/cgroup-util.c:1132 #2 0x7f3578d43936 in cg_path_get_unit ../src/basic/cgroup-util.c:1190 #3 0x7f3578d440f6 in cg_pid_get_unit ../src/basic/cgroup-util.c:1234 #4 0x7f35789263d7 in bus_log_caller ../src/shared/bus-util.c:734 #5 0x7f357a9cf10a in method_reload ../src/core/dbus-manager.c:1621 #6 0x7f3578f77497 in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7f3578f80dd8 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7f3578f82487 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7f3578fe41f1 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3007 #10 0x7f3578fe477b in process_running ../src/libsystemd/sd-bus/sd-bus.c:3049 #11 0x7f3578fe75d1 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3269 #12 0x7f3578fe776e in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3296 #13 0x7f3578feaedc in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3638 #14 0x7f35791c2f68 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 #15 0x7f35791cc6f9 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 #16 0x7f35791cd830 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 #17 0x7f357abcd572 in manager_loop ../src/core/manager.c:3244 #18 0x41db21 in invoke_main_loop ../src/core/main.c:1960 #19 0x426615 in main ../src/core/main.c:3125 #20 0x7f3577c49b49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #21 0x7f3577c49c0a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #22 0x408494 in _start (/usr/lib/systemd/systemd+0x408494) (BuildId: fe61e1b0f00b6a36aa34e707a98c15c52f6b960a) SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s). [ 43.295912] Kernel Offset: 0x7000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 43.297036] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]--- Originally noticed in #28579.

When assert_return() is critical, the following assertion is triggered on exit: --- #0 0x00007f8b1f6b0884 in __pthread_kill_implementation () from target:/lib64/libc.so.6 #1 0x00007f8b1f65fafe in raise () from target:/lib64/libc.so.6 #2 0x00007f8b1f64887f in abort () from target:/lib64/libc.so.6 #3 0x00007f8b208d02d6 in log_assert_failed (text=0x7f8b210009e0 "e->state != SD_EVENT_FINISHED", file=0x7f8b20fff403 "src/libsystemd/sd-event/sd-event.c", line=1252, func=0x7f8b21004400 <__func__.154> "sd_event_add_io") at ../src/basic/log.c:948 #4 0x00007f8b208d0457 in log_assert_failed_return (text=0x7f8b210009e0 "e->state != SD_EVENT_FINISHED", file=0x7f8b20fff403 "src/libsystemd/sd-event/sd-event.c", line=1252, func=0x7f8b21004400 <__func__.154> "sd_event_add_io") at ../src/basic/log.c:967 #5 0x00007f8b20c7d102 in sd_event_add_io (e=0x617000000080, ret=0x60c000000a20, fd=11, events=1, callback=0x7dfd85 <ipv4acd_on_packet>, userdata=0x60c000000a00) at ../src/libsystemd/sd-event/sd-event.c:1252 #6 0x00000000007e3934 in sd_ipv4acd_start (acd=0x60c000000a00, reset_conflicts=true) at ../src/libsystemd-network/sd-ipv4acd.c:597 #7 0x00000000007e72b9 in ipv4ll_start_internal (ll=0x6080000006a0, reset_generation=true) at ../src/libsystemd-network/sd-ipv4ll.c:278 #8 0x00000000007e7462 in sd_ipv4ll_start (ll=0x6080000006a0) at ../src/libsystemd-network/sd-ipv4ll.c:298 #9 0x00000000006047a1 in dhcp4_handler (client=0x617000000400, event=0, userdata=0x61a000000680) at ../src/network/networkd-dhcp4.c:1183 #10 0x000000000075b1ed in client_notify (client=0x617000000400, event=0) at ../src/libsystemd-network/sd-dhcp-client.c:783 #11 0x000000000075bf8d in client_stop (client=0x617000000400, error=0) at ../src/libsystemd-network/sd-dhcp-client.c:821 #12 0x000000000077710f in sd_dhcp_client_stop (client=0x617000000400) at ../src/libsystemd-network/sd-dhcp-client.c:2388 #13 0x000000000065cdd1 in link_stop_engines (link=0x61a000000680, may_keep_dhcp=true) at ../src/network/networkd-link.c:336 #14 0x000000000041f214 in manager_free (m=0x618000000080) at ../src/network/networkd-manager.c:613 #15 0x00000000004124e3 in manager_freep (p=0x7f8b1c800040) at ../src/network/networkd-manager.h:128 #16 0x00000000004139f6 in run (argc=1, argv=0x7ffffe4522e8) at ../src/network/networkd.c:24 #17 0x0000000000413b20 in main (argc=1, argv=0x7ffffe4522e8) at ../src/network/networkd.c:119 --- Prompted by #30049 (comment).

Since in that case the event loop is already finished and we'd hit an assertion: [ 1295.993300] testsuite-75.sh[50]: + systemctl stop systemd-resolved.service [ 1296.005152] systemd-resolved[298]: Assertion 'e->state != SD_EVENT_FINISHED' failed at src/libsystemd/sd-event/sd-event.c:1252, function sd_event_add_io(). Aborting. Thread 1 (Thread 0x7f17d25e2940 (LWP 298)): #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007f17d16ac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007f17d165c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007f17d16444b8 in __GI_abort () at abort.c:79 #4 0x00007f17d2402d2d in log_assert_failed (text=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>) at ../build/src/basic/log.c:968 #5 0x00007f17d240401c in log_assert_failed_return (text=text@entry=0x7f17d2533f13 "e->state != SD_EVENT_FINISHED", file=file@entry=0x7f17d25195d9 "src/libsystemd/sd-event/sd-event.c", line=line@entry=1252, func=func@entry=0x7f17d2567260 <__func__.140> "sd_event_add_io") at ../build/src/basic/log.c:987 #6 0x00007f17d24d011a in sd_event_add_io (e=0x55e5cb497270, ret=0x55e5cb4a5120, fd=fd@entry=26, events=events@entry=1, callback=callback@entry=0x55e5caff5466 <on_io_event>, userdata=0x55e5cb4a5110) at ../build/src/libsystemd/sd-event/sd-event.c:1252 #7 0x000055e5caff571c in manager_add_socket_to_graveyard (m=0x55e5cb43cf00, fd=26) at ../build/src/resolve/resolved-socket-graveyard.c:117 #8 0x000055e5cafd4253 in dns_transaction_close_connection (t=t@entry=0x55e5cb57c7d0, use_graveyard=use_graveyard@entry=true) at ../build/src/resolve/resolved-dns-transaction.c:78 #9 0x000055e5cafd8444 in dns_transaction_complete (t=t@entry=0x55e5cb57c7d0, state=state@entry=DNS_TRANSACTION_ABORTED) at ../build/src/resolve/resolved-dns-transaction.c:427 #10 0x000055e5cafc4969 in dns_scope_abort_transactions (s=s@entry=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:91 #11 0x000055e5cafc6aee in dns_scope_free (s=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:106 #12 0x000055e5cafe72d1 in link_free (l=0x55e5cb4a5160) at ../build/src/resolve/resolved-link.c:94 #13 0x000055e5cafedefc in manager_free (m=0x55e5cb43cf00) at ../build/src/resolve/resolved-manager.c:697 #14 0x000055e5caff99b6 in manager_freep (p=p@entry=0x7ffd71fab8f8) at ../build/src/resolve/resolved-manager.h:198 #15 0x000055e5caff9d66 in run (argc=argc@entry=1, argv=argv@entry=0x7ffd71faba78) at ../build/src/resolve/resolved.c:25 #16 0x000055e5caff9fe3 in main (argc=1, argv=0x7ffd71faba78) at ../build/src/resolve/resolved.c:99 Resolves: #30618

Since libfuzzer feeds a single fuzzing process with multiple inputs, we might carry over arg_transport from a previous invocation, tripping over the assert in acquire_bus(): +----------------------------------------Release Build Stacktrace----------------------------------------+ Assertion 'transport != BUS_TRANSPORT_REMOTE || runtime_scope == RUNTIME_SCOPE_SYSTEM' failed at src/shared/bus-util.c:284, function bus_connect_transport(). Aborting. AddressSanitizer:DEADLYSIGNAL ================================================================= ==2739==ERROR: AddressSanitizer: ABRT on unknown address 0x00000ab3 (pc 0xf7f52509 bp 0xffdf74cc sp 0xffdf74b0 T0) SCARINESS: 10 (signal) #0 0xf7f52509 in linux-gate.so.1 #1 0xf703b415 in raise #2 0xf70233f6 in abort #3 0xf772ac0a in log_assert_failed systemd/src/basic/log.c:968:9 #4 0xf77300d5 in log_assert_failed_return systemd/src/basic/log.c:987:17 #5 0xf7432bbf in bus_connect_transport systemd/src/shared/bus-util.c:284:9 #6 0x818cd17 in acquire_bus systemd/src/systemctl/systemctl-util.c:53:29 #7 0x815fd3c in help_boot_loader_entry systemd/src/systemctl/systemctl-logind.c:431:13 #8 0x819ca87 in systemctl_parse_argv systemd/src/systemctl/systemctl.c:863:37 #9 0x8197632 in systemctl_dispatch_parse_argv systemd/src/systemctl/systemctl.c:1137:16 #10 0x813328d in LLVMFuzzerTestOneInput systemd/src/systemctl/fuzz-systemctl-parse-argv.c:54:13 #11 0x81bbe7e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #12 0x81bb5b8 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned int, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #13 0x81bd42d in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7 #14 0x81bd62e in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3 #15 0x81ac84c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #16 0x81d65c7 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #17 0xf7024ed4 in __libc_start_main #18 0x806bdb5 in _start Resolves: #30802

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) systemd#1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 systemd#2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 systemd#3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 systemd#4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 systemd#5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 systemd#6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 systemd#8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 systemd#10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 systemd#12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 systemd#13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 systemd#14 0x4552fb in main ../src/nspawn/nspawn.c:5920 systemd#15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) systemd#16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) systemd#17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING (cherry picked from commit f4e5c04) (cherry picked from commit c786122)

If we fail to combine the new entry with a previous one, or update it in the hashmap, we might later on attempt a double-free: ================================================================= ==10==ERROR: AddressSanitizer: attempting double-free on 0x611000039fc0 in thread T0: SCARINESS: 42 (double-free) #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 systemd#1 0x7f55e431d9f2 in _hashmap_clear /work/build/../../src/systemd/src/basic/hashmap.c:927:33 systemd#2 0x7f55e431d4c8 in _hashmap_free /work/build/../../src/systemd/src/basic/hashmap.c:896:17 systemd#3 0x4de1de in ordered_hashmap_free_free_free /work/build/../../src/systemd/src/basic/hashmap.h:120:24 systemd#4 0x4de1de in ordered_hashmap_free_free_freep /work/build/../../src/systemd/src/basic/hashmap.h:434:1 systemd#5 0x4de1de in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:26:1 systemd#6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) systemd#7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) systemd#14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#15 0x41f7cd in _start (/build/fuzz-catalog+0x41f7cd) DEDUP_TOKEN: __interceptor_free--_hashmap_clear--_hashmap_free 0x611000039fc0 is located 0 bytes inside of 224-byte region [0x611000039fc0,0x61100003a0a0) freed by thread T0 here: #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 systemd#1 0x7f55e451493d in freep /work/build/../../src/systemd/src/basic/alloc-util.h:107:22 systemd#2 0x7f55e451493d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:187:1 systemd#3 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 systemd#4 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 systemd#5 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) systemd#6 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#7 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#8 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#9 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#10 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#11 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#12 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) systemd#13 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_free--freep--finish_item previously allocated by thread T0 here: #0 0x4a0c06 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 systemd#1 0x4de539 in malloc (/build/fuzz-catalog+0x4de539) systemd#2 0x7f55e42bf96b in memdup /work/build/../../src/systemd/src/basic/alloc-util.c:16:15 systemd#3 0x7f55e451475d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:176:28 systemd#4 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 systemd#5 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 systemd#6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) systemd#7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) systemd#14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--memdup SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in __interceptor_free Found by Nallocfuzz. (cherry picked from commit ac874b8) (cherry picked from commit b1663b8)

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 systemd#1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) systemd#2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 systemd#3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 systemd#4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 systemd#5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 systemd#6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 systemd#7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 systemd#8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 systemd#9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) systemd#10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) systemd#17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit b453ebf) (cherry picked from commit 9dde31a)

==8036==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x4a10bc in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3 systemd#1 0x4deef1 in realloc (/build/fuzz-unit-file+0x4deef1) systemd#2 0x7ffa35abfe23 in greedy_realloc /work/build/../../src/systemd/src/basic/alloc-util.c:70:13 systemd#3 0x7ffa35aefad2 in parse_env_file_internal /work/build/../../src/systemd/src/basic/env-file.c:127:38 systemd#4 0x7ffa35af08a6 in parse_env_file_fdv /work/build/../../src/systemd/src/basic/env-file.c:374:13 systemd#5 0x7ffa35b6391e in parse_extension_release_atv /work/build/../../src/systemd/src/basic/os-util.c:323:16 systemd#6 0x7ffa35b63c8a in parse_extension_release_sentinel /work/build/../../src/systemd/src/basic/os-util.c:360:13 systemd#7 0x7ffa35a5e3f5 in parse_os_release_specifier /work/build/../../src/systemd/src/shared/specifier.c:292:13 systemd#8 0x7ffa35a5e3f5 in specifier_os_id /work/build/../../src/systemd/src/shared/specifier.c:303:16 systemd#9 0x7ffa35a5c7f5 in specifier_printf /work/build/../../src/systemd/src/shared/specifier.c:70:45 systemd#10 0x7ffa3690b279 in unit_full_printf_full /work/build/../../src/systemd/src/core/unit-printf.c:264:16 systemd#11 0x7ffa367de795 in config_parse_bus_name /work/build/../../src/systemd/src/core/load-fragment.c:2401:13 systemd#12 0x7ffa358fe5ec in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:151:24 systemd#13 0x7ffa358fe5ec in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:257:16 systemd#14 0x7ffa358fd653 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:400:21 systemd#15 0x4de828 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/core/fuzz-unit-file.c:72:16 systemd#16 0x4df208 in NaloFuzzerTestOneInput (/build/fuzz-unit-file+0x4df208) systemd#17 0x4fe213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#18 0x4fd9fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#19 0x4ff0c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#20 0x4ffd95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#21 0x4ef0ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#22 0x4ef9c8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#23 0x4df485 in main (/build/fuzz-unit-file+0x4df485) systemd#24 0x7ffa35232082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_realloc--realloc--greedy_realloc SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit 6c13a39) (cherry picked from commit b4c9a9b)

==1==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x7fc096c7243b in strdup (/lib64/libasan.so.8+0x7243b) systemd#1 0x7fc095db3899 in bus_socket_set_transient_property ../src/core/dbus-socket.c:386 systemd#2 0x7fc095db5140 in bus_socket_set_property ../src/core/dbus-socket.c:460 systemd#3 0x7fc095dd20f1 in bus_unit_set_properties ../src/core/dbus-unit.c:2473 systemd#4 0x7fc095d87d53 in transient_unit_from_message ../src/core/dbus-manager.c:1025 systemd#5 0x7fc095d8872f in method_start_transient_unit ../src/core/dbus-manager.c:1112 systemd#6 0x7fc0944ddf4f in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 systemd#7 0x7fc0944e7854 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 systemd#8 0x7fc0944e8f03 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 systemd#9 0x7fc09454ad78 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3011 systemd#10 0x7fc09454b302 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3053 systemd#11 0x7fc09454e158 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3273 systemd#12 0x7fc09454e2f2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3300 systemd#13 0x7fc094551a59 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3642 systemd#14 0x7fc094727830 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 systemd#15 0x7fc094731009 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 systemd#16 0x7fc094732124 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 systemd#17 0x7fc095f7af9f in manager_loop ../src/core/manager.c:3242 systemd#18 0x41cc7c in invoke_main_loop ../src/core/main.c:1937 systemd#19 0x4252e0 in main ../src/core/main.c:3072 systemd#20 0x7fc092a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s). (cherry picked from commit f8b21a0) (cherry picked from commit 98d2a09)

Since in that case the event loop is already finished and we'd hit an assertion: [ 1295.993300] testsuite-75.sh[50]: + systemctl stop systemd-resolved.service [ 1296.005152] systemd-resolved[298]: Assertion 'e->state != SD_EVENT_FINISHED' failed at src/libsystemd/sd-event/sd-event.c:1252, function sd_event_add_io(). Aborting. Thread 1 (Thread 0x7f17d25e2940 (LWP 298)): #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 systemd#1 0x00007f17d16ac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 systemd#2 0x00007f17d165c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 systemd#3 0x00007f17d16444b8 in __GI_abort () at abort.c:79 systemd#4 0x00007f17d2402d2d in log_assert_failed (text=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>) at ../build/src/basic/log.c:968 systemd#5 0x00007f17d240401c in log_assert_failed_return (text=text@entry=0x7f17d2533f13 "e->state != SD_EVENT_FINISHED", file=file@entry=0x7f17d25195d9 "src/libsystemd/sd-event/sd-event.c", line=line@entry=1252, func=func@entry=0x7f17d2567260 <__func__.140> "sd_event_add_io") at ../build/src/basic/log.c:987 systemd#6 0x00007f17d24d011a in sd_event_add_io (e=0x55e5cb497270, ret=0x55e5cb4a5120, fd=fd@entry=26, events=events@entry=1, callback=callback@entry=0x55e5caff5466 <on_io_event>, userdata=0x55e5cb4a5110) at ../build/src/libsystemd/sd-event/sd-event.c:1252 systemd#7 0x000055e5caff571c in manager_add_socket_to_graveyard (m=0x55e5cb43cf00, fd=26) at ../build/src/resolve/resolved-socket-graveyard.c:117 systemd#8 0x000055e5cafd4253 in dns_transaction_close_connection (t=t@entry=0x55e5cb57c7d0, use_graveyard=use_graveyard@entry=true) at ../build/src/resolve/resolved-dns-transaction.c:78 systemd#9 0x000055e5cafd8444 in dns_transaction_complete (t=t@entry=0x55e5cb57c7d0, state=state@entry=DNS_TRANSACTION_ABORTED) at ../build/src/resolve/resolved-dns-transaction.c:427 systemd#10 0x000055e5cafc4969 in dns_scope_abort_transactions (s=s@entry=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:91 systemd#11 0x000055e5cafc6aee in dns_scope_free (s=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:106 systemd#12 0x000055e5cafe72d1 in link_free (l=0x55e5cb4a5160) at ../build/src/resolve/resolved-link.c:94 systemd#13 0x000055e5cafedefc in manager_free (m=0x55e5cb43cf00) at ../build/src/resolve/resolved-manager.c:697 systemd#14 0x000055e5caff99b6 in manager_freep (p=p@entry=0x7ffd71fab8f8) at ../build/src/resolve/resolved-manager.h:198 systemd#15 0x000055e5caff9d66 in run (argc=argc@entry=1, argv=argv@entry=0x7ffd71faba78) at ../build/src/resolve/resolved.c:25 systemd#16 0x000055e5caff9fe3 in main (argc=1, argv=0x7ffd71faba78) at ../build/src/resolve/resolved.c:99 Resolves: systemd#30618 (cherry picked from commit ac1b7b9)

Partially revert "ma-setup: simplify"

0f82de8

zonque assigned keszybz Jun 2, 2015

zonque added the bug 🐛 Programming errors, that need preferential fixing label Jun 2, 2015

dvdhrm closed this Jun 4, 2015

crrodriguez mentioned this pull request Jun 8, 2015

util:bind_remount_recursive() fix "use after free" #96

Merged

Serafean mentioned this pull request Jan 14, 2016

I/O errors on journal files can make apps using sd-journal SIGBUS (such as qtcreator) #2323

Open

TKSpyrop mentioned this pull request Feb 9, 2016

systemd crash #2558

Closed

ReubenM mentioned this pull request Jul 25, 2017

systemd-resolved coredump several times a day #6456

Closed

mdrslmr mentioned this pull request Nov 14, 2017

systemd-logind's IP sandbox breaks nss-nis and suchlike #7074

Closed

hexiaowen mentioned this pull request Dec 19, 2017

systemd got a SIGFAULT and freeze when mount_load cgroup-cpuset.mount #7698

Closed

iaguis pushed a commit to kinvolk/systemd that referenced this pull request Feb 6, 2018

Merge pull request systemd#15 from crawford/escape

02a5faf

load-fragment: use UNESCAPE_RELAX flag to parse exec directives

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Partially revert "ma-setup: simplify" #15

Partially revert "ma-setup: simplify" #15

haraldh commented Jun 2, 2015

dvdhrm commented Jun 4, 2015

Partially revert "ma-setup: simplify" #15

Partially revert "ma-setup: simplify" #15

Conversation

haraldh commented Jun 2, 2015

dvdhrm commented Jun 4, 2015