Brian Stinson 2593d8
From 2d197adc6d7109d5901401a90288530582f3f991 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 26 Feb 2019 13:00:35 +0100
Subject: [PATCH] fuzz-journal-stream: avoid assertion failure on samples which
 don't fit in pipe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11587.
We had a sample which was large enough that write(2) failed to push all the
data into the pipe, and an assert failed. The code could be changed to use
a loop, but then we'd need to interleave writes and sd_event_run (to process
the journal). I don't think the complexity is worth it — fuzzing works best
if the sample is not too huge anyway. So let's just reject samples above 64k,
and tell oss-fuzz about this limit.
(cherry picked from commit eafadd069c4e30ed62173123326a7237448615d1)
Resolves: #1764560
---
 src/fuzz/fuzz-journald-stream.c       | 2 +-
 src/fuzz/fuzz-journald-stream.options | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 src/fuzz/fuzz-journald-stream.options
diff --git a/src/fuzz/fuzz-journald-stream.c b/src/fuzz/fuzz-journald-stream.c
index 247c0889bc..693b197d3a 100644
--- a/src/fuzz/fuzz-journald-stream.c
+++ b/src/fuzz/fuzz-journald-stream.c
@@ -14,7 +14,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         StdoutStream *stream;
         int v;
 
-        if (size == 0)
+        if (size == 0 || size > 65536)
                 return 0;
 
         if (!getenv("SYSTEMD_LOG_LEVEL"))
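Review bot: the literal 65536 in `if (size == 0 || size > 65536)` is a magic number that has to stay identical to `max_len = 65536` in the new fuzz-journald-stream.options file and to the "64k" limit the commit message cites; consider a named constant (for instance `#define MAX_SAMPLE_SIZE (64 * 1024)`, a suggested name, not from the patch) with a one-line comment saying that larger samples do not fit in the pipe, so that the next person who tunes one value does not silently desynchronize the other. The comparison uses `>`, so a sample of exactly 65536 bytes is still accepted, which matches what libFuzzer will generate under that `max_len`; that boundary case is therefore the one worth keeping an eye on if the write(2) assertion ever reappears.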
Brian Stinson 2593d8
diff --git a/src/fuzz/fuzz-journald-stream.options b/src/fuzz/fuzz-journald-stream.options
new file mode 100644
index 0000000000..678d526b1e
--- /dev/null
+++ b/src/fuzz/fuzz-journald-stream.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65536
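Review bot: `max_len` sits under a `[libfuzzer]` section, so it only tells that engine how large an input to generate; it is a hint to the fuzzing setup, not an enforcement point, and the `size > 65536` check in fuzz-journald-stream.c remains the guard that actually holds regardless of how the target is driven. The two values must be kept equal, and since a bare two-line .options file reads as an arbitrary tuning knob, it would help to record that dependency, either in the commit message alongside "tell oss-fuzz about this limit" or in a comment next to the C check.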