You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
systemd/SOURCES/0264-fuzz-journal-stream-av...

48 lines
1.8 KiB

From 2d197adc6d7109d5901401a90288530582f3f991 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 26 Feb 2019 13:00:35 +0100
Subject: [PATCH] fuzz-journal-stream: avoid assertion failure on samples which
don't fit in pipe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11587.
We had a sample which was large enough that write(2) failed to push all the
data into the pipe, and an assert failed. The code could be changed to use
a loop, but then we'd need to interleave writes and sd_event_run (to process
the journal). I don't think the complexity is worth it — fuzzing works best
if the sample is not too huge anyway. So let's just reject samples above 64k,
and tell oss-fuzz about this limit.
(cherry picked from commit eafadd069c4e30ed62173123326a7237448615d1)
Resolves: #1764560
---
src/fuzz/fuzz-journald-stream.c | 2 +-
src/fuzz/fuzz-journald-stream.options | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
create mode 100644 src/fuzz/fuzz-journald-stream.options
diff --git a/src/fuzz/fuzz-journald-stream.c b/src/fuzz/fuzz-journald-stream.c
index 247c0889bc..693b197d3a 100644
--- a/src/fuzz/fuzz-journald-stream.c
+++ b/src/fuzz/fuzz-journald-stream.c
@@ -14,7 +14,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
StdoutStream *stream;
int v;
- if (size == 0)
+ if (size == 0 || size > 65536)
return 0;
if (!getenv("SYSTEMD_LOG_LEVEL"))
diff --git a/src/fuzz/fuzz-journald-stream.options b/src/fuzz/fuzz-journald-stream.options
new file mode 100644
index 0000000000..678d526b1e
--- /dev/null
+++ b/src/fuzz/fuzz-journald-stream.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65536