summaryrefslogtreecommitdiffstats
path: root/src/fuzz
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:49:52 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-10 20:49:52 +0000
commit55944e5e40b1be2afc4855d8d2baf4b73d1876b5 (patch)
tree33f869f55a1b149e9b7c2b7e201867ca5dd52992 /src/fuzz
parentInitial commit. (diff)
downloadsystemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.tar.xz
systemd-55944e5e40b1be2afc4855d8d2baf4b73d1876b5.zip
Adding upstream version 255.4.upstream/255.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/fuzz')
-rw-r--r--src/fuzz/fuzz-bootspec-gen.py21
-rw-r--r--src/fuzz/fuzz-bootspec.c123
-rw-r--r--src/fuzz/fuzz-bootspec.options2
-rw-r--r--src/fuzz/fuzz-bus-label.c20
-rw-r--r--src/fuzz/fuzz-calendarspec.c57
-rw-r--r--src/fuzz/fuzz-catalog.c25
-rw-r--r--src/fuzz/fuzz-compress.c66
-rw-r--r--src/fuzz/fuzz-env-file.c28
-rw-r--r--src/fuzz/fuzz-env-file.options2
-rw-r--r--src/fuzz/fuzz-hostname-setup.c20
-rw-r--r--src/fuzz/fuzz-json.c115
-rw-r--r--src/fuzz/fuzz-main.c56
-rw-r--r--src/fuzz/fuzz-time-util.c26
-rw-r--r--src/fuzz/fuzz-udev-database.c25
-rw-r--r--src/fuzz/fuzz-varlink-idl.c34
-rw-r--r--src/fuzz/fuzz-varlink.c129
-rw-r--r--src/fuzz/fuzz.h40
-rw-r--r--src/fuzz/meson.build16
18 files changed, 805 insertions, 0 deletions
diff --git a/src/fuzz/fuzz-bootspec-gen.py b/src/fuzz/fuzz-bootspec-gen.py
new file mode 100644
index 0000000..99af3f5
--- /dev/null
+++ b/src/fuzz/fuzz-bootspec-gen.py
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+"""Generate sample input for fuzz-bootspec"""
+
+import json
+import os
+import sys
+
+config = open(sys.argv[1]).read()
+loader = [entry for entry in open(sys.argv[2], encoding='utf-16-le').read().split('\0')
+ if len(entry) > 2] # filter out fluff from bad decoding
+entries = [(os.path.basename(name), open(name).read())
+ for name in sys.argv[3:]]
+
+data = {
+ 'config': config,
+ 'entries': entries,
+ 'loader': loader,
+}
+
+print(json.dumps(data, indent=4))
diff --git a/src/fuzz/fuzz-bootspec.c b/src/fuzz/fuzz-bootspec.c
new file mode 100644
index 0000000..0c61cbe
--- /dev/null
+++ b/src/fuzz/fuzz-bootspec.c
@@ -0,0 +1,123 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <string.h>
+
+#include "bootspec.h"
+#include "env-util.h"
+#include "escape.h"
+#include "fuzz.h"
+#include "fd-util.h"
+#include "json.h"
+
+static int json_dispatch_config(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) {
+ BootConfig *config = ASSERT_PTR(userdata);
+
+ const char *s = json_variant_string(variant);
+ if (!s)
+ return -EINVAL;
+
+ _cleanup_fclose_ FILE *f = NULL;
+ assert_se(f = data_to_file((const uint8_t*) s, strlen(s)));
+
+ (void) boot_loader_read_conf(config, f, "memstream");
+ return 0;
+}
+
+static int json_dispatch_entries(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) {
+ BootConfig *config = ASSERT_PTR(userdata);
+ JsonVariant *entry;
+
+ JSON_VARIANT_ARRAY_FOREACH(entry, variant) {
+ if (!json_variant_is_array(entry) ||
+ json_variant_elements(entry) < 1)
+ return -EINVAL;
+
+ JsonVariant *v;
+ const char *id = NULL, *raw = NULL;
+ _cleanup_free_ char *data = NULL;
+ ssize_t len = -ENODATA;
+
+ v = json_variant_by_index(entry, 0);
+ if (v)
+ id = json_variant_string(v);
+ if (!id)
+ continue;
+
+ v = json_variant_by_index(entry, 1);
+ if (v)
+ raw = json_variant_string(v);
+ if (raw)
+ len = cunescape(raw, UNESCAPE_RELAX | UNESCAPE_ACCEPT_NUL, &data);
+ if (len >= 0) {
+ _cleanup_fclose_ FILE *f = NULL;
+ assert_se(f = data_to_file((const uint8_t*) data, len));
+
+ assert_se(boot_config_load_type1(config, f, "/", "/entries", id) != -ENOMEM);
+ }
+ }
+
+ return 0;
+}
+
+static int json_dispatch_loader(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) {
+ BootConfig *config = ASSERT_PTR(userdata);
+ _cleanup_strv_free_ char **entries = NULL;
+ int r;
+
+ r = json_dispatch_strv(name, variant, flags, &entries);
+ if (r < 0)
+ return r;
+
+ (void) boot_config_augment_from_loader(config, entries, false);
+ return 0;
+}
+
+static const JsonDispatch data_dispatch[] = {
+ { "config", JSON_VARIANT_STRING, json_dispatch_config, 0, 0 },
+ { "entries", JSON_VARIANT_ARRAY, json_dispatch_entries, 0, 0 },
+ { "loader", JSON_VARIANT_ARRAY, json_dispatch_loader, 0, 0 },
+ {}
+};
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_free_ const char *datadup = NULL;
+ _cleanup_(boot_config_free) BootConfig config = BOOT_CONFIG_NULL;
+ int r;
+
+ if (outside_size_range(size, 0, 65536))
+ return 0;
+
+ fuzz_setup_logging();
+
+ assert_se(datadup = memdup_suffix0(data, size));
+
+ _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
+ r = json_parse(datadup, 0, &v, NULL, NULL);
+ if (r < 0)
+ return 0;
+
+ r = json_dispatch(v, data_dispatch, 0, &config);
+ if (r < 0)
+ return 0;
+
+ assert_se(boot_config_finalize(&config) >= 0);
+
+ (void) boot_config_select_special_entries(&config, /* skip_efivars= */ false);
+
+ _cleanup_close_ int orig_stdout_fd = -EBADF;
+ if (getenv_bool("SYSTEMD_FUZZ_OUTPUT") <= 0) {
+ orig_stdout_fd = fcntl(fileno(stdout), F_DUPFD_CLOEXEC, 3);
+ if (orig_stdout_fd < 0)
+ log_warning_errno(orig_stdout_fd, "Failed to duplicate fd 1: %m");
+ else
+ assert_se(freopen("/dev/null", "w", stdout));
+ }
+
+ (void) show_boot_entries(&config, JSON_FORMAT_OFF);
+ (void) show_boot_entries(&config, JSON_FORMAT_PRETTY);
+
+ if (orig_stdout_fd >= 0)
+ assert_se(freopen(FORMAT_PROC_FD_PATH(orig_stdout_fd), "w", stdout));
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-bootspec.options b/src/fuzz/fuzz-bootspec.options
new file mode 100644
index 0000000..678d526
--- /dev/null
+++ b/src/fuzz/fuzz-bootspec.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65536
diff --git a/src/fuzz/fuzz-bus-label.c b/src/fuzz/fuzz-bus-label.c
new file mode 100644
index 0000000..c7be82a
--- /dev/null
+++ b/src/fuzz/fuzz-bus-label.c
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <errno.h>
+
+#include "alloc-util.h"
+#include "bus-label.h"
+#include "fuzz.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_free_ char *unescaped = NULL, *escaped = NULL;
+
+ fuzz_setup_logging();
+
+ unescaped = bus_label_unescape_n((const char*)data, size);
+ assert_se(unescaped != NULL);
+ escaped = bus_label_escape(unescaped);
+ assert_se(escaped != NULL);
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-calendarspec.c b/src/fuzz/fuzz-calendarspec.c
new file mode 100644
index 0000000..b31a3f2
--- /dev/null
+++ b/src/fuzz/fuzz-calendarspec.c
@@ -0,0 +1,57 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "calendarspec.h"
+#include "fd-util.h"
+#include "fuzz.h"
+#include "string-util.h"
+#include "time-util.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_(calendar_spec_freep) CalendarSpec *cspec = NULL;
+ _cleanup_free_ char *str = NULL;
+ int r;
+
+ fuzz_setup_logging();
+
+ assert_se(str = memdup_suffix0(data, size));
+
+ size_t l1 = strlen(str);
+ const char* usecs = l1 < size ? str + l1 + 1 : "";
+
+ r = calendar_spec_from_string(str, &cspec);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to parse \"%s\": %m", str);
+ return 0;
+ }
+
+ _cleanup_free_ char *p = NULL;
+ assert_se(calendar_spec_valid(cspec));
+ assert_se(calendar_spec_to_string(cspec, &p) == 0);
+ assert(p);
+
+ log_debug("spec: %s → %s", str, p);
+
+ _cleanup_(calendar_spec_freep) CalendarSpec *cspec2 = NULL;
+ assert_se(calendar_spec_from_string(p, &cspec2) >= 0);
+ assert_se(calendar_spec_valid(cspec2));
+
+ usec_t usec = 0;
+ (void) parse_time(usecs, &usec, 1);
+
+ /* If timezone is set, calendar_spec_next_usec() would fork, bleh :(
+ * Let's not try that. */
+ cspec->timezone = mfree(cspec->timezone);
+
+ log_debug("00: %s", strna(FORMAT_TIMESTAMP(usec)));
+ for (unsigned i = 1; i <= 20; i++) {
+ r = calendar_spec_next_usec(cspec, usec, &usec);
+ if (r < 0) {
+ log_debug_errno(r, "%02u: %m", i);
+ break;
+ }
+ log_debug("%02u: %s", i, FORMAT_TIMESTAMP(usec));
+ }
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-catalog.c b/src/fuzz/fuzz-catalog.c
new file mode 100644
index 0000000..f9561f2
--- /dev/null
+++ b/src/fuzz/fuzz-catalog.c
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "catalog.h"
+#include "fd-util.h"
+#include "fs-util.h"
+#include "fuzz.h"
+#include "tmpfile-util.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_(unlink_tempfilep) char name[] = "/tmp/fuzz-catalog.XXXXXX";
+ _cleanup_close_ int fd = -EBADF;
+ _cleanup_ordered_hashmap_free_free_free_ OrderedHashmap *h = NULL;
+
+ fuzz_setup_logging();
+
+ assert_se(h = ordered_hashmap_new(&catalog_hash_ops));
+
+ fd = mkostemp_safe(name);
+ assert_se(fd >= 0);
+ assert_se(write(fd, data, size) == (ssize_t) size);
+
+ (void) catalog_import_file(h, name);
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-compress.c b/src/fuzz/fuzz-compress.c
new file mode 100644
index 0000000..c3f68f6
--- /dev/null
+++ b/src/fuzz/fuzz-compress.c
@@ -0,0 +1,66 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <errno.h>
+
+#include "alloc-util.h"
+#include "compress.h"
+#include "fuzz.h"
+
+typedef struct header {
+ uint32_t alg:2; /* We have only three compression algorithms so far, but we might add more in the
+ * future. Let's make this a bit wider so our fuzzer cases remain stable in the
+ * future. */
+ uint32_t sw_len;
+ uint32_t sw_alloc;
+ uint32_t reserved[3]; /* Extra space to keep fuzz cases stable in case we need to
+ * add stuff in the future. */
+ uint8_t data[];
+} header;
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_free_ void *buf = NULL, *buf2 = NULL;
+ int r;
+
+ if (size < offsetof(header, data) + 1)
+ return 0;
+
+ const header *h = (struct header*) data;
+ const size_t data_len = size - offsetof(header, data);
+
+ int alg = h->alg;
+
+ fuzz_setup_logging();
+
+ log_info("Using compression %s, data size=%zu",
+ compression_to_string(alg),
+ data_len);
+
+ buf = malloc(MAX(size, 128u)); /* Make the buffer a bit larger for very small data */
+ if (!buf) {
+ log_oom();
+ return 0;
+ }
+
+ size_t csize;
+ r = compress_blob(alg, h->data, data_len, buf, size, &csize);
+ if (r < 0) {
+ log_error_errno(r, "Compression failed: %m");
+ return 0;
+ }
+
+ log_debug("Compressed %zu bytes to → %zu bytes", data_len, csize);
+
+ size_t sw_alloc = MAX(h->sw_alloc, 1u);
+ buf2 = malloc(sw_alloc);
+ if (!buf2) {
+ log_oom();
+ return 0;
+ }
+
+ size_t sw_len = MIN(data_len - 1, h->sw_len);
+
+ r = decompress_startswith(alg, buf, csize, &buf2, h->data, sw_len, h->data[sw_len]);
+ assert_se(r > 0);
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-env-file.c b/src/fuzz/fuzz-env-file.c
new file mode 100644
index 0000000..ff7e529
--- /dev/null
+++ b/src/fuzz/fuzz-env-file.c
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <stdio.h>
+
+#include "alloc-util.h"
+#include "env-file.h"
+#include "fd-util.h"
+#include "fuzz.h"
+#include "strv.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_fclose_ FILE *f = NULL;
+ _cleanup_strv_free_ char **rl = NULL, **rlp = NULL;
+
+ if (outside_size_range(size, 0, 65536))
+ return 0;
+
+ f = data_to_file(data, size);
+ assert_se(f);
+
+ fuzz_setup_logging();
+
+ (void) load_env_file(f, NULL, &rl);
+ assert_se(fseek(f, 0, SEEK_SET) == 0);
+ (void) load_env_file_pairs(f, NULL, &rlp);
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-env-file.options b/src/fuzz/fuzz-env-file.options
new file mode 100644
index 0000000..678d526
--- /dev/null
+++ b/src/fuzz/fuzz-env-file.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65536
diff --git a/src/fuzz/fuzz-hostname-setup.c b/src/fuzz/fuzz-hostname-setup.c
new file mode 100644
index 0000000..4895631
--- /dev/null
+++ b/src/fuzz/fuzz-hostname-setup.c
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "fd-util.h"
+#include "fuzz.h"
+#include "hostname-setup.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_fclose_ FILE *f = NULL;
+ _cleanup_free_ char *ret = NULL;
+
+ f = data_to_file(data, size);
+ assert_se(f);
+
+ fuzz_setup_logging();
+
+ (void) read_etc_hostname_stream(f, &ret);
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-json.c b/src/fuzz/fuzz-json.c
new file mode 100644
index 0000000..3d6d689
--- /dev/null
+++ b/src/fuzz/fuzz-json.c
@@ -0,0 +1,115 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "env-util.h"
+#include "fd-util.h"
+#include "fuzz.h"
+#include "json.h"
+#include "memstream-util.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_(memstream_done) MemStream m = {};
+ _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
+ _cleanup_fclose_ FILE *f = NULL;
+ FILE *g = NULL;
+ int r;
+
+ fuzz_setup_logging();
+
+ f = data_to_file(data, size);
+ assert_se(f);
+
+ r = json_parse_file(f, NULL, 0, &v, NULL, NULL);
+ if (r < 0) {
+ log_debug_errno(r, "failed to parse input: %m");
+ return 0;
+ }
+
+ if (getenv_bool("SYSTEMD_FUZZ_OUTPUT") <= 0)
+ assert_se(g = memstream_init(&m));
+
+ json_variant_dump(v, 0, g ?: stdout, NULL);
+ json_variant_dump(v, JSON_FORMAT_PRETTY|JSON_FORMAT_COLOR|JSON_FORMAT_SOURCE, g ?: stdout, NULL);
+
+ bool sorted = json_variant_is_sorted(v);
+ log_debug("json_variant_is_sorted: %s", yes_no(sorted));
+
+ r = json_variant_sort(&v);
+ log_debug_errno(r, "json_variant_sort: %d/%m", r);
+
+ sorted = json_variant_is_sorted(v);
+ log_debug("json_variant_is_sorted: %s", yes_no(sorted));
+ assert_se(r < 0 || sorted);
+
+ bool normalized = json_variant_is_normalized(v);
+ log_debug("json_variant_is_normalized: %s", yes_no(normalized));
+
+ r = json_variant_normalize(&v);
+ log_debug_errno(r, "json_variant_normalize: %d/%m", r);
+
+ normalized = json_variant_is_normalized(v);
+ log_debug("json_variant_is_normalized: %s", yes_no(normalized));
+ assert_se(r < 0 || normalized);
+
+ double real = json_variant_real(v);
+ log_debug("json_variant_real: %lf", real);
+
+ bool negative = json_variant_is_negative(v);
+ log_debug("json_variant_is_negative: %s", yes_no(negative));
+
+ bool blank = json_variant_is_blank_object(v);
+ log_debug("json_variant_is_blank_object: %s", yes_no(blank));
+
+ blank = json_variant_is_blank_array(v);
+ log_debug("json_variant_is_blank_array: %s", yes_no(blank));
+
+ size_t elements = json_variant_elements(v);
+ log_debug("json_variant_elements: %zu", elements);
+
+ for (size_t i = 0; i <= elements + 2; i++)
+ (void) json_variant_by_index(v, i);
+
+ assert_se(json_variant_equal(v, v));
+ assert_se(!json_variant_equal(v, NULL));
+ assert_se(!json_variant_equal(NULL, v));
+
+ bool sensitive = json_variant_is_sensitive(v);
+ log_debug("json_variant_is_sensitive: %s", yes_no(sensitive));
+
+ json_variant_sensitive(v);
+
+ sensitive = json_variant_is_sensitive(v);
+ log_debug("json_variant_is_sensitive: %s", yes_no(sensitive));
+
+ const char *source;
+ unsigned line, column;
+ assert_se(json_variant_get_source(v, &source, &line, &column) == 0);
+ log_debug("json_variant_get_source: %s:%u:%u", source ?: "-", line, column);
+
+ r = json_variant_set_field_string(&v, "a", "string-a");
+ log_debug_errno(r, "json_set_field_string: %d/%m", r);
+
+ r = json_variant_set_field_integer(&v, "b", -12345);
+ log_debug_errno(r, "json_set_field_integer: %d/%m", r);
+
+ r = json_variant_set_field_unsigned(&v, "c", 12345);
+ log_debug_errno(r, "json_set_field_unsigned: %d/%m", r);
+
+ r = json_variant_set_field_boolean(&v, "d", false);
+ log_debug_errno(r, "json_set_field_boolean: %d/%m", r);
+
+ r = json_variant_set_field_strv(&v, "e", STRV_MAKE("e-1", "e-2", "e-3"));
+ log_debug_errno(r, "json_set_field_strv: %d/%m", r);
+
+ r = json_variant_filter(&v, STRV_MAKE("a", "b", "c", "d", "e"));
+ log_debug_errno(r, "json_variant_filter: %d/%m", r);
+
+ /* I assume we can merge v with itself… */
+ r = json_variant_merge_object(&v, v);
+ log_debug_errno(r, "json_variant_merge: %d/%m", r);
+
+ r = json_variant_append_array(&v, v);
+ log_debug_errno(r, "json_variant_append_array: %d/%m", r);
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-main.c b/src/fuzz/fuzz-main.c
new file mode 100644
index 0000000..cf70424
--- /dev/null
+++ b/src/fuzz/fuzz-main.c
@@ -0,0 +1,56 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "fileio.h"
+#include "fuzz.h"
+#include "log.h"
+#include "parse-util.h"
+#include "string-util.h"
+#include "tests.h"
+
+/* This is a test driver for the systemd fuzzers that provides main function
+ * for regression testing outside of oss-fuzz (https://github.com/google/oss-fuzz)
+ *
+ * It reads files named on the command line and passes them one by one into the
+ * fuzzer that it is compiled into. */
+
+/* This one was borrowed from
+ * https://github.com/google/oss-fuzz/blob/646fca1b506b056db3a60d32c4a1a7398f171c94/infra/base-images/base-runner/bad_build_check#L19
+ */
+#define NUMBER_OF_RUNS 4
+
+int main(int argc, char **argv) {
+ int r;
+
+ test_setup_logging(LOG_DEBUG);
+
+ unsigned number_of_runs = NUMBER_OF_RUNS;
+
+ const char *v = getenv("SYSTEMD_FUZZ_RUNS");
+ if (!isempty(v)) {
+ r = safe_atou(v, &number_of_runs);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse SYSTEMD_FUZZ_RUNS=%s: %m", v);
+ }
+
+ for (int i = 1; i < argc; i++) {
+ _cleanup_free_ char *buf = NULL;
+ size_t size;
+ char *name;
+
+ name = argv[i];
+ r = read_full_file(name, &buf, &size);
+ if (r < 0) {
+ log_error_errno(r, "Failed to open '%s': %m", name);
+ return EXIT_FAILURE;
+ }
+ printf("%s... ", name);
+ fflush(stdout);
+ for (unsigned j = 0; j < number_of_runs; j++)
+ if (LLVMFuzzerTestOneInput((uint8_t*)buf, size) == EXIT_TEST_SKIP)
+ return EXIT_TEST_SKIP;
+ printf("ok\n");
+ }
+
+ return EXIT_SUCCESS;
+}
diff --git a/src/fuzz/fuzz-time-util.c b/src/fuzz/fuzz-time-util.c
new file mode 100644
index 0000000..5be2e4f
--- /dev/null
+++ b/src/fuzz/fuzz-time-util.c
@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "fd-util.h"
+#include "fuzz.h"
+#include "time-util.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_free_ char *str = NULL;
+ usec_t usec;
+
+ fuzz_setup_logging();
+
+ assert_se(str = memdup_suffix0(data, size));
+
+ (void) parse_timestamp(str, &usec);
+ (void) parse_sec(str, &usec);
+ (void) parse_sec_fix_0(str, &usec);
+ (void) parse_sec_def_infinity(str, &usec);
+ (void) parse_time(str, &usec, USEC_PER_SEC);
+ (void) parse_nsec(str, &usec);
+
+ (void) timezone_is_valid(str, LOG_DEBUG);
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-udev-database.c b/src/fuzz/fuzz-udev-database.c
new file mode 100644
index 0000000..6b4fc82
--- /dev/null
+++ b/src/fuzz/fuzz-udev-database.c
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "device-internal.h"
+#include "device-private.h"
+#include "fd-util.h"
+#include "fs-util.h"
+#include "fuzz.h"
+#include "tmpfile-util.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_(sd_device_unrefp) sd_device *dev = NULL;
+ _cleanup_(unlink_tempfilep) char filename[] = "/tmp/fuzz-udev-database.XXXXXX";
+ _cleanup_fclose_ FILE *f = NULL;
+
+ fuzz_setup_logging();
+
+ assert_se(fmkostemp_safe(filename, "r+", &f) == 0);
+ if (size != 0)
+ assert_se(fwrite(data, size, 1, f) == 1);
+
+ fflush(f);
+ assert_se(device_new_aux(&dev) >= 0);
+ (void) device_read_db_internal_filename(dev, filename);
+ return 0;
+}
diff --git a/src/fuzz/fuzz-varlink-idl.c b/src/fuzz/fuzz-varlink-idl.c
new file mode 100644
index 0000000..2436342
--- /dev/null
+++ b/src/fuzz/fuzz-varlink-idl.c
@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <unistd.h>
+
+#include "errno-util.h"
+#include "fd-util.h"
+#include "fuzz.h"
+#include "io-util.h"
+#include "varlink-idl.h"
+#include "log.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ _cleanup_(varlink_interface_freep) VarlinkInterface *vi = NULL;
+ _cleanup_free_ char *str = NULL, *dump = NULL;
+ int r;
+
+ if (outside_size_range(size, 0, 64 * 1024))
+ return 0;
+
+ fuzz_setup_logging();
+
+ assert_se(str = memdup_suffix0(data, size));
+
+ r = varlink_idl_parse(str, /* line= */ NULL, /* column= */ NULL, &vi);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to parse varlink interface definition: %m");
+ return 0;
+ }
+
+ assert_se(varlink_idl_format(vi, &dump) >= 0);
+ (void) varlink_idl_consistent(vi, LOG_DEBUG);
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz-varlink.c b/src/fuzz/fuzz-varlink.c
new file mode 100644
index 0000000..dd63419
--- /dev/null
+++ b/src/fuzz/fuzz-varlink.c
@@ -0,0 +1,129 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <unistd.h>
+
+#include "errno-util.h"
+#include "fd-util.h"
+#include "fuzz.h"
+#include "hexdecoct.h"
+#include "iovec-util.h"
+#include "varlink.h"
+#include "log.h"
+
+static FILE *null = NULL;
+
+static int method_something(Varlink *v, JsonVariant *p, VarlinkMethodFlags flags, void *userdata) {
+ json_variant_dump(p, JSON_FORMAT_NEWLINE|JSON_FORMAT_PRETTY, null, NULL);
+ return 0;
+}
+
+static int reply_callback(Varlink *v, JsonVariant *p, const char *error_id, VarlinkReplyFlags flags, void *userdata) {
+ json_variant_dump(p, JSON_FORMAT_NEWLINE|JSON_FORMAT_PRETTY, null, NULL);
+ return 0;
+}
+
+static int io_callback(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
+ struct iovec *iov = ASSERT_PTR(userdata);
+ bool write_eof = false, read_eof = false;
+
+ assert(s);
+ assert(fd >= 0);
+
+ if ((revents & (EPOLLOUT|EPOLLHUP|EPOLLERR)) && iov->iov_len > 0) {
+ ssize_t n;
+
+ /* never write more than 143 bytes a time, to make broken up recv()s on the other side more
+ * likely, and thus test some additional code paths. */
+ n = send(fd, iov->iov_base, MIN(iov->iov_len, 143U), MSG_NOSIGNAL|MSG_DONTWAIT);
+ if (n < 0) {
+ if (ERRNO_IS_DISCONNECT(errno))
+ write_eof = true;
+ else
+ assert_se(errno == EAGAIN);
+ } else
+ iovec_increment(iov, 1, n);
+ }
+
+ if (revents & EPOLLIN) {
+ char c[137];
+ ssize_t n;
+
+ n = recv(fd, c, sizeof(c), MSG_DONTWAIT);
+ if (n < 0) {
+ if (ERRNO_IS_DISCONNECT(errno))
+ read_eof = true;
+ else
+ assert_se(errno == EAGAIN);
+ } else if (n == 0)
+ read_eof = true;
+ else
+ hexdump(null, c, (size_t) n);
+ }
+
+ /* After we wrote everything we could turn off EPOLLOUT. And if we reached read EOF too turn off the
+ * whole thing. */
+ if (write_eof || iov->iov_len == 0) {
+
+ if (read_eof)
+ assert_se(sd_event_source_set_enabled(s, SD_EVENT_OFF) >= 0);
+ else
+ assert_se(sd_event_source_set_io_events(s, EPOLLIN) >= 0);
+ }
+
+ return 0;
+}
+
+static int idle_callback(sd_event_source *s, void *userdata) {
+ assert(s);
+
+ /* Called as idle callback when there's nothing else to do anymore */
+ sd_event_exit(sd_event_source_get_event(s), 0);
+ return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ struct iovec server_iov = IOVEC_MAKE((void*) data, size), client_iov = IOVEC_MAKE((void*) data, size);
+ /* Important: the declaration order matters here! we want that the fds are closed on return after the
+ * event sources, hence we declare the fds first, the event sources second */
+ _cleanup_close_pair_ int server_pair[2] = EBADF_PAIR, client_pair[2] = EBADF_PAIR;
+ _cleanup_(sd_event_source_unrefp) sd_event_source *idle_event_source = NULL,
+ *server_event_source = NULL, *client_event_source = NULL;
+ _cleanup_(varlink_server_unrefp) VarlinkServer *s = NULL;
+ _cleanup_(varlink_flush_close_unrefp) Varlink *c = NULL;
+ _cleanup_(sd_event_unrefp) sd_event *e = NULL;
+
+ fuzz_setup_logging();
+
+ assert_se(null = fopen("/dev/null", "we"));
+
+ assert_se(sd_event_default(&e) >= 0);
+
+ /* Test one: write the data as method call to a server */
+ assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, server_pair) >= 0);
+ assert_se(varlink_server_new(&s, 0) >= 0);
+ assert_se(varlink_server_set_description(s, "myserver") >= 0);
+ assert_se(varlink_server_attach_event(s, e, 0) >= 0);
+ assert_se(varlink_server_add_connection(s, server_pair[0], NULL) >= 0);
+ TAKE_FD(server_pair[0]);
+ assert_se(varlink_server_bind_method(s, "io.test.DoSomething", method_something) >= 0);
+ assert_se(sd_event_add_io(e, &server_event_source, server_pair[1], EPOLLIN|EPOLLOUT, io_callback, &server_iov) >= 0);
+
+ /* Test two: write the data as method response to a client */
+ assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, client_pair) >= 0);
+ assert_se(varlink_connect_fd(&c, client_pair[0]) >= 0);
+ TAKE_FD(client_pair[0]);
+ assert_se(varlink_set_description(c, "myclient") >= 0);
+ assert_se(varlink_attach_event(c, e, 0) >= 0);
+ assert_se(varlink_bind_reply(c, reply_callback) >= 0);
+ assert_se(varlink_invoke(c, "io.test.DoSomething", NULL) >= 0);
+ assert_se(sd_event_add_io(e, &client_event_source, client_pair[1], EPOLLIN|EPOLLOUT, io_callback, &client_iov) >= 0);
+
+ assert_se(sd_event_add_defer(e, &idle_event_source, idle_callback, NULL) >= 0);
+ assert_se(sd_event_source_set_priority(idle_event_source, SD_EVENT_PRIORITY_IDLE) >= 0);
+
+ assert_se(sd_event_loop(e) >= 0);
+
+ null = safe_fclose(null);
+
+ return 0;
+}
diff --git a/src/fuzz/fuzz.h b/src/fuzz/fuzz.h
new file mode 100644
index 0000000..698ba42
--- /dev/null
+++ b/src/fuzz/fuzz.h
@@ -0,0 +1,40 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "env-util.h"
+#include "fileio.h"
+
+/* The entry point into the fuzzer */
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static inline FILE* data_to_file(const uint8_t *data, size_t size) {
+ if (size == 0)
+ return fopen("/dev/null", "re");
+ else
+ return fmemopen_unlocked((char*) data, size, "r");
+}
+
+/* Check if we are within the specified size range.
+ * The upper limit is ignored if FUZZ_USE_SIZE_LIMIT is unset.
+ */
+static inline bool outside_size_range(size_t size, size_t lower, size_t upper) {
+ if (size < lower)
+ return true;
+ if (size > upper)
+ return FUZZ_USE_SIZE_LIMIT;
+ return false;
+}
+
+static inline void fuzz_setup_logging(void) {
+ /* We don't want to fill the logs and slow down stuff when running
+ * in a fuzzing mode, so disable most of the logging. */
+ log_set_max_level(LOG_CRIT);
+ log_parse_environment();
+ log_open();
+}
+
+/* Force value to not be optimized away. */
+#define DO_NOT_OPTIMIZE(value) ({ asm volatile("" : : "g"(value) : "memory"); })
diff --git a/src/fuzz/meson.build b/src/fuzz/meson.build
new file mode 100644
index 0000000..8c1b2e9
--- /dev/null
+++ b/src/fuzz/meson.build
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+simple_fuzzers += files(
+ 'fuzz-bootspec.c',
+ 'fuzz-bus-label.c',
+ 'fuzz-calendarspec.c',
+ 'fuzz-catalog.c',
+ 'fuzz-compress.c',
+ 'fuzz-env-file.c',
+ 'fuzz-hostname-setup.c',
+ 'fuzz-json.c',
+ 'fuzz-time-util.c',
+ 'fuzz-udev-database.c',
+ 'fuzz-varlink.c',
+ 'fuzz-varlink-idl.c',
+)