From 7bb55ed099f611ec7077db69684a6cb93d42dc70 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 24 Mar 2019 00:22:38 +0900
Subject: [PATCH 1/3] util: fix condition_free_list_type()
This fixes a bug introduced by c4f58deab56282cd438922203287cb073b861513. Closes oss-fuzz#13878, oss-fuzz#13882, oss-fuzz#13884, oss-fuzz#13886, and oss-fuzz#13888.
---
 src/shared/condition.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 69d65fffbc..32a90bcea3 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -77,17 +77,17 @@ void condition_free(Condition *c) {
 free(c);
 }
-Condition* condition_free_list_type(Condition *first, ConditionType type) {
- Condition *c, *n, *r = NULL;
+Condition* condition_free_list_type(Condition *head, ConditionType type) {
+ Condition *c, *n;
- LIST_FOREACH_SAFE(conditions, c, n, first)
- if (type < 0 || c->type == type)
+ LIST_FOREACH_SAFE(conditions, c, n, head)
+ if (type < 0 || c->type == type) {
+ LIST_REMOVE(conditions, head, c);
 condition_free(c);
- else if (!r)
- r = c;
+ }
- assert(type >= 0 || !r);
- return r;
+ assert(type >= 0 || !head);
+ return head;
 }
 static int condition_test_kernel_command_line(Condition *c) {
From 1beabe08d6bce21c7695c22312f74a67d14d992c Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 24 Mar 2019 00:27:09 +0900
Subject: [PATCH 2/3] network,udev: explicitly declare 'conditions' is a list
---
 src/network/netdev/netdev.h | 2 +-
 src/network/networkd-network.h | 2 +-
 src/udev/net/link-config.h | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/network/netdev/netdev.h b/src/network/netdev/netdev.h
index 3c6990236f..ad4dd2e2b0 100644
--- a/src/network/netdev/netdev.h
+++ b/src/network/netdev/netdev.h
@@ -81,7 +81,7 @@ typedef struct NetDev {
 char *filename;
- Condition *conditions;
+ LIST_HEAD(Condition, conditions);
 NetDevState state;
 NetDevKind kind;
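Review bot: condition_free_list_type() in src/shared/condition.c has no comment stating its contract: `head` is passed by value, so the returned pointer is the only valid list head once the call returns. The new loop unlinks each entry with `LIST_REMOVE(conditions, head, c)` before `condition_free(c)`, which, as far as this hunk shows, is what stops surviving nodes from keeping links to freed entries; a caller that ignores the return value would still be left holding a stale head. I would add above the function `/* Frees every condition of the given type (all of them if type < 0), unlinking each one first; returns the new list head, which the caller must store back. */`. The callers are outside this hunk, so whether each of them assigns the result back could not be checked here.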
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h
index 7211aee8c6..852144da3c 100644
--- a/src/network/networkd-network.h
+++ b/src/network/networkd-network.h
@@ -97,7 +97,7 @@ struct Network {
 char **match_driver;
 char **match_type;
 char **match_name;
- Condition *conditions;
+ LIST_HEAD(Condition, conditions);
 char *description;
diff --git a/src/udev/net/link-config.h b/src/udev/net/link-config.h
index 5dfe5b59b8..efe5f2ce3a 100644
--- a/src/udev/net/link-config.h
+++ b/src/udev/net/link-config.h
@@ -40,7 +40,7 @@ struct link_config {
 char **match_driver;
 char **match_type;
 char **match_name;
- Condition *conditions;
+ LIST_HEAD(Condition, conditions);
 char *description;
 struct ether_addr *mac;
From 4d6cd572a720c2f004cf651339565c9c1ebbf446 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 24 Mar 2019 00:34:01 +0900
Subject: [PATCH 3/3] fuzz: add testcases for the bug in condition_free_list_type()
---
 test/fuzz/fuzz-link-parser/oss-fuzz-13878 | 4 ++++
 test/fuzz/fuzz-link-parser/oss-fuzz-13882 | Bin 0 -> 2015 bytes
 test/fuzz/fuzz-netdev-parser/oss-fuzz-13884 | Bin 0 -> 449 bytes
 test/fuzz/fuzz-netdev-parser/oss-fuzz-13886 | Bin 0 -> 47998 bytes
 test/fuzz/fuzz-network-parser/oss-fuzz-13888 | Bin 0 -> 56 bytes
 5 files changed, 4 insertions(+)
 create mode 100644 test/fuzz/fuzz-link-parser/oss-fuzz-13878
 create mode 100644 test/fuzz/fuzz-link-parser/oss-fuzz-13882
 create mode 100644 test/fuzz/fuzz-netdev-parser/oss-fuzz-13884
 create mode 100644 test/fuzz/fuzz-netdev-parser/oss-fuzz-13886
 create mode 100644 test/fuzz/fuzz-network-parser/oss-fuzz-13888
diff --git a/test/fuzz/fuzz-link-parser/oss-fuzz-13878 b/test/fuzz/fuzz-link-parser/oss-fuzz-13878
new file mode 100644
index 0000000000..dbb2abecb0
--- /dev/null
+++ b/test/fuzz/fuzz-link-parser/oss-fuzz-13878
@@ -0,0 +1,4 @@
+[Match]
+KernelVersion=t
+Virtualization=q
+KernelVersion=
\ No newline at end of file
diff --git a/test/fuzz/fuzz-link-parser/oss-fuzz-13882 b/test/fuzz/fuzz-link-parser/oss-fuzz-13882 new file mode 100644 index 0000000000000000000000000000000000000000..7c56ec222d8ad80b37986f731e523f530e62f062 GIT binary patch literal 2015 zcmZR`%*)nu$}A}kFl7J(#_$+0U|34INK8zOLP$ntv1S?*1A{U{v~OZb zaz-qducNbLVs2_lhAo#%QD#|cQIRcINM%8)Etf}rafxklu`QQ>QD%B(USf`4Vs5G} zS3qJ(hOLlJQD$ChaY0E*W`15;Qhs7lib8Qteu+XsVn#`^LV;otNG46s(V5ds&lEyg zTIg9Sq$MZnS%L@y0|*;Tnpj#|B1@WBDp(xrQ9UTUgeqE2?Io+HT1 zNT~>vlG5{vb5a!)9AT-;4CEOjJ#!Fcs%L6flv)G|9%oJqkVEvGqn*t-InDI+EWrvv zLG0*kqz4NMJx~Bb0u-Xd86*&GX{P7w$mwk6XsoBl2{Js|($N{j0AZ+2dPS*vj+xGR zoF>J#&YtFKVDpVik~vNFz~Nw|=corV(_9Z~Ca1BUIXJRS^c=xa?&J)KdM9U2H6uN+ zenUMoJwu39dd?)|sT_rr#FE5paFi>cWU9Psg`%Xy;#7rvP=>Px=QvQp0Bb-b`z3G-~t4t{D9d73X!Dzfc%_H zkU?mLOkTADG_bIQTRx;rQphM$EFn}{;WY?Us)3vX3Fqvj{6t6ufC5?pH5OoHA=I5v z3RWh949NreIyq5qv>=1!-oaduB|?B>Vlsq5Aqh&tkW`sbQe3P6N)M1k1yh~-L6Ey~N!v*q$mEy_#Han8@pP0UO2$;?Z&P0r6N&d*8Z;)-^6 z^>Yn#jpg!8Ni|V5i;m^;OUzBREqC>E4RAfQ)s~CFmx0SS3~r=jQJyVVSY}a4X<|-h zRbokIex7YvE&~Ao*Pa4%Ojv4BF-WgsSVk&Nfo&p^J3&k`y$I5ZiUBSCZdU*R literal 0 HcmV?d00001 
diff --git a/test/fuzz/fuzz-netdev-parser/oss-fuzz-13886 b/test/fuzz/fuzz-netdev-parser/oss-fuzz-13886 new file mode 100644 index 0000000000000000000000000000000000000000..1230ffe699b8cd6c4faa8afd0e84a8cacd274174 GIT binary patch literal 47998 zcmY!w1*0J_8UmvsFd71*Aut*OqaiRF0;3@?8UmvsFd71*Aut*OBQFFJN5N}F$Q&vT9d+ku2n_EK@EqRW8};2t2!WJTMXqSy#FFHUSgzEfy!<>{F7MQ$ywn`$ z{M_8cycD0zyj0ud{Ji4)oK!BZXbYFrve;NI1KY%62DrWyn4YlIqTUJQ6~8)Q_VfFd71*Aut*OqaiRF0;3@?8UiCS1V(#`BQn}Y zJv|x%qaiRF0;3@?8UmvsFd71*Aut*OqaiRF0(e4Tw5NzCa7Lv@Ltr!nMnhmU1V%$( zGz3ONU^E0qLtr!nMnhmkhQMe~aYRNtl{_6C9{qmze!o~QuITX0qEz?N#G;gd)YPI_ zE<;nP*{zcXnX8e`c_DsH-11 z=}?uZ49F{XHcoOgG0V?Ox8?EyXRv_$q7qvRLklAVP%cI-U;;{$ax#-4&W9B`Ffn5E zVD)mbUzmAHsdjcrkfmj*lWU1*rn93h7uci4B@TID_m~oP53<>|c`25b(O@Hx2t;ui z%N08EeJmnwL_LpP5%;8=VQGGZRpR6Dw^!-4rXzieinBRikOnjAduAO3KM}1DR72 zooSngZamB!uw7`n;a0<4lnGN#q_tpE5qb=Wbt=T`nXwT6A>4uF8+d5p@R}&~0ZIfQ z9EBo`@GLl95RQPWhYH1tiWY#Atqv!rDJLf!WWc$BM0c5jovd$bTV7-U)(Z0lHJl1@ z5X@wh!1BZwScagqO&~lW?nX8fRvy5;Vr0UFBMc!98>kqB*p4k&ic(^^ptWcmzFLcc ztqNRzr&ih~>XDj&Al8%UdCcH0&m=4PLTtz8`Ev5o1bY6!ZNX^hg32JQh0UPIan8uO z8I=90R%VW-3FJZ%-f|){$3fd&pcta8SSU>_g4g1x;{l0z1{US%mKcKqu=Y1-tO8ph zI9hm8F?*9z!c#vgF(* zk)lazq$F=+lo=%U3(0Px!wMaED-wICk!}8Hw-6(0k*WjQbph&1Y++H0+#14{M#1Aw z=zTwM&tf!9pcNR<`VLK$%9R?K-NMlvH!wLaZ#2iD<%c48R}pRO95N0>VigB2iO_5q z1UYU{4B4RtOOe57eT^0*gCM1Fx#o?Q&BLW^W`vA*F@lRSP~&+t#|_FHH;4zx$sbuo z3u$O;6niV34%H@=Mqi@CsvP0VAY+l&FqNPjZJCyB%jI5_Us_6&4p#n6}E{I+-YF&G?}Q`XQW+f#OKOE+Y^R43{-)Dg9dvZrfS`S zFQA}91t};643)BXUI}PuZX|RGuq;MG2~b$9Lqi)}2H=eqqI*ghLpY;xNBUZe(MI}k zX{3*?WPuem@CpW{Afnc+Chdl?!IcK_efQBRQqb%+a=ikNn&Dm(5M6_!`2pxlJAo05ua(?&y=mZ6J3$JIl&@FHh%3Ub`&FdD1~gLeUG zTLsag6eeY?kNU%CqZ`7o4oZ->cx+&!5_c1p(1tLyOfyWDEr5rp2jfylqD%bI5z)~R zQAmS<$dU!4I>cJIjV?k}Kr8VE`}oZ0h$!yLZSbteg5^Hs);*;iczm5T$V%5yax?@+ zLtr!nMnhmU1ZWfjdHSg($@;~W#U-h^Df*!E-tvo(4u8up%1+TUa4Dz=vd~MRffGO{ zNJ7r?EU_i-l*-JK{G#C0WLv{x$RU?l90gyS4nA_XJlzuaVLG6R2T~5ROm;TGcHk!- zr+Y#V{LI((2}bc_QDSOpN~wDQ=;&dr2V3T)*e2!YrEqaYJLTu4#B%xOr=;3i7#Qjq 
zC#G-_d9Ekwxx%m`glO+;*fFP|BRs*rHnhZh9xB=asz#=kh6D~!g_{gr^`C)!lrvg* zVo4+93&Dj|1!7;=S#_}CgE_CO{2*_NsJIy$E~7Nw+?+3FP=6eI6iGBnaN(6a;|1&^bU8al-^ z4Ko_4HS54ZxagQ z9gF}+xi1G_eP9o(ogfB5uFnFs?MSZ=MrL{%u>*UCMwX_gm{|pD+JPoAx{b39%ZBi% zr$$3yGz5lW2+(Wzf3(>Sx^9rBGYms{ED56#iT5r*iUvNR7r?@1LW@hdLJM3{a}q1V YQj=|siU&m=_sPslwJpkb&_i_%0FCr1IRF3v literal 0 HcmV?d00001 diff --git a/test/fuzz/fuzz-network-parser/oss-fuzz-13888 b/test/fuzz/fuzz-network-parser/oss-fuzz-13888 new file mode 100644 index 0000000000000000000000000000000000000000..c75fcb4e8a932562412ddb05cc4349bf596cc6cb GIT binary patch literal 56 zcmXRaOXZ68O)N>yh-F~*vE}l}FD|iFwB-uREGj8Y%*m`uEXmBzvxQ1PrF|Wp0slA= A@c;k- literal 0 HcmV?d00001