[lxc-devel] [lxc/lxc] 96160d: conf: fix a memory leak

Christian Brauner noreply at github.com
Mon Mar 29 15:07:03 UTC 2021


  Branch: refs/heads/stable-4.0
  Home:   https://github.com/lxc/lxc
  Commit: 96160d10745b695ce2325f231917453db6f90840
      https://github.com/lxc/lxc/commit/96160d10745b695ce2325f231917453db6f90840
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  conf: fix a memory leak

It was triggered by passing "lxc.selinux.context.keyring=xroot" to the
fuzz target introduced in https://github.com/google/oss-fuzz/pull/5498
```
=================================================================
==22==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 6 byte(s) in 1 object(s) allocated from:
    #0 0x538ca4 in __strdup /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:468:3
    #1 0x5c40e8 in set_config_string_item /src/lxc/src/lxc/confile_utils.c:635:14
    #2 0x44394e in set_config_selinux_context_keyring /src/lxc/src/lxc/confile.c:1596:9
    #3 0x5af955 in parse_line /src/lxc/src/lxc/confile.c:2953:9
    #4 0x4475cd in lxc_file_for_each_line_mmap /src/lxc/src/lxc/parse.c:125:9
    #5 0x5af24f in lxc_config_read /src/lxc/src/lxc/confile.c:3024:9
    #6 0x580b04 in LLVMFuzzerTestOneInput /src/fuzz-lxc-config-read.c:36:2
    #7 0x483643 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #8 0x46d4a2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #9 0x4732ea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #10 0x49f022 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7f16d09b883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
```

This is a follow-up to https://github.com/lxc/lxc/commit/4fef78bc332a2d186dca6f

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: 54b0023f26483ac01de384e0e3487e1daf35949f
      https://github.com/lxc/lxc/commit/54b0023f26483ac01de384e0e3487e1daf35949f
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    A .github/workflows/cifuzz.yml

  Log Message:
  -----------
  ci: turn on CIFuzz

Now that lxc has been integrated into OSS-Fuzz it should be
possible to start using https://google.github.io/oss-fuzz/getting-started/continuous-integration/
(mostly to make sure that the project is buildable there).

It should help to keep the integration in more or less good shape.

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: 0b382e933d0efaace297054be2841872d71aeba8
      https://github.com/lxc/lxc/commit/0b382e933d0efaace297054be2841872d71aeba8
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: fix set_config_sysctl()

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32487
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: ab0df3689b6373d73c409d1272b5b37d893f0686
      https://github.com/lxc/lxc/commit/ab0df3689b6373d73c409d1272b5b37d893f0686
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  conf: reinitialize sysctl list after clearing it

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32474
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 4e16a3acf995f093bf4b9f7b1dac4295f635e5ef
      https://github.com/lxc/lxc/commit/4e16a3acf995f093bf4b9f7b1dac4295f635e5ef
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile_utils.c

  Log Message:
  -----------
  confile_utils: delete netdev from list

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32478
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: dee51406f2d7f8b07014ca4b0ce41998e0c25023
      https://github.com/lxc/lxc/commit/dee51406f2d7f8b07014ca4b0ce41998e0c25023
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/list.h

  Log Message:
  -----------
  list: add lxc_list_new() helper

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: abd9627adc851f8bdade2752270f233fceba2bb3
      https://github.com/lxc/lxc/commit/abd9627adc851f8bdade2752270f233fceba2bb3
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: use lxc_list_new() everywhere

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 503e11fdc965473ea833896de1cccf9452c8fa21
      https://github.com/lxc/lxc/commit/503e11fdc965473ea833896de1cccf9452c8fa21
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  conf: use lxc_list_new() everywhere

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 6fc91bb1c7b97234e0948c3aae35036c640248c5
      https://github.com/lxc/lxc/commit/6fc91bb1c7b97234e0948c3aae35036c640248c5
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    A src/tests/fuzz-lxc-config-read.c
    A src/tests/oss-fuzz.sh

  Log Message:
  -----------
  oss-fuzz: make it possible to build the fuzzer without docker

With this patch applied the fuzz target can be built (with ASan)
and run with
```
./src/tests/oss-fuzz.sh
./out/fuzz-lxc-config-read doc/examples/
```

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32475 can be
reproduced by running
```
$ echo "lxc.console.buffer.size=d" >oss-fuzz-32475
$ ./out/fuzz-lxc-config-read ./oss-fuzz-32475
INFO: Seed: 1044753468
INFO: Loaded 1 modules   (18770 inline 8-bit counters): 18770 [0x883cc0, 0x888612),
INFO: Loaded 1 PC tables (18770 PCs): 18770 [0x888618,0x8d1b38),
./out/fuzz-lxc-config-read: Running 1 inputs 1 time(s) each.
Running: oss-fuzz-32475
=================================================================
==2052097==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcca063e7f at pc 0x000000659e0d bp 0x7ffcca063e30 sp 0x7ffcca063e28
READ of size 1 at 0x7ffcca063e7f thread T0
...
```

I'll point OSS-Fuzz to the build script once this patch is merged.

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: e0a5467c341a3655222ac055e6bde5d253a187da
      https://github.com/lxc/lxc/commit/e0a5467c341a3655222ac055e6bde5d253a187da
  Author: Sam Boyles <sam.boyles at alliedtelesis.co.nz>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/network.c
    M src/lxc/network.h

  Log Message:
  -----------
  network: handle name collisions when returning physical interfaces to host

Reviewed-by: Blair Steven <blair.steven at alliedtelesis.co.nz>
Signed-off-by: Sam Boyles <sam.boyles at alliedtelesis.co.nz>


  Commit: d7398424b818202c8531dd632c77bd894571a99b
      https://github.com/lxc/lxc/commit/d7398424b818202c8531dd632c77bd894571a99b
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/tests/fuzz-lxc-config-read.c

  Log Message:
  -----------
  fuzz: create tmpfiles in /tmp

It's mostly a cosmetic change that should prevent the fuzzer
from cluttering the "$OUT" directory (which OSS-Fuzz uses to
build docker images):

```
Step #44: Already have image: gcr.io/oss-fuzz/lxc
Step #44:   adding: fuzz-lxc-config-read (deflated 67%)
Step #44:   adding: fuzz-lxc-config-read-WBWKxN (deflated 32%)
Step #44:   adding: fuzz-lxc-config-read_seed_corpus.zip (stored 0%)
Step #44:   adding: honggfuzz (deflated 66%)
Step #44:   adding: llvm-symbolizer (deflated 65%)
```

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: 5c7716a711c86b645b4fa5a1e50a304a9a8e4c54
      https://github.com/lxc/lxc/commit/5c7716a711c86b645b4fa5a1e50a304a9a8e4c54
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M README.md

  Log Message:
  -----------
  README: add OSS-Fuzz/CIFuzz badges

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: e9eaf1308c9f111d0cb44af82feca1cf3fc1bb2a
      https://github.com/lxc/lxc/commit/e9eaf1308c9f111d0cb44af82feca1cf3fc1bb2a
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/tests/oss-fuzz.sh

  Log Message:
  -----------
  fuzz: generate all the config keys and add them to the seed corpus

It should help to cover more code faster.

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: b61757b3ad893c3ca27741b2f95ca29ea7bed75b
      https://github.com/lxc/lxc/commit/b61757b3ad893c3ca27741b2f95ca29ea7bed75b
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/log.c

  Log Message:
  -----------
  log: don't create log file for fuzz builds

Fixes: #3730
Fixes: https://github.com/google/oss-fuzz/issues/5509
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: a842308f63174a8b9213397754f2f60d7a83e500
      https://github.com/lxc/lxc/commit/a842308f63174a8b9213397754f2f60d7a83e500
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/log.c

  Log Message:
  -----------
  log: don't create directories for fuzz builds

Fixes: #3730
Fixes: https://github.com/google/oss-fuzz/issues/5509
Suggested-by: Evgeny Vereshchagin <evvers at ya.ru>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: f04892685f3140e17909122afa09f657cbf512bc
      https://github.com/lxc/lxc/commit/f04892685f3140e17909122afa09f657cbf512bc
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c
    M src/lxc/log.c
    M src/tests/parse_config_file.c

  Log Message:
  -----------
  log: handle empty log name

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32491
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: b4d341d7ca328830fa4919ee6782852dc3335d7e
      https://github.com/lxc/lxc/commit/b4d341d7ca328830fa4919ee6782852dc3335d7e
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: be stricter in config helpers

We never call these helpers without an initialized config afaict, but
since we're now exposing these two functions to oss-fuzz directly in a
way we never do to users, let's be stricter about it.

Inspired-by: #3733
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: e6d15fca7b3c227fbeefda9b67f2c6672d1b4c1b
      https://github.com/lxc/lxc/commit/e6d15fca7b3c227fbeefda9b67f2c6672d1b4c1b
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: don't leak memory when overwriting lxc.rootfs.options

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32473
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 2875de4a355ce934335139ca586d2de441d6a56a
      https://github.com/lxc/lxc/commit/2875de4a355ce934335139ca586d2de441d6a56a
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile_utils.c

  Log Message:
  -----------
  confile_utils: fix real-time signal parsing

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32521
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 19c8192fbf2ace75a8dc89e2d8666ec060c5964d
      https://github.com/lxc/lxc/commit/19c8192fbf2ace75a8dc89e2d8666ec060c5964d
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  conf: prevent UAF in lxc_clear_limits()

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32532
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 05eac3f2986b824033c2697df725c74fc70fe0ca
      https://github.com/lxc/lxc/commit/05eac3f2986b824033c2697df725c74fc70fe0ca
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c
    M src/lxc/confile_utils.c

  Log Message:
  -----------
  confile_utils: improve network parser

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 71cfd6ccfbdabcce917a006396ad1c2c4e47b4d5
      https://github.com/lxc/lxc/commit/71cfd6ccfbdabcce917a006396ad1c2c4e47b4d5
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/string_utils.c

  Log Message:
  -----------
  string_utils: fix parse_byte_size_string()

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32475
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 9253c0836431bcd230a88302030d9cd5c592b137
      https://github.com/lxc/lxc/commit/9253c0836431bcd230a88302030d9cd5c592b137
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c
    M src/lxc/log.c

  Log Message:
  -----------
  log: avoid regressions for relative log paths

We need to allow relative log paths.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 2896136e1c86737c0c65364493797c98deffc846
      https://github.com/lxc/lxc/commit/2896136e1c86737c0c65364493797c98deffc846
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  conf: don't leak list

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: b47332893f85790bbccf1420f0c86d0e43a47bd2
      https://github.com/lxc/lxc/commit/b47332893f85790bbccf1420f0c86d0e43a47bd2
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/conf.h
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: fix setting prlimits

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32532
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 3cec50fc4c6a1324cb90d44f139d4af9123b72e3
      https://github.com/lxc/lxc/commit/3cec50fc4c6a1324cb90d44f139d4af9123b72e3
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/string_utils.c

  Log Message:
  -----------
  string_utils: always memset buf in lxc_safe_int64_residual()

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32482
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: c98770b9fcd66d85b368894f53ff3b106241ef43
      https://github.com/lxc/lxc/commit/c98770b9fcd66d85b368894f53ff3b106241ef43
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  conf: reinitialize lists

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 5c1a9b8ac3bfb573af7f6d5ea1c3109282cb54ec
      https://github.com/lxc/lxc/commit/5c1a9b8ac3bfb573af7f6d5ea1c3109282cb54ec
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile_utils.c

  Log Message:
  -----------
  confile_utils: free network list items

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32484
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 6219606ba1cc6def1e57501a3d1f32bc7bab0417
      https://github.com/lxc/lxc/commit/6219606ba1cc6def1e57501a3d1f32bc7bab0417
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  conf: coding style cleanups

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 6712de30a401adc814e7471cfbdadc2fe90e442d
      https://github.com/lxc/lxc/commit/6712de30a401adc814e7471cfbdadc2fe90e442d
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: make string calculations in get_network_config_ops() more obvious

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 0977c023aa434004bc56d789c4072c49068ebd67
      https://github.com/lxc/lxc/commit/0977c023aa434004bc56d789c4072c49068ebd67
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: use correct check for too large network lists

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32558
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 8fa51b7a5b0636d9f3c02890042a61e9f26ffeb1
      https://github.com/lxc/lxc/commit/8fa51b7a5b0636d9f3c02890042a61e9f26ffeb1
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: improve network vetting

Move all input sanity checks up and add two missing checks for the
correct network type when using veth-vlan and vlan network types.

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32513
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 1f860b31eabbbcd54a56752e925f32dcece97ad5
      https://github.com/lxc/lxc/commit/1f860b31eabbbcd54a56752e925f32dcece97ad5
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: fix a memory leak in set_config_net_hwaddr

It was found by ClusterFuzz in https://oss-fuzz.com/testcase-detail/4747480244813824
but hasn't been reported on Monorail
(https://bugs.chromium.org/p/oss-fuzz/) yet.

```
$ cat minimized-from-1a18983c13ce64e8a3bd0f699a97d25beb21481e
lxc.net.0.hwaddr=0
lxc.net.0.hwaddr=4

./out/fuzz-lxc-config-read minimized-from-1a18983c13ce64e8a3bd0f699a97d25beb21481e
INFO: Seed: 1473396311
INFO: Loaded 1 modules   (18821 inline 8-bit counters): 18821 [0x885fa0, 0x88a925),
INFO: Loaded 1 PC tables (18821 PCs): 18821 [0x88a928,0x8d4178),
./out/fuzz-lxc-config-read: Running 1 inputs 1 time(s) each.
Running: minimized-from-1a18983c13ce64e8a3bd0f699a97d25beb21481e

=================================================================
==226185==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 2 byte(s) in 1 object(s) allocated from:
    #0 0x4d25d7 in strdup (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x4d25d7)
    #1 0x58e48f in set_config_net_hwaddr /home/vagrant/lxc/src/lxc/confile.c:654:14
    #2 0x59af3b in set_config_net_nic /home/vagrant/lxc/src/lxc/confile.c:5276:9
    #3 0x571c29 in parse_line /home/vagrant/lxc/src/lxc/confile.c:2958:9
    #4 0x61b0b2 in lxc_file_for_each_line_mmap /home/vagrant/lxc/src/lxc/parse.c:125:9
    #5 0x5710ed in lxc_config_read /home/vagrant/lxc/src/lxc/confile.c:3035:9
    #6 0x542cd6 in LLVMFuzzerTestOneInput /home/vagrant/lxc/src/tests/fuzz-lxc-config-read.c:23:2
    #7 0x449e8c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x449e8c)
    #8 0x42bbad in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x42bbad)
    #9 0x432c50 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x432c50)
    #10 0x423136 in main (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x423136)
    #11 0x7f2cbb992081 in __libc_start_main (/lib64/libc.so.6+0x27081)

SUMMARY: AddressSanitizer: 2 byte(s) leaked in 1 allocation(s).
```

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>
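Several fixes in this batch share one shape: a setter that strdup()s the new value into a config field without releasing the previous one, so a key that appears twice (the first commit's `set_config_string_item` leak, the two `lxc.net.0.hwaddr` lines above, and the rootfs.options, shmounts and gateway commits) orphans the first copy. The following is an added example, not LXC code: a leaky setter beside a hardened one, driven by inputs shaped like the minimized case, with a small allocation ledger standing in for LeakSanitizer. The names `set_string_leaky`, `set_string_safe`, `run_lines`, the ledger helpers, the one-field `struct conf`, the exact-key check and the "empty value clears the field" convention are all assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Tiny allocation ledger: every strdup() is recorded, every free() struck
 * off, and sweep_leaks() reports (then releases) what was never freed. A
 * constructed stand-in for the LeakSanitizer output in the commit messages. */
#define MAX_TRACKED 16
static char *tracked[MAX_TRACKED];
static int ntracked;

static char *tracked_strdup(const char *s)
{
	char *p = ntracked < MAX_TRACKED ? strdup(s) : NULL;
	if (p)
		tracked[ntracked++] = p;
	return p;
}

static void tracked_free(char *p)
{
	for (int i = 0; p && i < ntracked; i++)
		if (tracked[i] == p)
			tracked[i] = NULL;
	free(p);
}

static int sweep_leaks(void)
{
	int leaked = 0;
	for (int i = 0; i < ntracked; i++)
		if (tracked[i]) {
			free(tracked[i]);
			leaked++;
		}
	ntracked = 0;
	return leaked;
}

struct conf { char *hwaddr; };
typedef int (*setter_fn)(char **dest, const char *value);

/* Leaking shape: the fresh copy overwrites the pointer, so a repeated key
 * orphans the first allocation. */
static int set_string_leaky(char **dest, const char *value)
{
	char *copy = tracked_strdup(value);
	if (!copy)
		return -1;
	*dest = copy; /* whatever *dest pointed at is lost */
	return 0;
}

/* Hardened setter: an empty value clears the field (assumed convention), and
 * the old value is released only after the new copy succeeded, so a failed
 * allocation leaves the config unchanged. */
static int set_string_safe(char **dest, const char *value)
{
	char *copy = NULL;
	if (*value && !(copy = tracked_strdup(value)))
		return -1;
	tracked_free(*dest);
	*dest = copy;
	return 0;
}

/* "key=value" dispatcher with an exact key match: "lxc.net.0.hwaddrx=" is
 * rejected rather than prefix-matched. */
static int parse_line(struct conf *c, const char *line, setter_fn set)
{
	static const char key[] = "lxc.net.0.hwaddr";
	const char *eq = strchr(line, '=');
	if (!eq || (size_t)(eq - line) != sizeof(key) - 1 ||
	    memcmp(line, key, sizeof(key) - 1) != 0)
		return -1;
	return set(&c->hwaddr, eq + 1);
}

/* Parse the lines with the chosen setter, clear the config, and return how
 * many strings were orphaned, or -1 if the final hwaddr is not `expected`
 * (NULL meaning "unset"). */
static int run_lines(const char *const *lines, size_t n, int hardened,
		     const char *expected)
{
	struct conf c = { NULL };
	setter_fn set = hardened ? set_string_safe : set_string_leaky;
	for (size_t i = 0; i < n; i++)
		parse_line(&c, lines[i], set);
	int ok = expected ? (c.hwaddr && strcmp(c.hwaddr, expected) == 0) : !c.hwaddr;
	tracked_free(c.hwaddr);
	int leaked = sweep_leaks();
	return ok ? leaked : -1;
}

/* Constructed inputs: the minimized case (key set twice), a clear through an
 * empty value, and a near-miss key that must be rejected. */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
static const char *const twice_lines[] = { "lxc.net.0.hwaddr=0", "lxc.net.0.hwaddr=4" };
static const char *const clear_lines[] = { "lxc.net.0.hwaddr=4", "lxc.net.0.hwaddr=" };
static const char *const badkey_lines[] = { "lxc.net.0.hwaddrx=4" };
```

With the leaky setter the two-line input leaves exactly one orphaned string, the "0" that LeakSanitizer reports above as a 2-byte direct leak; the hardened setter leaves none and also turns an empty value into a proper clear instead of an allocated empty string.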


  Commit: 0274a0ee9ff1122c4304c0441f60da9d7a966124
      https://github.com/lxc/lxc/commit/0274a0ee9ff1122c4304c0441f60da9d7a966124
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: prevent recursion when parsing networks

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32558
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32484
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 1998f661a01e4e2d16bf77e8f7a57a9127767221
      https://github.com/lxc/lxc/commit/1998f661a01e4e2d16bf77e8f7a57a9127767221
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M .github/workflows/cifuzz.yml

  Log Message:
  -----------
  ci: turn on ASan on CIFuzz

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: 5335a80ff80f63e83cd511644b017885d69d6f23
      https://github.com/lxc/lxc/commit/5335a80ff80f63e83cd511644b017885d69d6f23
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile_utils.c

  Log Message:
  -----------
  confile_utils: free list during lxc_remove_nic_by_idx()

Reported-by: Evgeny Vereshchagin <evvers at ya.ru>
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32484
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 265542bb270ea2c006cb96f8c9bac8bcf0b51a02
      https://github.com/lxc/lxc/commit/265542bb270ea2c006cb96f8c9bac8bcf0b51a02
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: add missing prefix validation

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32488
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 285dd691fc9719b4201eb0cf7b7dc317f31c9735
      https://github.com/lxc/lxc/commit/285dd691fc9719b4201eb0cf7b7dc317f31c9735
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: don't leak memory in case multiple shmounts are set

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32503
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 8122eb0f646e383eb65012e68259f963e7759e4a
      https://github.com/lxc/lxc/commit/8122eb0f646e383eb65012e68259f963e7759e4a
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile_utils.c

  Log Message:
  -----------
  confile_utils: fix a signed integer overflow

This was triggered by the following chain of conversions:

lxc_safe_uint("020000000020") -> 2147483664 (uint)
sig_num(2147483664 (uint)) -> -2147483632 (int)

64 - -2147483632 cannot be represented in type 'int'

Closes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32596

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>
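The chain above is the classic shape of this bug: an unsigned value that does not fit an int is narrowed to a negative number and then subtracted from SIGRTMAX (64), which overflows. As an added example that is not LXC's code, here is a real-time signal spec parser that keeps the offset unsigned and bounds it by the width of the real-time range before any arithmetic. The names `parse_uint`, `rt_sig_num_checked` and `rt_sig_lookup`, and the accepted lowercase spellings `sigrtmin+N` / `sigrtmax-N`, are assumptions of this example.

```c
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fallbacks for platforms without POSIX real-time signals; on Linux the
 * <signal.h> macros are used and SIGRTMAX is 64, as in the UBSan report. */
#ifndef SIGRTMIN
#define SIGRTMIN 32
#endif
#ifndef SIGRTMAX
#define SIGRTMAX 64
#endif

/* strtoul() with strict checks: must start with a digit (no sign, no
 * leading blanks), no trailing garbage, no ERANGE, and the result must fit
 * an unsigned int. Base 0, so "020000000020" is read as octal and yields
 * 2147483664, the value from the commit message. */
static int parse_uint(const char *s, unsigned int *out)
{
	char *end;
	unsigned long v;

	if (!s || *s < '0' || *s > '9')
		return -1;
	errno = 0;
	v = strtoul(s, &end, 0);
	if (errno == ERANGE || *end != '\0' || v > UINT_MAX)
		return -1;
	*out = (unsigned int)v;
	return 0;
}

/* Resolve "sigrtmin", "sigrtmin+N", "sigrtmax" or "sigrtmax-N" (lowercase,
 * an assumed syntax). The offset stays unsigned and is compared against the
 * width of the real-time range before any subtraction, so a huge N is
 * rejected instead of being narrowed to a negative int and fed into
 * "64 - N". Returns 0 and stores the number in *sig, or -1 on error. */
static int rt_sig_num_checked(const char *spec, int *sig)
{
	unsigned int span = (unsigned int)(SIGRTMAX - SIGRTMIN);
	unsigned int off = 0;
	int base;
	char op;

	if (!spec || !sig || strncmp(spec, "sigrt", 5) != 0)
		return -1;
	if (strncmp(spec + 5, "min", 3) == 0) {
		base = SIGRTMIN;
		op = '+';
	} else if (strncmp(spec + 5, "max", 3) == 0) {
		base = SIGRTMAX;
		op = '-';
	} else {
		return -1;
	}

	spec += 8;
	if (*spec != '\0') {
		if (*spec != op || parse_uint(spec + 1, &off) < 0)
			return -1;
		/* The bound that was missing: anything beyond the range width
		 * cannot be a real-time signal, so no arithmetic touches it. */
		if (off > span)
			return -1;
	}
	*sig = (op == '+') ? base + (int)off : base - (int)off;
	return 0;
}

/* Convenience wrapper: the signal number, or -1 when the spec is rejected. */
static int rt_sig_lookup(const char *spec)
{
	int sig;
	return rt_sig_num_checked(spec, &sig) == 0 ? sig : -1;
}

int main(void)
{
	const char *specs[] = { "sigrtmin", "sigrtmax-2", "sigrtmax-020000000020" };

	for (size_t i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-24s -> %d\n", specs[i], rt_sig_lookup(specs[i]));
	return 0;
}
```

The input from the report, `sigrtmax-020000000020`, is rejected at the range check, so the subtraction that UBSan flagged is never reached; values that do not fit an unsigned long, negative offsets and offsets in the wrong direction (`sigrtmin-1`) are refused by the same path.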


  Commit: affdb4a484683b3349ce4f7471081fa523daf165
      https://github.com/lxc/lxc/commit/affdb4a484683b3349ce4f7471081fa523daf165
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/tests/oss-fuzz.sh

  Log Message:
  -----------
  oss-fuzz.sh: take SANITIZER into account

to make it possible to build the fuzzer with UBSan and MSan locally

```
$ SANITIZER=undefined ./src/tests/oss-fuzz.sh
$ printf 'lxc.signal.stop=sigrtmax-020000000020' >oss-fuzz-32596
$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 ./out/fuzz-lxc-config-read oss-fuzz-32596
INFO: Seed: 595864277
INFO: Loaded 1 modules   (61553 inline 8-bit counters): 61553 [0x80a1b0, 0x819221),
INFO: Loaded 1 PC tables (61553 PCs): 61553 [0x819228,0x909938),
./out/fuzz-lxc-config-read: Running 1 inputs 1 time(s) each.
Running: oss-fuzz-32596
confile_utils.c:1051:20: runtime error: signed integer overflow: 64 - -2147483632 cannot be represented in type 'int'
    #0 0x51799a in rt_sig_num /home/vagrant/lxc/src/lxc/confile_utils.c:1051:20
    #1 0x517268 in sig_parse /home/vagrant/lxc/src/lxc/confile_utils.c:1069:11
    #2 0x500ca4 in set_config_signal_stop /home/vagrant/lxc/src/lxc/confile.c:1738:10
    #3 0x4b8c7c in parse_line /home/vagrant/lxc/src/lxc/confile.c:2962:9
    #4 0x5a5eb0 in lxc_file_for_each_line_mmap /home/vagrant/lxc/src/lxc/parse.c:125:9

```

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: 51b0e727ef35f1d1a876818db5abc88854f26f57
      https://github.com/lxc/lxc/commit/51b0e727ef35f1d1a876818db5abc88854f26f57
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M .github/workflows/cifuzz.yml

  Log Message:
  -----------
  cifuzz: turn on UBSan

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: 8ccd3d762add5b86a9e56ebaa2d3233008076bac
      https://github.com/lxc/lxc/commit/8ccd3d762add5b86a9e56ebaa2d3233008076bac
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/compiler.h
    M src/lxc/confile.c
    M src/lxc/string_utils.c
    M src/lxc/string_utils.h
    M src/tests/lxc-test-utils.c

  Log Message:
  -----------
  string_utils: handle overflow correctly in parse_byte_size_string()

This takes the overflow handling code from the kernel.

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32549
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 0e24c1b25754ec76ea140a9926585268b224cf5b
      https://github.com/lxc/lxc/commit/0e24c1b25754ec76ea140a9926585268b224cf5b
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M .github/workflows/cifuzz.yml

  Log Message:
  -----------
  cifuzz: turn on MSan

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: a348e8f47bb20a6dc75d1dfc8e90b43b824de0a1
      https://github.com/lxc/lxc/commit/a348e8f47bb20a6dc75d1dfc8e90b43b824de0a1
  Author: Evgeny Vereshchagin <evvers at ya.ru>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/string_utils.c

  Log Message:
  -----------
  string_utils: work around an MSan false positive

MSan doesn't instrument stpncpy (https://github.com/google/sanitizers/issues/926),
which causes the fuzzer to fail with:
```
$ cat ../minimized-from-740f56329efc60eab59b8194132b712a873e88a3
lxc.console.size=123

$ ./out/fuzz-lxc-config-read ../minimized-from-740f56329efc60eab59b8194132b712a873e88a3
INFO: Seed: 3561494591
INFO: Loaded 1 modules   (18795 inline 8-bit counters): 18795 [0x866b98, 0x86b503),
INFO: Loaded 1 PC tables (18795 PCs): 18795 [0x86b508,0x8b4bb8),
./out/fuzz-lxc-config-read: Running 1 inputs 1 time(s) each.
Running: ../minimized-from-740f56329efc60eab59b8194132b712a873e88a3
==850885==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x6b3e7f in parse_byte_size_string /home/vagrant/lxc/src/lxc/string_utils.c:912:6
    #1 0x550991 in set_config_console_size /home/vagrant/lxc/src/lxc/confile.c:2483:8
    #2 0x5346e2 in parse_line /home/vagrant/lxc/src/lxc/confile.c:2962:9
    #3 0x64b3cd in lxc_file_for_each_line_mmap /home/vagrant/lxc/src/lxc/parse.c:125:9
    #4 0x53340c in lxc_config_read /home/vagrant/lxc/src/lxc/confile.c:3039:9
    #5 0x4e7ec2 in LLVMFuzzerTestOneInput /home/vagrant/lxc/src/tests/fuzz-lxc-config-read.c:23:2
    #6 0x44ad2c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x44ad2c)
    #7 0x42ca4d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x42ca4d)
    #8 0x433af0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x433af0)
    #9 0x423ff6 in main (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x423ff6)
    #10 0x7f79bdc89081 in __libc_start_main (/lib64/libc.so.6+0x27081)
    #11 0x42402d in _start (/home/vagrant/lxc/out/fuzz-lxc-config-read+0x42402d)

  Uninitialized value was created by an allocation of 'dup' in the stack frame of function 'parse_byte_size_string'
    #0 0x6b3330 in parse_byte_size_string /home/vagrant/lxc/src/lxc/string_utils.c:901

SUMMARY: MemorySanitizer: use-of-uninitialized-value /home/vagrant/lxc/src/lxc/string_utils.c:912:6 in parse_byte_size_string
Exiting
```

Closes https://oss-fuzz.com/testcase-detail/5829890470445056

Signed-off-by: Evgeny Vereshchagin <evvers at ya.ru>


  Commit: ed3a03cb865846e3b9fc8168e737931279c043e2
      https://github.com/lxc/lxc/commit/ed3a03cb865846e3b9fc8168e737931279c043e2
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: safely clean previous value in set_config_net_ipv6_gateway()

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32610
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 9d5a073d6f56d4b0f91e1decc54bcd49455cd069
      https://github.com/lxc/lxc/commit/9d5a073d6f56d4b0f91e1decc54bcd49455cd069
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: safely clean previous value in set_config_net_ipv4_gateway()

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32586
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 24ca942032469013dc4877b873f1e93b35beb086
      https://github.com/lxc/lxc/commit/24ca942032469013dc4877b873f1e93b35beb086
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c
    M src/lxc/confile.h

  Log Message:
  -----------
  confile: vet keys more aggressively

Enforce an exact match for all keys where we know the subkeys must match
exactly.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 942b2d318642cc6b596b8d9778daa506a5578a56
      https://github.com/lxc/lxc/commit/942b2d318642cc6b596b8d9778daa506a5578a56
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c
    M src/lxc/confile_utils.c
    M src/lxc/confile_utils.h

  Log Message:
  -----------
  confile: clear netdev on network type change

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32584
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: c72590da706e0473564197b3d2d24e345e043b9d
      https://github.com/lxc/lxc/commit/c72590da706e0473564197b3d2d24e345e043b9d
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: cleanup set_config_net_hwaddr()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: d47e383174d36861473749b549e91a2c858259cb
      https://github.com/lxc/lxc/commit/d47e383174d36861473749b549e91a2c858259cb
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: cleanup set_config_net_mtu()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: ab34ded6e5184b19ca27978c3f1732c70552a6f9
      https://github.com/lxc/lxc/commit/ab34ded6e5184b19ca27978c3f1732c70552a6f9
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: cleanup set_config_net_script_up()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 01e3ca9b1e3986deaef6651043e8045edfb61382
      https://github.com/lxc/lxc/commit/01e3ca9b1e3986deaef6651043e8045edfb61382
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: cleanup set_config_net_script_down()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: f44eb24426b15c1d1050f039a7438fa0527ebae0
      https://github.com/lxc/lxc/commit/f44eb24426b15c1d1050f039a7438fa0527ebae0
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/tests/parse_config_file.c

  Log Message:
  -----------
  tests: fix two false negatives in parse_config_file()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 90accff309a8e83837242fa09ae2723d9bd44289
      https://github.com/lxc/lxc/commit/90accff309a8e83837242fa09ae2723d9bd44289
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/tests/parse_config_file.c

  Log Message:
  -----------
  tests: add another test for garbage config key

where a valid key has trailing garbage at the end before the "=".

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
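The "vet keys more aggressively" commit above and this test commit describe the same check from two sides: a key lookup that compares only the first strlen(table_entry) bytes of the configured key accepts "lxc.rootfs.pathgarbage = ..." as if it were "lxc.rootfs.path", and the test pins down that such trailing garbage before the "=" must be rejected. The block below is an added, constructed C example, not LXC's confile.c. The key table, the demo_key struct, the net_subkeys allow-list and the functions lookup_loose, lookup_vetted and line_is_valid are illustrative names, and the table is deliberately tiny; only keys that legitimately carry a numeric index (lxc.net.<n>.<subkey>) are matched by prefix, and even then the subkey must match exactly.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed key table for illustration; not LXC's jump table. Keys that
 * take a numeric index (lxc.net.<n>.<subkey>) are marked as prefix keys. */
struct demo_key {
	const char *name;
	bool prefix;	/* true: name is followed by an index, a dot and a subkey */
};

static const struct demo_key keys[] = {
	{ "lxc.rootfs.path", false },
	{ "lxc.uts.name",    false },
	{ "lxc.net.",        true  },
};

/* Subkeys allowed under lxc.net.<n>.; constructed, partial list. */
static const char *const net_subkeys[] = { "type", "link", "hwaddr", "mtu", NULL };

/* Loose lookup: the key is accepted if it merely starts with a table entry.
 * "lxc.rootfs.pathgarbage" passes because strncmp() stops at the entry's length. */
static const struct demo_key *lookup_loose(const char *key)
{
	for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++)
		if (strncmp(key, keys[i].name, strlen(keys[i].name)) == 0)
			return &keys[i];
	return NULL;
}

/* Vetted lookup: non-prefix keys must match exactly; prefix keys must be
 * followed by digits, a dot and an exact subkey from the allow-list. */
static const struct demo_key *lookup_vetted(const char *key)
{
	for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
		const struct demo_key *k = &keys[i];
		size_t n = strlen(k->name);

		if (!k->prefix) {
			if (strcmp(key, k->name) == 0)
				return k;
			continue;
		}
		if (strncmp(key, k->name, n) != 0)
			continue;

		const char *p = key + n;
		if (!isdigit((unsigned char)*p))
			return NULL;
		while (isdigit((unsigned char)*p))
			p++;
		if (*p++ != '.')
			return NULL;
		for (size_t j = 0; net_subkeys[j]; j++)
			if (strcmp(p, net_subkeys[j]) == 0)
				return k;
		return NULL;
	}
	return NULL;
}

/* Split "key = value" at the first '=', trim whitespace around the key and
 * run the given lookup. Returns true if the line names a recognised key. */
static bool line_is_valid(const char *line,
			  const struct demo_key *(*lookup)(const char *))
{
	char key[128];
	const char *eq = strchr(line, '=');
	if (!eq)
		return false;
	size_t len = (size_t)(eq - line);
	while (len > 0 && isspace((unsigned char)line[len - 1]))
		len--;
	while (len > 0 && isspace((unsigned char)*line)) {
		line++;
		len--;
	}
	if (len == 0 || len >= sizeof(key))
		return false;
	memcpy(key, line, len);
	key[len] = '\0';
	return lookup(key) != NULL;
}

int main(void)
{
	/* Constructed config lines; the "garbage" ones are the test's case. */
	const char *lines[] = {
		"lxc.rootfs.path = /var/lib/lxc/c1/rootfs",
		"lxc.rootfs.pathgarbage = /tmp",
		"lxc.net.0.type = veth",
		"lxc.net.0.typegarbage = veth",
		"lxc.net.x.type = veth",
	};
	for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
		printf("%-45s loose=%d vetted=%d\n", lines[i],
		       line_is_valid(lines[i], lookup_loose),
		       line_is_valid(lines[i], lookup_vetted));
	return 0;
}
```

The loose variant is the shape of lookup that a "valid key with trailing garbage" test catches: every line in the sample passes it, including the non-numeric index. The vetted variant rejects the two garbage keys and the bad index while still accepting the legitimate indexed form.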


  Commit: 63340988415dacdf42969ac2d518b5c8e158d9dd
      https://github.com/lxc/lxc/commit/63340988415dacdf42969ac2d518b5c8e158d9dd
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M configure.ac
    M src/lxc/compiler.h
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/initutils.c

  Log Message:
  -----------
  conf: fix thread_local support detection

Our detection for TLS wasn't working. Fix it.

Fixes: https://github.com/lxc/lxd/issues/8327
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 3d764767900799318a7ec094dcbe94247a0f769a
      https://github.com/lxc/lxc/commit/3d764767900799318a7ec094dcbe94247a0f769a
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M src/lxc/lxccontainer.c

  Log Message:
  -----------
  lxccontainer: ensure second parameter to bsearch is never NULL

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 03fd67960a303fdcaded3a2ae8d76cac6d5d6e78
      https://github.com/lxc/lxc/commit/03fd67960a303fdcaded3a2ae8d76cac6d5d6e78
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-03-29 (Mon, 29 Mar 2021)

  Changed paths:
    M configure.ac
    M src/lxc/compiler.h
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/initutils.c

  Log Message:
  -----------
  compiler: fix thread_local detection

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/85de87b56820...03fd67960a30

