From b53bd7a32b9a6090a8cecca9a0243938313914c4 Mon Sep 17 00:00:00 2001 
From: Frantisek Sumsal Date: Sat, 6 Jan 2024 13:57:09 +0100 Subject: [PATCH] test: reinitialize arg_transport before parsing arguments Since libfuzzer feeds a single fuzzing process with multiple inputs, we might carry over arg_transport from a previous invocation, tripping over the assert in acquire_bus(): +----------------------------------------Release Build Stacktrace----------------------------------------+ Assertion 'transport != BUS_TRANSPORT_REMOTE || runtime_scope == RUNTIME_SCOPE_SYSTEM' failed at src/shared/bus-util.c:284, function bus_connect_transport(). Aborting. AddressSanitizer:DEADLYSIGNAL ================================================================= ==2739==ERROR: AddressSanitizer: ABRT on unknown address 0x00000ab3 (pc 0xf7f52509 bp 0xffdf74cc sp 0xffdf74b0 T0) SCARINESS: 10 (signal) #0 0xf7f52509 in linux-gate.so.1 #1 0xf703b415 in raise #2 0xf70233f6 in abort #3 0xf772ac0a in log_assert_failed systemd/src/basic/log.c:968:9 #4 0xf77300d5 in log_assert_failed_return systemd/src/basic/log.c:987:17 #5 0xf7432bbf in bus_connect_transport systemd/src/shared/bus-util.c:284:9 #6 0x818cd17 in acquire_bus systemd/src/systemctl/systemctl-util.c:53:29 #7 0x815fd3c in help_boot_loader_entry systemd/src/systemctl/systemctl-logind.c:431:13 #8 0x819ca87 in systemctl_parse_argv systemd/src/systemctl/systemctl.c:863:37 #9 0x8197632 in systemctl_dispatch_parse_argv systemd/src/systemctl/systemctl.c:1137:16 #10 0x813328d in LLVMFuzzerTestOneInput systemd/src/systemctl/fuzz-systemctl-parse-argv.c:54:13 #11 0x81bbe7e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #12 0x81bb5b8 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned int, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #13 0x81bd42d in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector >&) 
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7 #14 0x81bd62e in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3 #15 0x81ac84c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #16 0x81d65c7 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #17 0xf7024ed4 in __libc_start_main #18 0x806bdb5 in _start Resolves: #30802 --- src/systemctl/fuzz-systemctl-parse-argv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/systemctl/fuzz-systemctl-parse-argv.c b/src/systemctl/fuzz-systemctl-parse-argv.c index 9ea8f7ae87eb5..99cf6c297f8dd 100644 --- a/src/systemctl/fuzz-systemctl-parse-argv.c +++ b/src/systemctl/fuzz-systemctl-parse-argv.c @@ -49,7 +49,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { opterr = 0; /* do not print errors */ } + /* We need to reset some global state manually here since libfuzzer feeds a single process with + * multiple inputs, so we might carry over state from previous invocations that can trigger + * certain asserts. */ optind = 0; /* this tells the getopt machinery to reinitialize */ + arg_transport = BUS_TRANSPORT_LOCAL; r = systemctl_dispatch_parse_argv(strv_length(argv), argv); if (r < 0)
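Review bot: Resetting arg_transport alone covers only half of the tripped assertion: bus_connect_transport checks `transport != BUS_TRANSPORT_REMOTE || runtime_scope == RUNTIME_SCOPE_SYSTEM`, so an earlier input that selected a non-system scope (e.g. `--user`) followed by one that selects a remote transport (`-H`) can reproduce the same abort with this patch applied. The scope global systemctl hands to acquire_bus (presumably `arg_runtime_scope`, not visible in the hunk) should be reset right after the new `arg_transport = BUS_TRANSPORT_LOCAL;` line, e.g. `arg_runtime_scope = RUNTIME_SCOPE_SYSTEM;`, and the new comment could say that any further `arg_*` globals written by parse_argv need the same treatment rather than listing only transport. It is also worth stating in the comment that every real systemctl invocation is a fresh process, so this is stale harness state rather than a reachable bug in the binary, which keeps the assert from being misread as a security issue. LLVMFuzzerTestOneInput starts before this hunk and continues after it.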