build(deps): bump systemd/mkosi from 679bcc98fb8fbe7b53ed809c7019992877e18c14 to 13 #7

dependabot · 2022-09-01T08:10:18Z

Bumps systemd/mkosi from 679bcc98fb8fbe7b53ed809c7019992877e18c14 to 13. This release includes the previously tagged commit.

Release notes

Sourced from systemd/mkosi's releases.

v13

The --network-veth option has been renamed to --netdev. The old name made sense with virtual ethernet devices, but when booting images with qemu a TUN/TAP device is used instead.

The network config file installed by mkosi when the --netdev (previously --network-veth) option is used (formerly /etc/systemd/network/80-mkosi-network-veth.network in the image) now only matches network interfaces using the virtio_net driver. Please make sure you weren't relying on this file to configure any network interfaces other than the tun/tap virtio-net interface created by mkosi when booting the image in QEMU with the --netdev option. If you were relying on this config file to configure other interfaces, you'll have to re-create it with the correct match and a lower initial number in the filename to make sure systemd-networkd will keep configuring your interface, e.g. via the mkosi.skeleton or mkosi.extra trees or a mkosi.postinst script.

The kernel-install script for building unified kernel images has been removed. From v13 onwards, on systems using kernel-install, mkosi won't automatically build new unified kernel images when a kernel is updated or installed. To keep the old behavior, you can install the kernel-install script manually via a skeleton tree; a copy can be found here.

New QemuKvm option configures whether to use KVM when running mkosi qemu.

mkosi will not default to the same OS release as the host system anymore when the host system uses the same distribution as the image that's being built. Instead, when no release is specified, mkosi will now always default to the default version embedded in mkosi itself.

mkosi will now use the pacman keyring from the host when building Arch images. This means that users will, on top of installing archlinux-keyring, also have to run pacman-key --init and pacman-key --populate archlinux on the host system to be able to build Arch images. Also, unless the package manager is configured to do it automatically, the host keyring will have to be updated after archlinux-keyring updates by running pacman-key --populate archlinux and pacman-key --updatedb.

Direct qemu linux boot is now supported with BootProtocols=linux. When enabled, the kernel image, initrd, and cmdline will be extracted from the image and passed to qemu by mkosi qemu to directly boot into the kernel image without a bootloader. This can be used to boot for example s390x images in qemu.

The initrd will now always be rebuilt after the extra trees and build artifacts have been installed into the image.

The github action has been migrated to Ubuntu Jammy. To migrate any jobs using the action, add runs-on: ubuntu-22.04 to the job config.

All images are now configured by default with the C.UTF-8 locale.

New --repository-directory option can be used to configure a directory with extra repository files to be used by the package manager when building an image. Note that this option is currently only supported for pacman and dnf-based distros.

Option --skeleton-tree is now supported on Debian-based distros.

Changelog

Sourced from systemd/mkosi's changelog.

mkosi Changelog

v14

Support for Clear Linux was dropped. See systemd/mkosi#1037 for more information.

Support for Photon was dropped. See systemd/mkosi#1048 for more information.

The Arch kernel/bootloader pacman hooks were removed. For anyone that still wants to use them, they can be found here.

mkosi now creates distro~~release subdirectories inside the build, cache and output directories for each distro~~release combination that is built. This allows building for multiple distros without throwing away the results of a previous distro build every time.

The preferred names for mkosi configuration files and directories are now mkosi.conf and mkosi.conf.d/ respectively. The old names (mkosi.default and mkosi.default.d) have been removed from the docs but are still supported for backwards compatibility.

plain_squashfs type images will now also be named with a .raw suffix.

tar type images will now respect the --compress option.

Pacman's SigLevel option was changed to use the same default value as used on Arch which is SigLevel = Required DatabaseOptional. If this results in keyring errors, you need to update the keyring by running pacman-key --populate archlinux.

Support for CentOS 7 was dropped.

Support for BIOS/grub was dropped. To allow users to configure grub themselves, the new --bios-size option can be used to add a BIOS boot partition of the specified size on which grub can be installed.

mkosi now runs apt and dpkg on the host. As such, we now require apt and dpkg to be installed on the host along with debootstrap in order to be able to build debian/ubuntu images.

Split dm-verity artifacts default names have been changed to match what systemd and other tools expect: image.root.raw, image.root.verity, image.root.roothash, image.root.roothash.p7s (same for usr variants).

v13

The --network-veth option has been renamed to --netdev. The old name made sense with virtual ethernet devices, but when booting images with qemu a TUN/TAP device is used instead.

The network config file installed by mkosi when the --netdev (previously --network-veth) option is used (formerly /etc/systemd/network/80-mkosi-network-veth.network in the image) now only matches network interfaces using the virtio_net driver. Please make sure you weren't relying on this file to configure any network interfaces other than the tun/tap virtio-net interface created by mkosi when booting the image in QEMU with the --netdev option. If you were relying on this config file to configure other interfaces, you'll have to re-create it with the correct match and a lower initial number in the filename to make sure systemd-networkd will keep configuring your interface, e.g. via the mkosi.skeleton or mkosi.extra trees or a mkosi.postinst script.

The kernel-install script for building unified kernel images has been

... (truncated)

Commits

a0f7898 action: Use /etc/os-release as cache key instead of runner.os
77f4487 Default to -cpu max when running VMs using QEMU
c53cb3b Change --qemu-smp default from 2 to 1
c9306d9 action: Compile systemd-nspawn v251 from source
4cb6290 Don't override stat of destination root when using copy_path()
44dfd9e ci: Update to Ubuntu 22.04 LTS
8374f03 Communicate the associated dir in the ESP via /etc/kernel/entry-token
d99143c Merge pull request #1007 from DaanDeMeyer/always-initrd
b2472e2 Merge pull request #1015 from pyfisch/veritysetup
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [systemd/mkosi](https://github.com/systemd/mkosi) from 679bcc98fb8fbe7b53ed809c7019992877e18c14 to 13. This release includes the previously tagged commit. - [Release notes](https://github.com/systemd/mkosi/releases) - [Changelog](https://github.com/systemd/mkosi/blob/main/NEWS.md) - [Commits](systemd/mkosi@679bcc9...a2091d1) --- updated-dependencies: - dependency-name: systemd/mkosi dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

bluca · 2022-09-01T08:36:22Z

@dependabot ignore this dependency

dependabot · 2022-09-01T08:36:28Z

OK, I won't notify you about systemd/mkosi again, unless you re-open this PR or update it yourself. 😢

This is a workaround for an issue in the memory sanitizer. If a function is called with too many arguments, then the sanitizer triggers the following false-positive warning: ==349==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7f8b247134a7 in json_buildv /work/build/../../src/systemd/src/shared/json.c:3213:17 #1 0x7f8b24714231 in json_build /work/build/../../src/systemd/src/shared/json.c:4117:13 #2 0x7f8b24487fa5 in show_boot_entries /work/build/../../src/systemd/src/shared/bootspec.c:1424:29 #3 0x4a6a1b in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-bootspec.c:119:16 #4 0x4c6693 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #5 0x4c5e7a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #6 0x4c7ce4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7 #7 0x4c7f19 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3 #8 0x4b757f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #9 0x4e0bd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #10 0x7f8b23ead082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #11 0x41f69d in _start (build-out/fuzz-bootspec+0x41f69d) Follow-up for systemd#24541. Fixes systemd#24551.

We would print the whole thing in extenso. Users generally don't care, and would likely prefer to just get the compact identifier of the package that they can use in a bug report or package manager commands. Before: systemd-coredump[40645]: [🡕] Process 1975 (gnome-shell) of user 1000 dumped core. Module /usr/bin/gnome-shell (deleted) with build-id aafdb7d69a7efca937e490080ad9348541fc57d8 Metadata for module /usr/bin/gnome-shell (deleted) owned by FDO found: { "type" : "rpm", "name" : "gnome-shell", "version" : "43~rc-3.fc37", "architecture" : "x86_64", "osCpe" : "cpe:/o:fedoraproject:fedora:37" } Module /usr/lib64/gnome-shell/libgvc.so (deleted) with build-id 56cbb9862e1ee84ca1549b94f2b4cda03537613e Metadata for module /usr/lib64/gnome-shell/libgvc.so (deleted) owned by FDO found: { "type" : "rpm", "name" : "gnome-shell", "version" : "43~rc-2.fc37", "architecture" : "x86_64", "osCpe" : "cpe:/o:fedoraproject:fedora:37" } Module /usr/lib64/libLLVM-14.so (deleted) with build-id ffa7e43f48eb4c189304c0241b1862710de4c3a4 Metadata for module /usr/lib64/libLLVM-14.so (deleted) owned by FDO found: { "type" : "rpm", "name" : "gnome-shell", "version" : "43~rc-2.fc37", "architecture" : "x86_64", "osCpe" : "cpe:/o:fedoraproject:fedora:37" } After: systemd-coredump[235218]: [🡕] Process 235216 (bash) of user 1000 dumped core. Module libtinfo.so.6 from rpm ncurses-6.3-3.20220501.fc37.x86_64, build-id=71a04d23fd572525eb6efc47026c379725e06d96 Module bash from rpm bash-5.1.16-3.fc37.x86_64, build-id=6c936aff95a2ccda04a3fb685a81a84a0a8d10da Stack trace of thread 235216: #0 0x00007fa409ec8d8b kill (libc.so.6 + 0x38d8b) #1 0x0000560d35e366b1 kill_builtin (bash + 0xad6b1) #2 0x0000560d35dd7227 execute_builtin.lto_priv.0 (bash + 0x4e227) #3 0x0000560d35dd0459 execute_simple_command (bash + 0x47459) #4 0x0000560d35dd1de0 execute_command_internal (bash + 0x48de0) #5 0x0000560d35e307aa parse_and_execute (bash + 0xa77aa) #6 0x0000560d35e91b08 run_one_command.isra.0 (bash + 0x108b08) #7 0x0000560d35dba07c main (bash + 0x3107c) #8 0x00007fa409eb3510 __libc_start_call_main (libc.so.6 + 0x23510) #9 0x00007fa409eb35c9 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x235c9) #10 0x0000560d35dbad85 _start (bash + 0x31d85)

This wrapper is used in situations where we don't care about *San reports, we just want to make things work. However, with enabled LSan we might trigger some bogus reports we're definitely not interested in, causing unexpected test fails. Spotted on C8S in TEST-34-DYNAMICUSERMIGRATE: ``` [10654.804162] testsuite-34.sh[56]: + systemctl start testservice-34-check-writable.service Starting testservice-34-check-writable.service... [10655.055969] bash[546]: + set -o pipefail [10655.056127] bash[546]: + declare -a writable_dirs [10655.056234] bash[546]: + readarray -t writable_dirs [10655.060838] bash[548]: ++ find / '(' -path /var/tmp -o -path /tmp -o -path /proc -o -path /dev/mqueue -o -path /dev/shm -o -path /sys/fs/bpf -o -path /dev/.lxc -o -path /sys/devices/system/cpu ')' -prune -o -type d -writable -print [10655.061534] bash[549]: ++ sort -u [10655.688740] bash[547]: ================================================================= [10655.689075] bash[547]: ==547==ERROR: LeakSanitizer: detected memory leaks [10655.689246] bash[547]: Direct leak of 112 byte(s) in 1 object(s) allocated from: [10655.743851] bash[547]: #0 0x7ffff752d364 (/usr/lib64/clang/14.0.0/lib/libclang_rt.asan-powerpc64le.so+0x13d364) (BuildId: 321f4ed1caea6a1a4c37f9272e07275cf16f034d) [10655.744060] bash[547]: #1 0x1000b5d20 in xmalloc (/usr/bin/bash+0xb5d20) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744224] bash[547]: #2 0x100083338 (/usr/bin/bash+0x83338) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744393] bash[547]: #3 0x10008847c (/usr/bin/bash+0x8847c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744552] bash[547]: #4 0x1000af6ec in redirection_expand (/usr/bin/bash+0xaf6ec) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744728] bash[547]: #5 0x1000b005c (/usr/bin/bash+0xb005c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744886] bash[547]: #6 0x1000b1388 in do_redirections (/usr/bin/bash+0xb1388) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745051] bash[547]: #7 0x100050484 (/usr/bin/bash+0x50484) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745208] bash[547]: #8 0x100052160 in execute_command_internal (/usr/bin/bash+0x52160) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745376] bash[547]: #9 0x100052a10 in execute_command_internal (/usr/bin/bash+0x52a10) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745536] bash[547]: #10 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745711] bash[547]: #11 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745870] bash[547]: #12 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746038] bash[547]: #13 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746198] bash[547]: #14 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746367] bash[547]: #15 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746548] bash[547]: #16 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746741] bash[547]: #17 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746897] bash[547]: #18 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747067] bash[547]: #19 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747227] bash[547]: #20 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747414] bash[547]: #21 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747573] bash[547]: #22 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747741] bash[547]: #23 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747896] bash[547]: #24 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748064] bash[547]: #25 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748225] bash[547]: #26 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748390] bash[547]: systemd#27 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748553] bash[547]: systemd#28 0x1000bf91c in parse_and_execute (/usr/bin/bash+0xbf91c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748717] bash[547]: systemd#29 0x1000311ec (/usr/bin/bash+0x311ec) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748883] bash[547]: Direct leak of 17 byte(s) in 1 object(s) allocated from: ... ```

``` ../src/basic/hexdecoct.c:66:44: runtime error: applying zero offset to null pointer #0 0x7f6022650c44 in hexmem /home/vagrant/systemd/build-fuzzers/../src/basic/hexdecoct.c:66:44 #1 0x577583 in dns_resource_record_to_string /home/vagrant/systemd/build-fuzzers/../src/resolve/resolved-dns-rr.c:1140:21 #2 0x563669 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build-fuzzers/../src/resolve/fuzz-resource-record.c:25:39 #3 0x44d2a1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-resource-record+0x44d2a1) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) #4 0x42d32f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-resource-record+0x42d32f) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) #5 0x434920 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/out/fuzz-resource-record+0x434920) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) #6 0x424006 in main (/home/vagrant/systemd/out/fuzz-resource-record+0x424006) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) #7 0x7f602142950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f) (BuildId: 85c438f4ff93e21675ff174371c9c583dca00b2c) #8 0x7f60214295c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x295c8) (BuildId: 85c438f4ff93e21675ff174371c9c583dca00b2c) #9 0x424044 in _start (/home/vagrant/systemd/out/fuzz-resource-record+0x424044) (BuildId: 88135c111396e9441a475302ccabd2f9a58c7e89) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/basic/hexdecoct.c:66:44 in ```

When built with ACL support, we might be processing a tmpfiles entry where there's no cause for us to call parse_acls_from_arg, then we get to the end of parse_line without having ever populated i.{acl_access, acl_default}. Then we pass a null pointer into acl_free(). From UBSAN w/ GCC 13.0.0_pre20230101: ``` $ systemd-tmpfiles --clean /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer #0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44 #1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855 #2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158 #3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897 #4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985 #5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157 #6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218 #7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289) #8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344) #9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900) ```

The COREDUMP_EXE attribute is "optional", i.e. we continue to process the crash even if we didn't acquire it. The coredump generation code assumed that it is always available: #5 endswith at ../src/fundamental/string-util-fundamental.c:41 [ endswith() is called with NULL here, and an assertion fails. ] #6 submit_coredump at ../src/coredump/coredump.c:823 #7 process_socket at ../src/coredump/coredump.c:1038 #8 run at ../src/coredump/coredump.c:1413 We use the exe path for loop detection, and also (ultimately) pass it to dwfl_core_file_report(). The latter seems to be fine will NULL, so let's just change our code to look at COMM, which should be more reliable anyway. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2036517. (cherry picked from commit c790632)

================================================================= ==81071==ERROR: LeakSanitizer: detected memory leaks Direct leak of 16 byte(s) in 1 object(s) allocated from: #0 0x51245c in __interceptor_reallocarray (/home/vagrant/systemd/build/fuzz-dhcp-client+0x51245c) #1 0x7f01440c67e6 in strv_push /home/vagrant/systemd/build/../src/basic/strv.c:435:13 #2 0x7f01440ca9e1 in strv_consume /home/vagrant/systemd/build/../src/basic/strv.c:506:13 #3 0x7f01440ca9e1 in strv_extend /home/vagrant/systemd/build/../src/basic/strv.c:558:16 #4 0x5806e3 in dhcp_lease_parse_search_domains /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:900:21 #5 0x57c1be in dhcp_lease_parse_options /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:727:21 #6 0x572450 in parse_options /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:348:33 #7 0x571c6a in dhcp_option_parse /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:376:13 #8 0x559a01 in client_handle_offer /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-client.c:1543:13 #9 0x5592bd in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/libsystemd-network/fuzz-dhcp-client.c:74:16 #10 0x44a379 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x44a379) #11 0x42ae1f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x42ae1f) #12 0x432ade in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x432ade) #13 0x421f86 in main (/home/vagrant/systemd/build/fuzz-dhcp-client+0x421f86) #14 0x7f0142fff55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f) (cherry picked from commit 9591c0a)

``` timedatectl list-timezones --no-pager ... ==164329==ERROR: LeakSanitizer: detected memory leaks Direct leak of 8192 byte(s) in 1 object(s) allocated from: #0 0x7fe8a74b6f8c in reallocarray (/lib64/libasan.so.6+0xaef8c) #1 0x7fe8a63485dc in strv_push ../src/basic/strv.c:419 #2 0x7fe8a6349419 in strv_consume ../src/basic/strv.c:490 #3 0x7fe8a634958d in strv_extend ../src/basic/strv.c:542 #4 0x7fe8a643d787 in bus_message_read_strv_extend ../src/libsystemd/sd-bus/bus-message.c:5606 #5 0x7fe8a643db9d in sd_bus_message_read_strv ../src/libsystemd/sd-bus/bus-message.c:5628 #6 0x4085fb in list_timezones ../src/timedate/timedatectl.c:314 #7 0x7fe8a61ef3e1 in dispatch_verb ../src/shared/verbs.c:103 #8 0x410f91 in timedatectl_main ../src/timedate/timedatectl.c:1025 #9 0x41111c in run ../src/timedate/timedatectl.c:1043 #10 0x411242 in main ../src/timedate/timedatectl.c:1046 #11 0x7fe8a489df1f in __libc_start_call_main (/lib64/libc.so.6+0x40f1f) ``` (cherry picked from commit a2e37d5)

When built with ACL support, we might be processing a tmpfiles entry where there's no cause for us to call parse_acls_from_arg, then we get to the end of parse_line without having ever populated i.{acl_access, acl_default}. Then we pass a null pointer into acl_free(). From UBSAN w/ GCC 13.0.0_pre20230101: ``` $ systemd-tmpfiles --clean /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer #0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44 #1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855 #2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158 #3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897 #4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985 #5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157 #6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218 #7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289) #8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344) #9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900) ``` (cherry picked from commit 9f804ab) (cherry picked from commit a11a949) (cherry picked from commit 4551936)

[ 49.275617] testsuite-46.sh[1862]: ================================================================= [ 49.275870] testsuite-46.sh[1862]: ==1862==ERROR: LeakSanitizer: detected memory leaks [ 49.276039] testsuite-46.sh[1862]: Direct leak of 103 byte(s) in 14 object(s) allocated from: [ 49.276515] testsuite-46.sh[1862]: #0 0x7f4dbc07243b in strdup (/lib64/libasan.so.8+0x7243b) [ 49.276707] testsuite-46.sh[1862]: #1 0x7f4dbb3900d5 in free_and_strdup ../src/basic/string-util.c:952 [ 49.276931] testsuite-46.sh[1862]: #2 0x7f4dbb15c67d in json_dispatch_user_group_name ../src/shared/json.c:4699 [ 49.277134] testsuite-46.sh[1862]: #3 0x7f4dbb16da9b in json_dispatch ../src/shared/json.c:4395 [ 49.277352] testsuite-46.sh[1862]: #4 0x7f4dbb25b28e in userdb_on_query_reply ../src/shared/userdb.c:305 [ 49.277603] testsuite-46.sh[1862]: #5 0x7f4dbb2748b9 in varlink_dispatch_reply ../src/shared/varlink.c:760 [ 49.277766] testsuite-46.sh[1862]: #6 0x7f4dbb2748b9 in varlink_process ../src/shared/varlink.c:951 [ 49.277975] testsuite-46.sh[1862]: #7 0x7f4dbb27a001 in defer_callback ../src/shared/varlink.c:1897 [ 49.278197] testsuite-46.sh[1862]: #8 0x7f4dbb5d57dd in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4191 [ 49.278421] testsuite-46.sh[1862]: #9 0x7f4dbb5d685d in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4780 [ 49.278675] testsuite-46.sh[1862]: #10 0x7f4dbb5d70bf in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4841 [ 49.278873] testsuite-46.sh[1862]: #11 0x7f4dbb257e7c in userdb_process ../src/shared/userdb.c:591 [ 49.279048] testsuite-46.sh[1862]: #12 0x7f4dbb25f78f in membershipdb_iterator_get ../src/shared/userdb.c:1411 [ 49.279280] testsuite-46.sh[1862]: #13 0x7f4dbb23a98c in user_record_show ../src/shared/user-record-show.c:187 [ 49.279504] testsuite-46.sh[1862]: #14 0x404ae3 in show_user ../src/userdb/userdbctl.c:93 [ 49.279710] testsuite-46.sh[1862]: #15 0x40b4f5 in display_user ../src/userdb/userdbctl.c:418 [ 49.279961] testsuite-46.sh[1862]: #16 0x7f4dbb2804d2 in dispatch_verb ../src/shared/verbs.c:110 [ 49.280233] testsuite-46.sh[1862]: #17 0x40dcf3 in run ../src/userdb/userdbctl.c:1327 [ 49.280434] testsuite-46.sh[1862]: #18 0x40dcf3 in main ../src/userdb/userdbctl.c:1330 [ 49.280657] testsuite-46.sh[1862]: #19 0x7f4db9e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) [ 49.280907] testsuite-46.sh[1862]: SUMMARY: AddressSanitizer: 103 byte(s) leaked in 14 allocation(s).

When built with ACL support, we might be processing a tmpfiles entry where there's no cause for us to call parse_acls_from_arg, then we get to the end of parse_line without having ever populated i.{acl_access, acl_default}. Then we pass a null pointer into acl_free(). From UBSAN w/ GCC 13.0.0_pre20230101: ``` $ systemd-tmpfiles --clean /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer #0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44 #1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855 #2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158 #3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897 #4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985 #5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157 #6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218 #7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289) #8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344) #9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900) ``` (cherry picked from commit 9f804ab)

+ machinectl image-status container1 container1 container0 container1 container2 container3 container4 ================================================================= ==1354==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4704 byte(s) in 6 object(s) allocated from: #0 0x7fc3670ba097 in calloc (/lib64/libasan.so.8+0xba097) #1 0x7fc365e91e8e in message_from_header ../src/libsystemd/sd-bus/bus-message.c:372 #2 0x7fc365e92dfd in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:421 #3 0x7fc365f089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 #4 0x7fc365f0affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 #5 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #6 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #7 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #8 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109 #9 0x413b76 in show_image ../src/machine/machinectl.c:1014 #10 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103 #11 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981 #12 0x42ebbd in run ../src/machine/machinectl.c:3006 #13 0x42ece3 in main ../src/machine/machinectl.c:3009 #14 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 666 byte(s) in 6 object(s) allocated from: #0 0x7fc3670b95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5) #1 0x7fc365f09822 in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1214 #2 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #3 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #4 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #5 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109 #6 0x413b76 in show_image ../src/machine/machinectl.c:1014 #7 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103 #8 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981 #9 0x42ebbd in run ../src/machine/machinectl.c:3006 #10 0x42ece3 in main ../src/machine/machinectl.c:3009 #11 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 12 byte(s) in 6 object(s) allocated from: #0 0x7fc36707243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fc365ec1543 in message_parse_fields ../src/libsystemd/sd-bus/bus-message.c:4125 #2 0x7fc365e93586 in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:443 #3 0x7fc365f089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 #4 0x7fc365f0affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 #5 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #6 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #7 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #8 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109 #9 0x413b76 in show_image ../src/machine/machinectl.c:1014 #10 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103 #11 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981 #12 0x42ebbd in run ../src/machine/machinectl.c:3006 #13 0x42ece3 in main ../src/machine/machinectl.c:3009 #14 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 5382 byte(s) leaked in 18 allocation(s).

+ machinectl status long-running long-running long-running ================================================================= ==986==ERROR: LeakSanitizer: detected memory leaks Direct leak of 1568 byte(s) in 2 object(s) allocated from: #0 0x7fe57caba097 in calloc (/lib64/libasan.so.8+0xba097) #1 0x7fe57b891e8e in message_from_header ../src/libsystemd/sd-bus/bus-message.c:372 #2 0x7fe57b892dfd in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:421 #3 0x7fe57b9089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 #4 0x7fe57b90affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 #5 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #6 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #7 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #8 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109 #9 0x40f71c in show_machine ../src/machine/machinectl.c:713 #10 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103 #11 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980 #12 0x42ebf9 in run ../src/machine/machinectl.c:3005 #13 0x42ed1f in main ../src/machine/machinectl.c:3008 #14 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 234 byte(s) in 2 object(s) allocated from: #0 0x7fe57cab95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5) #1 0x7fe57b909822 in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1214 #2 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #3 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #4 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #5 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109 #6 0x40f71c in show_machine ../src/machine/machinectl.c:713 #7 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103 #8 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980 #9 0x42ebf9 in run ../src/machine/machinectl.c:3005 #10 0x42ed1f in main ../src/machine/machinectl.c:3008 #11 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 4 byte(s) in 2 object(s) allocated from: #0 0x7fe57ca7243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fe57b8c1543 in message_parse_fields ../src/libsystemd/sd-bus/bus-message.c:4125 #2 0x7fe57b893586 in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:443 #3 0x7fe57b9089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 #4 0x7fe57b90affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 #5 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 #6 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 #7 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 #8 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109 #9 0x40f71c in show_machine ../src/machine/machinectl.c:713 #10 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103 #11 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980 #12 0x42ebf9 in run ../src/machine/machinectl.c:3005 #13 0x42ed1f in main ../src/machine/machinectl.c:3008 #14 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 1806 byte(s) leaked in 6 allocation(s).

When merging the settings we take the pointer to the array of extra devices, but don't reset the array counter to zero. This later leads to a NULL pointer dereference, where device_node_array_free() attempts to loop over a NULL pointer: + systemd-nspawn --oci-bundle=/var/lib/machines/testsuite-13.oci-bundle.Npo ../src/nspawn/nspawn-settings.c:118:29: runtime error: member access within null pointer of type 'struct DeviceNode' #0 0x4b91ee in device_node_array_free ../src/nspawn/nspawn-settings.c:118 #1 0x4ba42a in settings_free ../src/nspawn/nspawn-settings.c:161 #2 0x410b79 in settings_freep ../src/nspawn/nspawn-settings.h:249 #3 0x446ce8 in load_oci_bundle ../src/nspawn/nspawn.c:4733 #4 0x44ff42 in run ../src/nspawn/nspawn.c:5476 #5 0x455296 in main ../src/nspawn/nspawn.c:5919 #6 0x7f0cb7a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #7 0x7f0cb7a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #8 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/nspawn/nspawn-settings.c:118:29 in Also, add an appropriate assert to catch such issues in the future.

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) #1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 #2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 #3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 #4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 #5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 #6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 #8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 #10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 #12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #14 0x4552fb in main ../src/nspawn/nspawn.c:5920 #15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING

Whoopsie. ================================================================= ==3789231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000051d0b8 at pc 0x7f70850bc904 bp 0x7ffd9bbdf660 sp 0x7ffd9bbdf658 READ of size 8 at 0x00000051d0b8 thread T0 #0 0x7f70850bc903 in json_dispatch ../src/shared/json.c:4347 #1 0x4a5b54 in oci_seccomp_syscalls ../src/nspawn/nspawn-oci.c:1838 #2 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #3 0x4a668c in oci_seccomp ../src/nspawn/nspawn-oci.c:1905 #4 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #5 0x4a7d8c in oci_linux ../src/nspawn/nspawn-oci.c:2030 #6 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4aa31c in oci_load ../src/nspawn/nspawn-oci.c:2198 #8 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #9 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #10 0x4552fb in main ../src/nspawn/nspawn.c:5920 #11 0x7f7083a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #12 0x7f7083a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #13 0x40d284 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/systemd-nspawn+0x40d284) 0x00000051d0b8 is located 40 bytes to the left of global variable 'bus_standard_errors_copy_0' defined in '../src/libsystemd/sd-bus/bus-error.h:57:1' (0x51d0e0) of size 8 0x00000051d0b8 is located 0 bytes to the right of global variable 'table' defined in '../src/nspawn/nspawn-oci.c:1829:43' (0x51d040) of size 120 SUMMARY: AddressSanitizer: global-buffer-overflow ../src/shared/json.c:4347 in json_dispatch Shadow bytes around the buggy address: 0x00008009b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009b9d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9e0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 =>0x00008009ba10: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9 0x00008009ba20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3789231==ABORTING

In case one of the allocations fails. For example: AddressSanitizer:DEADLYSIGNAL ================================================================= ==17==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb352a476e5 bp 0x7ffe45154850 sp 0x7ffe45154008 T0) ==17==The signal is caused by a READ memory access. ==17==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fb352a476e5 (/lib/x86_64-linux-gnu/libc.so.6+0x1886e5) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #1 0x435878 in __interceptor_strlen /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc #2 0x4de1e4 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-calendarspec.c:20:21 #3 0x4deea8 in NaloFuzzerTestOneInput (/build/fuzz-calendarspec+0x4deea8) #4 0x4fde33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #5 0x4fd61a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #6 0x4fece9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #7 0x4ff9b5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #8 0x4eed1f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #9 0x4ef5e8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #10 0x4df105 in main (/build/fuzz-calendarspec+0x4df105) #11 0x7fb3528e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #12 0x41f80d in _start (/build/fuzz-calendarspec+0x41f80d) Found by Nallocfuzz.

As it might hide a possible allocation error since it uses the returns_nonnull attribute: AddressSanitizer:DEADLYSIGNAL ================================================================= ==8==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f317897db8d bp 0x7ffd436fe9a0 sp 0x7ffd436fe970 T0) ==8==The signal is caused by a WRITE memory access. ==8==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7f317897db8d in source_new /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:1214:18 #1 0x7f317897e68c in sd_event_add_time /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:1417:13 #2 0x7f317897a0f6 in event_reset_time /work/build/../../src/systemd/src/libsystemd/sd-event/event-util.c:68:21 #3 0x4e2c8e in client_initialize_time_events /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1366:13 #4 0x4eb0fd in client_initialize_events /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1380:9 #5 0x4eb0fd in client_start_delayed /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1410:16 #6 0x4e30aa in client_start /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1415:16 #7 0x4e30aa in sd_dhcp_client_start /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:2045:13 #8 0x4e700e in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-client.c:73:15 #9 0x5062f8 in NaloFuzzerTestOneInput (/build/fuzz-dhcp-client+0x5062f8) #10 0x525283 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x524a6a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x526139 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x526e05 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x51616f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x516a38 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x506555 in main (/build/fuzz-dhcp-client+0x506555) #17 0x7f3177ce3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #18 0x420c4d in _start (/build/fuzz-dhcp-client+0x420c4d) Found by Nallocfuzz.

==8==ERROR: LeakSanitizer: detected memory leaks Indirect leak of 168 byte(s) in 3 object(s) allocated from: #0 0x4a0e6e in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3 #1 0x4dec61 in calloc (/build/fuzz-bus-match+0x4dec61) #2 0x7f7c25e2b92d in bus_match_add_leaf /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-match.c:548:13 #3 0x7f7c25e2b92d in bus_match_add /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-match.c:886:16 #4 0x4de864 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd/sd-bus/fuzz-bus-match.c:83:21 #5 0x4defc8 in NaloFuzzerTestOneInput (/build/fuzz-bus-match+0x4defc8) #6 0x4fdf53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #7 0x4fd73a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #8 0x4fee09 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #9 0x4ffad5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #10 0x4eee3f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #11 0x4ef708 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #12 0x4df225 in main (/build/fuzz-bus-match+0x4df225) #13 0x7f7c252e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_calloc--calloc--bus_match_add_leaf SUMMARY: AddressSanitizer: 168 byte(s) leaked in 3 allocation(s). Found by Nallocfuzz.

We can't dereference the variant object directly, as it might be a magic object (which has an address on a faulting page); use json_variant_is_sensitive() instead that handles this case. For example, with an empty array: ==1547789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000023 (pc 0x7fd616ca9a18 bp 0x7ffcba1dc7c0 sp 0x7ffcba1dc6d0 T0) ==1547789==The signal is caused by a READ memory access. ==1547789==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fd616ca9a18 in json_variant_strv ../src/shared/json.c:2190 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7fd61564a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7fd61564a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) DEDUP_TOKEN: json_variant_strv--oci_args--json_dispatch AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ../src/shared/json.c:2190 in json_variant_strv ==1547789==ABORTING Or with an empty string in an array: ../src/shared/json.c:2202:39: runtime error: member access within misaligned address 0x000000000007 for type 'struct JsonVariant', which requires 8 byte alignment 0x000000000007: note: pointer points here <memory cannot be printed> #0 0x7f35f4ca9bcf in json_variant_strv ../src/shared/json.c:2202 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7f35f364a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7f35f364a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/json.c:2202:39 in Note: this happens only if json_variant_copy() in json_variant_set_source() fails. Found by Nallocfuzz.

If we fail to combine the new entry with a previous one, or update it in the hashmap, we might later on attempt a double-free: ================================================================= ==10==ERROR: AddressSanitizer: attempting double-free on 0x611000039fc0 in thread T0: SCARINESS: 42 (double-free) #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e431d9f2 in _hashmap_clear /work/build/../../src/systemd/src/basic/hashmap.c:927:33 #2 0x7f55e431d4c8 in _hashmap_free /work/build/../../src/systemd/src/basic/hashmap.c:896:17 #3 0x4de1de in ordered_hashmap_free_free_free /work/build/../../src/systemd/src/basic/hashmap.h:120:24 #4 0x4de1de in ordered_hashmap_free_free_freep /work/build/../../src/systemd/src/basic/hashmap.h:434:1 #5 0x4de1de in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:26:1 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #15 0x41f7cd in _start (/build/fuzz-catalog+0x41f7cd) DEDUP_TOKEN: __interceptor_free--_hashmap_clear--_hashmap_free 0x611000039fc0 is located 0 bytes inside of 224-byte region [0x611000039fc0,0x61100003a0a0) freed by thread T0 here: #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e451493d in freep /work/build/../../src/systemd/src/basic/alloc-util.h:107:22 #2 0x7f55e451493d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:187:1 #3 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #4 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #5 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #6 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #7 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #8 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #9 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #10 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #11 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #12 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #13 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_free--freep--finish_item previously allocated by thread T0 here: #0 0x4a0c06 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x4de539 in malloc (/build/fuzz-catalog+0x4de539) #2 0x7f55e42bf96b in memdup /work/build/../../src/systemd/src/basic/alloc-util.c:16:15 #3 0x7f55e451475d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:176:28 #4 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #5 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--memdup SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in __interceptor_free Found by Nallocfuzz.

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) #2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 #3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 #4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 #5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 #6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 #7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 #8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 #9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) #10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) #17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz.

==8036==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x4a10bc in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3 #1 0x4deef1 in realloc (/build/fuzz-unit-file+0x4deef1) #2 0x7ffa35abfe23 in greedy_realloc /work/build/../../src/systemd/src/basic/alloc-util.c:70:13 #3 0x7ffa35aefad2 in parse_env_file_internal /work/build/../../src/systemd/src/basic/env-file.c:127:38 #4 0x7ffa35af08a6 in parse_env_file_fdv /work/build/../../src/systemd/src/basic/env-file.c:374:13 #5 0x7ffa35b6391e in parse_extension_release_atv /work/build/../../src/systemd/src/basic/os-util.c:323:16 #6 0x7ffa35b63c8a in parse_extension_release_sentinel /work/build/../../src/systemd/src/basic/os-util.c:360:13 #7 0x7ffa35a5e3f5 in parse_os_release_specifier /work/build/../../src/systemd/src/shared/specifier.c:292:13 #8 0x7ffa35a5e3f5 in specifier_os_id /work/build/../../src/systemd/src/shared/specifier.c:303:16 #9 0x7ffa35a5c7f5 in specifier_printf /work/build/../../src/systemd/src/shared/specifier.c:70:45 #10 0x7ffa3690b279 in unit_full_printf_full /work/build/../../src/systemd/src/core/unit-printf.c:264:16 #11 0x7ffa367de795 in config_parse_bus_name /work/build/../../src/systemd/src/core/load-fragment.c:2401:13 #12 0x7ffa358fe5ec in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:151:24 #13 0x7ffa358fe5ec in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:257:16 #14 0x7ffa358fd653 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:400:21 #15 0x4de828 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/core/fuzz-unit-file.c:72:16 #16 0x4df208 in NaloFuzzerTestOneInput (/build/fuzz-unit-file+0x4df208) #17 0x4fe213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #18 0x4fd9fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #19 0x4ff0c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #20 0x4ffd95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #21 0x4ef0ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #22 0x4ef9c8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #23 0x4df485 in main (/build/fuzz-unit-file+0x4df485) #24 0x7ffa35232082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_realloc--realloc--greedy_realloc SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz.

Whoopsie. ================================================================= ==3789231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000051d0b8 at pc 0x7f70850bc904 bp 0x7ffd9bbdf660 sp 0x7ffd9bbdf658 READ of size 8 at 0x00000051d0b8 thread T0 #0 0x7f70850bc903 in json_dispatch ../src/shared/json.c:4347 #1 0x4a5b54 in oci_seccomp_syscalls ../src/nspawn/nspawn-oci.c:1838 #2 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #3 0x4a668c in oci_seccomp ../src/nspawn/nspawn-oci.c:1905 #4 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #5 0x4a7d8c in oci_linux ../src/nspawn/nspawn-oci.c:2030 #6 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4aa31c in oci_load ../src/nspawn/nspawn-oci.c:2198 #8 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #9 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #10 0x4552fb in main ../src/nspawn/nspawn.c:5920 #11 0x7f7083a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #12 0x7f7083a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #13 0x40d284 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/systemd-nspawn+0x40d284) 0x00000051d0b8 is located 40 bytes to the left of global variable 'bus_standard_errors_copy_0' defined in '../src/libsystemd/sd-bus/bus-error.h:57:1' (0x51d0e0) of size 8 0x00000051d0b8 is located 0 bytes to the right of global variable 'table' defined in '../src/nspawn/nspawn-oci.c:1829:43' (0x51d040) of size 120 SUMMARY: AddressSanitizer: global-buffer-overflow ../src/shared/json.c:4347 in json_dispatch Shadow bytes around the buggy address: 0x00008009b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009b9d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9e0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 =>0x00008009ba10: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9 0x00008009ba20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3789231==ABORTING (cherry picked from commit 525c3e3) (cherry picked from commit b8ed816)

We can't dereference the variant object directly, as it might be a magic object (which has an address on a faulting page); use json_variant_is_sensitive() instead that handles this case. For example, with an empty array: ==1547789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000023 (pc 0x7fd616ca9a18 bp 0x7ffcba1dc7c0 sp 0x7ffcba1dc6d0 T0) ==1547789==The signal is caused by a READ memory access. ==1547789==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fd616ca9a18 in json_variant_strv ../src/shared/json.c:2190 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7fd61564a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7fd61564a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) DEDUP_TOKEN: json_variant_strv--oci_args--json_dispatch AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ../src/shared/json.c:2190 in json_variant_strv ==1547789==ABORTING Or with an empty string in an array: ../src/shared/json.c:2202:39: runtime error: member access within misaligned address 0x000000000007 for type 'struct JsonVariant', which requires 8 byte alignment 0x000000000007: note: pointer points here <memory cannot be printed> #0 0x7f35f4ca9bcf in json_variant_strv ../src/shared/json.c:2202 #1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 #2 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 #4 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 #5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 #6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 #7 0x40691c in main ../src/fuzz/fuzz-main.c:50 #8 0x7f35f364a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #9 0x7f35f364a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/json.c:2202:39 in Note: this happens only if json_variant_copy() in json_variant_set_source() fails. Found by Nallocfuzz. (cherry picked from commit 909eb4c) (cherry picked from commit 58c1816)

If we fail to combine the new entry with a previous one, or update it in the hashmap, we might later on attempt a double-free: ================================================================= ==10==ERROR: AddressSanitizer: attempting double-free on 0x611000039fc0 in thread T0: SCARINESS: 42 (double-free) #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e431d9f2 in _hashmap_clear /work/build/../../src/systemd/src/basic/hashmap.c:927:33 #2 0x7f55e431d4c8 in _hashmap_free /work/build/../../src/systemd/src/basic/hashmap.c:896:17 #3 0x4de1de in ordered_hashmap_free_free_free /work/build/../../src/systemd/src/basic/hashmap.h:120:24 #4 0x4de1de in ordered_hashmap_free_free_freep /work/build/../../src/systemd/src/basic/hashmap.h:434:1 #5 0x4de1de in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:26:1 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #15 0x41f7cd in _start (/build/fuzz-catalog+0x41f7cd) DEDUP_TOKEN: __interceptor_free--_hashmap_clear--_hashmap_free 0x611000039fc0 is located 0 bytes inside of 224-byte region [0x611000039fc0,0x61100003a0a0) freed by thread T0 here: #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 #1 0x7f55e451493d in freep /work/build/../../src/systemd/src/basic/alloc-util.h:107:22 #2 0x7f55e451493d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:187:1 #3 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #4 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #5 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #6 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #7 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #8 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #9 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #10 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #11 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #12 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #13 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_free--freep--finish_item previously allocated by thread T0 here: #0 0x4a0c06 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x4de539 in malloc (/build/fuzz-catalog+0x4de539) #2 0x7f55e42bf96b in memdup /work/build/../../src/systemd/src/basic/alloc-util.c:16:15 #3 0x7f55e451475d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:176:28 #4 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 #5 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 #6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) #7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) #14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--memdup SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in __interceptor_free Found by Nallocfuzz. (cherry picked from commit ac874b8) (cherry picked from commit b1663b8)

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) #2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 #3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 #4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 #5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 #6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 #7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 #8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 #9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) #10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) #17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit b453ebf) (cherry picked from commit 9dde31a)

==1==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x7fc096c7243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fc095db3899 in bus_socket_set_transient_property ../src/core/dbus-socket.c:386 #2 0x7fc095db5140 in bus_socket_set_property ../src/core/dbus-socket.c:460 #3 0x7fc095dd20f1 in bus_unit_set_properties ../src/core/dbus-unit.c:2473 #4 0x7fc095d87d53 in transient_unit_from_message ../src/core/dbus-manager.c:1025 #5 0x7fc095d8872f in method_start_transient_unit ../src/core/dbus-manager.c:1112 #6 0x7fc0944ddf4f in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7fc0944e7854 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7fc0944e8f03 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7fc09454ad78 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3011 #10 0x7fc09454b302 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3053 #11 0x7fc09454e158 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3273 #12 0x7fc09454e2f2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3300 #13 0x7fc094551a59 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3642 #14 0x7fc094727830 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 #15 0x7fc094731009 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 #16 0x7fc094732124 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 #17 0x7fc095f7af9f in manager_loop ../src/core/manager.c:3242 #18 0x41cc7c in invoke_main_loop ../src/core/main.c:1937 #19 0x4252e0 in main ../src/core/main.c:3072 #20 0x7fc092a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s).

On faster machines we might be too fast and kill the fake binary during fork() which then makes kernel report a "wrong" binary in the coredump, e.g.: [ 31.408078] testsuite-74.sh[548]: + /tmp/make-dump /tmp/test-dump SIGTRAP [ 31.409720] testsuite-74.sh[560]: + bin=/tmp/test-dump [ 31.409720] testsuite-74.sh[560]: + sig=SIGTRAP [ 31.409720] testsuite-74.sh[560]: + ulimit -c unlimited [ 31.409720] testsuite-74.sh[560]: + pid=561 [ 31.409720] testsuite-74.sh[560]: + sleep 1 [ 31.409720] testsuite-74.sh[560]: + kill -s SIGTRAP 561 [ 31.409720] testsuite-74.sh[560]: + wait 561 [ 31.491757] systemd[1]: Created slice system-systemd\x2dcoredump.slice. [ 31.524488] systemd[1]: Started [email protected]. [ 31.616372] systemd-coredump[564]: [🡕] Process 561 (make-dump) of user 0 dumped core. Stack trace of thread 561: #0 0x00007ff86bb49af7 _Fork (libc.so.6 + 0xd4af7) #1 0x00007ff86bb4965f __libc_fork (libc.so.6 + 0xd465f) #2 0x000055e88011b0ad make_child (bash + 0x550ad) #3 0x000055e8800fd05f n/a (bash + 0x3705f) #4 0x000055e880100116 execute_command_internal (bash + 0x3a116) #5 0x000055e8801011f2 execute_command_internal (bash + 0x3b1f2) #6 0x000055e8801025b6 execute_command (bash + 0x3c5b6) #7 0x000055e8800f134b reader_loop (bash + 0x2b34b) #8 0x000055e8800e757d main (bash + 0x2157d) #9 0x00007ff86ba98850 n/a (libc.so.6 + 0x23850) #10 0x00007ff86ba9890a __libc_start_main (libc.so.6 + 0x2390a) #11 0x000055e8800e83b5 _start (bash + 0x223b5) ELF object binary architecture: AMD x86-64 [ 31.666617] testsuite-74.sh[560]: /tmp/make-dump: line 12: 561 Trace/breakpoint trap (core dumped) "$bin" infinity ... $ coredumpctl list --file system.journal TIME PID UID GID SIG COREFILE EXE SIZE Fri 2023-06-02 10:42:10 CEST 561 0 0 SIGTRAP journal /usr/bin/bash - Fri 2023-06-02 10:42:11 CEST 570 0 0 SIGABRT journal /tmp/test-dump - Fri 2023-06-02 10:42:12 CEST 582 0 0 SIGTRAP missing /tmp/test-dump - Fri 2023-06-02 10:42:13 CEST 593 0 0 SIGABRT missing /tmp/test-dump -

When the header= option comes before any other type= defining one, we trip over an assertion: Jun 04 15:45:33 H testsuite-24.sh[752]: + systemctl start [email protected] Jun 04 15:45:33 H systemd[1]: Starting [email protected]... Jun 04 15:45:33 H systemd-cryptsetup[4641]: Assertion 'name' failed at src/basic/strv.c:21, function strv_find(). Aborting. ... Jun 04 15:45:33 H systemd-coredump[4643]: Process 4641 (systemd-cryptse) of user 0 dumped core. ... Stack trace of thread 4641: #0 0x00007ff9256afe5c __pthread_kill_implementation (libc.so.6 + 0x8ce5c) #1 0x00007ff92565fa76 raise (libc.so.6 + 0x3ca76) #2 0x00007ff9256497fc abort (libc.so.6 + 0x267fc) #3 0x00007ff926076047 log_assert_failed (libsystemd-shared-253.so + 0x276047) #4 0x00007ff9260ab317 strv_find (libsystemd-shared-253.so + 0x2ab317) #5 0x0000000000405927 parse_one_option (systemd-cryptsetup + 0x5927) #6 0x0000000000407793 parse_options (systemd-cryptsetup + 0x7793) #7 0x000000000040fa0c run (systemd-cryptsetup + 0xfa0c) #8 0x000000000041137f main (systemd-cryptsetup + 0x1137f) #9 0x00007ff92564a510 __libc_start_call_main (libc.so.6 + 0x27510) #10 0x00007ff92564a5c9 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x275c9) #11 0x0000000000403915 _start (systemd-cryptsetup + 0x3915) ELF object binary architecture: AMD x86-64

Provides coverage for systemd#26872. With systemd#26875 reverted: [16444.287652] testsuite-03.sh[71]: + for i in {0..19} [16444.287652] testsuite-03.sh[71]: + systemctl start transaction-cycle0.service [16444.359503] systemd[1]: ================================================================= [16444.360321] systemd[1]: ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180002e578e at pc 0x7f73b25ec7a6 bp 0x7ffc5531c6f0 sp 0x7ffc5531be68 [16444.360798] systemd[1]: [16444.361044] systemd[1]: READ of size 783 at 0x6180002e578e thread T0 (systemd) [16444.391684] systemd[1]: #0 0x7f73b25ec7a5 (/lib64/libasan.so.5+0x557a5) [16444.392167] systemd[1]: #1 0x7f73b260a1d5 in __interceptor_vasprintf (/lib64/libasan.so.5+0x731d5) [16444.392442] systemd[1]: #2 0x7f73afa1d1e1 in log_format_iovec ../src/basic/log.c:996 [16444.392750] systemd[1]: #3 0x7f73afa1e7b6 in log_struct_internal ../src/basic/log.c:1058 [16444.393101] systemd[1]: #4 0x7f73b1979136 in transaction_verify_order_one ../src/core/transaction.c:392 [16444.393540] systemd[1]: #5 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.393946] systemd[1]: #6 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.394262] systemd[1]: #7 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.394532] systemd[1]: #8 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.394812] systemd[1]: #9 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 ...

Spotted while fuzzing systemd#27890. ================================================================= ==908098==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x7f4efe6d81f5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xd81f5) (BuildId: dc689b05ca2577037af24700212bb5cce1f91c8a) #1 0x7f4efb8e3ace in greedy_realloc ../src/basic/alloc-util.c:70 #2 0x7f4efb93b713 in extract_first_word ../src/basic/extract-word.c:62 #3 0x7f4efb970d50 in set_put_strsplit ../src/basic/hashmap.c:1902 #4 0x7f4efd76c27e in exec_context_deserialize ../src/core/execute-serialize.c:3341 #5 0x7f4efd778dcb in exec_deserialize ../src/core/execute-serialize.c:4122 #6 0x4032c0 in LLVMFuzzerTestOneInput ../src/core/fuzz-execute-serialize.c:60 #7 0x403c58 in main ../src/fuzz/fuzz-main.c:50 #8 0x7f4efecccb49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #9 0x7f4efecccc0a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #10 0x402344 in _start (/home/mrc0mmand/repos/@systemd/systemd/build-san/fuzz-execute-serialize+0x402344) (BuildId: 195f382cf1e39b9ba48d6dcf5a90f786d72837a8) SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Aborted (core dumped) ==911550==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x4df281 in strdup (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x4df281) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) #1 0x7fe4ae2b38fc in _set_put_strndup_full /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/basic/hashmap.c:1868:21 #2 0x7fe4b0bad897 in exec_context_deserialize /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/core/execute-serialize.c:3914:29 #3 0x7fe4b0b80592 in exec_deserialize /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/core/execute-serialize.c:4109:13 #4 0x531d0f in LLVMFuzzerTestOneInput /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/core/fuzz-execute-serialize.c:59:16 #5 0x440594 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x440594) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) #6 0x43f9b9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x43f9b9) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) #7 0x440fd5 in fuzzer::Fuzzer::MutateAndTestOne() (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x440fd5) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) #8 0x441955 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x441955) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) #9 0x42e151 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x42e151) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) #10 0x45a916 in main (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x45a916) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) #11 0x7fe4ac449b49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #12 0x7fe4ac449c0a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #13 0x422b74 in _start (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x422b74) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s).

Introduced by 41712cd. ================================================================= ==2194==ERROR: LeakSanitizer: detected memory leaks Indirect leak of 359856 byte(s) in 459 object(s) allocated from: #0 0x7ffff7511df4 (/usr/lib64/clang/16/lib/linux/libclang_rt.asan-powerpc64le.so+0x191df4) (BuildId: 47e1dd371a2b8525b6cb737760a4dc535f30ea10) #1 0x7ffff6bb5fb0 in message_from_header /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/bus-message.c:372:13 #2 0x7ffff6bb5fb0 in bus_message_from_malloc /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/bus-message.c:421:13 #3 0x7ffff6c23f54 in bus_socket_make_message /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/bus-socket.c:1222:13 #4 0x7ffff6c22d10 in bus_socket_read_message /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/bus-socket.c #5 0x7ffff6c4d414 in bus_read_message /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/sd-bus.c:2082:16 #6 0x7ffff6c4d414 in sd_bus_call /systemd-meson-build/../root/systemd/src/libsystemd/sd-bus/sd-bus.c:2480:21 #7 0x7ffff6682904 in bus_service_manager_reload /systemd-meson-build/../root/systemd/src/shared/bus-unit-util.c:2823:13 #8 0x1000d570 in daemon_reload /systemd-meson-build/../root/systemd/src/sysext/sysext.c:233:16 #9 0x100090f8 in merge /systemd-meson-build/../root/systemd/src/sysext/sysext.c:895:21 #10 0x10006ff4 in verb_merge /systemd-meson-build/../root/systemd/src/sysext/sysext.c:964:16 #11 0x7ffff69ae894 in dispatch_verb /systemd-meson-build/../root/systemd/src/shared/verbs.c:103:24 #12 0x10004570 in sysext_main /systemd-meson-build/../root/systemd/src/sysext/sysext.c:1194:16 #13 0x10004570 in run /systemd-meson-build/../root/systemd/src/sysext/sysext.c:1214:16 #14 0x10004570 in main /systemd-meson-build/../root/systemd/src/sysext/sysext.c:1217:1 #15 0x7ffff5f5a968 in generic_start_main.isra.0 (/lib64/libc.so.6+0x2a968) (BuildId: c218e04818632a05c23f6fdcca16f93e95ea7de2) #16 0x7ffff5f5ab00 in __libc_start_main (/lib64/libc.so.6+0x2ab00) (BuildId: c218e04818632a05c23f6fdcca16f93e95ea7de2) Indirect leak of 124984 byte(s) in 459 object(s) allocated from: ... #11 0x7ffff5f5a968 in generic_start_main.isra.0 (/lib64/libc.so.6+0x2a968) (BuildId: c218e04818632a05c23f6fdcca16f93e95ea7de2) #12 0x7ffff5f5ab00 in __libc_start_main (/lib64/libc.so.6+0x2ab00) (BuildId: c218e04818632a05c23f6fdcca16f93e95ea7de2) SUMMARY: AddressSanitizer: 493766 byte(s) leaked in 1383 allocation(s).

When exiting PID 1 we most likely don't have stdio/stdout open, so the final LSan check would not print any actionable information and would just crash PID 1 leading up to a kernel panic, which is a bit annoying. Let's instead attempt to open /dev/console, and if we succeed redirect LSan's report there. The result is a bit messy, as it's slightly interleaved with the kernel panic, but it's definitely better than not having the stack trace at all: [ OK ] Reached target final.target. [ OK ] Finished systemd-poweroff.service. [ OK ] Reached target poweroff.target. ================================================================= 3 1m 43.251782] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 [ 43.252838] CPU: 2 PID: 1 Comm: systemd Not tainted 6.4.12-200.fc38.x86_64 #1 ==[1==ERR O R :4 3Le.a2k53562] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 [ 43.254683] Call Trace: [ 43.254911] <TASK> [ 43.255107] dump_stack_lvl+0x47/0x60 S[ a 43.n2555i05] panic+t0x192/0x350 izer[ :43.255966 ] do_exit+0x990/0xdb10 etec[ 43.256504] do_group_exit+0x31/0x80 [ 43.256889] __x64_sys_exit_group+0x18/0x20 [ 43.257288] do_syscall_64+0x60/0x90 o_user_mod leaks[ 43.257618] ? syscall_exit_t +0x2b/0x40 [ 43.258411] ? do_syscall_64+0x6c/0x90 1mDirect le[ 43.258755] ak of 21 byte(s)? exc_page_fault+0x7f/0x180 [ 43.259446] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 43.259901] RiIP: 0033:0x7f357nb8f3ad4 1 objec[ 43.260354] Ctode: 48 89 (f7 0f 05 c3 sf3 0f 1e fa b8 3b 00 00 00) 0f 05 c3 0f 1f 4 0 00 f3 0f 1e fa 50 58 b8 e7 00 00 00 48 83 ec 08 48 63 ff 0f 051 [ 43.262581] RSP: 002b:00007ffc25872440 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 a RBX: 00007f357be9b218 RCX: 00007f357b8f3ad4m:ffd [ 43.264512] RDX: 0000000000000001 RSI: 00007f357b933b63 RDI: 0000000000000001 [ 43.265355] RBP: 00007f357be9b218 R08: efffffffffffffff R09: 00007ffc258721ef [ 43.266191] R10: 000000000000003f R11: 0000000000000202 R12: 00000fe6ae9e0000 [ 43.266891] R13: 00007f3574f00000 R14: 0000000000000000 R15: 0000000000000007 [ 43.267517] </TASK> #0 0x7f357b8814a8 in strdup (/lib64/libasan.so.8+0x814a8) (BuildId: e5f0a0d511a659fbc47bf41072869139cb2db47f) #1 0x7f3578d43317 in cg_path_decode_unit ../src/basic/cgroup-util.c:1132 #2 0x7f3578d43936 in cg_path_get_unit ../src/basic/cgroup-util.c:1190 #3 0x7f3578d440f6 in cg_pid_get_unit ../src/basic/cgroup-util.c:1234 #4 0x7f35789263d7 in bus_log_caller ../src/shared/bus-util.c:734 #5 0x7f357a9cf10a in method_reload ../src/core/dbus-manager.c:1621 #6 0x7f3578f77497 in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7f3578f80dd8 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7f3578f82487 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7f3578fe41f1 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3007 #10 0x7f3578fe477b in process_running ../src/libsystemd/sd-bus/sd-bus.c:3049 #11 0x7f3578fe75d1 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3269 #12 0x7f3578fe776e in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3296 #13 0x7f3578feaedc in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3638 #14 0x7f35791c2f68 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 #15 0x7f35791cc6f9 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 #16 0x7f35791cd830 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 #17 0x7f357abcd572 in manager_loop ../src/core/manager.c:3244 #18 0x41db21 in invoke_main_loop ../src/core/main.c:1960 #19 0x426615 in main ../src/core/main.c:3125 #20 0x7f3577c49b49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #21 0x7f3577c49c0a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #22 0x408494 in _start (/usr/lib/systemd/systemd+0x408494) (BuildId: fe61e1b0f00b6a36aa34e707a98c15c52f6b960a) SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s). [ 43.295912] Kernel Offset: 0x7000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 43.297036] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]--- Originally noticed in systemd#28579.

fuzzers randomly fail with the following: ``` ==172==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7f41169cb39b in update_argv /work/build/../../src/systemd/src/basic/argv-util.c:96:13 #1 0x7f41169cb39b in rename_process /work/build/../../src/systemd/src/basic/argv-util.c:210:16 #2 0x7f4116b6824e in safe_fork_full /work/build/../../src/systemd/src/basic/process-util.c:1516:21 #3 0x7f4116bffa36 in safe_fork /work/build/../../src/systemd/src/basic/process-util.h:191:16 #4 0x7f4116bffa36 in parse_timestamp /work/build/../../src/systemd/src/basic/time-util.c:1047:13 #5 0x4a61e6 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-time-util.c:16:16 #6 0x4c4a13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #7 0x4c41fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #8 0x4c58c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #9 0x4c6595 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #10 0x4b58ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #11 0x4def52 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #12 0x7f4115ea3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: e678fe54a5d2c2092f8e47eb0b33105e380f7340) #13 0x41f5ad in _start (build-out/fuzz-time-util+0x41f5ad) DEDUP_TOKEN: update_argv--rename_process--safe_fork_full Uninitialized value was created by an allocation of 'fv' in the stack frame of function 'have_effective_cap' #0 0x7f41169d3540 in have_effective_cap /work/build/../../src/systemd/src/basic/capability-util.c:21 ```

When assert_return() is critical, the following assertion is triggered on exit: --- #0 0x00007f8b1f6b0884 in __pthread_kill_implementation () from target:/lib64/libc.so.6 #1 0x00007f8b1f65fafe in raise () from target:/lib64/libc.so.6 #2 0x00007f8b1f64887f in abort () from target:/lib64/libc.so.6 #3 0x00007f8b208d02d6 in log_assert_failed (text=0x7f8b210009e0 "e->state != SD_EVENT_FINISHED", file=0x7f8b20fff403 "src/libsystemd/sd-event/sd-event.c", line=1252, func=0x7f8b21004400 <__func__.154> "sd_event_add_io") at ../src/basic/log.c:948 #4 0x00007f8b208d0457 in log_assert_failed_return (text=0x7f8b210009e0 "e->state != SD_EVENT_FINISHED", file=0x7f8b20fff403 "src/libsystemd/sd-event/sd-event.c", line=1252, func=0x7f8b21004400 <__func__.154> "sd_event_add_io") at ../src/basic/log.c:967 #5 0x00007f8b20c7d102 in sd_event_add_io (e=0x617000000080, ret=0x60c000000a20, fd=11, events=1, callback=0x7dfd85 <ipv4acd_on_packet>, userdata=0x60c000000a00) at ../src/libsystemd/sd-event/sd-event.c:1252 #6 0x00000000007e3934 in sd_ipv4acd_start (acd=0x60c000000a00, reset_conflicts=true) at ../src/libsystemd-network/sd-ipv4acd.c:597 #7 0x00000000007e72b9 in ipv4ll_start_internal (ll=0x6080000006a0, reset_generation=true) at ../src/libsystemd-network/sd-ipv4ll.c:278 #8 0x00000000007e7462 in sd_ipv4ll_start (ll=0x6080000006a0) at ../src/libsystemd-network/sd-ipv4ll.c:298 #9 0x00000000006047a1 in dhcp4_handler (client=0x617000000400, event=0, userdata=0x61a000000680) at ../src/network/networkd-dhcp4.c:1183 #10 0x000000000075b1ed in client_notify (client=0x617000000400, event=0) at ../src/libsystemd-network/sd-dhcp-client.c:783 #11 0x000000000075bf8d in client_stop (client=0x617000000400, error=0) at ../src/libsystemd-network/sd-dhcp-client.c:821 #12 0x000000000077710f in sd_dhcp_client_stop (client=0x617000000400) at ../src/libsystemd-network/sd-dhcp-client.c:2388 #13 0x000000000065cdd1 in link_stop_engines (link=0x61a000000680, may_keep_dhcp=true) at ../src/network/networkd-link.c:336 #14 0x000000000041f214 in manager_free (m=0x618000000080) at ../src/network/networkd-manager.c:613 #15 0x00000000004124e3 in manager_freep (p=0x7f8b1c800040) at ../src/network/networkd-manager.h:128 #16 0x00000000004139f6 in run (argc=1, argv=0x7ffffe4522e8) at ../src/network/networkd.c:24 #17 0x0000000000413b20 in main (argc=1, argv=0x7ffffe4522e8) at ../src/network/networkd.c:119 --- Prompted by systemd#30049 (comment).

By making assert_return() critical, we observe the following: --- Program received signal SIGABRT, Aborted. 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 (gdb) bt #0 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007f013205fafe in raise () from /lib64/libc.so.6 #2 0x00007f013204887f in abort () from /lib64/libc.so.6 #3 0x00007f01338d02d6 in log_assert_failed ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:948 #4 0x00007f01338d0457 in log_assert_failed_return ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:967 #5 0x00007f0133c7ed83 in sd_event_add_time (e=0x617000022280, ret=0x610000007e98, clock=7, usec=24054941030, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1399 #6 0x00007f0133c7f725 in sd_event_add_time_relative (e=0x617000022280, ret=0x610000007e98, clock=7, usec=1000000, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1462 #7 0x0000000000464cac in dns_scope_announce (scope=0x610000007e40, goodbye=true) at ../src/resolve/resolved-dns-scope.c:1530 #8 0x0000000000504d08 in link_free (l=0x612000023d40) at ../src/resolve/resolved-link.c:83 #9 0x000000000052dbbd in manager_free (m=0x619000000a80) at ../src/resolve/resolved-manager.c:697 #10 0x0000000000562328 in manager_freep (p=0x7f012f800040) at ../src/resolve/resolved-manager.h:198 #11 0x000000000056315a in run (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:25 #12 0x0000000000563284 in main (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:99 --- Prompted by systemd#30049 (comment).

By making assert_return() critical, we observe the following: --- Program received signal SIGABRT, Aborted. 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 (gdb) bt #0 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007f013205fafe in raise () from /lib64/libc.so.6 #2 0x00007f013204887f in abort () from /lib64/libc.so.6 #3 0x00007f01338d02d6 in log_assert_failed ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:948 #4 0x00007f01338d0457 in log_assert_failed_return ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:967 #5 0x00007f0133c7ed83 in sd_event_add_time (e=0x617000022280, ret=0x610000007e98, clock=7, usec=24054941030, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1399 #6 0x00007f0133c7f725 in sd_event_add_time_relative (e=0x617000022280, ret=0x610000007e98, clock=7, usec=1000000, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1462 #7 0x0000000000464cac in dns_scope_announce (scope=0x610000007e40, goodbye=true) at ../src/resolve/resolved-dns-scope.c:1530 #8 0x0000000000504d08 in link_free (l=0x612000023d40) at ../src/resolve/resolved-link.c:83 #9 0x000000000052dbbd in manager_free (m=0x619000000a80) at ../src/resolve/resolved-manager.c:697 #10 0x0000000000562328 in manager_freep (p=0x7f012f800040) at ../src/resolve/resolved-manager.h:198 #11 0x000000000056315a in run (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:25 #12 0x0000000000563284 in main (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:99 --- Prompted by systemd#30049 (comment). (cherry picked from commit a4be4ad)

Avoid passing a NULL message to sd_bus_message_is_signal(), to not trip over an assertion: [ 132.869436] H testsuite-82.sh[614]: + systemctl --no-block --check-inhibitors=yes soft-reboot [ 132.967386] H systemd[1]: Created slice system-systemd\x2dcoredump.slice. [ 133.018292] H systemd[1]: Starting inhibit.service... [ 133.122610] H systemd[1]: Started [email protected]. [ 133.163643] H systemd[1]: Started inhibit.service. [ 133.206836] H testsuite-82.sh[614]: + exec sleep infinity [ 133.236762] H systemd-logind[611]: The system will reboot now! [ 135.891607] H systemd-coredump[667]: [🡕] Process 663 (busctl) of user 0 dumped core. Stack trace of thread 663: #0 0x00007f2ec45e6acf raise (libc.so.6 + 0x4eacf) #1 0x00007f2ec45b9ea5 abort (libc.so.6 + 0x21ea5) #2 0x00007f2ec4b5c9a6 log_assert_failed (libsystemd-shared-255.so + 0x1ff9a6) #3 0x00007f2ec4b5dca5 log_assert_failed_return (libsystemd-shared-255.so + 0x200ca5) #4 0x00007f2ec4bb3df6 sd_bus_message_is_signal (libsystemd-shared-255.so + 0x256df6) #5 0x000000000040e478 monitor (busctl + 0xe478) #6 0x000000000040e82f verb_monitor (busctl + 0xe82f) #7 0x00007f2ec4b202cb dispatch_verb (libsystemd-shared-255.so + 0x1c32cb) #8 0x00000000004074fa busctl_main (busctl + 0x74fa) #9 0x0000000000407525 run (busctl + 0x7525) #10 0x000000000040ff67 main (busctl + 0xff67) #11 0x00007f2ec45d2d85 __libc_start_main (libc.so.6 + 0x3ad85) #12 0x00000000004044be _start (busctl + 0x44be) ELF object binary architecture: AMD x86-64 [ 136.141152] H dbus-daemon[634]: [system] Monitoring connection :1.2 closed. [ 136.152233] H systemd[1]: busctl.service: Main process exited, code=dumped, status=6/ABRT [ 136.153996] H systemd[1]: busctl.service: Failed with result 'core-dump'. The asertion in question: Assertion 'm' failed at src/libsystemd/sd-bus/bus-message.c:1015, function sd_bus_message_is_signal(). Aborting. We can get a NULL message here through sd_bus_process() -> bus_process_internal() -> process_running(), so let's handle this case appropriately.

Since in that case the event loop is already finished and we'd hit an assertion: [ 1295.993300] testsuite-75.sh[50]: + systemctl stop systemd-resolved.service [ 1296.005152] systemd-resolved[298]: Assertion 'e->state != SD_EVENT_FINISHED' failed at src/libsystemd/sd-event/sd-event.c:1252, function sd_event_add_io(). Aborting. Thread 1 (Thread 0x7f17d25e2940 (LWP 298)): #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007f17d16ac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007f17d165c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007f17d16444b8 in __GI_abort () at abort.c:79 #4 0x00007f17d2402d2d in log_assert_failed (text=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>) at ../build/src/basic/log.c:968 #5 0x00007f17d240401c in log_assert_failed_return (text=text@entry=0x7f17d2533f13 "e->state != SD_EVENT_FINISHED", file=file@entry=0x7f17d25195d9 "src/libsystemd/sd-event/sd-event.c", line=line@entry=1252, func=func@entry=0x7f17d2567260 <__func__.140> "sd_event_add_io") at ../build/src/basic/log.c:987 #6 0x00007f17d24d011a in sd_event_add_io (e=0x55e5cb497270, ret=0x55e5cb4a5120, fd=fd@entry=26, events=events@entry=1, callback=callback@entry=0x55e5caff5466 <on_io_event>, userdata=0x55e5cb4a5110) at ../build/src/libsystemd/sd-event/sd-event.c:1252 #7 0x000055e5caff571c in manager_add_socket_to_graveyard (m=0x55e5cb43cf00, fd=26) at ../build/src/resolve/resolved-socket-graveyard.c:117 #8 0x000055e5cafd4253 in dns_transaction_close_connection (t=t@entry=0x55e5cb57c7d0, use_graveyard=use_graveyard@entry=true) at ../build/src/resolve/resolved-dns-transaction.c:78 #9 0x000055e5cafd8444 in dns_transaction_complete (t=t@entry=0x55e5cb57c7d0, state=state@entry=DNS_TRANSACTION_ABORTED) at ../build/src/resolve/resolved-dns-transaction.c:427 #10 0x000055e5cafc4969 in dns_scope_abort_transactions (s=s@entry=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:91 #11 0x000055e5cafc6aee in dns_scope_free (s=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:106 #12 0x000055e5cafe72d1 in link_free (l=0x55e5cb4a5160) at ../build/src/resolve/resolved-link.c:94 #13 0x000055e5cafedefc in manager_free (m=0x55e5cb43cf00) at ../build/src/resolve/resolved-manager.c:697 #14 0x000055e5caff99b6 in manager_freep (p=p@entry=0x7ffd71fab8f8) at ../build/src/resolve/resolved-manager.h:198 #15 0x000055e5caff9d66 in run (argc=argc@entry=1, argv=argv@entry=0x7ffd71faba78) at ../build/src/resolve/resolved.c:25 #16 0x000055e5caff9fe3 in main (argc=1, argv=0x7ffd71faba78) at ../build/src/resolve/resolved.c:99 Resolves: systemd#30618

Since libfuzzer feeds a single fuzzing process with multiple inputs, we might carry over arg_transport from a previous invocation, tripping over the assert in acquire_bus(): +----------------------------------------Release Build Stacktrace----------------------------------------+ Assertion 'transport != BUS_TRANSPORT_REMOTE || runtime_scope == RUNTIME_SCOPE_SYSTEM' failed at src/shared/bus-util.c:284, function bus_connect_transport(). Aborting. AddressSanitizer:DEADLYSIGNAL ================================================================= ==2739==ERROR: AddressSanitizer: ABRT on unknown address 0x00000ab3 (pc 0xf7f52509 bp 0xffdf74cc sp 0xffdf74b0 T0) SCARINESS: 10 (signal) #0 0xf7f52509 in linux-gate.so.1 #1 0xf703b415 in raise #2 0xf70233f6 in abort #3 0xf772ac0a in log_assert_failed systemd/src/basic/log.c:968:9 #4 0xf77300d5 in log_assert_failed_return systemd/src/basic/log.c:987:17 #5 0xf7432bbf in bus_connect_transport systemd/src/shared/bus-util.c:284:9 #6 0x818cd17 in acquire_bus systemd/src/systemctl/systemctl-util.c:53:29 #7 0x815fd3c in help_boot_loader_entry systemd/src/systemctl/systemctl-logind.c:431:13 #8 0x819ca87 in systemctl_parse_argv systemd/src/systemctl/systemctl.c:863:37 #9 0x8197632 in systemctl_dispatch_parse_argv systemd/src/systemctl/systemctl.c:1137:16 #10 0x813328d in LLVMFuzzerTestOneInput systemd/src/systemctl/fuzz-systemctl-parse-argv.c:54:13 #11 0x81bbe7e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #12 0x81bb5b8 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned int, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #13 0x81bd42d in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7 #14 0x81bd62e in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3 #15 0x81ac84c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #16 0x81d65c7 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #17 0xf7024ed4 in __libc_start_main #18 0x806bdb5 in _start Resolves: systemd#30802

Avoid passing a NULL message to sd_bus_message_is_signal(), to not trip over an assertion: [ 132.869436] H testsuite-82.sh[614]: + systemctl --no-block --check-inhibitors=yes soft-reboot [ 132.967386] H systemd[1]: Created slice system-systemd\x2dcoredump.slice. [ 133.018292] H systemd[1]: Starting inhibit.service... [ 133.122610] H systemd[1]: Started [email protected]. [ 133.163643] H systemd[1]: Started inhibit.service. [ 133.206836] H testsuite-82.sh[614]: + exec sleep infinity [ 133.236762] H systemd-logind[611]: The system will reboot now! [ 135.891607] H systemd-coredump[667]: [🡕] Process 663 (busctl) of user 0 dumped core. Stack trace of thread 663: #0 0x00007f2ec45e6acf raise (libc.so.6 + 0x4eacf) #1 0x00007f2ec45b9ea5 abort (libc.so.6 + 0x21ea5) #2 0x00007f2ec4b5c9a6 log_assert_failed (libsystemd-shared-255.so + 0x1ff9a6) #3 0x00007f2ec4b5dca5 log_assert_failed_return (libsystemd-shared-255.so + 0x200ca5) #4 0x00007f2ec4bb3df6 sd_bus_message_is_signal (libsystemd-shared-255.so + 0x256df6) #5 0x000000000040e478 monitor (busctl + 0xe478) #6 0x000000000040e82f verb_monitor (busctl + 0xe82f) #7 0x00007f2ec4b202cb dispatch_verb (libsystemd-shared-255.so + 0x1c32cb) #8 0x00000000004074fa busctl_main (busctl + 0x74fa) #9 0x0000000000407525 run (busctl + 0x7525) #10 0x000000000040ff67 main (busctl + 0xff67) #11 0x00007f2ec45d2d85 __libc_start_main (libc.so.6 + 0x3ad85) #12 0x00000000004044be _start (busctl + 0x44be) ELF object binary architecture: AMD x86-64 [ 136.141152] H dbus-daemon[634]: [system] Monitoring connection :1.2 closed. [ 136.152233] H systemd[1]: busctl.service: Main process exited, code=dumped, status=6/ABRT [ 136.153996] H systemd[1]: busctl.service: Failed with result 'core-dump'. The asertion in question: Assertion 'm' failed at src/libsystemd/sd-bus/bus-message.c:1015, function sd_bus_message_is_signal(). Aborting. We can get a NULL message here through sd_bus_process() -> bus_process_internal() -> process_running(), so let's handle this case appropriately. (cherry picked from commit b4a21d5)

Since in that case the event loop is already finished and we'd hit an assertion: [ 1295.993300] testsuite-75.sh[50]: + systemctl stop systemd-resolved.service [ 1296.005152] systemd-resolved[298]: Assertion 'e->state != SD_EVENT_FINISHED' failed at src/libsystemd/sd-event/sd-event.c:1252, function sd_event_add_io(). Aborting. Thread 1 (Thread 0x7f17d25e2940 (LWP 298)): #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007f17d16ac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007f17d165c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007f17d16444b8 in __GI_abort () at abort.c:79 #4 0x00007f17d2402d2d in log_assert_failed (text=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>) at ../build/src/basic/log.c:968 #5 0x00007f17d240401c in log_assert_failed_return (text=text@entry=0x7f17d2533f13 "e->state != SD_EVENT_FINISHED", file=file@entry=0x7f17d25195d9 "src/libsystemd/sd-event/sd-event.c", line=line@entry=1252, func=func@entry=0x7f17d2567260 <__func__.140> "sd_event_add_io") at ../build/src/basic/log.c:987 #6 0x00007f17d24d011a in sd_event_add_io (e=0x55e5cb497270, ret=0x55e5cb4a5120, fd=fd@entry=26, events=events@entry=1, callback=callback@entry=0x55e5caff5466 <on_io_event>, userdata=0x55e5cb4a5110) at ../build/src/libsystemd/sd-event/sd-event.c:1252 #7 0x000055e5caff571c in manager_add_socket_to_graveyard (m=0x55e5cb43cf00, fd=26) at ../build/src/resolve/resolved-socket-graveyard.c:117 #8 0x000055e5cafd4253 in dns_transaction_close_connection (t=t@entry=0x55e5cb57c7d0, use_graveyard=use_graveyard@entry=true) at ../build/src/resolve/resolved-dns-transaction.c:78 #9 0x000055e5cafd8444 in dns_transaction_complete (t=t@entry=0x55e5cb57c7d0, state=state@entry=DNS_TRANSACTION_ABORTED) at ../build/src/resolve/resolved-dns-transaction.c:427 #10 0x000055e5cafc4969 in dns_scope_abort_transactions (s=s@entry=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:91 #11 0x000055e5cafc6aee in dns_scope_free (s=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:106 #12 0x000055e5cafe72d1 in link_free (l=0x55e5cb4a5160) at ../build/src/resolve/resolved-link.c:94 #13 0x000055e5cafedefc in manager_free (m=0x55e5cb43cf00) at ../build/src/resolve/resolved-manager.c:697 #14 0x000055e5caff99b6 in manager_freep (p=p@entry=0x7ffd71fab8f8) at ../build/src/resolve/resolved-manager.h:198 #15 0x000055e5caff9d66 in run (argc=argc@entry=1, argv=argv@entry=0x7ffd71faba78) at ../build/src/resolve/resolved.c:25 #16 0x000055e5caff9fe3 in main (argc=1, argv=0x7ffd71faba78) at ../build/src/resolve/resolved.c:99 Resolves: systemd#30618 (cherry picked from commit ac1b7b9)

All other usages of sd_varlink_call* do not free the json return parameter, and it is owned by the varlink object instead. Do the same here. TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08 TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds)) TEST-54-CREDS.sh[1074]: #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 TEST-54-CREDS.sh[1074]: #1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1 TEST-54-CREDS.sh[1074]: #5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1 TEST-54-CREDS.sh[1074]: #6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #17 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8) TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25 TEST-54-CREDS.sh[1074]: #2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1 TEST-54-CREDS.sh[1074]: #3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #14 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16 TEST-54-CREDS.sh[1074]: #5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13 TEST-54-CREDS.sh[1074]: #7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16 TEST-54-CREDS.sh[1074]: #10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13 TEST-54-CREDS.sh[1074]: #12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #22 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address: TEST-54-CREDS.sh[1074]: 0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 TEST-54-CREDS.sh[1074]: 0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes): TEST-54-CREDS.sh[1074]: Addressable: 00 TEST-54-CREDS.sh[1074]: Partially addressable: 01 02 03 04 05 06 07 TEST-54-CREDS.sh[1074]: Heap left redzone: fa TEST-54-CREDS.sh[1074]: Freed heap region: fd TEST-54-CREDS.sh[1074]: Stack left redzone: f1 TEST-54-CREDS.sh[1074]: Stack mid redzone: f2 TEST-54-CREDS.sh[1074]: Stack right redzone: f3 TEST-54-CREDS.sh[1074]: Stack after return: f5 TEST-54-CREDS.sh[1074]: Stack use after scope: f8 TEST-54-CREDS.sh[1074]: Global redzone: f9 TEST-54-CREDS.sh[1074]: Global init order: f6 TEST-54-CREDS.sh[1074]: Poisoned by user: f7 TEST-54-CREDS.sh[1074]: Container overflow: fc TEST-54-CREDS.sh[1074]: Array cookie: ac TEST-54-CREDS.sh[1074]: Intra object redzone: bb TEST-54-CREDS.sh[1074]: ASan internal: fe TEST-54-CREDS.sh[1074]: Left alloca redzone: ca TEST-54-CREDS.sh[1074]: Right alloca redzone: cb Follow-up for 2c3cbc5

All other usages of sd_varlink_call* do not free the json return parameter, and it is owned by the varlink object instead. Do the same here. TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08 TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds)) TEST-54-CREDS.sh[1074]: #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 TEST-54-CREDS.sh[1074]: #1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1 TEST-54-CREDS.sh[1074]: #5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1 TEST-54-CREDS.sh[1074]: #6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #17 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8) TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25 TEST-54-CREDS.sh[1074]: #2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1 TEST-54-CREDS.sh[1074]: #3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #14 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16 TEST-54-CREDS.sh[1074]: #5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13 TEST-54-CREDS.sh[1074]: #7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16 TEST-54-CREDS.sh[1074]: #10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13 TEST-54-CREDS.sh[1074]: #12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #22 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address: TEST-54-CREDS.sh[1074]: 0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 TEST-54-CREDS.sh[1074]: 0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes): TEST-54-CREDS.sh[1074]: Addressable: 00 TEST-54-CREDS.sh[1074]: Partially addressable: 01 02 03 04 05 06 07 TEST-54-CREDS.sh[1074]: Heap left redzone: fa TEST-54-CREDS.sh[1074]: Freed heap region: fd TEST-54-CREDS.sh[1074]: Stack left redzone: f1 TEST-54-CREDS.sh[1074]: Stack mid redzone: f2 TEST-54-CREDS.sh[1074]: Stack right redzone: f3 TEST-54-CREDS.sh[1074]: Stack after return: f5 TEST-54-CREDS.sh[1074]: Stack use after scope: f8 TEST-54-CREDS.sh[1074]: Global redzone: f9 TEST-54-CREDS.sh[1074]: Global init order: f6 TEST-54-CREDS.sh[1074]: Poisoned by user: f7 TEST-54-CREDS.sh[1074]: Container overflow: fc TEST-54-CREDS.sh[1074]: Array cookie: ac TEST-54-CREDS.sh[1074]: Intra object redzone: bb TEST-54-CREDS.sh[1074]: ASan internal: fe TEST-54-CREDS.sh[1074]: Left alloca redzone: ca TEST-54-CREDS.sh[1074]: Right alloca redzone: cb Follow-up for 2c3cbc5 (cherry picked from commit 842a674)

All other usages of sd_varlink_call* do not free the json return parameter, and it is owned by the varlink object instead. Do the same here. TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08 TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds)) TEST-54-CREDS.sh[1074]: #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 TEST-54-CREDS.sh[1074]: #1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1 TEST-54-CREDS.sh[1074]: #5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1 TEST-54-CREDS.sh[1074]: #6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #17 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8) TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25 TEST-54-CREDS.sh[1074]: #2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1 TEST-54-CREDS.sh[1074]: #3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #14 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16 TEST-54-CREDS.sh[1074]: #5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13 TEST-54-CREDS.sh[1074]: #7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16 TEST-54-CREDS.sh[1074]: #10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13 TEST-54-CREDS.sh[1074]: #12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #22 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address: TEST-54-CREDS.sh[1074]: 0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 TEST-54-CREDS.sh[1074]: 0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes): TEST-54-CREDS.sh[1074]: Addressable: 00 TEST-54-CREDS.sh[1074]: Partially addressable: 01 02 03 04 05 06 07 TEST-54-CREDS.sh[1074]: Heap left redzone: fa TEST-54-CREDS.sh[1074]: Freed heap region: fd TEST-54-CREDS.sh[1074]: Stack left redzone: f1 TEST-54-CREDS.sh[1074]: Stack mid redzone: f2 TEST-54-CREDS.sh[1074]: Stack right redzone: f3 TEST-54-CREDS.sh[1074]: Stack after return: f5 TEST-54-CREDS.sh[1074]: Stack use after scope: f8 TEST-54-CREDS.sh[1074]: Global redzone: f9 TEST-54-CREDS.sh[1074]: Global init order: f6 TEST-54-CREDS.sh[1074]: Poisoned by user: f7 TEST-54-CREDS.sh[1074]: Container overflow: fc TEST-54-CREDS.sh[1074]: Array cookie: ac TEST-54-CREDS.sh[1074]: Intra object redzone: bb TEST-54-CREDS.sh[1074]: ASan internal: fe TEST-54-CREDS.sh[1074]: Left alloca redzone: ca TEST-54-CREDS.sh[1074]: Right alloca redzone: cb Follow-up for 2c3cbc5 (cherry picked from commit 842a674) (cherry picked from commit b342fb5)

Most places already check that the UNIT_VTABLE pointer is valid before calling it, but a couple don't, so add the same checks. Also ensure the type is valid before using it as an index in the array, to avoid out of bounds accesses. This should hopefully at least address a crash observed in the wild on arm64: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2098861 (gdb) bt full #0 0x0000e14d99f296a8 in ?? () No symbol table info available. #1 0x0000e14d999df8e4 in missing_rt_tgsigqueueinfo (info=0xffffddda1ca0, sig=11, tid=<optimized out>, tgid=1227) at ../src/basic/missing_syscall.h:384 No locals. #2 propagate_signal (sig=sig@entry=11, siginfo=siginfo@entry=0xffffddda1ca0) at ../src/basic/signal-util.c:301 p = 1227 __func__ = "propagate_signal" #3 0x0000bb509f70e9bc [PAC] in crash (sig=11, siginfo=0xffffddda1ca0, context=<optimized out>) at ../src/core/crash-handler.c:94 sa = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = { 0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0x0} pid = 0 __func__ = "crash" #4 <signal handler called> No symbol table info available. #5 0x0000e14d99d2944c in unit_active_state (u=u@entry=0xbb50c8aeeb10) at ../src/core/unit.c:941 __func__ = "unit_active_state" #6 0x0000e14d99d2d454 in unit_may_gc (u=0xbb50c8aeeb10) at ../src/core/unit.c:465 state = <optimized out> r = <optimized out> __func__ = "unit_may_gc" #7 0x0000e14d99d2e7d8 [PAC] in unit_add_to_gc_queue (u=u@entry=0xbb50c8aeeb10) at ../src/core/unit.c:535 __func__ = "unit_add_to_gc_queue" #8 0x0000e14d99d2efe0 [PAC] in unit_clear_dependencies (u=0xbb50c8b0a7c0) at ../src/core/unit.c:656 other_deps = 0x0 other = 0xbb50c8aeeb10 deps = 0xbb50c8bd9270 __func__ = <optimized out> #9 unit_free (u=0xbb50c8b0a7c0) at ../src/core/unit.c:797 slice = 0x0 t = 0x0 __func__ = "unit_free" #10 0x0000e14d99ce228c [PAC] in manager_clear_jobs_and_units.part.0.lto_priv.0 (m=m@entry=0xbb50c8acf790) at ../src/core/manager.c:1594 u = <optimized out> __func__ = <optimized out> #11 0x0000e14d99ce2624 [PAC] in manager_clear_jobs_and_units (m=0xbb50c8acf790) at ../src/core/manager.c:1591 u = <optimized out> u = <optimized out> __func__ = <optimized out> #12 manager_reload (m=m@entry=0xbb50c8acf790) at ../src/core/manager.c:3568 reloading = 0x0 fds = 0xbb50c8acd8a8 f = 0xbb50c8d6dfe0 r = 0 __func__ = "manager_reload" #13 0x0000bb509f709338 [PAC] in invoke_main_loop (ret_error_message=0xffffddda3178, ret_switch_root_init=<synthetic pointer>, ret_switch_root_dir=<synthetic pointer>, ret_fds=0xffffddda3168, ret_retval=<synthetic pointer>, saved_rlimit_memlock=0xffffddda31a0, saved_rlimit_nofile=0xffffddda31b0, m=0xbb50c8acf790) at ../src/core/main.c:1982 saved_log_target = <optimized out> saved_log_level = <optimized out> objective = 2 r = <optimized out> r = <optimized out> __func__ = <optimized out> objective = <optimized out> saved_log_target = <optimized out> saved_log_level = <optimized out> _level = <optimized out> _e = <optimized out> _level = <optimized out> _e = <optimized out> _level = <optimized out> _e = <optimized out> _level = <optimized out> _e = <optimized out> _pvar_ = <optimized out> _var_ = <optimized out> _nullvalue_ = <optimized out> _pvar_ = <optimized out> _var_ = <optimized out> _nullvalue_ = <optimized out> _level = <optimized out> _e = <optimized out> _pvar_ = <optimized out> _var_ = <optimized out> _nullvalue_ = <optimized out> _level = <optimized out> _e = <optimized out> _level = <optimized out> _e = <optimized out> #14 main (argc=1, argv=0xffffddda3668) at ../src/core/main.c:3106 initrd_timestamp = <optimized out> userspace_timestamp = {realtime = 1739974537959351, monotonic = 743773} kernel_timestamp = {realtime = 1739974537215578, monotonic = 0} security_start_timestamp = {realtime = 1739974537972541, monotonic = 756963} security_finish_timestamp = {realtime = 1739974537973484, monotonic = 757906} saved_rlimit_nofile = {rlim_cur = 1024, rlim_max = 4096} saved_rlimit_memlock = {rlim_cur = 8388608, rlim_max = 8388608} skip_setup = <optimized out> loaded_policy = false queue_default_job = <optimized out> first_boot = <optimized out> switch_root_dir = 0x0 switch_root_init = 0x0 before_startup = <optimized out> after_startup = <optimized out> error_message = 0x0 r = <optimized out> retval = 1 m = 0xbb50c8acf790 fds = 0x0 systemd = "systemd" __func__ = "main" _found = <optimized out> __assert_in_set = <optimized out>

Most places already check that the UNIT_VTABLE pointer is valid before calling it, but a couple don't, so add the same checks. Also ensure the type is valid before using it as an index in the array, to avoid out of bounds accesses. Finally in the cleanup path check that the vtable is defined at all, as it seems in some cases it isn't, as shown in the backtrace below. This should hopefully at least address a crash observed in the wild on arm64: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2098861 (gdb) bt full #0 0x0000e14d99f296a8 in ?? () No symbol table info available. #1 0x0000e14d999df8e4 in missing_rt_tgsigqueueinfo (info=0xffffddda1ca0, sig=11, tid=<optimized out>, tgid=1227) at ../src/basic/missing_syscall.h:384 No locals. #2 propagate_signal (sig=sig@entry=11, siginfo=siginfo@entry=0xffffddda1ca0) at ../src/basic/signal-util.c:301 p = 1227 __func__ = "propagate_signal" #3 0x0000bb509f70e9bc [PAC] in crash (sig=11, siginfo=0xffffddda1ca0, context=<optimized out>) at ../src/core/crash-handler.c:94 sa = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = { 0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0x0} pid = 0 __func__ = "crash" #4 <signal handler called> No symbol table info available. #5 0x0000e14d99d2944c in unit_active_state (u=u@entry=0xbb50c8aeeb10) at ../src/core/unit.c:941 __func__ = "unit_active_state" #6 0x0000e14d99d2d454 in unit_may_gc (u=0xbb50c8aeeb10) at ../src/core/unit.c:465 state = <optimized out> r = <optimized out> __func__ = "unit_may_gc" #7 0x0000e14d99d2e7d8 [PAC] in unit_add_to_gc_queue (u=u@entry=0xbb50c8aeeb10) at ../src/core/unit.c:535 __func__ = "unit_add_to_gc_queue" #8 0x0000e14d99d2efe0 [PAC] in unit_clear_dependencies (u=0xbb50c8b0a7c0) at ../src/core/unit.c:656 other_deps = 0x0 other = 0xbb50c8aeeb10 deps = 0xbb50c8bd9270 __func__ = <optimized out> #9 unit_free (u=0xbb50c8b0a7c0) at ../src/core/unit.c:797 slice = 0x0 t = 0x0 __func__ = "unit_free" #10 0x0000e14d99ce228c [PAC] in manager_clear_jobs_and_units.part.0.lto_priv.0 (m=m@entry=0xbb50c8acf790) at ../src/core/manager.c:1594 u = <optimized out> __func__ = <optimized out> #11 0x0000e14d99ce2624 [PAC] in manager_clear_jobs_and_units (m=0xbb50c8acf790) at ../src/core/manager.c:1591 u = <optimized out> u = <optimized out> __func__ = <optimized out> #12 manager_reload (m=m@entry=0xbb50c8acf790) at ../src/core/manager.c:3568 reloading = 0x0 fds = 0xbb50c8acd8a8 f = 0xbb50c8d6dfe0 r = 0 __func__ = "manager_reload" #13 0x0000bb509f709338 [PAC] in invoke_main_loop (ret_error_message=0xffffddda3178, ret_switch_root_init=<synthetic pointer>, ret_switch_root_dir=<synthetic pointer>, ret_fds=0xffffddda3168, ret_retval=<synthetic pointer>, saved_rlimit_memlock=0xffffddda31a0, saved_rlimit_nofile=0xffffddda31b0, m=0xbb50c8acf790) at ../src/core/main.c:1982 saved_log_target = <optimized out> saved_log_level = <optimized out> objective = 2 r = <optimized out> r = <optimized out> __func__ = <optimized out> objective = <optimized out> saved_log_target = <optimized out> saved_log_level = <optimized out> _level = <optimized out> _e = <optimized out> _level = <optimized out> _e = <optimized out> _level = <optimized out> _e = <optimized out> _level = <optimized out> _e = <optimized out> _pvar_ = <optimized out> _var_ = <optimized out> _nullvalue_ = <optimized out> _pvar_ = <optimized out> _var_ = <optimized out> _nullvalue_ = <optimized out> _level = <optimized out> _e = <optimized out> _pvar_ = <optimized out> _var_ = <optimized out> _nullvalue_ = <optimized out> _level = <optimized out> _e = <optimized out> _level = <optimized out> _e = <optimized out> #14 main (argc=1, argv=0xffffddda3668) at ../src/core/main.c:3106 initrd_timestamp = <optimized out> userspace_timestamp = {realtime = 1739974537959351, monotonic = 743773} kernel_timestamp = {realtime = 1739974537215578, monotonic = 0} security_start_timestamp = {realtime = 1739974537972541, monotonic = 756963} security_finish_timestamp = {realtime = 1739974537973484, monotonic = 757906} saved_rlimit_nofile = {rlim_cur = 1024, rlim_max = 4096} saved_rlimit_memlock = {rlim_cur = 8388608, rlim_max = 8388608} skip_setup = <optimized out> loaded_policy = false queue_default_job = <optimized out> first_boot = <optimized out> switch_root_dir = 0x0 switch_root_init = 0x0 before_startup = <optimized out> after_startup = <optimized out> error_message = 0x0 r = <optimized out> retval = 1 m = 0xbb50c8acf790 fds = 0x0 systemd = "systemd" __func__ = "main" _found = <optimized out> __assert_in_set = <optimized out>

The following failure should be in libxkbcommon and/or sanitizer. There is nothing we can do here. Let's skip it. ``` TEST-73-LOCALE.sh[3733]: + assert_rc 0 localectl set-keymap lv TEST-73-LOCALE.sh[6699]: + set +ex TEST-73-LOCALE.sh[6700]: Failed to set keymap: Remote peer disconnected TEST-73-LOCALE.sh[6703]: FAIL: expected: '0' actual: '1' TEST-73-LOCALE.sh[157]: + rm -f /etc/dbus-1/system.d/systemd-localed-read-only.conf [FAILED] Failed to start TEST-73-LOCALE.service - TEST-73-LOCALE. ``` ``` ==3719==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa51f161000 at pc 0x7fa521250be4 bp 0x7ffe49130a80 sp 0x7ffe49130240 READ of size 19126 at 0x7fa51f161000 thread T0 #0 0x7fa521250be3 in strndup (/usr/lib/clang/20/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0x50be3) (BuildId: aa6231e817f72469c44a6c6cee9f0694a87db7fb) #1 0x7fa51f128325 (/lib64/libxkbcommon.so.0+0x1c325) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #2 0x7fa51f121952 (/lib64/libxkbcommon.so.0+0x15952) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #3 0x7fa51f123d3a (/lib64/libxkbcommon.so.0+0x17d3a) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #4 0x7fa51f117c86 (/lib64/libxkbcommon.so.0+0xbc86) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #5 0x7fa51f12548f (/lib64/libxkbcommon.so.0+0x1948f) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #6 0x7fa51f125c9e (/lib64/libxkbcommon.so.0+0x19c9e) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #7 0x7fa51f126a59 (/lib64/libxkbcommon.so.0+0x1aa59) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #8 0x7fa51f12cec6 (/lib64/libxkbcommon.so.0+0x20ec6) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #9 0x7fa51f12e3c2 (/lib64/libxkbcommon.so.0+0x223c2) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #10 0x7fa51f12a4e5 in xkb_keymap_new_from_names (/lib64/libxkbcommon.so.0+0x1e4e5) (BuildId: 72e8cb985db37963272d140f7b2aee551c465ff5) #11 0x5574dd63f864 in verify_xkb_rmlvo /usr/src/debug/systemd/src/locale/xkbcommon-util.c:69:14 (snip) ```

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Sep 1, 2022

bluca closed this Sep 1, 2022

dependabot bot deleted the dependabot/github_actions/systemd/mkosi-a2091d1cd31294dc2611649d09a51cc8fb2817fd branch September 1, 2022 08:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump systemd/mkosi from 679bcc98fb8fbe7b53ed809c7019992877e18c14 to 13 #7

build(deps): bump systemd/mkosi from 679bcc98fb8fbe7b53ed809c7019992877e18c14 to 13 #7

dependabot bot commented on behalf of github Sep 1, 2022

bluca commented Sep 1, 2022

dependabot bot commented on behalf of github Sep 1, 2022

build(deps): bump systemd/mkosi from 679bcc98fb8fbe7b53ed809c7019992877e18c14 to 13 #7

build(deps): bump systemd/mkosi from 679bcc98fb8fbe7b53ed809c7019992877e18c14 to 13 #7

Conversation

dependabot bot commented on behalf of github Sep 1, 2022

v13

mkosi Changelog

v14

v13

bluca commented Sep 1, 2022

dependabot bot commented on behalf of github Sep 1, 2022