<feed xmlns='http://www.w3.org/2005/Atom'>
<title>libubox/tests/fuzz, branch master</title>
<subtitle>C utility functions for OpenWrt</subtitle>
<id>https://git.openwrt.org/project/libubox/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/libubox/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/'/>
<updated>2020-05-26T07:48:07Z</updated>
<entry>
<title>tests: add fuzzer seed file for crash in blob_len</title>
<updated>2020-05-26T07:48:07Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2020-05-26T07:22:13Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=cf2e8eb485abc30ed8acc51ba5cb50d2bbc8e3d1'/>
<id>urn:sha1:cf2e8eb485abc30ed8acc51ba5cb50d2bbc8e3d1</id>
<content type='text'>
The following regression was introduced in commit 5e75160f4878 ("blobmsg:
fix attrs iteration in the blobmsg_check_array_len()"):

 Thread 1 "test-fuzz" received signal SIGSEGV, Segmentation fault.
  in blob_len (attr=0x6020000100d4) at libubox/blob.h:102
  102             return (be32_to_cpu(attr-&gt;id_len) &amp; BLOB_ATTR_LEN_MASK) - sizeof(struct blob_attr);

 blob_len (attr=0x6020000100d4) at /libubox/blob.h:102
 blob_raw_len (attr=0x6020000100d4) at /libubox/blob.h:111
 blob_pad_len (attr=0x6020000100d4) at /libubox/blob.h:120
 blobmsg_check_array_len (attr=0x6020000000d0, type=0, blob_len=10) at /libubox/blobmsg.c:145
 fuzz_blobmsg_parse (data=0x6020000000d0 "\001\004", size=10) at /libubox/tests/fuzz/test-fuzz.c:57

Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes</title>
<updated>2020-01-20T15:54:10Z</updated>
<author>
<name>Juraj Vijtiuk</name>
</author>
<published>2020-01-12T11:26:18Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=43a103ff17ee5872669f8712606578c90c14591d'/>
<id>urn:sha1:43a103ff17ee5872669f8712606578c90c14591d</id>
<content type='text'>
Fix out of bounds read in blobmsg_parse and blobmsg_check_name. The
out of bounds read happens because blob_attr and blobmsg_hdr have
flexible array members, whose size is 0 in the corresponding sizeofs.
For example, the __blob_for_each_attr macro checks whether rem &gt;=
sizeof(struct blob_attr). However, what LibFuzzer discovered was that,
if the input data was only 4 bytes, the data would be cast to blob_attr,
and later on blob_data(attr) would be called even though attr-&gt;data was empty.
The same issue could appear with data larger than 4 bytes, where data
wasn't empty, but contained only the start of the blobmsg_hdr struct,
and the blobmsg_hdr name was empty. The bugs were discovered by fuzzing
blobmsg_parse and blobmsg_array_parse with LibFuzzer.

CC: Luka Perkov &lt;luka.perkov@sartura.hr&gt;
Reviewed-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
Signed-off-by: Juraj Vijtiuk &lt;juraj.vijtiuk@sartura.hr&gt;
[refactored some checks, added fuzz inputs, adjusted unit test results]
Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>tests: prefer dynamically allocated buffers</title>
<updated>2020-01-20T15:54:10Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2020-01-18T17:32:55Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=5c0faaf4f5e26180dcc31b7e8558d57426d84085'/>
<id>urn:sha1:5c0faaf4f5e26180dcc31b7e8558d57426d84085</id>
<content type='text'>
Helps with detecting OOB reads and other issues under Valgrind.

 Conditional jump or move depends on uninitialised value(s)
   at 0x5452886: blobmsg_parse (blobmsg.c:203)
   by 0x400A8E: test_blobmsg (tests/test-blobmsg-parse.c:66)
   by 0x400A8E: main (tests/test-blobmsg-parse.c:82)

 Conditional jump or move depends on uninitialised value(s)
   at 0x545247F: blobmsg_check_name (blobmsg.c:39)
   by 0x545247F: blobmsg_check_attr_len (blobmsg.c:79)
   by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
   by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
   by 0x400AB8: main (tests/test-blobmsg-parse.c:82)

 Conditional jump or move depends on uninitialised value(s)
   at 0x54524A0: blobmsg_check_name (blobmsg.c:42)
   by 0x54524A0: blobmsg_check_attr_len (blobmsg.c:79)
   by 0x5452710: blobmsg_parse_array (blobmsg.c:159)
   by 0x400AB8: test_blobmsg (tests/test-blobmsg-parse.c:69)
   by 0x400AB8: main (tests/test-blobmsg-parse.c:82)

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-January/021204.html
Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>tests: fuzz: fuzz _len variants of checking methods</title>
<updated>2019-12-25T09:31:58Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2019-12-11T05:35:17Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=586ce031eaa0e732603adbc9509aeaca4d6b2769'/>
<id>urn:sha1:586ce031eaa0e732603adbc9509aeaca4d6b2769</id>
<content type='text'>
In order to increase test coverage.

Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>test: fuzz: add blobmsg_check_attr crashes</title>
<updated>2019-12-25T09:31:58Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2019-12-10T13:58:40Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=8a34788b46c4800a8ed66bfe028da5c621f267f3'/>
<id>urn:sha1:8a34788b46c4800a8ed66bfe028da5c621f267f3</id>
<content type='text'>
 ==31775==ERROR: AddressSanitizer: SEGV on unknown address 0x604000a7c715
 ==31775==The signal is caused by a READ memory access.
    #0 blobmsg_check_attr blobmsg.c:48:6
    #1 blobmsg_parse_array blobmsg.c:118:8
    #2 fuzz_blobmsg_parse test-blobmsg-parse-fuzzer.c:35:2

Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>blob: fix OOB access in blob_check_type</title>
<updated>2019-12-25T09:31:58Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2019-12-09T14:27:16Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=478597b9f9ae66836759701a9ec708816506d07c'/>
<id>urn:sha1:478597b9f9ae66836759701a9ec708816506d07c</id>
<content type='text'>
Found by fuzzer:

 ERROR: AddressSanitizer: SEGV on unknown address 0x602100000455
 The signal is caused by a READ memory access.
     #0 in blob_check_type blob.c:214:43
     #1 in blob_parse_attr blob.c:234:9
     #2 in blob_parse_untrusted blob.c:272:12
     #3 in fuzz_blob_parse tests/fuzzer/test-blob-parse-fuzzer.c:34:2
     #4 in LLVMFuzzerTestOneInput tests/fuzzer/test-blob-parse-fuzzer.c:39:2

Caused by following line:

	if (type == BLOB_ATTR_STRING &amp;&amp; data[len - 1] != 0)

where len was pointing outside of the data buffer.

Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>tests: use blob_parse_untrusted variant</title>
<updated>2019-12-25T09:31:58Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2019-12-09T13:47:40Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=325418a7a3c0e22cfbd6726693d780c1afd9d9c6'/>
<id>urn:sha1:325418a7a3c0e22cfbd6726693d780c1afd9d9c6</id>
<content type='text'>
In order to be able to use invalid input for testing as well.

Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>test: fuzz: add blob_parse crashes</title>
<updated>2019-12-25T09:31:58Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2019-12-10T16:12:07Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=833d25797b16b3720d86843a43e1438c4b029de9'/>
<id>urn:sha1:833d25797b16b3720d86843a43e1438c4b029de9</id>
<content type='text'>
==5872==ERROR: AddressSanitizer: SEGV on unknown address 0x6020004100b4
==5872==The signal is caused by a READ memory access.
    #0 blob_data blob.h
    #1 blob_parse blob.c:228:2

Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>tests: add libFuzzer based tests</title>
<updated>2019-12-25T09:31:58Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2019-12-08T14:11:02Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/libubox/commit/?id=436d6363a10bbb41ab92602b4eb0030992bb1785'/>
<id>urn:sha1:436d6363a10bbb41ab92602b4eb0030992bb1785</id>
<content type='text'>
LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine.

LibFuzzer is linked with the library under test, and feeds fuzzed inputs
to the library via a specific fuzzing entrypoint (aka "target
function"); the fuzzer then tracks which areas of the code are reached,
and generates mutations on the corpus of input data in order to maximize
the code coverage.

Let's use libFuzzer to fuzz blob and blobmsg parsing for a start.

Ref: https://llvm.org/docs/LibFuzzer.html
Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
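<![CDATA[
Added example, not code from libubox or from any of the commits in this feed: a small TLV walker modelled on the blob_attr layout that those commits describe (a 4-byte big-endian header whose sizeof excludes the flexible array member, followed by the payload), showing the two checks the messages above call for, the "header present but payload empty" case from the blobmsg_parse fix and the data[len - 1] string check from the blob_check_type fix, together with the libFuzzer target function that the last entry describes. The struct attr_hdr layout, count_attrs, ATTR_LEN_MASK, ATTR_TYPE_STRING and the seed_* inputs are all assumptions made for this illustration; the seeds are constructed to mirror the cases in the commit messages rather than taken from the project's corpus.

```c
/* Added example, not libubox code. struct attr_hdr, count_attrs and the
 * seed_* arrays are invented for illustration; only the shape of the
 * header (type byte + 24-bit total length, payload as a flexible array
 * member) follows the commit messages above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATTR_LEN_MASK    0x00ffffffu
#define ATTR_TYPE_STRING 1u

struct attr_hdr {
    uint32_t id_len;  /* big-endian: type in the top byte, total length (header + payload) below */
    uint8_t data[];   /* flexible array member: contributes nothing to sizeof(struct attr_hdr) */
};

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the number of attributes in buf, or -1 if it is malformed.
 * Every read is bounded by 'rem' before it happens. */
int count_attrs(const uint8_t *buf, size_t len)
{
    size_t rem = len;
    int count = 0;

    while (rem > 0) {
        /* sizeof(struct attr_hdr) is 4, so this only proves the header is
         * present; it says nothing about the payload (the 4-byte input case). */
        if (rem < sizeof(struct attr_hdr))
            return -1;

        uint32_t id_len = load_be32(buf);
        uint32_t type = id_len >> 24;
        size_t total = id_len & ATTR_LEN_MASK;

        /* The length field is attacker-controlled: it must cover its own
         * header and must not run past the bytes actually held. */
        if (total < sizeof(struct attr_hdr) || total > rem)
            return -1;

        size_t payload = total - sizeof(struct attr_hdr);
        const uint8_t *data = buf + sizeof(struct attr_hdr);

        /* For a string, data[payload - 1] is only meaningful when payload > 0;
         * with payload == 0 the index wraps and reads before the payload,
         * the pattern behind the blob_check_type crash quoted above. */
        if (type == ATTR_TYPE_STRING && (payload == 0 || data[payload - 1] != 0))
            return -1;

        /* Attributes are 4-byte aligned; clamp the step so a short final
         * attribute does not push the cursor past the buffer. */
        size_t step = (total + 3u) & ~(size_t)3u;
        if (step > rem)
            step = rem;
        buf += step;
        rem -= step;
        count++;
    }
    return count;
}

/* libFuzzer target function. Build the fuzzer with:
 *   clang -g -O1 -fsanitize=fuzzer,address example.c -o example-fuzz
 * libFuzzer supplies main() in that build, and clang defines
 * FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION, which compiles out the replay
 * main() below. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)count_attrs(data, size);  /* must return, never crash, for any input */
    return 0;
}

/* Constructed seed inputs mirroring the cases in the commit messages. */
static const uint8_t seed_hdr_only[]     = { 0x00, 0x00, 0x00, 0x04 };
static const uint8_t seed_empty_string[] = { 0x01, 0x00, 0x00, 0x04 };
static const uint8_t seed_unterminated[] = { 0x01, 0x00, 0x00, 0x06, 'h', 'i' };
static const uint8_t seed_truncated[]    = { 0x00, 0x00, 0x00, 0x10, 'a', 'b' };
static const uint8_t seed_zero_length[]  = { 0x00, 0x00, 0x00, 0x00 };
static const uint8_t seed_two_attrs[]    = { 0x01, 0x00, 0x00, 0x07, 'h', 'i', 0x00, 0x00,
                                             0x00, 0x00, 0x00, 0x05, 'z' };

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* Replay the seeds the way a crash reproducer would, without libFuzzer. */
int main(void)
{
    printf("header only:  %d\n", count_attrs(seed_hdr_only, sizeof seed_hdr_only));
    printf("empty string: %d\n", count_attrs(seed_empty_string, sizeof seed_empty_string));
    printf("unterminated: %d\n", count_attrs(seed_unterminated, sizeof seed_unterminated));
    printf("truncated:    %d\n", count_attrs(seed_truncated, sizeof seed_truncated));
    printf("zero length:  %d\n", count_attrs(seed_zero_length, sizeof seed_zero_length));
    printf("two attrs:    %d\n", count_attrs(seed_two_attrs, sizeof seed_two_attrs));
    return 0;
}
#endif
```

The header-only seed is accepted (an empty non-string payload is legal), while the same four bytes with the string type byte set are rejected before data[payload - 1] is ever evaluated; the truncated and zero-length seeds show why the total length must be checked against rem in both directions (a zero total would otherwise never advance the cursor). The replay main() is the stand-alone counterpart of feeding the seed files from tests/fuzz back into the libFuzzer binary.
]]>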
</feed>
