mount: use libmount to monitor mountinfo & utab #9

haraldh · 2015-06-02T13:47:46Z

The current implementation directly monitor /proc/self/mountinfo and
/run/mount/utab files. It's really not optimal because utab file is
private libmount stuff without any official guaranteed semantic.

The libmount since v2.26 provides API to monitor mount kernel &
userspace changes. This patch replaces the current implementation with
libmount based solution.

Now the manager.h includes <libmount.h>, so $MOUNT_CFLAGS has been
necessary to add to many tests CFLAGS.

Note that mnt_monitor_event_cleanup() in v2.26 is broken, so the patch
uses mnt_monitor_next_change(). It's exactly the same solution which
uses the current libmount HEAD (mnt_monitor_event_cleanup() is API
shorcut only).

The current implementation directly monitor /proc/self/mountinfo and /run/mount/utab files. It's really not optimal because utab file is private libmount stuff without any official guaranteed semantic. The libmount since v2.26 provides API to monitor mount kernel & userspace changes. This patch replaces the current implementation with libmount based solution. Now the manager.h includes <libmount.h>, so $MOUNT_CFLAGS has been necessary to add to many tests CFLAGS. Note that mnt_monitor_event_cleanup() in v2.26 is broken, so the patch uses mnt_monitor_next_change(). It's exactly the same solution which uses the current libmount HEAD (mnt_monitor_event_cleanup() is API shorcut only).

$ /usr/lib/systemd/systemd-timedated (wait until auto-exit) ================================================================= ==396==ERROR: LeakSanitizer: detected memory leaks Direct leak of 928 byte(s) in 1 object(s) allocated from: #0 0x7f782f788db1 in __interceptor_calloc (/usr/lib64/libasan.so.2+0x96db1) #1 0x562a83ae60cf in bus_message_from_header src/libsystemd/sd-bus/bus-message.c:480 #2 0x562a83ae6f5a in bus_message_from_malloc src/libsystemd/sd-bus/bus-message.c:576 #3 0x562a83ad3cad in bus_socket_make_message src/libsystemd/sd-bus/bus-socket.c:915 #4 0x562a83ad4cfc in bus_socket_read_message src/libsystemd/sd-bus/bus-socket.c:1051 #5 0x562a83ab733f in bus_read_message src/libsystemd/sd-bus/sd-bus.c:1647 #6 0x562a83ab98ea in sd_bus_call src/libsystemd/sd-bus/sd-bus.c:2038 #7 0x562a83b1f46d in sd_bus_call_method src/libsystemd/sd-bus/bus-convenience.c:94 #8 0x562a83aab3e1 in context_read_ntp src/timedate/timedated.c:192 #9 0x562a83aae1af in main src/timedate/timedated.c:730 #10 0x7f782eb238c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) Indirect leak of 77 byte(s) in 1 object(s) allocated from: #0 0x7f782f788f6a in realloc (/usr/lib64/libasan.so.2+0x96f6a) #1 0x562a83ad418a in bus_socket_read_message src/libsystemd/sd-bus/bus-socket.c:963 #2 0x562a83ab733f in bus_read_message src/libsystemd/sd-bus/sd-bus.c:1647 #3 0x562a83ab98ea in sd_bus_call src/libsystemd/sd-bus/sd-bus.c:2038 #4 0x562a83b1f46d in sd_bus_call_method src/libsystemd/sd-bus/bus-convenience.c:94 #5 0x562a83aab3e1 in context_read_ntp src/timedate/timedated.c:192 #6 0x562a83aae1af in main src/timedate/timedated.c:730 #7 0x7f782eb238c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) Indirect leak of 2 byte(s) in 1 object(s) allocated from: #0 0x7f782f75493f in strdup (/usr/lib64/libasan.so.2+0x6293f) #1 0x562a83b0229b in bus_message_parse_fields src/libsystemd/sd-bus/bus-message.c:5382 #2 0x562a83ae7290 in bus_message_from_malloc src/libsystemd/sd-bus/bus-message.c:601 #3 0x562a83ad3cad in bus_socket_make_message src/libsystemd/sd-bus/bus-socket.c:915 #4 0x562a83ad4cfc in bus_socket_read_message src/libsystemd/sd-bus/bus-socket.c:1051 #5 0x562a83ab733f in bus_read_message src/libsystemd/sd-bus/sd-bus.c:1647 #6 0x562a83ab98ea in sd_bus_call src/libsystemd/sd-bus/sd-bus.c:2038 #7 0x562a83b1f46d in sd_bus_call_method src/libsystemd/sd-bus/bus-convenience.c:94 #8 0x562a83aab3e1 in context_read_ntp src/timedate/timedated.c:192 #9 0x562a83aae1af in main src/timedate/timedated.c:730 #10 0x7f782eb238c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) SUMMARY: AddressSanitizer: 1007 byte(s) leaked in 3 allocation(s). This is due to missing _cleanup_bus_message_unref_ in context_read_ntp()

karelzak · 2015-06-03T13:06:33Z

I have send a new version to the mailing list. (For the next patches I'll use pull requests.)

haraldh · 2015-06-03T14:16:45Z

Obsoleted with #53

rules: whitelist xvd* devices

$ /usr/lib/systemd/systemd-timedated (wait until auto-exit) ================================================================= ==396==ERROR: LeakSanitizer: detected memory leaks Direct leak of 928 byte(s) in 1 object(s) allocated from: #0 0x7f782f788db1 in __interceptor_calloc (/usr/lib64/libasan.so.2+0x96db1) systemd#1 0x562a83ae60cf in bus_message_from_header src/libsystemd/sd-bus/bus-message.c:480 systemd#2 0x562a83ae6f5a in bus_message_from_malloc src/libsystemd/sd-bus/bus-message.c:576 systemd#3 0x562a83ad3cad in bus_socket_make_message src/libsystemd/sd-bus/bus-socket.c:915 systemd#4 0x562a83ad4cfc in bus_socket_read_message src/libsystemd/sd-bus/bus-socket.c:1051 systemd#5 0x562a83ab733f in bus_read_message src/libsystemd/sd-bus/sd-bus.c:1647 systemd#6 0x562a83ab98ea in sd_bus_call src/libsystemd/sd-bus/sd-bus.c:2038 systemd#7 0x562a83b1f46d in sd_bus_call_method src/libsystemd/sd-bus/bus-convenience.c:94 systemd#8 0x562a83aab3e1 in context_read_ntp src/timedate/timedated.c:192 systemd#9 0x562a83aae1af in main src/timedate/timedated.c:730 systemd#10 0x7f782eb238c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) Indirect leak of 77 byte(s) in 1 object(s) allocated from: #0 0x7f782f788f6a in realloc (/usr/lib64/libasan.so.2+0x96f6a) systemd#1 0x562a83ad418a in bus_socket_read_message src/libsystemd/sd-bus/bus-socket.c:963 systemd#2 0x562a83ab733f in bus_read_message src/libsystemd/sd-bus/sd-bus.c:1647 systemd#3 0x562a83ab98ea in sd_bus_call src/libsystemd/sd-bus/sd-bus.c:2038 systemd#4 0x562a83b1f46d in sd_bus_call_method src/libsystemd/sd-bus/bus-convenience.c:94 systemd#5 0x562a83aab3e1 in context_read_ntp src/timedate/timedated.c:192 systemd#6 0x562a83aae1af in main src/timedate/timedated.c:730 systemd#7 0x7f782eb238c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) Indirect leak of 2 byte(s) in 1 object(s) allocated from: #0 0x7f782f75493f in strdup (/usr/lib64/libasan.so.2+0x6293f) systemd#1 0x562a83b0229b in bus_message_parse_fields src/libsystemd/sd-bus/bus-message.c:5382 systemd#2 0x562a83ae7290 in bus_message_from_malloc src/libsystemd/sd-bus/bus-message.c:601 systemd#3 0x562a83ad3cad in bus_socket_make_message src/libsystemd/sd-bus/bus-socket.c:915 systemd#4 0x562a83ad4cfc in bus_socket_read_message src/libsystemd/sd-bus/bus-socket.c:1051 systemd#5 0x562a83ab733f in bus_read_message src/libsystemd/sd-bus/sd-bus.c:1647 systemd#6 0x562a83ab98ea in sd_bus_call src/libsystemd/sd-bus/sd-bus.c:2038 systemd#7 0x562a83b1f46d in sd_bus_call_method src/libsystemd/sd-bus/bus-convenience.c:94 systemd#8 0x562a83aab3e1 in context_read_ntp src/timedate/timedated.c:192 systemd#9 0x562a83aae1af in main src/timedate/timedated.c:730 systemd#10 0x7f782eb238c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) SUMMARY: AddressSanitizer: 1007 byte(s) leaked in 3 allocation(s). This is due to missing _cleanup_bus_message_unref_ in context_read_ntp() (cherry picked from commit 6b71bab)

Fixes: Message: Process 806 (systemd-importd) of user 0 dumped core. Stack trace of thread 806: #0 0x00007f5eaeff7227 raise (libc.so.6) #1 0x00007f5eaeff8e8a abort (libc.so.6) #2 0x000055b6d3418f4f log_assert_failed (systemd-importd) #3 0x000055b6d3409daf safe_close (systemd-importd) #4 0x000055b6d33c25ea closep (systemd-importd) #5 0x000055b6d33c38d9 setup_machine_directory (systemd-importd) #6 0x000055b6d33b8536 method_pull_tar_or_raw (systemd-importd) #7 0x000055b6d33ed097 method_callbacks_run (systemd-importd) #8 0x000055b6d33ef929 object_find_and_run (systemd-importd) #9 0x000055b6d33eff6b bus_process_object (systemd-importd) #10 0x000055b6d3447f77 process_message (systemd-importd) #11 0x000055b6d344815a process_running (systemd-importd) #12 0x000055b6d3448a10 bus_process_internal (systemd-importd) #13 0x000055b6d3448ae1 sd_bus_process (systemd-importd) #14 0x000055b6d3449779 time_callback (systemd-importd) #15 0x000055b6d3454ff4 source_dispatch (systemd-importd) #16 0x000055b6d34562b9 sd_event_dispatch (systemd-importd) #17 0x000055b6d34566f8 sd_event_run (systemd-importd) #18 0x000055b6d33ba72a bus_event_loop_with_idle (systemd-importd) #19 0x000055b6d33b95bc manager_run (systemd-importd) #20 0x000055b6d33b9766 main (systemd-importd) #21 0x00007f5eaefe2a00 __libc_start_main (libc.so.6) #22 0x000055b6d33b5569 _start (systemd-importd)

$ /usr/lib/systemd/systemd-timedated (wait until auto-exit) ================================================================= ==396==ERROR: LeakSanitizer: detected memory leaks Direct leak of 928 byte(s) in 1 object(s) allocated from: #0 0x7f782f788db1 in __interceptor_calloc (/usr/lib64/libasan.so.2+0x96db1) systemd#1 0x562a83ae60cf in bus_message_from_header src/libsystemd/sd-bus/bus-message.c:480 systemd#2 0x562a83ae6f5a in bus_message_from_malloc src/libsystemd/sd-bus/bus-message.c:576 systemd#3 0x562a83ad3cad in bus_socket_make_message src/libsystemd/sd-bus/bus-socket.c:915 systemd#4 0x562a83ad4cfc in bus_socket_read_message src/libsystemd/sd-bus/bus-socket.c:1051 systemd#5 0x562a83ab733f in bus_read_message src/libsystemd/sd-bus/sd-bus.c:1647 systemd#6 0x562a83ab98ea in sd_bus_call src/libsystemd/sd-bus/sd-bus.c:2038 systemd#7 0x562a83b1f46d in sd_bus_call_method src/libsystemd/sd-bus/bus-convenience.c:94 systemd#8 0x562a83aab3e1 in context_read_ntp src/timedate/timedated.c:192 systemd#9 0x562a83aae1af in main src/timedate/timedated.c:730 systemd#10 0x7f782eb238c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) Indirect leak of 77 byte(s) in 1 object(s) allocated from: #0 0x7f782f788f6a in realloc (/usr/lib64/libasan.so.2+0x96f6a) systemd#1 0x562a83ad418a in bus_socket_read_message src/libsystemd/sd-bus/bus-socket.c:963 systemd#2 0x562a83ab733f in bus_read_message src/libsystemd/sd-bus/sd-bus.c:1647 systemd#3 0x562a83ab98ea in sd_bus_call src/libsystemd/sd-bus/sd-bus.c:2038 systemd#4 0x562a83b1f46d in sd_bus_call_method src/libsystemd/sd-bus/bus-convenience.c:94 systemd#5 0x562a83aab3e1 in context_read_ntp src/timedate/timedated.c:192 systemd#6 0x562a83aae1af in main src/timedate/timedated.c:730 systemd#7 0x7f782eb238c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) Indirect leak of 2 byte(s) in 1 object(s) allocated from: #0 0x7f782f75493f in strdup (/usr/lib64/libasan.so.2+0x6293f) systemd#1 0x562a83b0229b in bus_message_parse_fields src/libsystemd/sd-bus/bus-message.c:5382 systemd#2 0x562a83ae7290 in bus_message_from_malloc src/libsystemd/sd-bus/bus-message.c:601 systemd#3 0x562a83ad3cad in bus_socket_make_message src/libsystemd/sd-bus/bus-socket.c:915 systemd#4 0x562a83ad4cfc in bus_socket_read_message src/libsystemd/sd-bus/bus-socket.c:1051 systemd#5 0x562a83ab733f in bus_read_message src/libsystemd/sd-bus/sd-bus.c:1647 systemd#6 0x562a83ab98ea in sd_bus_call src/libsystemd/sd-bus/sd-bus.c:2038 systemd#7 0x562a83b1f46d in sd_bus_call_method src/libsystemd/sd-bus/bus-convenience.c:94 systemd#8 0x562a83aab3e1 in context_read_ntp src/timedate/timedated.c:192 systemd#9 0x562a83aae1af in main src/timedate/timedated.c:730 systemd#10 0x7f782eb238c4 in __libc_start_main (/lib64/libc.so.6+0x208c4) SUMMARY: AddressSanitizer: 1007 byte(s) leaked in 3 allocation(s). This is due to missing _cleanup_bus_message_unref_ in context_read_ntp() (cherry picked from commit 6b71bab) Cherry-picked from: 6b71bab Resolves: #1222517

Revert original NPIV support patch, instead use patch from systemd#2731

This makes systemctl robust regarding journal truncation. This is a follow-up for 2cf4172 Fixes: Core was generated by `./systemctl status systemd-journald'. Program terminated with signal SIGBUS, Bus error. PID 8569 - core TID 8569: #0 0x00007f246cc89ed6 __memcmp_sse4_1 #1 0x0000557ebbc6f42c journal_file_init_header #2 0x0000557ebbc77262 journal_file_open #3 0x0000557ebbc42999 file_type_wanted #4 0x0000557ebbc42e08 add_any_file #5 0x0000557ebbc43832 add_directory #6 0x0000557ebbc4401c add_root_directory #7 0x0000557ebbc442e9 add_root_directory #8 0x0000557ebbc446fc add_search_paths #9 0x0000557ebbbacb5e show_journal_by_unit #10 0x0000557ebbb8376d print_status_info #11 0x0000557ebbb86a0b show_one #12 0x0000557ebbb87954 show #13 0x0000557ebbc20b1f dispatch_verb #14 0x0000557ebbb90615 systemctl_main #15 0x0000557ebbb9159f main #16 0x00007f246cb3e731 __libc_start_main #17 0x0000557ebbb75ae9 _start

Fixes: ``` touch hola.service systemctl link $(pwd)/hola.service $(pwd)/hola.service ``` ``` ==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd): #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) #1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83 #2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89 #3 0x55637c758c77 in strv_freep src/basic/strv.h:37 #4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 #18 0x55637c6a2194 in main src/core/main.c:1920 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) #20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339) 0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573) freed by thread T0 (systemd) here: #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) #1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630 #2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602 #3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996 #4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 #18 0x55637c6a2194 in main src/core/main.c:1920 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) previously allocated by thread T0 (systemd) here: #0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160) #1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552 #2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578 #3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600 #4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 #18 0x55637c6a2194 in main src/core/main.c:1920 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free ==1==ABORTING ``` Closes systemd#5015

The simplest way to reproduce: ```diff diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c index bd289fa..7b0a5ef 100644 --- a/src/libsystemd-network/test-dhcp6-client.c +++ b/src/libsystemd-network/test-dhcp6-client.c @@ -168,7 +168,7 @@ static uint8_t msg_advertise[198] = { 0x00, 0x17, 0x00, 0x10, 0x20, 0x01, 0x0d, 0xb8, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00, 0x0b, - 0x03, 0x6c, 0x61, 0x62, 0x05, 0x69, 0x6e, 0x74, + 0x01, 0x6c, 0x01, 0x62, 0x00, 0x0a, 0x6e, 0x74, 0x72, 0x61, 0x00, 0x00, 0x1f, 0x00, 0x10, 0x20, 0x01, 0x0d, 0xb8, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, @@ -338,9 +338,7 @@ static int test_advertise_option(sd_event *e) { assert_se(!memcmp(addrs, &msg_advertise[124], r * 16)); r = sd_dhcp6_lease_get_domains(lease, &domains); - assert_se(r == 1); - assert_se(!strcmp("lab.intra", domains[0])); - assert_se(domains[1] == NULL); + assert_se(r == -ENOENT); r = sd_dhcp6_lease_get_ntp_addrs(lease, &addrs); assert_se(r == 1); ``` Fixes: ``` ================================================================= ==15043==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4 byte(s) in 1 object(s) allocated from: #0 0x7f13c8564160 in strdup (/lib64/libasan.so.3+0x5a160) #1 0x7f13c7caaf69 in strv_extend src/basic/strv.c:552 #2 0x55f775787230 in dhcp6_option_parse_domainname src/libsystemd-network/dhcp6-option.c:399 #3 0x55f775788b96 in dhcp6_lease_set_domains src/libsystemd-network/sd-dhcp6-lease.c:225 #4 0x55f775774b95 in test_advertise_option src/libsystemd-network/test-dhcp6-client.c:287 #5 0x55f77577883e in main src/libsystemd-network/test-dhcp6-client.c:759 #6 0x7f13c7589400 in __libc_start_main (/lib64/libc.so.6+0x20400) Direct leak of 4 byte(s) in 1 object(s) allocated from: #0 0x7f13c8564160 in strdup (/lib64/libasan.so.3+0x5a160) #1 0x7f13c7caaf69 in strv_extend src/basic/strv.c:552 #2 0x55f775787230 in dhcp6_option_parse_domainname src/libsystemd-network/dhcp6-option.c:399 #3 0x55f775788b96 in dhcp6_lease_set_domains src/libsystemd-network/sd-dhcp6-lease.c:225 #4 0x55f775781348 in client_parse_message src/libsystemd-network/sd-dhcp6-client.c:807 #5 0x55f775781ba2 in client_receive_advertise src/libsystemd-network/sd-dhcp6-client.c:895 #6 0x55f775782453 in client_receive_message src/libsystemd-network/sd-dhcp6-client.c:994 #7 0x7f13c7e447f4 in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #8 0x7f13c7e471b0 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #9 0x7f13c7e47ab3 in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #10 0x7f13c7e47c21 in sd_event_loop src/libsystemd/sd-event/sd-event.c:2706 #11 0x55f77577863c in test_client_solicit src/libsystemd-network/test-dhcp6-client.c:737 #12 0x55f77577884b in main src/libsystemd-network/test-dhcp6-client.c:760 #13 0x7f13c7589400 in __libc_start_main (/lib64/libc.so.6+0x20400) SUMMARY: AddressSanitizer: 8 byte(s) leaked in 2 allocation(s). ```

We would only log a terse message when pid1 or systemd-journald crashed. It seems better to follow the resuse the normal code paths as much as possible, with the following differences: - if pid1 crashes, we cannot launch the helper, so we don't analyze the coredump, just write it to file directly from the helper invoked by the kernel; - if journald crashes, we can produce the backtrace, but we don't log full structured messages. With comparison to previous code, advantages are: - we go through most of the steps, so for example vacuuming is performed, - we gather and log more data. In particular for journald and pid1 crashes we generate a backtrace, and for pid1 crashes we gather metadata (fdinfo, maps, etc.), - coredumpctl shows pid1 crashes. A disavantage (inefficiency) is that we gather metadata for journald crashes which is then ignored because _TRANSPORT=kernel does not support structued messages. Messages for the systemd-journald "crash" have _TRANSPORT=kernel, and _TRANSPORT=journal for the pid1 "crash". Feb 26 16:27:55 systemd[1]: systemd-journald.service: Main process exited, code=dumped, status=11/SEGV Feb 26 16:27:55 systemd[1]: systemd-journald.service: Unit entered failed state. Feb 26 16:37:54 systemd-coredump[18801]: Process 18729 (systemd-journal) of user 0 dumped core. Feb 26 16:37:54 systemd-coredump[18801]: Coredump diverted to /var/lib/systemd/coredump/core.systemd-journal.0.36c14bf3c6ce4c38914f441038990979.18729.1488145074000000.lz4 Feb 26 16:37:54 systemd-coredump[18801]: Stack trace of thread 18729: Feb 26 16:37:54 systemd-coredump[18801]: #0 0x00007f46d6a06b8d fsync (libpthread.so.0) Feb 26 16:37:54 systemd-coredump[18801]: #1 0x00007f46d71bfc47 journal_file_set_online (libsystemd-shared-233.so) Feb 26 16:37:54 systemd-coredump[18801]: #2 0x00007f46d71c1c31 journal_file_append_object (libsystemd-shared-233.so) Feb 26 16:37:54 systemd-coredump[18801]: #3 0x00007f46d71c3405 journal_file_append_data (libsystemd-shared-233.so) Feb 26 16:37:54 systemd-coredump[18801]: #4 0x00007f46d71c4b7c journal_file_append_entry (libsystemd-shared-233.so) Feb 26 16:37:54 systemd-coredump[18801]: #5 0x00005577688cf056 write_to_journal (systemd-journald) Feb 26 16:37:54 systemd-coredump[18801]: #6 0x00005577688d2e98 dispatch_message_real (systemd-journald) Feb 26 16:37:54 kernel: systemd-coredum: 9 output lines suppressed due to ratelimiting Feb 26 16:37:54 systemd-journald[18810]: Journal started Feb 26 16:50:59 systemd-coredump[19229]: Due to PID 1 having crashed coredump collection will now be turned off. Feb 26 16:51:00 systemd[1]: Caught <SEGV>, dumped core as pid 19228. Feb 26 16:51:00 systemd[1]: Freezing execution. Feb 26 16:51:00 systemd-coredump[19229]: Process 19228 (systemd) of user 0 dumped core. Stack trace of thread 19228: #0 0x00007fab82075c47 kill (libc.so.6) #1 0x000055fdf7c38b6b crash (systemd) #2 0x00007fab824175c0 __restore_rt (libpthread.so.0) #3 0x00007fab82148573 epoll_wait (libc.so.6) #4 0x00007fab8366f84a sd_event_wait (libsystemd-shared-233.so) #5 0x00007fab836701de sd_event_run (libsystemd-shared-233.so) #6 0x000055fdf7c4a380 manager_loop (systemd) #7 0x000055fdf7c402c2 main (systemd) #8 0x00007fab82060401 __libc_start_main (libc.so.6) #9 0x000055fdf7c3818a _start (systemd) Poor machine ;)

We would only log a terse message when pid1 or systemd-journald crashed. It seems better to reuse the normal code paths as much as possible, with the following differences: - if pid1 crashes, we cannot launch the helper, so we don't analyze the coredump, just write it to file directly from the helper invoked by the kernel; - if journald crashes, we can produce the backtrace, but we don't log full structured messages. With comparison to previous code, advantages are: - we go through most of the steps, so for example vacuuming is performed, - we gather and log more data. In particular for journald and pid1 crashes we generate a backtrace, and for pid1 crashes we record the metadata (fdinfo, maps, etc.), - coredumpctl shows pid1 crashes. A disavantage (inefficiency) is that we gather metadata for journald crashes which is then ignored because _TRANSPORT=kernel does not support structued messages. Messages for the systemd-journald "crash" have _TRANSPORT=kernel, and _TRANSPORT=journal for the pid1 "crash". Feb 26 16:27:55 systemd[1]: systemd-journald.service: Main process exited, code=dumped, status=11/SEGV Feb 26 16:27:55 systemd[1]: systemd-journald.service: Unit entered failed state. Feb 26 16:37:54 systemd-coredump[18801]: Process 18729 (systemd-journal) of user 0 dumped core. Feb 26 16:37:54 systemd-coredump[18801]: Coredump diverted to /var/lib/systemd/coredump/core.systemd-journal.0.36c14bf3c6ce4c38914f441038990979.18729.1488145074000000.lz4 Feb 26 16:37:54 systemd-coredump[18801]: Stack trace of thread 18729: Feb 26 16:37:54 systemd-coredump[18801]: #0 0x00007f46d6a06b8d fsync (libpthread.so.0) Feb 26 16:37:54 systemd-coredump[18801]: #1 0x00007f46d71bfc47 journal_file_set_online (libsystemd-shared-233.so) Feb 26 16:37:54 systemd-coredump[18801]: #2 0x00007f46d71c1c31 journal_file_append_object (libsystemd-shared-233.so) Feb 26 16:37:54 systemd-coredump[18801]: #3 0x00007f46d71c3405 journal_file_append_data (libsystemd-shared-233.so) Feb 26 16:37:54 systemd-coredump[18801]: #4 0x00007f46d71c4b7c journal_file_append_entry (libsystemd-shared-233.so) Feb 26 16:37:54 systemd-coredump[18801]: #5 0x00005577688cf056 write_to_journal (systemd-journald) Feb 26 16:37:54 systemd-coredump[18801]: #6 0x00005577688d2e98 dispatch_message_real (systemd-journald) Feb 26 16:37:54 kernel: systemd-coredum: 9 output lines suppressed due to ratelimiting Feb 26 16:37:54 systemd-journald[18810]: Journal started Feb 26 16:50:59 systemd-coredump[19229]: Due to PID 1 having crashed coredump collection will now be turned off. Feb 26 16:51:00 systemd[1]: Caught <SEGV>, dumped core as pid 19228. Feb 26 16:51:00 systemd[1]: Freezing execution. Feb 26 16:51:00 systemd-coredump[19229]: Process 19228 (systemd) of user 0 dumped core. Stack trace of thread 19228: #0 0x00007fab82075c47 kill (libc.so.6) #1 0x000055fdf7c38b6b crash (systemd) #2 0x00007fab824175c0 __restore_rt (libpthread.so.0) #3 0x00007fab82148573 epoll_wait (libc.so.6) #4 0x00007fab8366f84a sd_event_wait (libsystemd-shared-233.so) #5 0x00007fab836701de sd_event_run (libsystemd-shared-233.so) #6 0x000055fdf7c4a380 manager_loop (systemd) #7 0x000055fdf7c402c2 main (systemd) #8 0x00007fab82060401 __libc_start_main (libc.so.6) #9 0x000055fdf7c3818a _start (systemd) Poor machine ;)

encoder: fix two image size detection issues

Fixes: ``` touch hola.service systemctl link $(pwd)/hola.service $(pwd)/hola.service ``` ``` ==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd): #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) systemd#1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83 systemd#2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89 systemd#3 0x55637c758c77 in strv_freep src/basic/strv.h:37 systemd#4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960 systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 systemd#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 systemd#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 systemd#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 systemd#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 systemd#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 systemd#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 systemd#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 systemd#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 systemd#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 systemd#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 systemd#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 systemd#18 0x55637c6a2194 in main src/core/main.c:1920 systemd#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) systemd#20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339) 0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573) freed by thread T0 (systemd) here: #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) systemd#1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630 systemd#2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602 systemd#3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996 systemd#4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985 systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 systemd#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 systemd#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 systemd#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 systemd#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 systemd#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 systemd#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 systemd#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 systemd#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 systemd#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 systemd#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 systemd#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 systemd#18 0x55637c6a2194 in main src/core/main.c:1920 systemd#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) previously allocated by thread T0 (systemd) here: #0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160) systemd#1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552 systemd#2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578 systemd#3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600 systemd#4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969 systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 systemd#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 systemd#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 systemd#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 systemd#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 systemd#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 systemd#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 systemd#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 systemd#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 systemd#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 systemd#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 systemd#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 systemd#18 0x55637c6a2194 in main src/core/main.c:1920 systemd#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free ==1==ABORTING ``` Closes systemd#5015 (cherry picked from commit 8af35ba) Related: #1409997

When exiting PID 1 we most likely don't have stdio/stdout open, so the final LSan check would not print any actionable information and would just crash PID 1 leading up to a kernel panic, which is a bit annoying. Let's instead attempt to open /dev/console, and if we succeed redirect LSan's report there. The result is a bit messy, as it's slightly interleaved with the kernel panic, but it's definitely better than not having the stack trace at all: [ OK ] Reached target final.target. [ OK ] Finished systemd-poweroff.service. [ OK ] Reached target poweroff.target. ================================================================= 3 1m 43.251782] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 [ 43.252838] CPU: 2 PID: 1 Comm: systemd Not tainted 6.4.12-200.fc38.x86_64 #1 ==[1==ERR O R :4 3Le.a2k53562] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 [ 43.254683] Call Trace: [ 43.254911] <TASK> [ 43.255107] dump_stack_lvl+0x47/0x60 S[ a 43.n2555i05] panic+t0x192/0x350 izer[ :43.255966 ] do_exit+0x990/0xdb10 etec[ 43.256504] do_group_exit+0x31/0x80 [ 43.256889] __x64_sys_exit_group+0x18/0x20 [ 43.257288] do_syscall_64+0x60/0x90 o_user_mod leaks[ 43.257618] ? syscall_exit_t +0x2b/0x40 [ 43.258411] ? do_syscall_64+0x6c/0x90 1mDirect le[ 43.258755] ak of 21 byte(s)? exc_page_fault+0x7f/0x180 [ 43.259446] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 43.259901] RiIP: 0033:0x7f357nb8f3ad4 1 objec[ 43.260354] Ctode: 48 89 (f7 0f 05 c3 sf3 0f 1e fa b8 3b 00 00 00) 0f 05 c3 0f 1f 4 0 00 f3 0f 1e fa 50 58 b8 e7 00 00 00 48 83 ec 08 48 63 ff 0f 051 [ 43.262581] RSP: 002b:00007ffc25872440 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 a RBX: 00007f357be9b218 RCX: 00007f357b8f3ad4m:ffd [ 43.264512] RDX: 0000000000000001 RSI: 00007f357b933b63 RDI: 0000000000000001 [ 43.265355] RBP: 00007f357be9b218 R08: efffffffffffffff R09: 00007ffc258721ef [ 43.266191] R10: 000000000000003f R11: 0000000000000202 R12: 00000fe6ae9e0000 [ 43.266891] R13: 00007f3574f00000 R14: 0000000000000000 R15: 0000000000000007 [ 43.267517] </TASK> #0 0x7f357b8814a8 in strdup (/lib64/libasan.so.8+0x814a8) (BuildId: e5f0a0d511a659fbc47bf41072869139cb2db47f) #1 0x7f3578d43317 in cg_path_decode_unit ../src/basic/cgroup-util.c:1132 #2 0x7f3578d43936 in cg_path_get_unit ../src/basic/cgroup-util.c:1190 #3 0x7f3578d440f6 in cg_pid_get_unit ../src/basic/cgroup-util.c:1234 #4 0x7f35789263d7 in bus_log_caller ../src/shared/bus-util.c:734 #5 0x7f357a9cf10a in method_reload ../src/core/dbus-manager.c:1621 #6 0x7f3578f77497 in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7f3578f80dd8 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7f3578f82487 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7f3578fe41f1 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3007 #10 0x7f3578fe477b in process_running ../src/libsystemd/sd-bus/sd-bus.c:3049 #11 0x7f3578fe75d1 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3269 #12 0x7f3578fe776e in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3296 #13 0x7f3578feaedc in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3638 #14 0x7f35791c2f68 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 #15 0x7f35791cc6f9 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 #16 0x7f35791cd830 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 #17 0x7f357abcd572 in manager_loop ../src/core/manager.c:3244 #18 0x41db21 in invoke_main_loop ../src/core/main.c:1960 #19 0x426615 in main ../src/core/main.c:3125 #20 0x7f3577c49b49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #21 0x7f3577c49c0a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #22 0x408494 in _start (/usr/lib/systemd/systemd+0x408494) (BuildId: fe61e1b0f00b6a36aa34e707a98c15c52f6b960a) SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s). [ 43.295912] Kernel Offset: 0x7000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 43.297036] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]--- Originally noticed in #28579.

When built with ACL support, we might be processing a tmpfiles entry where there's no cause for us to call parse_acls_from_arg, then we get to the end of parse_line without having ever populated i.{acl_access, acl_default}. Then we pass a null pointer into acl_free(). From UBSAN w/ GCC 13.0.0_pre20230101: ``` $ systemd-tmpfiles --clean /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer #0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44 systemd#1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855 systemd#2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158 systemd#3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897 systemd#4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985 systemd#5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157 systemd#6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218 systemd#7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289) systemd#8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344) systemd#9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900) ``` (cherry picked from commit 9f804ab) (cherry picked from commit a11a949) (cherry picked from commit 4551936) (cherry picked from commit 0e711b7)

fuzzers randomly fail with the following: ``` ==172==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7f41169cb39b in update_argv /work/build/../../src/systemd/src/basic/argv-util.c:96:13 #1 0x7f41169cb39b in rename_process /work/build/../../src/systemd/src/basic/argv-util.c:210:16 #2 0x7f4116b6824e in safe_fork_full /work/build/../../src/systemd/src/basic/process-util.c:1516:21 #3 0x7f4116bffa36 in safe_fork /work/build/../../src/systemd/src/basic/process-util.h:191:16 #4 0x7f4116bffa36 in parse_timestamp /work/build/../../src/systemd/src/basic/time-util.c:1047:13 #5 0x4a61e6 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-time-util.c:16:16 #6 0x4c4a13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #7 0x4c41fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #8 0x4c58c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #9 0x4c6595 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #10 0x4b58ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #11 0x4def52 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #12 0x7f4115ea3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: e678fe54a5d2c2092f8e47eb0b33105e380f7340) #13 0x41f5ad in _start (build-out/fuzz-time-util+0x41f5ad) DEDUP_TOKEN: update_argv--rename_process--safe_fork_full Uninitialized value was created by an allocation of 'fv' in the stack frame of function 'have_effective_cap' #0 0x7f41169d3540 in have_effective_cap /work/build/../../src/systemd/src/basic/capability-util.c:21 ```

When assert_return() is critical, the following assertion is triggered on exit: --- #0 0x00007f8b1f6b0884 in __pthread_kill_implementation () from target:/lib64/libc.so.6 #1 0x00007f8b1f65fafe in raise () from target:/lib64/libc.so.6 #2 0x00007f8b1f64887f in abort () from target:/lib64/libc.so.6 #3 0x00007f8b208d02d6 in log_assert_failed (text=0x7f8b210009e0 "e->state != SD_EVENT_FINISHED", file=0x7f8b20fff403 "src/libsystemd/sd-event/sd-event.c", line=1252, func=0x7f8b21004400 <__func__.154> "sd_event_add_io") at ../src/basic/log.c:948 #4 0x00007f8b208d0457 in log_assert_failed_return (text=0x7f8b210009e0 "e->state != SD_EVENT_FINISHED", file=0x7f8b20fff403 "src/libsystemd/sd-event/sd-event.c", line=1252, func=0x7f8b21004400 <__func__.154> "sd_event_add_io") at ../src/basic/log.c:967 #5 0x00007f8b20c7d102 in sd_event_add_io (e=0x617000000080, ret=0x60c000000a20, fd=11, events=1, callback=0x7dfd85 <ipv4acd_on_packet>, userdata=0x60c000000a00) at ../src/libsystemd/sd-event/sd-event.c:1252 #6 0x00000000007e3934 in sd_ipv4acd_start (acd=0x60c000000a00, reset_conflicts=true) at ../src/libsystemd-network/sd-ipv4acd.c:597 #7 0x00000000007e72b9 in ipv4ll_start_internal (ll=0x6080000006a0, reset_generation=true) at ../src/libsystemd-network/sd-ipv4ll.c:278 #8 0x00000000007e7462 in sd_ipv4ll_start (ll=0x6080000006a0) at ../src/libsystemd-network/sd-ipv4ll.c:298 #9 0x00000000006047a1 in dhcp4_handler (client=0x617000000400, event=0, userdata=0x61a000000680) at ../src/network/networkd-dhcp4.c:1183 #10 0x000000000075b1ed in client_notify (client=0x617000000400, event=0) at ../src/libsystemd-network/sd-dhcp-client.c:783 #11 0x000000000075bf8d in client_stop (client=0x617000000400, error=0) at ../src/libsystemd-network/sd-dhcp-client.c:821 #12 0x000000000077710f in sd_dhcp_client_stop (client=0x617000000400) at ../src/libsystemd-network/sd-dhcp-client.c:2388 #13 0x000000000065cdd1 in link_stop_engines (link=0x61a000000680, may_keep_dhcp=true) at ../src/network/networkd-link.c:336 #14 0x000000000041f214 in manager_free (m=0x618000000080) at ../src/network/networkd-manager.c:613 #15 0x00000000004124e3 in manager_freep (p=0x7f8b1c800040) at ../src/network/networkd-manager.h:128 #16 0x00000000004139f6 in run (argc=1, argv=0x7ffffe4522e8) at ../src/network/networkd.c:24 #17 0x0000000000413b20 in main (argc=1, argv=0x7ffffe4522e8) at ../src/network/networkd.c:119 --- Prompted by #30049 (comment).

By making assert_return() critical, we observe the following: --- Program received signal SIGABRT, Aborted. 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 (gdb) bt #0 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007f013205fafe in raise () from /lib64/libc.so.6 #2 0x00007f013204887f in abort () from /lib64/libc.so.6 #3 0x00007f01338d02d6 in log_assert_failed ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:948 #4 0x00007f01338d0457 in log_assert_failed_return ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:967 #5 0x00007f0133c7ed83 in sd_event_add_time (e=0x617000022280, ret=0x610000007e98, clock=7, usec=24054941030, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1399 #6 0x00007f0133c7f725 in sd_event_add_time_relative (e=0x617000022280, ret=0x610000007e98, clock=7, usec=1000000, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1462 #7 0x0000000000464cac in dns_scope_announce (scope=0x610000007e40, goodbye=true) at ../src/resolve/resolved-dns-scope.c:1530 #8 0x0000000000504d08 in link_free (l=0x612000023d40) at ../src/resolve/resolved-link.c:83 #9 0x000000000052dbbd in manager_free (m=0x619000000a80) at ../src/resolve/resolved-manager.c:697 #10 0x0000000000562328 in manager_freep (p=0x7f012f800040) at ../src/resolve/resolved-manager.h:198 #11 0x000000000056315a in run (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:25 #12 0x0000000000563284 in main (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:99 --- Prompted by #30049 (comment).

Avoid passing a NULL message to sd_bus_message_is_signal(), to not trip over an assertion: [ 132.869436] H testsuite-82.sh[614]: + systemctl --no-block --check-inhibitors=yes soft-reboot [ 132.967386] H systemd[1]: Created slice system-systemd\x2dcoredump.slice. [ 133.018292] H systemd[1]: Starting inhibit.service... [ 133.122610] H systemd[1]: Started systemd-coredump@0-665-0.service. [ 133.163643] H systemd[1]: Started inhibit.service. [ 133.206836] H testsuite-82.sh[614]: + exec sleep infinity [ 133.236762] H systemd-logind[611]: The system will reboot now! [ 135.891607] H systemd-coredump[667]: [🡕] Process 663 (busctl) of user 0 dumped core. Stack trace of thread 663: #0 0x00007f2ec45e6acf raise (libc.so.6 + 0x4eacf) #1 0x00007f2ec45b9ea5 abort (libc.so.6 + 0x21ea5) #2 0x00007f2ec4b5c9a6 log_assert_failed (libsystemd-shared-255.so + 0x1ff9a6) #3 0x00007f2ec4b5dca5 log_assert_failed_return (libsystemd-shared-255.so + 0x200ca5) #4 0x00007f2ec4bb3df6 sd_bus_message_is_signal (libsystemd-shared-255.so + 0x256df6) #5 0x000000000040e478 monitor (busctl + 0xe478) #6 0x000000000040e82f verb_monitor (busctl + 0xe82f) #7 0x00007f2ec4b202cb dispatch_verb (libsystemd-shared-255.so + 0x1c32cb) #8 0x00000000004074fa busctl_main (busctl + 0x74fa) #9 0x0000000000407525 run (busctl + 0x7525) #10 0x000000000040ff67 main (busctl + 0xff67) #11 0x00007f2ec45d2d85 __libc_start_main (libc.so.6 + 0x3ad85) #12 0x00000000004044be _start (busctl + 0x44be) ELF object binary architecture: AMD x86-64 [ 136.141152] H dbus-daemon[634]: [system] Monitoring connection :1.2 closed. [ 136.152233] H systemd[1]: busctl.service: Main process exited, code=dumped, status=6/ABRT [ 136.153996] H systemd[1]: busctl.service: Failed with result 'core-dump'. The asertion in question: Assertion 'm' failed at src/libsystemd/sd-bus/bus-message.c:1015, function sd_bus_message_is_signal(). Aborting. We can get a NULL message here through sd_bus_process() -> bus_process_internal() -> process_running(), so let's handle this case appropriately.

Since in that case the event loop is already finished and we'd hit an assertion: [ 1295.993300] testsuite-75.sh[50]: + systemctl stop systemd-resolved.service [ 1296.005152] systemd-resolved[298]: Assertion 'e->state != SD_EVENT_FINISHED' failed at src/libsystemd/sd-event/sd-event.c:1252, function sd_event_add_io(). Aborting. Thread 1 (Thread 0x7f17d25e2940 (LWP 298)): #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007f17d16ac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007f17d165c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007f17d16444b8 in __GI_abort () at abort.c:79 #4 0x00007f17d2402d2d in log_assert_failed (text=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>) at ../build/src/basic/log.c:968 #5 0x00007f17d240401c in log_assert_failed_return (text=text@entry=0x7f17d2533f13 "e->state != SD_EVENT_FINISHED", file=file@entry=0x7f17d25195d9 "src/libsystemd/sd-event/sd-event.c", line=line@entry=1252, func=func@entry=0x7f17d2567260 <__func__.140> "sd_event_add_io") at ../build/src/basic/log.c:987 #6 0x00007f17d24d011a in sd_event_add_io (e=0x55e5cb497270, ret=0x55e5cb4a5120, fd=fd@entry=26, events=events@entry=1, callback=callback@entry=0x55e5caff5466 <on_io_event>, userdata=0x55e5cb4a5110) at ../build/src/libsystemd/sd-event/sd-event.c:1252 #7 0x000055e5caff571c in manager_add_socket_to_graveyard (m=0x55e5cb43cf00, fd=26) at ../build/src/resolve/resolved-socket-graveyard.c:117 #8 0x000055e5cafd4253 in dns_transaction_close_connection (t=t@entry=0x55e5cb57c7d0, use_graveyard=use_graveyard@entry=true) at ../build/src/resolve/resolved-dns-transaction.c:78 #9 0x000055e5cafd8444 in dns_transaction_complete (t=t@entry=0x55e5cb57c7d0, state=state@entry=DNS_TRANSACTION_ABORTED) at ../build/src/resolve/resolved-dns-transaction.c:427 #10 0x000055e5cafc4969 in dns_scope_abort_transactions (s=s@entry=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:91 #11 0x000055e5cafc6aee in dns_scope_free (s=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:106 #12 0x000055e5cafe72d1 in link_free (l=0x55e5cb4a5160) at ../build/src/resolve/resolved-link.c:94 #13 0x000055e5cafedefc in manager_free (m=0x55e5cb43cf00) at ../build/src/resolve/resolved-manager.c:697 #14 0x000055e5caff99b6 in manager_freep (p=p@entry=0x7ffd71fab8f8) at ../build/src/resolve/resolved-manager.h:198 #15 0x000055e5caff9d66 in run (argc=argc@entry=1, argv=argv@entry=0x7ffd71faba78) at ../build/src/resolve/resolved.c:25 #16 0x000055e5caff9fe3 in main (argc=1, argv=0x7ffd71faba78) at ../build/src/resolve/resolved.c:99 Resolves: #30618

Since libfuzzer feeds a single fuzzing process with multiple inputs, we might carry over arg_transport from a previous invocation, tripping over the assert in acquire_bus(): +----------------------------------------Release Build Stacktrace----------------------------------------+ Assertion 'transport != BUS_TRANSPORT_REMOTE || runtime_scope == RUNTIME_SCOPE_SYSTEM' failed at src/shared/bus-util.c:284, function bus_connect_transport(). Aborting. AddressSanitizer:DEADLYSIGNAL ================================================================= ==2739==ERROR: AddressSanitizer: ABRT on unknown address 0x00000ab3 (pc 0xf7f52509 bp 0xffdf74cc sp 0xffdf74b0 T0) SCARINESS: 10 (signal) #0 0xf7f52509 in linux-gate.so.1 #1 0xf703b415 in raise #2 0xf70233f6 in abort #3 0xf772ac0a in log_assert_failed systemd/src/basic/log.c:968:9 #4 0xf77300d5 in log_assert_failed_return systemd/src/basic/log.c:987:17 #5 0xf7432bbf in bus_connect_transport systemd/src/shared/bus-util.c:284:9 #6 0x818cd17 in acquire_bus systemd/src/systemctl/systemctl-util.c:53:29 #7 0x815fd3c in help_boot_loader_entry systemd/src/systemctl/systemctl-logind.c:431:13 #8 0x819ca87 in systemctl_parse_argv systemd/src/systemctl/systemctl.c:863:37 #9 0x8197632 in systemctl_dispatch_parse_argv systemd/src/systemctl/systemctl.c:1137:16 #10 0x813328d in LLVMFuzzerTestOneInput systemd/src/systemctl/fuzz-systemctl-parse-argv.c:54:13 #11 0x81bbe7e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #12 0x81bb5b8 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned int, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #13 0x81bd42d in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7 #14 0x81bd62e in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3 #15 0x81ac84c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #16 0x81d65c7 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #17 0xf7024ed4 in __libc_start_main #18 0x806bdb5 in _start Resolves: #30802

Spotted while fuzzing systemd#27890. ================================================================= ==908098==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x7f4efe6d81f5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xd81f5) (BuildId: dc689b05ca2577037af24700212bb5cce1f91c8a) systemd#1 0x7f4efb8e3ace in greedy_realloc ../src/basic/alloc-util.c:70 systemd#2 0x7f4efb93b713 in extract_first_word ../src/basic/extract-word.c:62 systemd#3 0x7f4efb970d50 in set_put_strsplit ../src/basic/hashmap.c:1902 systemd#4 0x7f4efd76c27e in exec_context_deserialize ../src/core/execute-serialize.c:3341 systemd#5 0x7f4efd778dcb in exec_deserialize ../src/core/execute-serialize.c:4122 systemd#6 0x4032c0 in LLVMFuzzerTestOneInput ../src/core/fuzz-execute-serialize.c:60 systemd#7 0x403c58 in main ../src/fuzz/fuzz-main.c:50 systemd#8 0x7f4efecccb49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) systemd#9 0x7f4efecccc0a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) systemd#10 0x402344 in _start (/home/mrc0mmand/repos/@systemd/systemd/build-san/fuzz-execute-serialize+0x402344) (BuildId: 195f382cf1e39b9ba48d6dcf5a90f786d72837a8) SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Aborted (core dumped) ==911550==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x4df281 in strdup (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x4df281) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#1 0x7fe4ae2b38fc in _set_put_strndup_full /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/basic/hashmap.c:1868:21 systemd#2 0x7fe4b0bad897 in exec_context_deserialize /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/core/execute-serialize.c:3914:29 systemd#3 0x7fe4b0b80592 in exec_deserialize /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/core/execute-serialize.c:4109:13 systemd#4 0x531d0f in LLVMFuzzerTestOneInput /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/core/fuzz-execute-serialize.c:59:16 systemd#5 0x440594 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x440594) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#6 0x43f9b9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x43f9b9) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#7 0x440fd5 in fuzzer::Fuzzer::MutateAndTestOne() (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x440fd5) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#8 0x441955 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x441955) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#9 0x42e151 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x42e151) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#10 0x45a916 in main (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x45a916) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#11 0x7fe4ac449b49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) systemd#12 0x7fe4ac449c0a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) systemd#13 0x422b74 in _start (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x422b74) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s). (cherry picked from commit 9b41270)

When built with ACL support, we might be processing a tmpfiles entry where there's no cause for us to call parse_acls_from_arg, then we get to the end of parse_line without having ever populated i.{acl_access, acl_default}. Then we pass a null pointer into acl_free(). From UBSAN w/ GCC 13.0.0_pre20230101: ``` $ systemd-tmpfiles --clean /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer #0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44 systemd#1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855 systemd#2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158 systemd#3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897 systemd#4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985 systemd#5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157 systemd#6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218 systemd#7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289) systemd#8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344) systemd#9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900) ``` (cherry picked from commit 9f804ab)

+ machinectl image-status container1 container1 container0 container1 container2 container3 container4 ================================================================= ==1354==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4704 byte(s) in 6 object(s) allocated from: #0 0x7fc3670ba097 in calloc (/lib64/libasan.so.8+0xba097) systemd#1 0x7fc365e91e8e in message_from_header ../src/libsystemd/sd-bus/bus-message.c:372 systemd#2 0x7fc365e92dfd in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:421 systemd#3 0x7fc365f089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 systemd#4 0x7fc365f0affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 systemd#5 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 systemd#6 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 systemd#7 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 systemd#8 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109 systemd#9 0x413b76 in show_image ../src/machine/machinectl.c:1014 systemd#10 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103 systemd#11 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981 systemd#12 0x42ebbd in run ../src/machine/machinectl.c:3006 systemd#13 0x42ece3 in main ../src/machine/machinectl.c:3009 systemd#14 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 666 byte(s) in 6 object(s) allocated from: #0 0x7fc3670b95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5) systemd#1 0x7fc365f09822 in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1214 systemd#2 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 systemd#3 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 systemd#4 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 systemd#5 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109 systemd#6 0x413b76 in show_image ../src/machine/machinectl.c:1014 systemd#7 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103 systemd#8 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981 systemd#9 0x42ebbd in run ../src/machine/machinectl.c:3006 systemd#10 0x42ece3 in main ../src/machine/machinectl.c:3009 systemd#11 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 12 byte(s) in 6 object(s) allocated from: #0 0x7fc36707243b in strdup (/lib64/libasan.so.8+0x7243b) systemd#1 0x7fc365ec1543 in message_parse_fields ../src/libsystemd/sd-bus/bus-message.c:4125 systemd#2 0x7fc365e93586 in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:443 systemd#3 0x7fc365f089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 systemd#4 0x7fc365f0affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 systemd#5 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 systemd#6 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 systemd#7 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 systemd#8 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109 systemd#9 0x413b76 in show_image ../src/machine/machinectl.c:1014 systemd#10 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103 systemd#11 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981 systemd#12 0x42ebbd in run ../src/machine/machinectl.c:3006 systemd#13 0x42ece3 in main ../src/machine/machinectl.c:3009 systemd#14 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 5382 byte(s) leaked in 18 allocation(s). (cherry picked from commit 4b6ce58) (cherry picked from commit e6a7195)

+ machinectl status long-running long-running long-running ================================================================= ==986==ERROR: LeakSanitizer: detected memory leaks Direct leak of 1568 byte(s) in 2 object(s) allocated from: #0 0x7fe57caba097 in calloc (/lib64/libasan.so.8+0xba097) systemd#1 0x7fe57b891e8e in message_from_header ../src/libsystemd/sd-bus/bus-message.c:372 systemd#2 0x7fe57b892dfd in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:421 systemd#3 0x7fe57b9089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 systemd#4 0x7fe57b90affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 systemd#5 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 systemd#6 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 systemd#7 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 systemd#8 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109 systemd#9 0x40f71c in show_machine ../src/machine/machinectl.c:713 systemd#10 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103 systemd#11 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980 systemd#12 0x42ebf9 in run ../src/machine/machinectl.c:3005 systemd#13 0x42ed1f in main ../src/machine/machinectl.c:3008 systemd#14 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 234 byte(s) in 2 object(s) allocated from: #0 0x7fe57cab95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5) systemd#1 0x7fe57b909822 in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1214 systemd#2 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 systemd#3 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 systemd#4 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 systemd#5 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109 systemd#6 0x40f71c in show_machine ../src/machine/machinectl.c:713 systemd#7 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103 systemd#8 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980 systemd#9 0x42ebf9 in run ../src/machine/machinectl.c:3005 systemd#10 0x42ed1f in main ../src/machine/machinectl.c:3008 systemd#11 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Indirect leak of 4 byte(s) in 2 object(s) allocated from: #0 0x7fe57ca7243b in strdup (/lib64/libasan.so.8+0x7243b) systemd#1 0x7fe57b8c1543 in message_parse_fields ../src/libsystemd/sd-bus/bus-message.c:4125 systemd#2 0x7fe57b893586 in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:443 systemd#3 0x7fe57b9089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165 systemd#4 0x7fe57b90affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294 systemd#5 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082 systemd#6 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483 systemd#7 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183 systemd#8 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109 systemd#9 0x40f71c in show_machine ../src/machine/machinectl.c:713 systemd#10 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103 systemd#11 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980 systemd#12 0x42ebf9 in run ../src/machine/machinectl.c:3005 systemd#13 0x42ed1f in main ../src/machine/machinectl.c:3008 systemd#14 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 1806 byte(s) leaked in 6 allocation(s). (cherry picked from commit efdaa92) (cherry picked from commit 4d29f74)

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) systemd#1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 systemd#2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 systemd#3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 systemd#4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 systemd#5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 systemd#6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 systemd#8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 systemd#10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 systemd#12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 systemd#13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 systemd#14 0x4552fb in main ../src/nspawn/nspawn.c:5920 systemd#15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) systemd#16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) systemd#17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING (cherry picked from commit f4e5c04) (cherry picked from commit c786122)

Whoopsie. ================================================================= ==3789231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000051d0b8 at pc 0x7f70850bc904 bp 0x7ffd9bbdf660 sp 0x7ffd9bbdf658 READ of size 8 at 0x00000051d0b8 thread T0 #0 0x7f70850bc903 in json_dispatch ../src/shared/json.c:4347 systemd#1 0x4a5b54 in oci_seccomp_syscalls ../src/nspawn/nspawn-oci.c:1838 systemd#2 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 systemd#3 0x4a668c in oci_seccomp ../src/nspawn/nspawn-oci.c:1905 systemd#4 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 systemd#5 0x4a7d8c in oci_linux ../src/nspawn/nspawn-oci.c:2030 systemd#6 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 systemd#7 0x4aa31c in oci_load ../src/nspawn/nspawn-oci.c:2198 systemd#8 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 systemd#9 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 systemd#10 0x4552fb in main ../src/nspawn/nspawn.c:5920 systemd#11 0x7f7083a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) systemd#12 0x7f7083a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) systemd#13 0x40d284 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/systemd-nspawn+0x40d284) 0x00000051d0b8 is located 40 bytes to the left of global variable 'bus_standard_errors_copy_0' defined in '../src/libsystemd/sd-bus/bus-error.h:57:1' (0x51d0e0) of size 8 0x00000051d0b8 is located 0 bytes to the right of global variable 'table' defined in '../src/nspawn/nspawn-oci.c:1829:43' (0x51d040) of size 120 SUMMARY: AddressSanitizer: global-buffer-overflow ../src/shared/json.c:4347 in json_dispatch Shadow bytes around the buggy address: 0x00008009b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009b9d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9e0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 =>0x00008009ba10: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9 0x00008009ba20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3789231==ABORTING (cherry picked from commit 525c3e3) (cherry picked from commit b8ed816)

We can't dereference the variant object directly, as it might be a magic object (which has an address on a faulting page); use json_variant_is_sensitive() instead that handles this case. For example, with an empty array: ==1547789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000023 (pc 0x7fd616ca9a18 bp 0x7ffcba1dc7c0 sp 0x7ffcba1dc6d0 T0) ==1547789==The signal is caused by a READ memory access. ==1547789==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fd616ca9a18 in json_variant_strv ../src/shared/json.c:2190 systemd#1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 systemd#2 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 systemd#3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 systemd#4 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400 systemd#5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 systemd#6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 systemd#7 0x40691c in main ../src/fuzz/fuzz-main.c:50 systemd#8 0x7fd61564a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) systemd#9 0x7fd61564a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) systemd#10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) DEDUP_TOKEN: json_variant_strv--oci_args--json_dispatch AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ../src/shared/json.c:2190 in json_variant_strv ==1547789==ABORTING Or with an empty string in an array: ../src/shared/json.c:2202:39: runtime error: member access within misaligned address 0x000000000007 for type 'struct JsonVariant', which requires 8 byte alignment 0x000000000007: note: pointer points here <memory cannot be printed> #0 0x7f35f4ca9bcf in json_variant_strv ../src/shared/json.c:2202 systemd#1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173 systemd#2 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 systemd#3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428 systemd#4 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400 systemd#5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187 systemd#6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23 systemd#7 0x40691c in main ../src/fuzz/fuzz-main.c:50 systemd#8 0x7f35f364a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) systemd#9 0x7f35f364a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) systemd#10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/json.c:2202:39 in Note: this happens only if json_variant_copy() in json_variant_set_source() fails. Found by Nallocfuzz. (cherry picked from commit 909eb4c) (cherry picked from commit 58c1816)

If we fail to combine the new entry with a previous one, or update it in the hashmap, we might later on attempt a double-free: ================================================================= ==10==ERROR: AddressSanitizer: attempting double-free on 0x611000039fc0 in thread T0: SCARINESS: 42 (double-free) #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 systemd#1 0x7f55e431d9f2 in _hashmap_clear /work/build/../../src/systemd/src/basic/hashmap.c:927:33 systemd#2 0x7f55e431d4c8 in _hashmap_free /work/build/../../src/systemd/src/basic/hashmap.c:896:17 systemd#3 0x4de1de in ordered_hashmap_free_free_free /work/build/../../src/systemd/src/basic/hashmap.h:120:24 systemd#4 0x4de1de in ordered_hashmap_free_free_freep /work/build/../../src/systemd/src/basic/hashmap.h:434:1 systemd#5 0x4de1de in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:26:1 systemd#6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) systemd#7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) systemd#14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#15 0x41f7cd in _start (/build/fuzz-catalog+0x41f7cd) DEDUP_TOKEN: __interceptor_free--_hashmap_clear--_hashmap_free 0x611000039fc0 is located 0 bytes inside of 224-byte region [0x611000039fc0,0x61100003a0a0) freed by thread T0 here: #0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 systemd#1 0x7f55e451493d in freep /work/build/../../src/systemd/src/basic/alloc-util.h:107:22 systemd#2 0x7f55e451493d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:187:1 systemd#3 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 systemd#4 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 systemd#5 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) systemd#6 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#7 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#8 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#9 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#10 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#11 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#12 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) systemd#13 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_free--freep--finish_item previously allocated by thread T0 here: #0 0x4a0c06 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 systemd#1 0x4de539 in malloc (/build/fuzz-catalog+0x4de539) systemd#2 0x7f55e42bf96b in memdup /work/build/../../src/systemd/src/basic/alloc-util.c:16:15 systemd#3 0x7f55e451475d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:176:28 systemd#4 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45 systemd#5 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16 systemd#6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8) systemd#7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35) systemd#14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--memdup SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in __interceptor_free Found by Nallocfuzz. (cherry picked from commit ac874b8) (cherry picked from commit b1663b8)

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 systemd#1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) systemd#2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 systemd#3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 systemd#4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 systemd#5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 systemd#6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 systemd#7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 systemd#8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 systemd#9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) systemd#10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) systemd#17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit b453ebf) (cherry picked from commit 9dde31a)

==8036==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x4a10bc in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3 systemd#1 0x4deef1 in realloc (/build/fuzz-unit-file+0x4deef1) systemd#2 0x7ffa35abfe23 in greedy_realloc /work/build/../../src/systemd/src/basic/alloc-util.c:70:13 systemd#3 0x7ffa35aefad2 in parse_env_file_internal /work/build/../../src/systemd/src/basic/env-file.c:127:38 systemd#4 0x7ffa35af08a6 in parse_env_file_fdv /work/build/../../src/systemd/src/basic/env-file.c:374:13 systemd#5 0x7ffa35b6391e in parse_extension_release_atv /work/build/../../src/systemd/src/basic/os-util.c:323:16 systemd#6 0x7ffa35b63c8a in parse_extension_release_sentinel /work/build/../../src/systemd/src/basic/os-util.c:360:13 systemd#7 0x7ffa35a5e3f5 in parse_os_release_specifier /work/build/../../src/systemd/src/shared/specifier.c:292:13 systemd#8 0x7ffa35a5e3f5 in specifier_os_id /work/build/../../src/systemd/src/shared/specifier.c:303:16 systemd#9 0x7ffa35a5c7f5 in specifier_printf /work/build/../../src/systemd/src/shared/specifier.c:70:45 systemd#10 0x7ffa3690b279 in unit_full_printf_full /work/build/../../src/systemd/src/core/unit-printf.c:264:16 systemd#11 0x7ffa367de795 in config_parse_bus_name /work/build/../../src/systemd/src/core/load-fragment.c:2401:13 systemd#12 0x7ffa358fe5ec in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:151:24 systemd#13 0x7ffa358fe5ec in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:257:16 systemd#14 0x7ffa358fd653 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:400:21 systemd#15 0x4de828 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/core/fuzz-unit-file.c:72:16 systemd#16 0x4df208 in NaloFuzzerTestOneInput (/build/fuzz-unit-file+0x4df208) systemd#17 0x4fe213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#18 0x4fd9fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#19 0x4ff0c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#20 0x4ffd95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#21 0x4ef0ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#22 0x4ef9c8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#23 0x4df485 in main (/build/fuzz-unit-file+0x4df485) systemd#24 0x7ffa35232082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_realloc--realloc--greedy_realloc SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit 6c13a39) (cherry picked from commit b4c9a9b)

If we fail any allocation prior adding the lease to the server lease hashmap. ==2103==ERROR: LeakSanitizer: detected memory leaks Direct leak of 128 byte(s) in 2 object(s) allocated from: #0 0x4a203e in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3 systemd#1 0x4f6341 in calloc (/build/fuzz-dhcp-server+0x4f6341) systemd#2 0x4ec818 in add_lease /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-server.c:26:9 systemd#3 0x4ec2bf in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-server.c:75:9 systemd#4 0x4f68a8 in NaloFuzzerTestOneInput (/build/fuzz-dhcp-server+0x4f68a8) systemd#5 0x5158b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#6 0x51509a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#7 0x516769 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#8 0x517435 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#9 0x50679f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#10 0x507068 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#11 0x4f6b25 in main (/build/fuzz-dhcp-server+0x4f6b25) systemd#12 0x7f16084e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_calloc--calloc--add_lease SUMMARY: AddressSanitizer: 128 byte(s) leaked in 2 allocation(s). Found by Nallocufzz. (cherry picked from commit aca607d) (cherry picked from commit 18e08a4)

==1==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x7fc096c7243b in strdup (/lib64/libasan.so.8+0x7243b) systemd#1 0x7fc095db3899 in bus_socket_set_transient_property ../src/core/dbus-socket.c:386 systemd#2 0x7fc095db5140 in bus_socket_set_property ../src/core/dbus-socket.c:460 systemd#3 0x7fc095dd20f1 in bus_unit_set_properties ../src/core/dbus-unit.c:2473 systemd#4 0x7fc095d87d53 in transient_unit_from_message ../src/core/dbus-manager.c:1025 systemd#5 0x7fc095d8872f in method_start_transient_unit ../src/core/dbus-manager.c:1112 systemd#6 0x7fc0944ddf4f in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 systemd#7 0x7fc0944e7854 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 systemd#8 0x7fc0944e8f03 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 systemd#9 0x7fc09454ad78 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3011 systemd#10 0x7fc09454b302 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3053 systemd#11 0x7fc09454e158 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3273 systemd#12 0x7fc09454e2f2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3300 systemd#13 0x7fc094551a59 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3642 systemd#14 0x7fc094727830 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 systemd#15 0x7fc094731009 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 systemd#16 0x7fc094732124 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 systemd#17 0x7fc095f7af9f in manager_loop ../src/core/manager.c:3242 systemd#18 0x41cc7c in invoke_main_loop ../src/core/main.c:1937 systemd#19 0x4252e0 in main ../src/core/main.c:3072 systemd#20 0x7fc092a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s). (cherry picked from commit f8b21a0) (cherry picked from commit 98d2a09)

Provides coverage for systemd#26872. With systemd#26875 reverted: [16444.287652] testsuite-03.sh[71]: + for i in {0..19} [16444.287652] testsuite-03.sh[71]: + systemctl start transaction-cycle0.service [16444.359503] systemd[1]: ================================================================= [16444.360321] systemd[1]: ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6180002e578e at pc 0x7f73b25ec7a6 bp 0x7ffc5531c6f0 sp 0x7ffc5531be68 [16444.360798] systemd[1]: [16444.361044] systemd[1]: READ of size 783 at 0x6180002e578e thread T0 (systemd) [16444.391684] systemd[1]: #0 0x7f73b25ec7a5 (/lib64/libasan.so.5+0x557a5) [16444.392167] systemd[1]: systemd#1 0x7f73b260a1d5 in __interceptor_vasprintf (/lib64/libasan.so.5+0x731d5) [16444.392442] systemd[1]: systemd#2 0x7f73afa1d1e1 in log_format_iovec ../src/basic/log.c:996 [16444.392750] systemd[1]: systemd#3 0x7f73afa1e7b6 in log_struct_internal ../src/basic/log.c:1058 [16444.393101] systemd[1]: systemd#4 0x7f73b1979136 in transaction_verify_order_one ../src/core/transaction.c:392 [16444.393540] systemd[1]: systemd#5 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.393946] systemd[1]: systemd#6 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.394262] systemd[1]: systemd#7 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.394532] systemd[1]: systemd#8 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 [16444.394812] systemd[1]: systemd#9 0x7f73b197ac82 in transaction_verify_order_one ../src/core/transaction.c:463 ... (cherry picked from commit 0651e71) (cherry picked from commit fdc6ce1)

Spotted while fuzzing systemd#27890. ================================================================= ==908098==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x7f4efe6d81f5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xd81f5) (BuildId: dc689b05ca2577037af24700212bb5cce1f91c8a) systemd#1 0x7f4efb8e3ace in greedy_realloc ../src/basic/alloc-util.c:70 systemd#2 0x7f4efb93b713 in extract_first_word ../src/basic/extract-word.c:62 systemd#3 0x7f4efb970d50 in set_put_strsplit ../src/basic/hashmap.c:1902 systemd#4 0x7f4efd76c27e in exec_context_deserialize ../src/core/execute-serialize.c:3341 systemd#5 0x7f4efd778dcb in exec_deserialize ../src/core/execute-serialize.c:4122 systemd#6 0x4032c0 in LLVMFuzzerTestOneInput ../src/core/fuzz-execute-serialize.c:60 systemd#7 0x403c58 in main ../src/fuzz/fuzz-main.c:50 systemd#8 0x7f4efecccb49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) systemd#9 0x7f4efecccc0a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) systemd#10 0x402344 in _start (/home/mrc0mmand/repos/@systemd/systemd/build-san/fuzz-execute-serialize+0x402344) (BuildId: 195f382cf1e39b9ba48d6dcf5a90f786d72837a8) SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Aborted (core dumped) ==911550==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x4df281 in strdup (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x4df281) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#1 0x7fe4ae2b38fc in _set_put_strndup_full /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/basic/hashmap.c:1868:21 systemd#2 0x7fe4b0bad897 in exec_context_deserialize /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/core/execute-serialize.c:3914:29 systemd#3 0x7fe4b0b80592 in exec_deserialize /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/core/execute-serialize.c:4109:13 systemd#4 0x531d0f in LLVMFuzzerTestOneInput /home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/../src/core/fuzz-execute-serialize.c:59:16 systemd#5 0x440594 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x440594) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#6 0x43f9b9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x43f9b9) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#7 0x440fd5 in fuzzer::Fuzzer::MutateAndTestOne() (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x440fd5) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#8 0x441955 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x441955) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#9 0x42e151 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x42e151) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#10 0x45a916 in main (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x45a916) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) systemd#11 0x7fe4ac449b49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) systemd#12 0x7fe4ac449c0a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) systemd#13 0x422b74 in _start (/home/mrc0mmand/repos/@systemd/systemd/build-libfuzz/fuzz-execute-serialize+0x422b74) (BuildId: 4e58706e607b8be7972d83c421bc0b625d509ec6) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s). (cherry picked from commit 9b41270) (cherry picked from commit 7bd680b) (cherry picked from commit b97ec52)

fuzzers randomly fail with the following: ``` ==172==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7f41169cb39b in update_argv /work/build/../../src/systemd/src/basic/argv-util.c:96:13 systemd#1 0x7f41169cb39b in rename_process /work/build/../../src/systemd/src/basic/argv-util.c:210:16 systemd#2 0x7f4116b6824e in safe_fork_full /work/build/../../src/systemd/src/basic/process-util.c:1516:21 systemd#3 0x7f4116bffa36 in safe_fork /work/build/../../src/systemd/src/basic/process-util.h:191:16 systemd#4 0x7f4116bffa36 in parse_timestamp /work/build/../../src/systemd/src/basic/time-util.c:1047:13 systemd#5 0x4a61e6 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-time-util.c:16:16 systemd#6 0x4c4a13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#7 0x4c41fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#8 0x4c58c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#9 0x4c6595 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#10 0x4b58ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#11 0x4def52 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 systemd#12 0x7f4115ea3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: e678fe54a5d2c2092f8e47eb0b33105e380f7340) systemd#13 0x41f5ad in _start (build-out/fuzz-time-util+0x41f5ad) DEDUP_TOKEN: update_argv--rename_process--safe_fork_full Uninitialized value was created by an allocation of 'fv' in the stack frame of function 'have_effective_cap' #0 0x7f41169d3540 in have_effective_cap /work/build/../../src/systemd/src/basic/capability-util.c:21 ``` (cherry picked from commit e521898) (cherry picked from commit 00c146f) (cherry picked from commit 25dcd38)

By making assert_return() critical, we observe the following: --- Program received signal SIGABRT, Aborted. 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 (gdb) bt #0 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 systemd#1 0x00007f013205fafe in raise () from /lib64/libc.so.6 systemd#2 0x00007f013204887f in abort () from /lib64/libc.so.6 systemd#3 0x00007f01338d02d6 in log_assert_failed ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:948 systemd#4 0x00007f01338d0457 in log_assert_failed_return ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:967 systemd#5 0x00007f0133c7ed83 in sd_event_add_time (e=0x617000022280, ret=0x610000007e98, clock=7, usec=24054941030, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1399 systemd#6 0x00007f0133c7f725 in sd_event_add_time_relative (e=0x617000022280, ret=0x610000007e98, clock=7, usec=1000000, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1462 systemd#7 0x0000000000464cac in dns_scope_announce (scope=0x610000007e40, goodbye=true) at ../src/resolve/resolved-dns-scope.c:1530 systemd#8 0x0000000000504d08 in link_free (l=0x612000023d40) at ../src/resolve/resolved-link.c:83 systemd#9 0x000000000052dbbd in manager_free (m=0x619000000a80) at ../src/resolve/resolved-manager.c:697 systemd#10 0x0000000000562328 in manager_freep (p=0x7f012f800040) at ../src/resolve/resolved-manager.h:198 systemd#11 0x000000000056315a in run (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:25 systemd#12 0x0000000000563284 in main (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:99 --- Prompted by systemd#30049 (comment). (cherry picked from commit a4be4ad) (cherry picked from commit 390e942) (cherry picked from commit 3529def) (cherry picked from commit 8e70e22)

By making assert_return() critical, we observe the following: --- Program received signal SIGABRT, Aborted. 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 (gdb) bt #0 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 systemd#1 0x00007f013205fafe in raise () from /lib64/libc.so.6 systemd#2 0x00007f013204887f in abort () from /lib64/libc.so.6 systemd#3 0x00007f01338d02d6 in log_assert_failed ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:948 systemd#4 0x00007f01338d0457 in log_assert_failed_return ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:967 systemd#5 0x00007f0133c7ed83 in sd_event_add_time (e=0x617000022280, ret=0x610000007e98, clock=7, usec=24054941030, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1399 systemd#6 0x00007f0133c7f725 in sd_event_add_time_relative (e=0x617000022280, ret=0x610000007e98, clock=7, usec=1000000, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1462 systemd#7 0x0000000000464cac in dns_scope_announce (scope=0x610000007e40, goodbye=true) at ../src/resolve/resolved-dns-scope.c:1530 systemd#8 0x0000000000504d08 in link_free (l=0x612000023d40) at ../src/resolve/resolved-link.c:83 systemd#9 0x000000000052dbbd in manager_free (m=0x619000000a80) at ../src/resolve/resolved-manager.c:697 systemd#10 0x0000000000562328 in manager_freep (p=0x7f012f800040) at ../src/resolve/resolved-manager.h:198 systemd#11 0x000000000056315a in run (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:25 systemd#12 0x0000000000563284 in main (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:99 --- Prompted by systemd#30049 (comment). (cherry picked from commit a4be4ad)

fuzzers randomly fail with the following: ``` ==172==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7f41169cb39b in update_argv /work/build/../../src/systemd/src/basic/argv-util.c:96:13 systemd#1 0x7f41169cb39b in rename_process /work/build/../../src/systemd/src/basic/argv-util.c:210:16 systemd#2 0x7f4116b6824e in safe_fork_full /work/build/../../src/systemd/src/basic/process-util.c:1516:21 systemd#3 0x7f4116bffa36 in safe_fork /work/build/../../src/systemd/src/basic/process-util.h:191:16 systemd#4 0x7f4116bffa36 in parse_timestamp /work/build/../../src/systemd/src/basic/time-util.c:1047:13 systemd#5 0x4a61e6 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-time-util.c:16:16 systemd#6 0x4c4a13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#7 0x4c41fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#8 0x4c58c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#9 0x4c6595 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#10 0x4b58ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#11 0x4def52 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 systemd#12 0x7f4115ea3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: e678fe54a5d2c2092f8e47eb0b33105e380f7340) systemd#13 0x41f5ad in _start (build-out/fuzz-time-util+0x41f5ad) DEDUP_TOKEN: update_argv--rename_process--safe_fork_full Uninitialized value was created by an allocation of 'fv' in the stack frame of function 'have_effective_cap' #0 0x7f41169d3540 in have_effective_cap /work/build/../../src/systemd/src/basic/capability-util.c:21 ``` (cherry picked from commit e521898)

By making assert_return() critical, we observe the following: --- Program received signal SIGABRT, Aborted. 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 (gdb) bt #0 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 systemd#1 0x00007f013205fafe in raise () from /lib64/libc.so.6 systemd#2 0x00007f013204887f in abort () from /lib64/libc.so.6 systemd#3 0x00007f01338d02d6 in log_assert_failed ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:948 systemd#4 0x00007f01338d0457 in log_assert_failed_return ( text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, func=0x7f01340045a0 <__func__.148> "sd_event_add_time") at ../src/basic/log.c:967 systemd#5 0x00007f0133c7ed83 in sd_event_add_time (e=0x617000022280, ret=0x610000007e98, clock=7, usec=24054941030, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1399 systemd#6 0x00007f0133c7f725 in sd_event_add_time_relative (e=0x617000022280, ret=0x610000007e98, clock=7, usec=1000000, accuracy=0, callback=0x4625b4 <on_announcement_timeout>, userdata=0x610000007e40) at ../src/libsystemd/sd-event/sd-event.c:1462 systemd#7 0x0000000000464cac in dns_scope_announce (scope=0x610000007e40, goodbye=true) at ../src/resolve/resolved-dns-scope.c:1530 systemd#8 0x0000000000504d08 in link_free (l=0x612000023d40) at ../src/resolve/resolved-link.c:83 systemd#9 0x000000000052dbbd in manager_free (m=0x619000000a80) at ../src/resolve/resolved-manager.c:697 systemd#10 0x0000000000562328 in manager_freep (p=0x7f012f800040) at ../src/resolve/resolved-manager.h:198 systemd#11 0x000000000056315a in run (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:25 systemd#12 0x0000000000563284 in main (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:99 --- Prompted by systemd#30049 (comment). (cherry picked from commit a4be4ad) (cherry picked from commit 390e942)

Avoid passing a NULL message to sd_bus_message_is_signal(), to not trip over an assertion: [ 132.869436] H testsuite-82.sh[614]: + systemctl --no-block --check-inhibitors=yes soft-reboot [ 132.967386] H systemd[1]: Created slice system-systemd\x2dcoredump.slice. [ 133.018292] H systemd[1]: Starting inhibit.service... [ 133.122610] H systemd[1]: Started systemd-coredump@0-665-0.service. [ 133.163643] H systemd[1]: Started inhibit.service. [ 133.206836] H testsuite-82.sh[614]: + exec sleep infinity [ 133.236762] H systemd-logind[611]: The system will reboot now! [ 135.891607] H systemd-coredump[667]: [🡕] Process 663 (busctl) of user 0 dumped core. Stack trace of thread 663: #0 0x00007f2ec45e6acf raise (libc.so.6 + 0x4eacf) systemd#1 0x00007f2ec45b9ea5 abort (libc.so.6 + 0x21ea5) systemd#2 0x00007f2ec4b5c9a6 log_assert_failed (libsystemd-shared-255.so + 0x1ff9a6) systemd#3 0x00007f2ec4b5dca5 log_assert_failed_return (libsystemd-shared-255.so + 0x200ca5) systemd#4 0x00007f2ec4bb3df6 sd_bus_message_is_signal (libsystemd-shared-255.so + 0x256df6) systemd#5 0x000000000040e478 monitor (busctl + 0xe478) systemd#6 0x000000000040e82f verb_monitor (busctl + 0xe82f) systemd#7 0x00007f2ec4b202cb dispatch_verb (libsystemd-shared-255.so + 0x1c32cb) systemd#8 0x00000000004074fa busctl_main (busctl + 0x74fa) systemd#9 0x0000000000407525 run (busctl + 0x7525) systemd#10 0x000000000040ff67 main (busctl + 0xff67) systemd#11 0x00007f2ec45d2d85 __libc_start_main (libc.so.6 + 0x3ad85) systemd#12 0x00000000004044be _start (busctl + 0x44be) ELF object binary architecture: AMD x86-64 [ 136.141152] H dbus-daemon[634]: [system] Monitoring connection :1.2 closed. [ 136.152233] H systemd[1]: busctl.service: Main process exited, code=dumped, status=6/ABRT [ 136.153996] H systemd[1]: busctl.service: Failed with result 'core-dump'. The asertion in question: Assertion 'm' failed at src/libsystemd/sd-bus/bus-message.c:1015, function sd_bus_message_is_signal(). Aborting. We can get a NULL message here through sd_bus_process() -> bus_process_internal() -> process_running(), so let's handle this case appropriately. (cherry picked from commit b4a21d5)

Since in that case the event loop is already finished and we'd hit an assertion: [ 1295.993300] testsuite-75.sh[50]: + systemctl stop systemd-resolved.service [ 1296.005152] systemd-resolved[298]: Assertion 'e->state != SD_EVENT_FINISHED' failed at src/libsystemd/sd-event/sd-event.c:1252, function sd_event_add_io(). Aborting. Thread 1 (Thread 0x7f17d25e2940 (LWP 298)): #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 systemd#1 0x00007f17d16ac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 systemd#2 0x00007f17d165c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 systemd#3 0x00007f17d16444b8 in __GI_abort () at abort.c:79 systemd#4 0x00007f17d2402d2d in log_assert_failed (text=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>) at ../build/src/basic/log.c:968 systemd#5 0x00007f17d240401c in log_assert_failed_return (text=text@entry=0x7f17d2533f13 "e->state != SD_EVENT_FINISHED", file=file@entry=0x7f17d25195d9 "src/libsystemd/sd-event/sd-event.c", line=line@entry=1252, func=func@entry=0x7f17d2567260 <__func__.140> "sd_event_add_io") at ../build/src/basic/log.c:987 systemd#6 0x00007f17d24d011a in sd_event_add_io (e=0x55e5cb497270, ret=0x55e5cb4a5120, fd=fd@entry=26, events=events@entry=1, callback=callback@entry=0x55e5caff5466 <on_io_event>, userdata=0x55e5cb4a5110) at ../build/src/libsystemd/sd-event/sd-event.c:1252 systemd#7 0x000055e5caff571c in manager_add_socket_to_graveyard (m=0x55e5cb43cf00, fd=26) at ../build/src/resolve/resolved-socket-graveyard.c:117 systemd#8 0x000055e5cafd4253 in dns_transaction_close_connection (t=t@entry=0x55e5cb57c7d0, use_graveyard=use_graveyard@entry=true) at ../build/src/resolve/resolved-dns-transaction.c:78 systemd#9 0x000055e5cafd8444 in dns_transaction_complete (t=t@entry=0x55e5cb57c7d0, state=state@entry=DNS_TRANSACTION_ABORTED) at ../build/src/resolve/resolved-dns-transaction.c:427 systemd#10 0x000055e5cafc4969 in dns_scope_abort_transactions (s=s@entry=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:91 systemd#11 0x000055e5cafc6aee in dns_scope_free (s=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:106 systemd#12 0x000055e5cafe72d1 in link_free (l=0x55e5cb4a5160) at ../build/src/resolve/resolved-link.c:94 systemd#13 0x000055e5cafedefc in manager_free (m=0x55e5cb43cf00) at ../build/src/resolve/resolved-manager.c:697 systemd#14 0x000055e5caff99b6 in manager_freep (p=p@entry=0x7ffd71fab8f8) at ../build/src/resolve/resolved-manager.h:198 systemd#15 0x000055e5caff9d66 in run (argc=argc@entry=1, argv=argv@entry=0x7ffd71faba78) at ../build/src/resolve/resolved.c:25 systemd#16 0x000055e5caff9fe3 in main (argc=1, argv=0x7ffd71faba78) at ../build/src/resolve/resolved.c:99 Resolves: systemd#30618 (cherry picked from commit ac1b7b9)

haraldh closed this Jun 3, 2015

crrodriguez mentioned this pull request Jun 8, 2015

util:bind_remount_recursive() fix "use after free" #96

Merged

mischief pushed a commit to mischief/systemd that referenced this pull request Jun 12, 2015

Merge pull request systemd#9 from crawford/v220-xen

8c3488c

rules: whitelist xvd* devices

crrodriguez mentioned this pull request Jun 13, 2015

localectl, loginctl (sd-bus?) memory leak #185

Closed

teg mentioned this pull request Jun 17, 2015

hashmap debugging is not thread-safe #264

Closed

Serafean mentioned this pull request Jan 14, 2016

I/O errors on journal files can make apps using sd-journal SIGBUS (such as qtcreator) #2323

Open

TKSpyrop mentioned this pull request Feb 9, 2016

systemd crash #2558

Closed

lnykryn added a commit to lnykryn/systemd that referenced this pull request Mar 23, 2016

Merge pull request systemd#9 from msekletar/bz1266934

efd69b5

Revert original NPIV support patch, instead use patch from systemd#2731

klement mentioned this pull request Apr 1, 2016

systemd-journal abort when journal capacity exceeded #2924

Closed

2 tasks

hese10 mentioned this pull request Mar 31, 2017

systemd-journald coredump when file system full #5678

Closed

2 tasks

keszybz referenced this pull request in keszybz/systemd May 25, 2017

Merge pull request #9 from zonque/squashfs-align

18410c4

encoder: fix two image size detection issues

ReubenM mentioned this pull request Jul 25, 2017

systemd-resolved coredump several times a day #6456

Closed

mdrslmr mentioned this pull request Nov 14, 2017

systemd-logind's IP sandbox breaks nss-nis and suchlike #7074

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

mount: use libmount to monitor mountinfo & utab #9

mount: use libmount to monitor mountinfo & utab #9

haraldh commented Jun 2, 2015

karelzak commented Jun 3, 2015

haraldh commented Jun 3, 2015

mount: use libmount to monitor mountinfo & utab #9

mount: use libmount to monitor mountinfo & utab #9

Conversation

haraldh commented Jun 2, 2015

karelzak commented Jun 3, 2015

haraldh commented Jun 3, 2015