summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorLuca Boccassi <bluca@debian.org>2023-05-06 02:53:26 +0200
committerGitHub <noreply@github.com>2023-05-06 02:53:26 +0200
commit8069cdc7e7531f8d76714fc6ea939ad28e7ff44c (patch)
treeda8b034056d69ec070877f951e98b48bef921b03 /src
parentzsh: remove usage of PREFIX in _systemctl (diff)
parenttest: add a test case for #27521 (diff)
downloadsystemd-8069cdc7e7531f8d76714fc6ea939ad28e7ff44c.tar.xz
systemd-8069cdc7e7531f8d76714fc6ea939ad28e7ff44c.zip
Merge pull request #27527 from mrc0mmand/fuzz-manager-serialize
core: a couple of follow-ups for issues found by fuzz-manager-serialize
Diffstat (limited to 'src')
-rw-r--r--src/core/socket.c240
-rw-r--r--src/core/unit.c4
-rw-r--r--src/shared/fdset.c14
3 files changed, 167 insertions, 91 deletions
diff --git a/src/core/socket.c b/src/core/socket.c
index 891276fd50..0fd1ad144b 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -2597,6 +2597,7 @@ static int socket_serialize(Unit *u, FILE *f, FDSet *fds) {
static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
Socket *s = SOCKET(u);
+ int r;
assert(u);
assert(key);
@@ -2651,124 +2652,183 @@ static int socket_deserialize_item(Unit *u, const char *key, const char *value,
s->control_command = s->exec_command[id];
}
} else if (streq(key, "fifo")) {
- int fd, skip = 0;
+ _cleanup_free_ char *fdv = NULL;
+ bool found = false;
+ int fd;
- if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
+ r = extract_first_word(&value, &fdv, NULL, 0);
+ if (r <= 0) {
log_unit_debug(u, "Failed to parse fifo value: %s", value);
- else {
- bool found = false;
-
- LIST_FOREACH(port, p, s->ports)
- if (p->fd < 0 &&
- p->type == SOCKET_FIFO &&
- path_equal_or_files_same(p->path, value+skip, 0)) {
- p->fd = fdset_remove(fds, fd);
- found = true;
- break;
- }
- if (!found)
- log_unit_debug(u, "No matching fifo socket found: %s", value+skip);
+ return 0;
}
+ fd = parse_fd(fdv);
+ if (fd < 0 || !fdset_contains(fds, fd)) {
+ log_unit_debug(u, "Invalid fifo value: %s", fdv);
+ return 0;
+ }
+
+ LIST_FOREACH(port, p, s->ports)
+ if (p->fd < 0 &&
+ p->type == SOCKET_FIFO &&
+ path_equal_or_files_same(p->path, value, 0)) {
+ p->fd = fdset_remove(fds, fd);
+ found = true;
+ break;
+ }
+ if (!found)
+ log_unit_debug(u, "No matching fifo socket found: %s", value);
+
} else if (streq(key, "special")) {
- int fd, skip = 0;
+ _cleanup_free_ char *fdv = NULL;
+ bool found = false;
+ int fd;
- if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
+ r = extract_first_word(&value, &fdv, NULL, 0);
+ if (r <= 0) {
log_unit_debug(u, "Failed to parse special value: %s", value);
- else {
- bool found = false;
-
- LIST_FOREACH(port, p, s->ports)
- if (p->fd < 0 &&
- p->type == SOCKET_SPECIAL &&
- path_equal_or_files_same(p->path, value+skip, 0)) {
- p->fd = fdset_remove(fds, fd);
- found = true;
- break;
- }
- if (!found)
- log_unit_debug(u, "No matching special socket found: %s", value+skip);
+ return 0;
+ }
+
+ fd = parse_fd(fdv);
+ if (fd < 0 || !fdset_contains(fds, fd)) {
+ log_unit_debug(u, "Invalid special value: %s", fdv);
+ return 0;
}
+ LIST_FOREACH(port, p, s->ports)
+ if (p->fd < 0 &&
+ p->type == SOCKET_SPECIAL &&
+ path_equal_or_files_same(p->path, value, 0)) {
+ p->fd = fdset_remove(fds, fd);
+ found = true;
+ break;
+ }
+ if (!found)
+ log_unit_debug(u, "No matching special socket found: %s", value);
+
} else if (streq(key, "mqueue")) {
- int fd, skip = 0;
+ _cleanup_free_ char *fdv = NULL;
+ bool found = false;
+ int fd;
- if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
+ r = extract_first_word(&value, &fdv, NULL, 0);
+ if (r <= 0) {
log_unit_debug(u, "Failed to parse mqueue value: %s", value);
- else {
- bool found = false;
-
- LIST_FOREACH(port, p, s->ports)
- if (p->fd < 0 &&
- p->type == SOCKET_MQUEUE &&
- streq(p->path, value+skip)) {
- p->fd = fdset_remove(fds, fd);
- found = true;
- break;
- }
- if (!found)
- log_unit_debug(u, "No matching mqueue socket found: %s", value+skip);
+ return 0;
+ }
+
+ fd = parse_fd(fdv);
+ if (fd < 0 || !fdset_contains(fds, fd)) {
+ log_unit_debug(u, "Invalid mqueue value: %s", fdv);
+ return 0;
}
+ LIST_FOREACH(port, p, s->ports)
+ if (p->fd < 0 &&
+ p->type == SOCKET_MQUEUE &&
+ streq(p->path, value)) {
+ p->fd = fdset_remove(fds, fd);
+ found = true;
+ break;
+ }
+ if (!found)
+ log_unit_debug(u, "No matching mqueue socket found: %s", value);
+
} else if (streq(key, "socket")) {
- int fd, type, skip = 0;
+ _cleanup_free_ char *fdv = NULL, *typev = NULL;
+ bool found = false;
+ int fd, type;
- if (sscanf(value, "%i %i %n", &fd, &type, &skip) < 2 || fd < 0 || type < 0 || !fdset_contains(fds, fd))
- log_unit_debug(u, "Failed to parse socket value: %s", value);
- else {
- bool found = false;
-
- LIST_FOREACH(port, p, s->ports)
- if (p->fd < 0 &&
- socket_address_is(&p->address, value+skip, type)) {
- p->fd = fdset_remove(fds, fd);
- found = true;
- break;
- }
- if (!found)
- log_unit_debug(u, "No matching %s socket found: %s",
- socket_address_type_to_string(type), value+skip);
+ r = extract_first_word(&value, &fdv, NULL, 0);
+ if (r <= 0) {
+ log_unit_debug(u, "Failed to parse socket fd from value: %s", value);
+ return 0;
+ }
+
+ fd = parse_fd(fdv);
+ if (fd < 0 || !fdset_contains(fds, fd)) {
+ log_unit_debug(u, "Invalid socket fd: %s", fdv);
+ return 0;
+ }
+
+ r = extract_first_word(&value, &typev, NULL, 0);
+ if (r <= 0) {
+ log_unit_debug(u, "Failed to parse socket type from value: %s", value);
+ return 0;
+ }
+
+ if (safe_atoi(typev, &type) < 0 || type < 0) {
+ log_unit_debug(u, "Invalid socket type: %s", typev);
+ return 0;
}
+ LIST_FOREACH(port, p, s->ports)
+ if (p->fd < 0 &&
+ socket_address_is(&p->address, value, type)) {
+ p->fd = fdset_remove(fds, fd);
+ found = true;
+ break;
+ }
+ if (!found)
+ log_unit_debug(u, "No matching %s socket found: %s",
+ socket_address_type_to_string(type), value);
+
} else if (streq(key, "netlink")) {
- int fd, skip = 0;
+ _cleanup_free_ char *fdv = NULL;
+ bool found = false;
+ int fd;
- if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
+ r = extract_first_word(&value, &fdv, NULL, 0);
+ if (r <= 0) {
log_unit_debug(u, "Failed to parse socket value: %s", value);
- else {
- bool found = false;
-
- LIST_FOREACH(port, p, s->ports)
- if (p->fd < 0 &&
- socket_address_is_netlink(&p->address, value+skip)) {
- p->fd = fdset_remove(fds, fd);
- found = true;
- break;
- }
- if (!found)
- log_unit_debug(u, "No matching netlink socket found: %s", value+skip);
+ return 0;
}
+ fd = parse_fd(fdv);
+ if (fd < 0 || !fdset_contains(fds, fd)) {
+ log_unit_debug(u, "Invalid socket value: %s", fdv);
+ return 0;
+ }
+
+ LIST_FOREACH(port, p, s->ports)
+ if (p->fd < 0 &&
+ socket_address_is_netlink(&p->address, value)) {
+ p->fd = fdset_remove(fds, fd);
+ found = true;
+ break;
+ }
+ if (!found)
+ log_unit_debug(u, "No matching netlink socket found: %s", value);
+
} else if (streq(key, "ffs")) {
- int fd, skip = 0;
+ _cleanup_free_ char *fdv = NULL;
+ bool found = false;
+ int fd;
- if (sscanf(value, "%i %n", &fd, &skip) < 1 || fd < 0 || !fdset_contains(fds, fd))
+ r = extract_first_word(&value, &fdv, NULL, 0);
+ if (r <= 0) {
log_unit_debug(u, "Failed to parse ffs value: %s", value);
- else {
- bool found = false;
-
- LIST_FOREACH(port, p, s->ports)
- if (p->fd < 0 &&
- p->type == SOCKET_USB_FUNCTION &&
- path_equal_or_files_same(p->path, value+skip, 0)) {
- p->fd = fdset_remove(fds, fd);
- found = true;
- break;
- }
- if (!found)
- log_unit_debug(u, "No matching ffs socket found: %s", value+skip);
+ return 0;
+ }
+
+ fd = parse_fd(fdv);
+ if (fd < 0 || !fdset_contains(fds, fd)) {
+ log_unit_debug(u, "Invalid ffs value: %s", fdv);
+ return 0;
}
+ LIST_FOREACH(port, p, s->ports)
+ if (p->fd < 0 &&
+ p->type == SOCKET_USB_FUNCTION &&
+ path_equal_or_files_same(p->path, value, 0)) {
+ p->fd = fdset_remove(fds, fd);
+ found = true;
+ break;
+ }
+ if (!found)
+ log_unit_debug(u, "No matching ffs socket found: %s", value);
+
} else
log_unit_debug(UNIT(s), "Unknown serialization key: %s", key);
diff --git a/src/core/unit.c b/src/core/unit.c
index c7635a291c..4e9ae6148f 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -6162,7 +6162,9 @@ int activation_details_deserialize(const char *key, const char *value, Activatio
return -EINVAL;
t = unit_type_from_string(value);
- if (t == _UNIT_TYPE_INVALID)
+ /* The activation details vtable has defined ops only for path
+ * and timer units */
+ if (!IN_SET(t, UNIT_PATH, UNIT_TIMER))
return -EINVAL;
*details = malloc0(activation_details_vtable[t]->object_size);
diff --git a/src/shared/fdset.c b/src/shared/fdset.c
index d816a3e4ef..2138ffcdb9 100644
--- a/src/shared/fdset.c
+++ b/src/shared/fdset.c
@@ -77,6 +77,10 @@ int fdset_put(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing invalid fd: %d", fd);
+
return set_put(MAKE_SET(s), FD_TO_PTR(fd));
}
@@ -115,6 +119,12 @@ bool fdset_contains(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX) {
+ log_debug("Refusing invalid fd: %d", fd);
+ return false;
+ }
+
return !!set_get(MAKE_SET(s), FD_TO_PTR(fd));
}
@@ -122,6 +132,10 @@ int fdset_remove(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Refusing invalid fd: %d", fd);
+
return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT;
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-03 09:51:38 +0100