It seems to be failing with
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==13==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055f428 bp 0x7ffc3743a170 sp 0x7ffc3743a080 T0)
==13==The signal is caused by a WRITE memory access.
==13==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x55f428 in mnt_table_parse_next /src/util-linux/libmount/src/tab_parse.c:587:6
#1 0x55c200 in __table_parse_stream /src/util-linux/libmount/src/tab_parse.c:737:8
#2 0x55be38 in mnt_table_parse_stream /src/util-linux/libmount/src/tab_parse.c:809:8
#3 0x5511ff in LLVMFuzzerTestOneInput /src/util-linux/libmount/src/fuzz.c:21:16
#4 0x458a31 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:558:15
#5 0x458175 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#6 0x45a117 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:770:7
#7 0x45a319 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:799:3
#8 0x44a055 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:846:6
#9 0x471bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#10 0x7fe3bd93b83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#11 0x41f208 in _start (/out/test_mount_fuzz+0x41f208)
DEDUP_TOKEN: mnt_table_parse_next--__table_parse_stream--mnt_table_parse_stream
```
to make it easier to catch regressions going forward.
It's a follow-up to 678d03cc8a, 9f03ad60e5
and 4bdb681571
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
* 'fuzz' of https://github.com/evverx/util-linux:
tests: pack testcases into zip archives
tests: integrate test_last_fuzz into the testsuite
tests: add a fuzzer for process_wtmp_file
docs: mention OSS-Fuzz and CIFuzz and how to build fuzz targets locally
tools: make it possible to set all the fuzzing flags with config-gen
build-system: make "make distcheck" work
travis: set CXX correctly
travis: turn on --enable-fuzzing-engine
build-sys: add support for --enable-fuzzing-engine
tests: integrate test_mount_fuzz into the testsuite
tests: take exit codes into account
tests: add a fuzzer for mnt_table_parse_stream
We need to skip useless gaps between partition if the gap is no large
enough for a new partition. Unfortunately, the current code checks
size of the gap, but does not care for location of the gap -- this is
good enough for dialog driven partitioning, but it's pretty bad if
start of the partition is explicitly specified (e.g. sfdisk).
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1860461
Signed-off-by: Karel Zak <kzak@redhat.com>
* 'sscanf-specifiers' of https://github.com/evverx/util-linux:
travis: turn off libmount on OSX
cifuzz: turn on MSan
build-system: stop looking for %ms and %as
Now that the absence of the sscanf modifiers no longer prevents Travis from building libmount
automatically it seems util-linux is failing to compile there with
```
In file included from disk-utils/fsck.c:49:
[1m./libmount/src/libmount.h:32:10: [0m[0;1;31mfatal error: [0m[1m'mntent.h' file not found[0m
[0;1;32m ^~~~~~~~~~
[0m1 error generated.
make[2]: *** [disk-utils/fsck-fsck.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
```
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
Looks like those specifiers haven't been used since 6c9ab254ae
(where sscanf was removed) was merged. This should help to get
util-linux to compile with MSan. Currently it's failing with
```
...
configure: error: libmount selected, but required scanf string alloc modifier not available
...
configure:20240: ./conftest
==116617==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x496fd6 in main /home/vagrant/util-linux/conftest.c:171:6
#1 0x7f5eb85ea1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#2 0x41c2cd in _start (/home/vagrant/util-linux/conftest+0x41c2cd)
SUMMARY: MemorySanitizer: use-of-uninitialized-value /home/vagrant/util-linux/conftest.c:171:6 in main
Exiting
configure:20240: $? = 77
...
configure:20265: $? = 0
configure:20265: ./conftest
MemorySanitizer: bad pointer 0x000000496e60
==116627==MemorySanitizer CHECK failed: /builddir/build/BUILD/compiler-rt-9.0.1.src/lib/msan/../sanitizer_common/sanitizer_allocator_secondary.h:177 "((IsAligned(reinterpret_cast<uptr>(p), page_size_))) != (0)" (0x0, 0x0)
#0 0x41d1d8 in MsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/vagrant/util-linux/conftest+0x41d1d8)
#1 0x484e1e in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/vagrant/util-linux/conftest+0x484e1e)
#2 0x42066c in __msan::MsanDeallocate(__sanitizer::StackTrace*, void*) (/home/vagrant/util-linux/conftest+0x42066c)
#3 0x424bc9 in free (/home/vagrant/util-linux/conftest+0x424bc9)
#4 0x496fae in main /home/vagrant/util-linux/conftest.c:173:2
#5 0x7f2245f311a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#6 0x41c2cd in _start (/home/vagrant/util-linux/conftest+0x41c2cd)
configure:20265: $? = 77
configure: program exited with status 77
...
| }
configure:22568: result: no
configure:22926: error: libmount selected, but required scanf string alloc modifier not available
```
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
so that the fuzz targets (along with everything else) can be built
and run with:
```
./tools/config-gen fuzz
make check
```
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
In its current form the testsuite isn't suitable for running
fuzz targets because it ignores exit codes and relies solely
on diffs (that unfortunately aren't helpful because the nondeterministic
nature of fuzz targets makes it kind of hard to specify expected output
in advance). This patch is supposed to address the "exit code" issue for now.
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
The fuzzer is supposed to cover `mnt_table_parse_stream`, which is
used by systemd to parse /proc/self/mountinfo. The systemd project
has run into memory leaks there at least twice:
https://github.com/systemd/systemd/pull/12252#issuecomment-482804040https://github.com/systemd/systemd/issues/8504
so it seems to be a good idea to continuously fuzz that particular
function.
The patch can be tested locally by installing clang and running
./tools/oss-fuzz.sh. Currently the fuzzer is failing with
```
=================================================================
==96638==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 216 byte(s) in 1 object(s) allocated from:
#0 0x50cd77 in calloc (/home/vagrant/util-linux/out/test_mount_fuzz+0x50cd77)
#1 0x58716a in mnt_new_fs /home/vagrant/util-linux/libmount/src/fs.c:36:25
#2 0x54f224 in __table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:728:9
#3 0x54eed8 in mnt_table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:804:8
#4 0x5448b2 in LLVMFuzzerTestOneInput /home/vagrant/util-linux/libmount/src/fuzz.c:19:16
#5 0x44cc88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44cc88)
#6 0x44d8b0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44d8b0)
#7 0x44e270 in fuzzer::Fuzzer::MutateAndTestOne() (/home/vagrant/util-linux/out/test_mount_fuzz+0x44e270)
#8 0x450617 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/vagrant/util-linux/out/test_mount_fuzz+0x450617)
#9 0x43adbb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/util-linux/out/test_mount_fuzz+0x43adbb)
#10 0x42ad46 in main (/home/vagrant/util-linux/out/test_mount_fuzz+0x42ad46)
#11 0x7fa084f621a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
SUMMARY: AddressSanitizer: 216 byte(s) leaked in 1 allocation(s).
INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.
```
Once the bug is fixed and the OSS-Fuzz counterpart is merged it should be possible
to turn on CIFuzz to make sure the fuzz target can be built and run for some time
without crashing: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
Linux kernel assumes only 1KiB extended partition to avoid overlapping
with nested logical partitions. We need to follow this rule for
BLKPG_ADD_PARTITION.
Addresses: https://github.com/karelzak/util-linux/issues/1112
Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak