Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix msan-problems in fuzzer-environment #129

Merged
merged 1 commit into from
Dec 12, 2023
Merged

Conversation

linderd
Copy link
Contributor

@linderd linderd commented Dec 4, 2023

make msan in libfuzzer-pipeline happy

iked/ikev2_pld.c Outdated Show resolved Hide resolved
@tobhe
Copy link
Member

tobhe commented Dec 4, 2023

Do you have a link to the error message? I don't understand how those could ever be used uninitialized.

@linderd
Copy link
Contributor Author

linderd commented Dec 5, 2023

Do you have a link to the error message? I don't understand how those could ever be used uninitialized.

for the use of md:
https://github.com/linderd/openiked-portable/actions/runs/6751828266/job/18356444600
for the use of spi32:
https://github.com/linderd/openiked-portable/actions/runs/7082747582/job/19273996029
for spi64 I thought it would also make sense, it looks like the same logic. At first I thought of a bug in the fuzzing harness, but also tried to simply initialize the vars and that worked. But yes, the spi thing looks strange..

@tobhe
Copy link
Member

tobhe commented Dec 5, 2023

Thanks, that explains what's happening!

Do you have a link to the error message? I don't understand how those could ever be used uninitialized.

for the use of md: https://github.com/linderd/openiked-portable/actions/runs/6751828266/job/18356444600

So this can't happen normally. ikev2_nat_detection() either returns -1 or initializes md. Since we check for ret == -1 we are good. The parser-libfuzzer test on the other hand has a bug because it defines ikev2_nat_detection() as return 0 and doesn't initialize md, so there is the actual problem. Maybe it should bzero(md, len)?

for the use of spi32: https://github.com/linderd/openiked-portable/actions/runs/7082747582/job/19273996029 for spi64 I thought it would also make sense, it looks like the same logic. At first I thought of a bug in the fuzzing harness, but also tried to simply initialize the vars and that worked. But yes, the spi thing looks strange..

I don't yet fully understand this one. The only possible explanation I can think of is that the memcpy() doesn't copy the necessary amount of bytes to spi32 which gets assigned to rekey->spi and then a second notify of the same type triggers the bug in line 1165 when accessing rekey->spi. But there are length checks that should make sure left is the correct size and buf should not be NULL.

@linderd
Copy link
Contributor Author

linderd commented Dec 5, 2023

Thanks, that explains what's happening!

Do you have a link to the error message? I don't understand how those could ever be used uninitialized.

for the use of md: https://github.com/linderd/openiked-portable/actions/runs/6751828266/job/18356444600

So this can't happen normally. ikev2_nat_detection() either returns -1 or initializes md. Since we check for ret == -1 we are good. The parser-libfuzzer test on the other hand has a bug because it defines ikev2_nat_detection() as return 0 and doesn't initialize md, so there is the actual problem. Maybe it should bzero(md, len)?

makes sense, I fixed that

@linderd linderd force-pushed the master branch 2 times, most recently from b4addb1 to c848d07 Compare December 5, 2023 13:49
@linderd
Copy link
Contributor Author

linderd commented Dec 5, 2023

I wanted to refactor the prepare-steps in test_parser_fuzz.c anyway, so maybe I can find the problem with spi by doing that

@linderd
Copy link
Contributor Author

linderd commented Dec 6, 2023

I don't yet fully understand this one. The only possible explanation I can think of is that the memcpy() doesn't copy the necessary amount of bytes to spi32 which gets assigned to rekey->spi and then a second notify of the same type triggers the bug in line 1165 when accessing rekey->spi. But there are length checks that should make sure left is the correct size and buf should not be NULL.

It is confusing.., I'll try to investigate further on it, maybe I find something. But yes, normally both is checked so it can't happen.

@linderd linderd marked this pull request as draft December 6, 2023 15:08
@linderd
Copy link
Contributor Author

linderd commented Dec 11, 2023

problem found: msan doesn't work well with the used optimization level (O2). With O0 the spi-problem is not reproducible. I'll try to fix that with cmake.

@linderd linderd changed the title avoid use of uninitialized variables in ikev2_pld_notify() fix msan-problems in fuzzer-environment Dec 11, 2023
@linderd linderd force-pushed the master branch 2 times, most recently from 25c3a81 to a50f01d Compare December 11, 2023 15:20
@linderd linderd marked this pull request as ready for review December 11, 2023 22:55
@tobhe
Copy link
Member

tobhe commented Dec 12, 2023

Looks good now, thanks!

@tobhe tobhe merged commit d4fef09 into openiked:master Dec 12, 2023
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants