8000 CI: bring CodeQL, ASan/UBsan, radamsa and dfuzzer by evverx · Pull Request #1 · evverx/avahi · GitHub
CI: bring CodeQL, ASan/UBsan, radamsa and dfuzzer #1


Closed
wants to merge 17 commits into from

Conversation

evverx
Owner
@evverx evverx commented Dec 1, 2022

No description provided.

@evverx evverx force-pushed the CI branch 4 times, most recently from fdf1b36 to 997a4a2 Compare December 1, 2022 23:40
@evverx evverx force-pushed the CI branch 3 times, most recently from e5415c8 to 6610e50 Compare December 2, 2022 05:03
@evverx evverx force-pushed the CI branch 3 times, most recently from 2e3bdbc to 8a98c73 Compare December 2, 2022 05:30
evverx added a commit that referenced this pull request Dec 2, 2022
```
==21635==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 512 byte(s) in 1 object(s) allocated from:
  #0 0x7fe7a9c0d867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
  #1 0x7fe7a8de42da in xmalloc /home/runner/work/avahi/avahi/avahi-common/malloc.c:68
  #2 0x7fe7a8de43e2 in avahi_malloc /home/runner/work/avahi/avahi/avahi-common/malloc.c:107
  #3 0x7fe7a9971577 in avahi_dns_packet_new /home/runner/work/avahi/avahi/avahi-core/dns.c:53
  #4 0x7fe7a99719f4 in avahi_dns_packet_new_query /home/runner/work/avahi/avahi/avahi-core/dns.c:69
  #5 0x55ec50f60916 in main /home/runner/work/avahi/avahi/avahi-core/dns-spin-test.c:109
  #6 0x7fe7a8f6bd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: 512 byte(s) leaked in 1 allocation(s).
FAIL dns-spin-test (exit status: 1)
```
@evverx evverx changed the title from "CI: add CodeQL" to "CI: bring CodeQL, ASan/UBsan and dfuzzer" Dec 2, 2022
@evverx evverx force-pushed the CI branch 3 times, most recently from f382cbe to 54d6e1c Compare December 2, 2022 07:07
@evverx evverx force-pushed the CI branch 2 times, most recently from c513e30 to 6caf956 Compare December 4, 2022 21:22
@evverx evverx force-pushed the CI branch 10 times, most recently from 2c8aa0c to 65dc453 Compare December 5, 2022 02:06
evverx added a commit that referenced this pull request Dec 5, 2022
@evverx evverx closed this Feb 22, 2023
evverx added a commit that referenced this pull request Sep 19, 2023
Fixes:
```
==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
READ of size 1110 at 0x7f9e76f14c16 thread T0
    #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
    #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
    #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
```
and
```
fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
==101571== ERROR: libFuzzer: deadly signal
    #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
    #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
    #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
    #3 0x7f1581d7ebaf  (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
    #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
    #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
    #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
    #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
    #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
    #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
```

It's a follow-up to 94cb648
evverx added a commit that referenced this pull request Oct 22, 2023
It fixes the crash spotted in
avahi#490 (comment).
The fuzz target was updated to exercise those code paths (among other
things). Without this commit it crashes with
```
fuzz-consume-record: malloc.c:250: void *avahi_memdup(const void *, size_t): Assertion `s' failed.
==72869== ERROR: libFuzzer: deadly signal
    #0 0x5031b5 in __sanitizer_print_stack_trace (avahi/out/fuzz-consume-record+0x5031b5) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
    #1 0x45cd6c in fuzzer::PrintStackTrace() (avahi/out/fuzz-consume-record+0x45cd6c) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
    #2 0x441c47 in fuzzer::Fuzzer::CrashCallback() (out/fuzz-consume-record+0x441c47) (BuildId: 69840d811c9ba9f74eea21e34786a2005c5dcc06)
    #3 0x7f189e97ebaf  (/lib64/libc.so.6+0x3dbaf) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
    #4 0x7f189e9cf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
    #5 0x7f189e97eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
    #6 0x7f189e96787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
    #7 0x7f189e96779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
    #8 0x7f189e977186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: 3ebe8d97a0ed3e1f13476a02665c5a9442adcd78)
    #9 0x557bfc in avahi_memdup avahi/avahi-common/malloc.c:250:5
    #10 0x54895c in avahi_record_copy avahi/avahi-core/rr.c:469:45
```
evverx added a commit that referenced this pull request Nov 8, 2023
All the functions receiving service names expect them to be UTF-8. When
they aren't those functions can crash. For example here's how
avahi_alternative_service_name crashed without this patch:
```
alternative-test: alternative.c:44: drop_incomplete_utf8: Assertion `*e & 128' failed.

  #0  0x00007ffff76b0884 in __pthread_kill_implementation () from /lib64/libc.so.6
  #1  0x00007ffff765fafe in raise () from /lib64/libc.so.6
  #2  0x00007ffff764887f in abort () from /lib64/libc.so.6
  #3  0x00007ffff764879b in __assert_fail_base.cold () from /lib64/libc.so.6
  #4  0x00007ffff7658187 in __assert_fail () from /lib64/libc.so.6
  #5  0x000000000040257b in drop_incomplete_utf8 (c=0x60200003bed0 "\301\n") at alternative.c:44
  #6  0x00000000004033b2 in avahi_alternative_service_name (s=0x40ff00 "\301\n") at alternative.c:184
  #7  0x000000000040b722 in main (argc=1, argv=0x7fffffffe1c8) at alternative-test.c:91
```
The test is added to make sure avahi_alternative_service_name no longer
crashes. The fuzz target is updated to make sure
avahi_alternative_service_name can withstand all sorts of service names.
evverx added a commit that referenced this pull request Jan 27, 2024
When avahi-daemon fails under ASan/UBSan the tests trying to reach it
via D-Bus start to fail too with cryptic error messages and without ASan
reports it's hard to tell what exactly fails.

This patch is prompted by avahi#551 where
the smoke test failed with
```
** (process:23892): WARNING **: 10:26:43.529: Error initializing Avahi: Daemon not running
glib-integration: client.c:626: void avahi_client_free(AvahiClient *): Assertion `client' failed.
```
without any way to figure out what went wrong.

With this patch applied the following backtrace would have been shown:
```
avahi-daemon[23694]: browse.c: Found CNAME loop on interface 2, proto 1, query cname0.local        IN        AAAA
avahi-daemon[23694]: browse.c: Found CNAME loop on interface 2, proto 1, query cname0.local        IN        AAAA
avahi-daemon[23694]: =================================================================
avahi-daemon[23694]: ==23694==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000f70 at pc 0x7f5aac154542 bp 0x7ffe59141be0 sp 0x7ffe59141bd8
avahi-daemon[23694]: READ of size 4 at 0x60b000000f70 thread T0
avahi-daemon[23694]:     #0 0x7f5aac154541 in lookup_multicast_callback /home/runner/work/avahi/avahi/avahi-core/browse.c:268:12
avahi-daemon[23694]:     #1 0x7f5aac1bfa0a in avahi_multicast_lookup_engine_notify /home/runner/work/avahi/avahi/avahi-core/multicast-lookup.c:317:21
avahi-daemon[23694]:     #2 0x7f5aac115808 in avahi_cache_update /home/runner/work/avahi/avahi/avahi-core/cache.c:363:13
avahi-daemon[23694]:     #3 0x7f5aac0e9621 in handle_response_packet /home/runner/work/avahi/avahi/avahi-core/server.c:720:21
avahi-daemon[23694]:     #4 0x7f5aac0e3cf6 in dispatch_packet /home/runner/work/avahi/avahi/avahi-core/server.c:1032:9
avahi-daemon[23694]:     #5 0x7f5aac0e2116 in mcast_socket_event /home/runner/work/avahi/avahi/avahi-core/server.c:1093:13
avahi-daemon[23694]:     #6 0x7f5aac464b6c in avahi_simple_poll_dispatch /home/runner/work/avahi/avahi/avahi-common/simple-watch.c:585:13
avahi-daemon[23694]:     #7 0x7f5aac4651a8 in avahi_simple_poll_iterate /home/runner/work/avahi/avahi/avahi-common/simple-watch.c:605:14
avahi-daemon[23694]:     #8 0x5592a3ed3884 in run_server /home/runner/work/avahi/avahi/avahi-daemon/main.c:1279:18
avahi-daemon[23694]:     #9 0x5592a3ec4132 in main /home/runner/work/avahi/avahi/avahi-daemon/main.c:1708:13
avahi-daemon[23694]:     #10 0x7f5aabc29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
avahi-daemon[23694]:     #11 0x7f5aabc29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
avahi-daemon[23694]:     #12 0x5592a3e05054 in _start (/usr/sbin/avahi-daemon+0x71054) (BuildId: 0aa9e5ea43ef010d5f42e9109eabd1434ff1b3db)
...
```
evverx added a commit that referenced this pull request Jan 28, 2024
evverx added a commit that referenced this pull request Feb 1, 2024
Those strings are consumed in various places and it's generally expected
that they are UTF-8. It's prompted by an issue where python scripts
threw the UnicodeDecodeError exception trying to parse the output of
avahi-browse -arp.

The fuzz target fails on architectures where char is unsigned (like
aarch64 for example):
```
fuzz-strlst: fuzz/fuzz-strlst.c:40: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_utf8_valid(t)' failed.
==26== ERROR: libFuzzer: deadly signal
    #0 0x4a38f8 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
    #1 0x44d350 in fuzzer::PrintStackTrace() cxa_noexception.cpp
    #2 0x436728 in fuzzer::Fuzzer::CrashCallback() cxa_noexception.cpp
    #3 0x5500834ffc  (/usr/lib/aarch64-linux-gnu/ld-2.31.so+0x23ffc)
    #4 0x550099cd74 in raise (/lib/aarch64-linux-gnu/libc.so.6+0x33d74)
    #5 0x5500989aa8 in abort (/lib/aarch64-linux-gnu/libc.so.6+0x20aa8)
    #6 0x550099648c  (/lib/aarch64-linux-gnu/libc.so.6+0x2d48c)
    #7 0x55009964f0 in __assert_fail (/lib/aarch64-linux-gnu/libc.so.6+0x2d4f0)
    #8 0x4a4e70 in LLVMFuzzerTestOneInput /src/avahi/fuzz/fuzz-strlst.c:40:9
```

but it shouldn't break anything because currently it's run on x86_64/i386
only on a regular basis. It should help to catch bugs/regressions
though.
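Added example (my code, not avahi's) covering both the UTF-8 service-name checks in the Nov 8 commit and the char-signedness failure described just above: a UTF-8 validator and a truncation helper that read every byte through `unsigned char`, so they give the same answer on x86_64 (signed `char`) and aarch64 (unsigned `char`) and never abort on an input such as `"\301\n"`. The function names and the constructed inputs are assumptions, not avahi's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the sequence introduced by lead byte b, or 0 when b cannot
 * start one: a stray continuation byte (0x80..0xBF), the overlong leads
 * 0xC0/0xC1, or 0xF5..0xFF. The parameter is unsigned char on purpose:
 * with a plain char, "b & 128" or "b < 0" mean different things on
 * x86_64 (signed char) and aarch64 (unsigned char). */
static size_t utf8_seq_len(unsigned char b) {
    if (b < 0x80) return 1;
    if (b >= 0xC2 && b <= 0xDF) return 2;
    if (b >= 0xE0 && b <= 0xEF) return 3;
    if (b >= 0xF0 && b <= 0xF4) return 4;
    return 0;
}

static bool utf8_is_cont(unsigned char b) { return (b & 0xC0) == 0x80; }

/* Number of leading bytes of s that form well-formed UTF-8: no invalid
 * lead bytes, no truncated sequences, no overlong forms, no surrogates,
 * nothing above U+10FFFF. Stops at the first defect or at the NUL. */
size_t utf8_valid_prefix_len(const char *s) {
    const unsigned char *p = (const unsigned char *)s;  /* never sign-extend */
    size_t i = 0;
    while (p[i] != 0) {
        size_t n = utf8_seq_len(p[i]);
        if (n == 0) break;
        size_t k;
        for (k = 1; k < n; k++)
            if (!utf8_is_cont(p[i + k])) break;  /* a NUL here also stops us */
        if (k < n) break;                         /* truncated sequence */
        if (n == 3 && ((p[i] == 0xE0 && p[i + 1] < 0xA0) ||   /* overlong */
                       (p[i] == 0xED && p[i + 1] > 0x9F)))    /* surrogate */
            break;
        if (n == 4 && ((p[i] == 0xF0 && p[i + 1] < 0x90) ||   /* overlong */
                       (p[i] == 0xF4 && p[i + 1] > 0x8F)))    /* > U+10FFFF */
            break;
        i += n;
    }
    return i;
}

/* True when the whole string is well-formed UTF-8. */
bool utf8_valid(const char *s) {
    return utf8_valid_prefix_len(s) == strlen(s);
}

/* Cuts s in place at its first malformed or incomplete sequence, so the
 * result always satisfies utf8_valid(). Returns the number of bytes
 * dropped. For the crashing input "\301\n" everything from the bad 0xC1
 * lead byte onwards goes, instead of an assertion firing. */
size_t truncate_to_valid_utf8(char *s) {
    size_t keep = utf8_valid_prefix_len(s);
    size_t dropped = strlen(s) - keep;
    s[keep] = '\0';
    return dropped;
}

int main(void) {
    /* Constructed inputs: the service name from the crash above, a
     * correct name, and a name whose last character is cut in half. */
    char names[][16] = { "\301\n", "caf\xc3\xa9", "caf\xc3\xa9\xe2\x82" };
    for (size_t i = 0; i < 3; i++) {
        bool before = utf8_valid(names[i]);
        size_t dropped = truncate_to_valid_utf8(names[i]);
        printf("valid=%d dropped=%zu now_valid=%d\n",
               before, dropped, utf8_valid(names[i]));
    }
    return 0;
}
```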
evverx added a commit that referenced this pull request Feb 2, 2024