From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Handle the case where either separated trailing input is empty or non-
existent by initializing the size to 0 and only call related code on
non-zero size.

Fixes: 8997f543 ("libselinux: add selabel_file(5) fuzzer")
Reported-by: oss-fuzz (issue 388319478)
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 .../fuzz/selabel_file_compiled-fuzzer.c | 67 ++++++++++++-------
 1 file changed, 41 insertions(+), 26 deletions(-)

diff --git a/libselinux/fuzz/selabel_file_compiled-fuzzer.c b/libselinux/fuzz/selabel_file_compiled-fuzzer.c
index 09fbddd1..51fffcda 100644
--- a/libselinux/fuzz/selabel_file_compiled-fuzzer.c
+++ b/libselinux/fuzz/selabel_file_compiled-fuzzer.c
@@ -95,7 +95,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 	uint8_t control;
 	uint8_t *fcontext_data1 = NULL, *fcontext_data2 = NULL, *fcontext_data3 = NULL;
 	char *key = NULL;
-	size_t fcontext_data1_len, fcontext_data2_len, fcontext_data3_len, key_len;
+	size_t fcontext_data1_len, fcontext_data2_len = 0, fcontext_data3_len = 0, key_len;
 	bool partial, find_all;
 	mode_t mode;
 	int rc;
@@ -141,11 +141,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 	sep = memmem(data, size, separator, 4);
 	if (sep) {
 		fcontext_data2_len = sep - data;
-		fcontext_data2 = malloc(fcontext_data2_len);
-		if (!fcontext_data2)
-			goto cleanup;
+		if (fcontext_data2_len) {
+			fcontext_data2 = malloc(fcontext_data2_len);
+			if (!fcontext_data2)
+				goto cleanup;
+
+			memcpy(fcontext_data2, data, fcontext_data2_len);
+		}
 
-		memcpy(fcontext_data2, data, fcontext_data2_len);
 		data += fcontext_data2_len + 4;
 		size -= fcontext_data2_len + 4;
 	}
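Review bot: `fcontext_data1_len` and `key_len` on the changed declaration line are still left uninitialized while their two siblings now start at 0. If the code that assigns them (outside this hunk) runs unconditionally that is harmless, but initializing all four, `size_t fcontext_data1_len = 0, fcontext_data2_len = 0, fcontext_data3_len = 0, key_len = 0;`, removes the question for the next reader and applies the "zero means absent" convention the patch introduces uniformly. The enclosing function continues beyond the hunk.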
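Review bot: A zero length now stands for two different inputs, a separator found at offset 0 (empty slice) and no separator at all, and in both cases `fcontext_data2` stays NULL and the later load stage is skipped on the length alone; none of that is written down in the hunk. A comment above `if (fcontext_data2_len) {` such as `/* 0 == slice empty or absent: fcontext_data2 stays NULL and is not loaded below */` would make the convention explicit. The same applies to the identical block for `fcontext_data3` in the following hunk; since the two differ only in the variable names, a small static helper taking the destination pointer and length by address would remove the duplication. The enclosing function starts and ends outside the hunk.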
@@ -153,11 +156,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 	sep = memmem(data, size, separator, 4);
 	if (sep) {
 		fcontext_data3_len = sep - data;
-		fcontext_data3 = malloc(fcontext_data3_len);
-		if (!fcontext_data3)
-			goto cleanup;
+		if (fcontext_data3_len) {
+			fcontext_data3 = malloc(fcontext_data3_len);
+			if (!fcontext_data3)
+				goto cleanup;
+
+			memcpy(fcontext_data3, data, fcontext_data3_len);
+		}
 
-		memcpy(fcontext_data3, data, fcontext_data3_len);
 		data += fcontext_data3_len + 4;
 		size -= fcontext_data3_len + 4;
 	}
@@ -202,29 +208,38 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) } fclose(fp); + fp = NULL; - fp = convert_data(fcontext_data2, fcontext_data2_len); - if (!fp) - goto cleanup; + if (fcontext_data2_len) { + fp = convert_data(fcontext_data2, fcontext_data2_len); + if (!fp) + goto cleanup; - errno = 0; - rc = load_mmap(fp, fcontext_data2_len, &rec, MEMFD_FILE_NAME, 1); - if (rc) { - assert(errno != 0); - goto cleanup; + errno = 0; + rc = load_mmap(fp, fcontext_data2_len, &rec, MEMFD_FILE_NAME, 1); + if (rc) { + assert(errno != 0); + goto cleanup; + } + + fclose(fp); + fp = NULL; } - fclose(fp); + if (fcontext_data3_len) { + fp = convert_data(fcontext_data3, fcontext_data3_len); + if (!fp) + goto cleanup; - fp = convert_data(fcontext_data3, fcontext_data3_len); - if (!fp) - goto cleanup; + errno = 0; + rc = load_mmap(fp, fcontext_data3_len, &rec, MEMFD_FILE_NAME, 2); + if (rc) { + assert(errno != 0); + goto cleanup; + } - errno = 0; - rc = load_mmap(fp, fcontext_data3_len, &rec, MEMFD_FILE_NAME, 2); - if (rc) { - assert(errno != 0); - goto cleanup; + fclose(fp); + fp = NULL; } sort_specs(&sdata);
-- 
2.47.1
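Review bot: With the two new guards in the last hunk the third slice can reach `load_mmap(fp, fcontext_data3_len, &rec, MEMFD_FILE_NAME, 2)` while index 1 was never loaded (second slice empty or absent, third present); whether load_mmap() and the following `sort_specs(&sdata)` tolerate a gap in the index sequence is not visible here and should be confirmed, otherwise the second block should be made conditional on the first having run. The two guarded blocks are identical apart from the buffer, length and index, so a static helper or a loop over a small array of (buffer, length) pairs would halve the code and keep the `fclose(fp); fp = NULL;` pairing in one place. The `fp = NULL` resets presumably exist because the cleanup label closes a non-NULL fp; that label is outside the hunk, as is the rest of the function.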