From 10062bbc35a28e95897f66fa5f4991b9b1f9df5d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 16 Mar 2018 11:15:58 +0100
Subject: [PATCH] unit-file: do not allow bogus IOSchedulingClass values

We have only three bits of space, i.e. 8 possible classes. Immediately reject anything outside of that range. Add the fuzzer test case and an additional unit test. oss-fuzz #6908.
---
 src/basic/ioprio.h | 9 +++---
 src/basic/process-util.c | 2 +-
 src/test/test-process-util.c | 28 ++++++++++++++++++-
 .../fuzz-unit-file/oss-fuzz-6908 | 3 ++
 test/fuzz-regressions/meson.build | 1 +
 5 files changed, 37 insertions(+), 6 deletions(-)
 create mode 100644 test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6908
diff --git a/src/basic/ioprio.h b/src/basic/ioprio.h
index d8bb6eb497..8fe74f03f8 100644
--- a/src/basic/ioprio.h
+++ b/src/basic/ioprio.h
@@ -10,12 +10,13 @@
 /*
 * Gives us 8 prio classes with 13-bits of data for each class
 */
-#define IOPRIO_BITS (16)
-#define IOPRIO_CLASS_SHIFT (13)
-#define IOPRIO_PRIO_MASK ((1UL << IOPRIO_CLASS_SHIFT) - 1)
+#define IOPRIO_BITS 16
+#define IOPRIO_N_CLASSES 8
+#define IOPRIO_CLASS_SHIFT 13
+#define IOPRIO_PRIO_DATA_MASK ((1UL << IOPRIO_CLASS_SHIFT) - 1)
 #define IOPRIO_PRIO_CLASS(mask) ((mask) >> IOPRIO_CLASS_SHIFT)
-#define IOPRIO_PRIO_DATA(mask) ((mask) & IOPRIO_PRIO_MASK)
+#define IOPRIO_PRIO_DATA(mask) ((mask) & IOPRIO_PRIO_DATA_MASK)
 #define IOPRIO_PRIO_VALUE(class, data) (((class) << IOPRIO_CLASS_SHIFT) | data)
 #define ioprio_valid(mask) (IOPRIO_PRIO_CLASS((mask)) != IOPRIO_CLASS_NONE)
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index aa9846db5d..b407db0ee8 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
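Review bot: The literal `8` for `IOPRIO_N_CLASSES` restates `IOPRIO_BITS - IOPRIO_CLASS_SHIFT` by hand, so the class count and the shift can drift apart without any compiler complaint. Deriving it, `#define IOPRIO_N_CLASSES (1 << (IOPRIO_BITS - IOPRIO_CLASS_SHIFT))`, keeps the three constants tied together. The define also deserves a comment such as `/* number of classes; valid class values are 0..IOPRIO_N_CLASSES-1 */`, since the name reads naturally as an inclusive upper bound when it is handed to a range check.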
@@ -1466,7 +1466,7 @@ static const char *const ioprio_class_table[] = {
 [IOPRIO_CLASS_IDLE] = "idle"
 };
-DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(ioprio_class, int, INT_MAX);
+DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(ioprio_class, int, IOPRIO_N_CLASSES);
 static const char *const sigchld_code_table[] = {
 [CLD_EXITED] = "exited",
diff --git a/src/test/test-process-util.c b/src/test/test-process-util.c
index 1a0164e601..f540eeb3b0 100644
--- a/src/test/test-process-util.c
+++ b/src/test/test-process-util.c
@@ -541,8 +541,33 @@ static void test_pid_to_ptr(void) {
 #endif
 }
-int main(int argc, char *argv[]) {
+static void test_ioprio_class_from_to_string_one(const char *val, int expected) {
+ assert_se(ioprio_class_from_string(val) == expected);
+ if (expected >= 0) {
+ _cleanup_free_ char *s = NULL;
+ unsigned ret;
+
+ assert_se(ioprio_class_to_string_alloc(expected, &s) == 0);
+ /* We sometimes get a class number and sometimes a number back */
+ assert_se(streq(s, val) ||
+ safe_atou(val, &ret) == 0);
+ }
+}
+static void test_ioprio_class_from_to_string(void) {
+ test_ioprio_class_from_to_string_one("none", IOPRIO_CLASS_NONE);
+ test_ioprio_class_from_to_string_one("realtime", IOPRIO_CLASS_RT);
+ test_ioprio_class_from_to_string_one("best-effort", IOPRIO_CLASS_BE);
+ test_ioprio_class_from_to_string_one("idle", IOPRIO_CLASS_IDLE);
+ test_ioprio_class_from_to_string_one("0", 0);
+ test_ioprio_class_from_to_string_one("1", 1);
+ test_ioprio_class_from_to_string_one("7", 7);
+ test_ioprio_class_from_to_string_one("8", 8);
+ test_ioprio_class_from_to_string_one("9", -1);
+ test_ioprio_class_from_to_string_one("-1", -1);
+}
+
+int main(int argc, char *argv[]) {
 log_set_max_level(LOG_DEBUG);
 log_parse_environment();
 log_open();
@@ -569,6 +594,7 @@ int main(int argc, char *argv[]) {
 test_getpid_measure();
 test_safe_fork();
 test_pid_to_ptr();
+ test_ioprio_class_from_to_string();
 return 0;
 }
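Review bot: Passing `IOPRIO_N_CLASSES` as the fallback bound still lets the numeric class 8 through, which does not fit in the three class bits: the test added in this same commit expects `"8"` to parse as 8 and only `"9"` to fail, so the bound appears to be inclusive. `IOPRIO_PRIO_VALUE(8, data)` would shift the class to bit 16, outside the 16-bit priority word that ioprio.h describes. The bound should be the largest valid class, `DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(ioprio_class, int, IOPRIO_N_CLASSES - 1);`, with the expectation in src/test/test-process-util.c changed to `test_ioprio_class_from_to_string_one("8", -1);`. The macro's definition is outside this diff, so confirm which comparison it uses before changing the bound.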
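Review bot: The round-trip assertion in `test_ioprio_class_from_to_string_one` is satisfied by any numeric `val`, because `safe_atou(val, &ret) == 0` never looks at `s`; for inputs such as `"0"` or `"7"` the string returned by `ioprio_class_to_string_alloc()` is not checked at all. Parsing the result back pins the behaviour for names and numbers alike, `assert_se(ioprio_class_from_string(s) == expected);`, and makes `ret` unnecessary. The comment above it presumably means a class name: `/* We sometimes get a class name and sometimes a number back */`.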
diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6908 b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6908
new file mode 100644
index 0000000000..8f2404b136
--- /dev/null
+++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6908
@@ -0,0 +1,3 @@
+socket
+[Socket]
+IOSchedulingClass=531473
\ No newline at end of file
diff --git a/test/fuzz-regressions/meson.build b/test/fuzz-regressions/meson.build
index f9c8e8cd98..c1ea229a24 100644
--- a/test/fuzz-regressions/meson.build
+++ b/test/fuzz-regressions/meson.build
@@ -34,4 +34,5 @@ fuzz_regression_tests = '''
 fuzz-unit-file/oss-fuzz-6886
 fuzz-unit-file/oss-fuzz-6917
 fuzz-unit-file/oss-fuzz-6892
+ fuzz-unit-file/oss-fuzz-6908
 '''.split()
--
2.25.1