From 1c56d501098f5559c7b97b693dd9be0a01bdfdc9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Fri, 16 Mar 2018 12:02:54 +0100
Subject: [PATCH] fuzz: add test case for oss-fuzz #6897 and a work-around

The orignal reproducer from oss-fuzz depends on the hostname (via %H and %c). The hostname needs a dash for msan to report this, so a simpler case from @evverx with the dash hardcoded is also added. The issue is a false positive from msan, which does not instruct stpncpy (https://github.com/google/sanitizers/issues/926). Let's add a work-around until this is fixed.
---
 src/basic/cgroup-util.c | 8 ++++++++
 test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897 | 4 ++++
 test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx | 4 ++++
 test/fuzz-regressions/meson.build | 2 ++
 4 files changed, 18 insertions(+)
 create mode 100644 test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897
 create mode 100644 test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx

diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index c0962f288f..68ff8ff5a9 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -1977,6 +1977,14 @@ int cg_slice_to_path(const char *unit, char **ret) {
                 _cleanup_free_ char *escaped = NULL;
                 char n[dash - p + sizeof(".slice")];
 
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+                /* msan doesn't instrument stpncpy, so it thinks
+                 * n is later used unitialized:
+                 * https://github.com/google/sanitizers/issues/926
+                 */
+                zero(n);
+#endif
+
                 /* Don't allow trailing or double dashes */
                 if (IN_SET(dash[1], 0, '-'))
                         return -EINVAL;
diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897 b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897
new file mode 100644
index 0000000000..742fd9bfeb
--- /dev/null
+++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897
@@ -0,0 +1,4 @@
+service
+[Service]
+Slice=%H.slice
+TemporaryFileSystem=%c
\ No newline at end of file
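Review bot: Wrapping `zero(n)` in `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` makes the fuzzed binary differ from the shipped one at exactly the spot msan complained about, so if the later write into `n` ever stops covering the whole buffer, the resulting uninitialized read would be hidden from the fuzzer and only surface in production. `n` is a VLA bounded by the length of one slice component, so clearing it unconditionally should cost nothing measurable; consider dropping the `#ifdef`/`#endif` pair and keeping just `zero(n);`, with the comment noting that it also silences the msan false positive from the linked sanitizers issue. The added comment also has a typo: `unitialized` should read `uninitialized`. The rest of cg_slice_to_path, including the stpncpy the comment refers to, lies outside this hunk, so whether the buffer is fully written there cannot be confirmed from this patch alone.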
diff --git a/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx
new file mode 100644
index 0000000000..126678e76c
--- /dev/null
+++ b/test/fuzz-regressions/fuzz-unit-file/oss-fuzz-6897-evverx
@@ -0,0 +1,4 @@
+service
+[Service]
+Slice=abc-def.slice
+TemporaryFileSystem=%c
diff --git a/test/fuzz-regressions/meson.build b/test/fuzz-regressions/meson.build
index c1ea229a24..d36a3574e6 100644
--- a/test/fuzz-regressions/meson.build
+++ b/test/fuzz-regressions/meson.build
@@ -35,4 +35,6 @@ fuzz_regression_tests = '''
         fuzz-unit-file/oss-fuzz-6917
         fuzz-unit-file/oss-fuzz-6892
         fuzz-unit-file/oss-fuzz-6908
+        fuzz-unit-file/oss-fuzz-6897
+        fuzz-unit-file/oss-fuzz-6897-evverx
 '''.split()
-- 
2.25.1