
Fix libFuzzer minimization command line parsing, should be able to process special chars like ( #3886

Closed
evverx opened this issue May 27, 2020 · 36 comments

@evverx (Contributor) commented May 27, 2020

I downloaded a reproducer testcase from https://oss-fuzz.com/download?testcase_id=5146387221315584 (related to https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22547) and noticed that it was much larger than it should have been, so by manually running the fuzz target with -minimize_crash=1 I managed to reduce its size from 4333 bytes to just 128 bytes.

It seems the testcase wasn't minimized because "LibFuzzer minimization failed" (which is strange in the sense that the bug was found with honggfuzz as far as I can see):

[2020-05-26 12:58:23 UTC] oss-fuzz-linux-zone3-host-swn3-6: Fuzz task : Fuzzer honggfuzz_systemd_fuzz-netdev-parser generated testcase crashed in 4736 seconds (r202005260645).
[2020-05-26 13:21:10 UTC] oss-fuzz-linux-zone1-host-v84z-8: Minimize task started.
[2020-05-26 13:21:46 UTC] oss-fuzz-linux-zone1-host-v84z-8: Minimize task errored out: LibFuzzer minimization failed.
[2020-05-26 13:23:39 UTC] oss-fuzz-linux-zone1-host-v84z-8: Regression task started.
@inferno-chromium (Collaborator)

Looks like honggfuzz is creating filenames with special chars, which later confused the libFuzzer minimizer. Looking into a fix.

INFO: Seed: 4195786247
INFO: Loaded 2 modules   (74152 inline 8-bit counters): 55106 [0x7f473a517060, 0x7f473a5247a2), 19046 [0xb58420, 0xb5ce86), 
INFO: Loaded 2 PC tables (74152 PCs): 55106 [0x7f473a5247a8,0x7f473a5fbbc8), 19046 [0xb5ce88,0xba74e8), 
CRASH_MIN: minimizing crash input: '/SIGABRT.PC.7ffff76cef07.STACK.16cd11d9f.CODE.-6.ADDR.0.INSTR.mov____(%rdi),%r12.fuzz' (4333 bytes)
CRASH_MIN: executing: /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_de63b71f16a30e45dc2ea3edcd6a924885950338/revisions/fuzz-netdev-parser -max_total_time=295 -artifact_prefix=/tmp/ /SIGABRT.PC.7ffff76cef07.STACK.16cd11d9f.CODE.-6.ADDR.0.INSTR.mov____(%rdi),%r12.fuzz 2>&1
sh: 1: Syntax error: "(" unexpected
CRASH_MIN: '/SIGABRT.PC.7ffff76cef07.STACK.16cd11d9f.CODE.-6.ADDR.0.INSTR.mov____(%rdi),%r12.fuzz' (4333 bytes) caused a crash. Will try to minimize it further
CRASH_MIN: executing: /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_de63b71f16a30e45dc2ea3edcd6a924885950338/revisions/fuzz-netdev-parser -max_total_time=295 -artifact_prefix=/tmp/ /SIGABRT.PC.7ffff76cef07.STACK.16cd11d9f.CODE.-6.ADDR.0.INSTR.mov____(%rdi),%r12.fuzz -minimize_crash_internal_step=1 -exact_artifact_path=/minimized_crash 2>&1
sh: 1: Syntax error: "(" unexpected
*********************************
No such directory: /minimized_crash; exiting

@inferno-chromium (Collaborator)

@robertswiecki - is it possible to get rid of these special chars/instructions in filenames, i.e. "mov____(%rdi),%r12" in "/SIGABRT.PC.7ffff76cef07.STACK.16cd11d9f.CODE.-6.ADDR.0.INSTR.mov____(%rdi),%r12.fuzz"?
We shouldn't be creating filenames with these chars in the first place, thoughts?

@jonathanmetzman (Contributor)

@morehouse do you think this should be fixed in libFuzzer? I think ExecuteCommand calls system which breaks if bash interprets the filename as something other than the argument to libFuzzer.

@robertswiecki (Contributor)

You can compile it with -D_HF_LINUX_NO_BFD

But overall it might be good to fix whatever other component breaks upon non-standard (yet allowed) filename chars :)

@morehouse (Contributor)

> @morehouse do you think this should be fixed in libFuzzer? I think ExecuteCommand calls system which breaks if bash interprets the filename as something other than the argument to libFuzzer.

I'd say fix it in libFuzzer if the fix there is easy enough... A couple ideas that might be easy fixes:

  • Adding -- before filenames.
  • Single-quoting filenames.
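
The hazard behind ExecuteCommand calling system(), and the single-quoting idea above, as an added example that is not libFuzzer's code: a quoting routine, the naive and the quoted command joins, and a pre-flight scan that flags shell-significant bytes left outside quotes. Function names and the character allowlist are this example's own assumptions.

```cpp
// Added example, not libFuzzer's code: quoting argv elements before a command
// line is handed to system()/`sh -c`, plus a pre-flight scan for the failure
// seen in this thread (a filename containing `(` reaching the shell unquoted).
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// The honggfuzz-style filename from the thread; `(` makes sh start a subshell.
const std::string kHonggfuzzName =
    "/SIGABRT.PC.7ffff76cef07.STACK.16cd11d9f.CODE.-6.ADDR.0.INSTR.mov____(%rdi),%r12.fuzz";

// Conservative allowlist of bytes /bin/sh treats as ordinary text when they
// appear unquoted. Everything else (space, parentheses, %, $, quotes,
// backslash, ; & | < > * ? [ ] { } ~ # !) gets quoted.
static bool IsShellPlainChar(char C) {
  if ((C >= 'a' && C <= 'z') || (C >= 'A' && C <= 'Z') ||
      (C >= '0' && C <= '9'))
    return true;
  for (char Ok : std::string("/._-=:,+@"))
    if (C == Ok) return true;
  return false;
}

// Single-quote an argument so the shell passes it through byte for byte.
// Inside single quotes nothing is special except the closing quote, so an
// embedded ' is written as '\'' (close the string, escaped quote, reopen).
std::string ShellQuote(const std::string &Arg) {
  bool Plain = !Arg.empty();
  for (char C : Arg) Plain = Plain && IsShellPlainChar(C);
  if (Plain) return Arg;  // nothing to protect; keep the command readable
  std::string Out = "'";
  for (char C : Arg)
    Out += (C == '\'') ? std::string("'\\''") : std::string(1, C);
  return Out + "'";
}

// The naive join: arguments separated by spaces, no quoting. Given to
// system(), kHonggfuzzName is parsed by sh as a subshell and the run dies
// with `Syntax error: "(" unexpected` before the fuzz target even starts.
std::string JoinUnquoted(const std::vector<std::string> &Args) {
  std::string Out;
  for (size_t I = 0; I < Args.size(); ++I) Out += (I ? " " : "") + Args[I];
  return Out;
}

// The hardened join: every element passes through ShellQuote.
std::string JoinQuoted(const std::vector<std::string> &Args) {
  std::string Out;
  for (size_t I = 0; I < Args.size(); ++I)
    Out += (I ? " " : "") + ShellQuote(Args[I]);
  return Out;
}

// Coarse re-tokenisation of a finished command line: tracks single-quote
// state, honours backslash escapes, and reports any byte outside the
// allowlist that sits unquoted. A cheap check to run before system() or in
// a unit test for the command builder.
bool HasUnquotedMetachar(const std::string &Cmd) {
  bool InSingle = false;
  for (size_t I = 0; I < Cmd.size(); ++I) {
    char C = Cmd[I];
    if (C == '\'') { InSingle = !InSingle; continue; }
    if (InSingle) continue;
    if (C == '\\') { ++I; continue; }  // escaped byte is literal
    if (C == ' ') continue;            // argument separator, expected
    if (!IsShellPlainChar(C)) return true;
  }
  return false;
}

int main() {
  std::vector<std::string> Args = {"./fuzz-netdev-parser", "-max_total_time=295",
                                   kHonggfuzzName};
  std::string Naive = JoinUnquoted(Args), Safe = JoinQuoted(Args);
  std::printf("naive : %s\n  unquoted metachar: %s\n", Naive.c_str(),
              HasUnquotedMetachar(Naive) ? "yes" : "no");
  std::printf("quoted: %s\n  unquoted metachar: %s\n", Safe.c_str(),
              HasUnquotedMetachar(Safe) ? "yes" : "no");
  return 0;
}
```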

@evverx (Contributor, Author) commented May 29, 2020

It seems when honggfuzz is used testcases aren't minimized at all but in https://oss-fuzz.com/testcase-detail/5757581015646208 (which was found with libFuzzer as far as I can see) the minimized testcase is suspiciously large as well. Its size can be reduced from 384 KB to 131 bytes manually.

@inferno-chromium (Collaborator)

> It seems when honggfuzz is used testcases aren't minimized at all but in https://oss-fuzz.com/testcase-detail/5757581015646208 (which was found with libFuzzer as far as I can see) the minimized testcase is suspiciously large as well. Its size can be reduced from 384 KB to 131 bytes manually.

How long did your minimization take? We do 5 rounds of minimization, 10 min each. Maybe we need fewer rounds and more time per minimization. Thoughts?

@evverx (Contributor, Author) commented May 29, 2020

It took about 3 and a half minutes to minimize it from 384 KB to 122 bytes. I ran the fuzzer with -minimize_crash=1 -runs=50000 and manually interrupted it when the testcase was good enough.

MS: 1 EraseBytes-; base unit: 0000000000000000000000000000000000000000
0x5b,0x4c,0x32,0x54,0x50,0x5d,0xa,0x52,0x65,0x6d,0x6f,0x74,0x65,0x3d,0x31,0x2e,0x30,0x2e,0x32,0x2e,0x39,0xa,0x5b,0x4c,0x32,0x54,0x50,0x53,0x65,0x73,0x73,0x69,0x6f,0x6e,0x5d,0xa,0x53,0x65,0x73,0x73,0x69,0x6f,0x6e,0x49,0x64,0x3d,0xa,0x5b,0x4c,0x32,0x54,0x50,0x5d,0xa,0x50,0x65,0x65,0x72,0x54,0x75,0x6e,0x6e,0x65,0x6c,0x49,0x64,0x3d,0x32,0x0,0x5b,0x4e,0x65,0x74,0x44,0x65,0x76,0x5d,0xa,0x4b,0x69,0x6e,0x64,0x3d,0x6c,0x32,0x74,0x70,0xa,0x5b,0x4c,0x32,0x54,0x50,0x5d,0xa,0x54,0x75,0x6e,0x6e,0x65,0x6c,0x49,0x64,0x3d,0x34,0x0,0x5b,0x4e,0x65,0x74,0x44,0x65,0x76,0x5d,0xa,0x4e,0x61,0x6d,0x65,0x3d,0x3d,0x0,
[L2TP]\x0aRemote=1.0.2.9\x0a[L2TPSession]\x0aSessionId=\x0a[L2TP]\x0aPeerTunnelId=2\x00[NetDev]\x0aKind=l2tp\x0a[L2TP]\x0aTunnelId=4\x00[NetDev]\x0aName==\x00
artifact_prefix='./'; Test unit written to ./minimized-from-47070c3c816a20e75bb38fbce69a684d9319f3da
Base64: W0wyVFBdClJlbW90ZT0xLjAuMi45CltMMlRQU2Vzc2lvbl0KU2Vzc2lvbklkPQpbTDJUUF0KUGVlclR1bm5lbElkPTIAW05ldERldl0KS2luZD1sMnRwCltMMlRQXQpUdW5uZWxJZD00AFtOZXREZXZdCk5hbWU9PQA=
*********************************
CRASH_MIN: minimizing crash input: './minimized-from-47070c3c816a20e75bb38fbce69a684d9319f3da' (122 bytes)
CRASH_MIN: executing: ./out/fuzz-netdev-parser -runs=50000 ./minimized-from-47070c3c816a20e75bb38fbce69a684d9319f3da >/tmp/libFuzzerTemp.8708.txt 2>&1
CRASH_MIN: './minimized-from-47070c3c816a20e75bb38fbce69a684d9319f3da' (122 bytes) caused a crash. Will try to minimize it further
CRASH_MIN: executing: ./out/fuzz-netdev-parser -runs=50000 ./minimized-from-47070c3c816a20e75bb38fbce69a684d9319f3da -minimize_crash_internal_step=1 -exact_artifact_path=./minimized-from-288d476141272b20dd1f17be1282977dd3c6b22b >/tmp/libFuzzerTemp.8708.txt 2>&1
^CINFO: Seed: 2922133299
INFO: Loaded 2 modules   (200036 inline 8-bit counters): 136786 [0x7f0bc19cf250, 0x7f0bc19f08a2), 63250 [0xae3350, 0xaf2a62),
INFO: Loaded 2 PC tables (200036 PCs): 136786 [0x7f0bc19f08a8,0x7f0bc1c06dc8), 63250 [0xaf2a68,0xbe9b88),
INFO: Starting MinimizeCrashInputInternalStep: 122
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 122 bytes
#2048	pulse  exec/s: 682 rss: 127Mb
#4096	pulse  exec/s: 585 rss: 198Mb
#8192	pulse  exec/s: 546 rss: 338Mb
==9760== libFuzzer: run interrupted; exiting
*********************************
No such directory: ./minimized-from-288d476141272b20dd1f17be1282977dd3c6b22b; exiting

real	3m25.953s
user	1m18.782s
sys	1m38.814s

@inferno-chromium (Collaborator)

@evverx - can you try without -runs=50000, maybe that is the issue, I don't think we add that, and maybe that decreases good repro chances (-runs is like retry :)

@inferno-chromium (Collaborator)

ah wait

-minimize_crash
If 1, minimizes the provided crash input. Use with -runs=N or -max_total_time=N to limit the number of attempts.

-runs is just the total number of runs, that shouldn't impact this. Let me try to redo the task just to see if it gets minimized properly.

@evverx (Contributor, Author) commented May 29, 2020

@inferno-chromium looks like the task failed:

[2020-05-29 20:24:17 UTC] *: Redo task(s): minimize
[2020-05-29 20:26:24 UTC] oss-fuzz-linux-zone1-host-v337-10: Minimize task started.
[2020-05-29 20:28:36 UTC] oss-fuzz-linux-zone1-host-v337-10: Minimize task errored out: LibFuzzer minimization failed.

I was going to restart it but decided not to, so as not to mess something up.

@inferno-chromium (Collaborator) commented May 29, 2020

Basically libFuzzer minimization does not account for the crash signature when minimizing. When it minimizes something and we retry, if the crash signature does not match, we ignore it. I think it makes sense to ignore the smaller testcase if the crash stack changes? Can you try that locally minimized version and see if the stack is exactly the same.

E 2020-05-29T20:28:36.729215816Z LibFuzzer minimization failed (testcase 5757581015646208, job libfuzzer_msan_systemd). 
I 2020-05-29T20:28:36.728223337Z Updated testcase 5757581015646208 (bug 22736). 
W 2020-05-29T20:28:36.655456506Z Ignoring unrelated crash.
State: l2tp_session_free
l2tp_tunnel_done
netdev_free
 (expected network_config_compare_func
base_bucket_scan
internal_hashmap_remove
)
Security: True (expected True)
Output: Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/minijail0 -f /tmp/tmput8mwo0v -U -m '0 1337 1' -T static -c 0 -n -v -p -l -I -k proc,/proc,proc,1 -P /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmpr2tutuv8 -b /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmpt2c_69qt,/tmp,1 -b /lib,/lib,0 -b /lib32,/lib32,0 -b /lib64,/lib64,0 -b /usr/lib,/usr/lib,0 -b /usr/lib32,/usr/lib32,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/out,0 /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser -rss_limit_mb=2560 -timeout=60 -runs=100 /cdf518f0663d374504eb3f4d1cdbf6ac6f04f2e2ff89715130b8f7c5a78e6f0f
Bot: oss-fuzz-linux-zone1-host-v337-10
Time ran: 1.8291327953338623

INFO: Seed: 1242779591
INFO: Loaded 2 modules   (74223 inline 8-bit counters): 55136 [0x7f8194cc7619, 0x7f8194cd4d79), 19087 [0xd38f08, 0xd3d997),
INFO: Loaded 2 PC tables (74223 PCs): 55136 [0x7f8194cd4d80,0x7f8194dac380), 19087 [0xd3d998,0xd88288),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser: Running 1 inputs 100 time(s) each.
Running: /cdf518f0663d374504eb3f4d1cdbf6ac6f04f2e2ff89715130b8f7c5a78e6f0f
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4ef4fd in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23
    #1 0x4edacf in l2tp_tunnel_done /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:720:9
    #2 0x4a77ef in netdev_free /work/build/../../src/systemd/src/network/netdev/netdev.c:205:17
    #3 0x4a7469 in netdev_unref /work/build/../../src/systemd/src/network/netdev/netdev.c:210:1
    #4 0x57dc2e in manager_free /work/build/../../src/systemd/src/network/networkd-manager.c:1877:22
    #5 0x4a6600 in manager_freep /work/build/../../src/systemd/src/network/networkd-manager.h:105:1
    #6 0x4a63f6 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:25:1
    #7 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #8 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #9 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #10 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #11 0x7f81931a982f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x42a958 in _start (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser+0x42a958)

  Uninitialized value was created by a heap deallocation
    #0 0x450fb9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x4ef4be in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:53:9
    #2 0x4eedd2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #3 0x4af6a6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #4 0x4a63c1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #5 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #6 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #7 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #8 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #9 0x7f81931a982f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23 in l2tp_session_free
Exiting

 
I 2020-05-29T20:28:36.654591087Z Crash stacktrace comparison skipped. 
I 2020-05-29T20:28:36.653370880Z Crash occurred in 1.8291327953338623 seconds (round 1). State:
l2tp_session_free
l2tp_tunnel_done
netdev_free
 
I 2020-05-29T20:28:12.780524553Z Minimizing round 5. 
W 2020-05-29T20:28:12.779375713Z Ignoring unrelated crash.
State: l2tp_session_free
l2tp_tunnel_done
netdev_free
 (expected network_config_compare_func
base_bucket_scan
internal_hashmap_remove
)
Security: True (expected True)
Output: Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/minijail0 -f /tmp/tmpmveqvnyj -U -m '0 1337 1' -T static -c 0 -n -v -p -l -I -k proc,/proc,proc,1 -P /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmpszsxzy5u -b /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmpn7aq1is7,/tmp,1 -b /lib,/lib,0 -b /lib32,/lib32,0 -b /lib64,/lib64,0 -b /usr/lib,/usr/lib,0 -b /usr/lib32,/usr/lib32,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/out,0 /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser -rss_limit_mb=2560 -timeout=60 -runs=100 /f581ca16843a6777a6c0601ba35915056f04f2e2ff89715130b8f7c5a78e6f0f
Bot: oss-fuzz-linux-zone1-host-v337-10
Time ran: 1.8268311023712158

INFO: Seed: 1218905807
INFO: Loaded 2 modules   (74223 inline 8-bit counters): 55136 [0x7fd66d611619, 0x7fd66d61ed79), 19087 [0xd38f08, 0xd3d997),
INFO: Loaded 2 PC tables (74223 PCs): 55136 [0x7fd66d61ed80,0x7fd66d6f6380), 19087 [0xd3d998,0xd88288),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser: Running 1 inputs 100 time(s) each.
Running: /f581ca16843a6777a6c0601ba35915056f04f2e2ff89715130b8f7c5a78e6f0f
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4ef4fd in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23
    #1 0x4edacf in l2tp_tunnel_done /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:720:9
    #2 0x4a77ef in netdev_free /work/build/../../src/systemd/src/network/netdev/netdev.c:205:17
    #3 0x4a7469 in netdev_unref /work/build/../../src/systemd/src/network/netdev/netdev.c:210:1
    #4 0x57dc2e in manager_free /work/build/../../src/systemd/src/network/networkd-manager.c:1877:22
    #5 0x4a6600 in manager_freep /work/build/../../src/systemd/src/network/networkd-manager.h:105:1
    #6 0x4a63f6 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:25:1
    #7 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #8 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #9 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #10 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #11 0x7fd66baf382f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x42a958 in _start (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser+0x42a958)

  Uninitialized value was created by a heap deallocation
    #0 0x450fb9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x4ef4be in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:53:9
    #2 0x4eedd2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #3 0x4af6a6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #4 0x4a63c1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #5 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #6 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #7 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #8 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #9 0x7fd66baf382f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23 in l2tp_session_free
Exiting

 
I 2020-05-29T20:28:12.778412767Z Crash stacktrace comparison skipped. 
I 2020-05-29T20:28:12.777551472Z Crash occurred in 1.8268311023712158 seconds (round 1). State:
l2tp_session_free
l2tp_tunnel_done
netdev_free
 
I 2020-05-29T20:28:05.849559840Z Minimizing round 4. 
W 2020-05-29T20:28:05.848879171Z Ignoring unrelated crash.
State: l2tp_session_free
l2tp_tunnel_done
netdev_free
 (expected network_config_compare_func
base_bucket_scan
internal_hashmap_remove
)
Security: True (expected True)
Output: Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/minijail0 -f /tmp/tmplsbwoxkl -U -m '0 1337 1' -T static -c 0 -n -v -p -l -I -k proc,/proc,proc,1 -P /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmpexxgb7xd -b /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmpaa1hrxw4,/tmp,1 -b /lib,/lib,0 -b /lib32,/lib32,0 -b /lib64,/lib64,0 -b /usr/lib,/usr/lib,0 -b /usr/lib32,/usr/lib32,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/out,0 /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser -rss_limit_mb=2560 -timeout=60 -runs=100 /ef4c36c7a2c67e38490502278b4812746f04f2e2ff89715130b8f7c5a78e6f0f
Bot: oss-fuzz-linux-zone1-host-v337-10
Time ran: 1.8019485473632812

INFO: Seed: 1211999960
INFO: Loaded 2 modules   (74223 inline 8-bit counters): 55136 [0x7fe6e9add619, 0x7fe6e9aead79), 19087 [0xd38f08, 0xd3d997),
INFO: Loaded 2 PC tables (74223 PCs): 55136 [0x7fe6e9aead80,0x7fe6e9bc2380), 19087 [0xd3d998,0xd88288),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser: Running 1 inputs 100 time(s) each.
Running: /ef4c36c7a2c67e38490502278b4812746f04f2e2ff89715130b8f7c5a78e6f0f
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4ef4fd in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23
    #1 0x4edacf in l2tp_tunnel_done /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:720:9
    #2 0x4a77ef in netdev_free /work/build/../../src/systemd/src/network/netdev/netdev.c:205:17
    #3 0x4a7469 in netdev_unref /work/build/../../src/systemd/src/network/netdev/netdev.c:210:1
    #4 0x57dc2e in manager_free /work/build/../../src/systemd/src/network/networkd-manager.c:1877:22
    #5 0x4a6600 in manager_freep /work/build/../../src/systemd/src/network/networkd-manager.h:105:1
    #6 0x4a63f6 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:25:1
    #7 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #8 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #9 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #10 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #11 0x7fe6e7fbf82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x42a958 in _start (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser+0x42a958)

  Uninitialized value was created by a heap deallocation
    #0 0x450fb9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x4ef4be in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:53:9
    #2 0x4eedd2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #3 0x4af6a6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #4 0x4a63c1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #5 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #6 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #7 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #8 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #9 0x7fe6e7fbf82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23 in l2tp_session_free
Exiting

 
I 2020-05-29T20:28:05.846384234Z Crash stacktrace comparison skipped. 
I 2020-05-29T20:28:05.845547155Z Crash occurred in 1.8019485473632812 seconds (round 1). State:
l2tp_session_free
l2tp_tunnel_done
netdev_free
 
I 2020-05-29T20:27:56.923955782Z Minimizing round 3. 
W 2020-05-29T20:27:56.923356335Z Ignoring unrelated crash.
State: l2tp_session_free
l2tp_tunnel_done
netdev_free
 (expected network_config_compare_func
base_bucket_scan
internal_hashmap_remove
)
Security: True (expected True)
Output: Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/minijail0 -f /tmp/tmpz_yldxi2 -U -m '0 1337 1' -T static -c 0 -n -v -p -l -I -k proc,/proc,proc,1 -P /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmp4fxfmiqj -b /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmp1mesiyak,/tmp,1 -b /lib,/lib,0 -b /lib32,/lib32,0 -b /lib64,/lib64,0 -b /usr/lib,/usr/lib,0 -b /usr/lib32,/usr/lib32,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/out,0 /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser -rss_limit_mb=2560 -timeout=60 -runs=100 /0614bad5bd94e5df820343867c3d813d6f04f2e2ff89715130b8f7c5a78e6f0f
Bot: oss-fuzz-linux-zone1-host-v337-10
Time ran: 1.8589019775390625

INFO: Seed: 1203017892
INFO: Loaded 2 modules   (74223 inline 8-bit counters): 55136 [0x7f9584ac1619, 0x7f9584aced79), 19087 [0xd38f08, 0xd3d997),
INFO: Loaded 2 PC tables (74223 PCs): 55136 [0x7f9584aced80,0x7f9584ba6380), 19087 [0xd3d998,0xd88288),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser: Running 1 inputs 100 time(s) each.
Running: /0614bad5bd94e5df820343867c3d813d6f04f2e2ff89715130b8f7c5a78e6f0f
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4ef4fd in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23
    #1 0x4edacf in l2tp_tunnel_done /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:720:9
    #2 0x4a77ef in netdev_free /work/build/../../src/systemd/src/network/netdev/netdev.c:205:17
    #3 0x4a7469 in netdev_unref /work/build/../../src/systemd/src/network/netdev/netdev.c:210:1
    #4 0x57dc2e in manager_free /work/build/../../src/systemd/src/network/networkd-manager.c:1877:22
    #5 0x4a6600 in manager_freep /work/build/../../src/systemd/src/network/networkd-manager.h:105:1
    #6 0x4a63f6 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:25:1
    #7 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #8 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #9 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #10 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #11 0x7f9582fa382f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x42a958 in _start (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser+0x42a958)

  Uninitialized value was created by a heap deallocation
    #0 0x450fb9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x4ef4be in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:53:9
    #2 0x4eedd2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #3 0x4af6a6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #4 0x4a63c1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #5 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #6 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #7 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #8 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #9 0x7f9582fa382f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23 in l2tp_session_free
Exiting

 
I 2020-05-29T20:27:56.922466932Z Crash stacktrace comparison skipped. 
I 2020-05-29T20:27:56.921620283Z Crash occurred in 1.8589019775390625 seconds (round 1). State:
l2tp_session_free
l2tp_tunnel_done
netdev_free
 
I 2020-05-29T20:27:42.886900359Z Minimizing round 2. 
W 2020-05-29T20:27:42.886318062Z Ignoring unrelated crash.
State: l2tp_session_free
l2tp_tunnel_done
netdev_free
 (expected network_config_compare_func
base_bucket_scan
internal_hashmap_remove
)
Security: True (expected True)
Output: Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/minijail0 -f /tmp/tmp5r7su4f2 -U -m '0 1337 1' -T static -c 0 -n -v -p -l -I -k proc,/proc,proc,1 -P /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmp6d80cdqr -b /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-246334/tmpxgg6ye8j,/tmp,1 -b /lib,/lib,0 -b /lib32,/lib32,0 -b /lib64,/lib64,0 -b /usr/lib,/usr/lib,0 -b /usr/lib32,/usr/lib32,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,0 -b /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions,/out,0 /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser -rss_limit_mb=2560 -timeout=60 -runs=100 /9c6d054fc142b77e9358f993648300cb6f04f2e2ff89715130b8f7c5a78e6f0f
Bot: oss-fuzz-linux-zone1-host-v337-10
Time ran: 1.9359266757965088

INFO: Seed: 1189006239
INFO: Loaded 2 modules   (74223 inline 8-bit counters): 55136 [0x7fe5ad729619, 0x7fe5ad736d79), 19087 [0xd38f08, 0xd3d997),
INFO: Loaded 2 PC tables (74223 PCs): 55136 [0x7fe5ad736d80,0x7fe5ad80e380), 19087 [0xd3d998,0xd88288),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser: Running 1 inputs 100 time(s) each.
Running: /9c6d054fc142b77e9358f993648300cb6f04f2e2ff89715130b8f7c5a78e6f0f
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4ef4fd in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23
    #1 0x4edacf in l2tp_tunnel_done /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:720:9
    #2 0x4a77ef in netdev_free /work/build/../../src/systemd/src/network/netdev/netdev.c:205:17
    #3 0x4a7469 in netdev_unref /work/build/../../src/systemd/src/network/netdev/netdev.c:210:1
    #4 0x57dc2e in manager_free /work/build/../../src/systemd/src/network/networkd-manager.c:1877:22
    #5 0x4a6600 in manager_freep /work/build/../../src/systemd/src/network/networkd-manager.h:105:1
    #6 0x4a63f6 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:25:1
    #7 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #8 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #9 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #10 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #11 0x7fe5abc0b82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x42a958 in _start (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_systemd_51c8b794cfaad5e5fa22044d2c9d4cb97d349941/revisions/fuzz-netdev-parser+0x42a958)

  Uninitialized value was created by a heap deallocation
    #0 0x450fb9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x4ef4be in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:53:9
    #2 0x4eedd2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #3 0x4af6a6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #4 0x4a63c1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #5 0x81c09d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #6 0x7a76f8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #7 0x7bb5cf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #8 0x7a6870 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #9 0x7fe5abc0b82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23 in l2tp_session_free
Exiting

 
I 2020-05-29T20:27:42.885079724Z Crash stacktrace comparison skipped. 
I 2020-05-29T20:27:42.883577437Z Crash occurred in 1.9359266757965088 seconds (round 1). State:
l2tp_session_free
l2tp_tunnel_done
netdev_free
 
I 2020-05-29T20:27:36.975603370Z Minimizing round 1. 

@evverx
Contributor Author

evverx commented May 29, 2020

Interestingly, the backtraces are the same most of the time

$ sudo ./infra/helper.py reproduce systemd fuzz-netdev-parser ../systemd/minimized-from-fdd4888848e235fdf2fec8d98c6709fe7d0dcdd8
Running: docker run --rm --privileged -i -v /home/vagrant/oss-fuzz/build/out/systemd:/out -v /home/vagrant/systemd/minimized-from-fdd4888848e235fdf2fec8d98c6709fe7d0dcdd8:/testcase -t gcr.io/oss-fuzz-base/base-runner reproduce fuzz-netdev-parser -runs=100
+ DEBUGGER=
+ FUZZER=fuzz-netdev-parser
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export PATH=/out:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/out
+ PATH=/out:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/out
+ cd /out
+ /out/fuzz-netdev-parser -rss_limit_mb=2560 -timeout=25 -runs=100 /testcase
INFO: Seed: 2057262700
INFO: Loaded 2 modules   (74289 inline 8-bit counters): 55175 [0x7f58a76537f9, 0x7f58a7660f80), 19114 [0xd3afb8, 0xd3fa62),
INFO: Loaded 2 PC tables (74289 PCs): 55175 [0x7f58a7660f80,0x7f58a77387f0), 19114 [0xd3fa68,0xd8a508),
/out/fuzz-netdev-parser: Running 1 inputs 100 time(s) each.
Running: /testcase
==6==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4ef50d in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23
    #1 0x4edadf in l2tp_tunnel_done /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:720:9
    #2 0x4a77ff in netdev_free /work/build/../../src/systemd/src/network/netdev/netdev.c:205:17
    #3 0x4a7479 in netdev_unref /work/build/../../src/systemd/src/network/netdev/netdev.c:210:1
    #4 0x57dc3e in manager_free /work/build/../../src/systemd/src/network/networkd-manager.c:1877:22
    #5 0x4a6610 in manager_freep /work/build/../../src/systemd/src/network/networkd-manager.h:105:1
    #6 0x4a6406 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:25:1
    #7 0x81d64d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #8 0x7a8ca8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #9 0x7bcb7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #10 0x7a7e20 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #11 0x7f58a5b3382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x42a968 in _start (/out/fuzz-netdev-parser+0x42a968)

DEDUP_TOKEN: l2tp_session_free--l2tp_tunnel_done--netdev_free
  Uninitialized value was created by a heap deallocation
    #0 0x450fc9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x4ef4ce in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:53:9
    #2 0x4eede2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #3 0x4af6b6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #4 0x4a63d1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #5 0x81d64d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #6 0x7a8ca8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #7 0x7bcb7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #8 0x7a7e20 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #9 0x7f58a5b3382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

DEDUP_TOKEN: free--l2tp_session_free--netdev_l2tp_tunnel_verify
SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23 in l2tp_session_free
Unique heap origins: 160
Stack depot allocated bytes: 16320
Unique origin histories: 25
History depot allocated bytes: 600
Exiting
$ sudo ./infra/helper.py reproduce systemd fuzz-netdev-parser ../clusterfuzz-testcase-minimized-fuzz-netdev-parser-5757581015646208
Running: docker run --rm --privileged -i -v /home/vagrant/oss-fuzz/build/out/systemd:/out -v /home/vagrant/clusterfuzz-testcase-minimized-fuzz-netdev-parser-5757581015646208:/testcase -t gcr.io/oss-fuzz-base/base-runner reproduce fuzz-netdev-parser -runs=100
+ DEBUGGER=
+ FUZZER=fuzz-netdev-parser
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export PATH=/out:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/out
+ PATH=/out:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/out
+ cd /out
+ /out/fuzz-netdev-parser -rss_limit_mb=2560 -timeout=25 -runs=100 /testcase
INFO: Seed: 2120618424
INFO: Loaded 2 modules   (74289 inline 8-bit counters): 55175 [0x7f35ccb2d7f9, 0x7f35ccb3af80), 19114 [0xd3afb8, 0xd3fa62),
INFO: Loaded 2 PC tables (74289 PCs): 55175 [0x7f35ccb3af80,0x7f35ccc127f0), 19114 [0xd3fa68,0xd8a508),
/out/fuzz-netdev-parser: Running 1 inputs 100 time(s) each.
Running: /testcase
==6==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4ef50d in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23
    #1 0x4edadf in l2tp_tunnel_done /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:720:9
    #2 0x4a77ff in netdev_free /work/build/../../src/systemd/src/network/netdev/netdev.c:205:17
    #3 0x4a7479 in netdev_unref /work/build/../../src/systemd/src/network/netdev/netdev.c:210:1
    #4 0x57dc3e in manager_free /work/build/../../src/systemd/src/network/networkd-manager.c:1877:22
    #5 0x4a6610 in manager_freep /work/build/../../src/systemd/src/network/networkd-manager.h:105:1
    #6 0x4a6406 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:25:1
    #7 0x81d64d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #8 0x7a8ca8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #9 0x7bcb7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #10 0x7a7e20 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #11 0x7f35cb00d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x42a968 in _start (/out/fuzz-netdev-parser+0x42a968)

DEDUP_TOKEN: l2tp_session_free--l2tp_tunnel_done--netdev_free
  Uninitialized value was created by a heap deallocation
    #0 0x450fc9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x4ef4ce in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:53:9
    #2 0x4eede2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #3 0x4af6b6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #4 0x4a63d1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #5 0x81d64d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #6 0x7a8ca8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #7 0x7bcb7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #8 0x7a7e20 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #9 0x7f35cb00d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

DEDUP_TOKEN: free--l2tp_session_free--netdev_l2tp_tunnel_verify
SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23 in l2tp_session_free
Unique heap origins: 190
Stack depot allocated bytes: 20712
Unique origin histories: 37
History depot allocated bytes: 888
Exiting

@evverx
Contributor Author

evverx commented May 29, 2020

but occasionally with the same testcase (no matter whether it's minimized or not) I can see

$ sudo ./infra/helper.py reproduce systemd fuzz-netdev-parser ../clusterfuzz-testcase-minimized-fuzz-netdev-parser-5757581015646208
Running: docker run --rm --privileged -i -v /home/vagrant/oss-fuzz/build/out/systemd:/out -v /home/vagrant/clusterfuzz-testcase-minimized-fuzz-netdev-parser-5757581015646208:/testcase -t gcr.io/oss-fuzz-base/base-runner reproduce fuzz-netdev-parser -runs=100
+ DEBUGGER=
+ FUZZER=fuzz-netdev-parser
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export PATH=/out:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/out
+ PATH=/out:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/out
+ cd /out
+ /out/fuzz-netdev-parser -rss_limit_mb=2560 -timeout=25 -runs=100 /testcase
INFO: Seed: 2188784923
INFO: Loaded 2 modules   (74289 inline 8-bit counters): 55175 [0x7f6364ec47f9, 0x7f6364ed1f80), 19114 [0xd3afb8, 0xd3fa62),
INFO: Loaded 2 PC tables (74289 PCs): 55175 [0x7f6364ed1f80,0x7f6364fa97f0), 19114 [0xd3fa68,0xd8a508),
/out/fuzz-netdev-parser: Running 1 inputs 100 time(s) each.
Running: /testcase
Uninitialized bytes in __interceptor_strcmp at offset 0 inside [0x702000000c05, 1)
==6==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x611d7f in network_config_compare_func /work/build/../../src/systemd/src/network/networkd-util.c:127:13
    #1 0x7f63647c8758 in base_bucket_scan /work/build/../../src/systemd/src/basic/hashmap.c:1204:29
    #2 0x7f63647ca804 in internal_hashmap_remove /work/build/../../src/systemd/src/basic/hashmap.c:1358:15
    #3 0x4ef581 in ordered_hashmap_remove /work/build/../../src/systemd/src/basic/hashmap.h:196:16
    #4 0x4ef448 in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:47:17
    #5 0x4eede2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #6 0x4af6b6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #7 0x4a63d1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #8 0x81d64d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #9 0x7a8ca8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #10 0x7bcb7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #11 0x7a7e20 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #12 0x7f63633a482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x42a968 in _start (/out/fuzz-netdev-parser+0x42a968)

DEDUP_TOKEN: network_config_compare_func--base_bucket_scan--internal_hashmap_remove
  Uninitialized value was created by a heap deallocation
    #0 0x450fc9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x612100 in network_config_section_free /work/build/../../src/systemd/src/network/networkd-util.c:152:9
    #2 0x4ef48f in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:49:9
    #3 0x4eede2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #4 0x4af6b6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #5 0x4a63d1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #6 0x81d64d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #7 0x7a8ca8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #8 0x7bcb7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #9 0x7a7e20 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #10 0x7f63633a482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

DEDUP_TOKEN: free--network_config_section_free--l2tp_session_free
SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/network/networkd-util.c:127:13 in network_config_compare_func
==6==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x894bce in fuzzer::InternalStrnlen2(char const*, char const*) /src/libfuzzer/FuzzerTracePC.cpp:378:18
    #1 0x894a1d in __sanitizer_weak_hook_strcmp /src/libfuzzer/FuzzerTracePC.cpp:617:14
    #2 0x45849f in strcmp /src/llvm-project/compiler-rt/lib/msan/../sanitizer_common/sanitizer_common_interceptors.inc:451:3
    #3 0x611d7f in network_config_compare_func /work/build/../../src/systemd/src/network/networkd-util.c:127:13
    #4 0x7f63647c8758 in base_bucket_scan /work/build/../../src/systemd/src/basic/hashmap.c:1204:29
    #5 0x7f63647ca804 in internal_hashmap_remove /work/build/../../src/systemd/src/basic/hashmap.c:1358:15
    #6 0x4ef581 in ordered_hashmap_remove /work/build/../../src/systemd/src/basic/hashmap.h:196:16
    #7 0x4ef448 in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:47:17
    #8 0x4eede2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #9 0x4af6b6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #10 0x4a63d1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #11 0x81d64d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #12 0x7a8ca8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #13 0x7bcb7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #14 0x7a7e20 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #15 0x7f63633a482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x42a968 in _start (/out/fuzz-netdev-parser+0x42a968)

DEDUP_TOKEN: fuzzer::InternalStrnlen2(char const*, char const*)--__sanitizer_weak_hook_strcmp--strcmp
  Uninitialized value was created by a heap deallocation
    #0 0x450fc9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x612100 in network_config_section_free /work/build/../../src/systemd/src/network/networkd-util.c:152:9
    #2 0x4ef48f in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:49:9
    #3 0x4eede2 in netdev_l2tp_tunnel_verify /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:706:25
    #4 0x4af6b6 in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:738:21
    #5 0x4a63d1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
    #6 0x81d64d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
    #7 0x7a8ca8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
    #8 0x7bcb7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
    #9 0x7a7e20 in main /src/libfuzzer/FuzzerMain.cpp:19:10
    #10 0x7f63633a482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

DEDUP_TOKEN: free--network_config_section_free--l2tp_session_free
SUMMARY: MemorySanitizer: use-of-uninitialized-value /src/libfuzzer/FuzzerTracePC.cpp:378:18 in fuzzer::InternalStrnlen2(char const*, char const*)
Unique heap origins: 184
Stack depot allocated bytes: 20112
Unique origin histories: 37
History depot allocated bytes: 888
Exiting

@evverx
Contributor Author

evverx commented May 29, 2020

I think it makes sense to ignore the smaller testcase if the crash stack changes?

Agreed.

It seems either the fuzz target can trigger different code paths or MSan somehow reports different issues. I'm not sure it has anything to do with OSS-Fuzz.

@evverx
Contributor Author

evverx commented May 29, 2020

I think it makes sense to ignore the smaller testcase if the crash stack changes?

Agreed.

Though I think with flaky fuzz targets like this another option would be to try to minimize testcases for some time and then pick the smallest one triggering the original issue. I'm not sure whether it's worth it though.

@inferno-chromium
Collaborator

I think it makes sense to ignore the smaller testcase if the crash stack changes?

Agreed.

Though I think with flaky fuzz targets like this another option would be to try to minimize testcases for some time and then pick the smallest one triggering the original issue. I'm not sure whether it's worth it though.

It does that already: it tries 10 different sequential attempts to minimize and saves the minimized version if the same crash signature occurred, or ignores the result if it changed. I can completely ignore the minimization result for flaky testcases, but I hate wrong results. If we minimized wrong, we cause havoc down the road, like regression testing, etc.
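
The accept-or-ignore rule described in the comment above, together with the "smallest testcase that still triggers the original issue" variant proposed in the quoted comment, as an added Python example that is not ClusterFuzz's own code. The report excerpts are cut down from the MemorySanitizer reports quoted earlier in this thread; the three-frame state mirrors the `State:` lines in the log above, and the list of ignored runtime frames is an illustrative assumption, not ClusterFuzz's stack-analysis configuration.

```python
import re

# Excerpts constructed from the MemorySanitizer reports quoted in this thread
# (addresses and paths as they appear there; trailing frames cut for brevity).
REPORT_ORIGINAL = """\
==6==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4ef50d in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:46:23
    #1 0x4edadf in l2tp_tunnel_done /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:720:9
    #2 0x4a77ff in netdev_free /work/build/../../src/systemd/src/network/netdev/netdev.c:205:17
    #3 0x4a7479 in netdev_unref /work/build/../../src/systemd/src/network/netdev/netdev.c:210:1

  Uninitialized value was created by a heap deallocation
    #0 0x450fc9 in free /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:222:3
    #1 0x4ef4ce in l2tp_session_free /work/build/../../src/systemd/src/network/netdev/l2tp-tunnel.c:53:9
"""

REPORT_FLAKY = """\
==6==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x611d7f in network_config_compare_func /work/build/../../src/systemd/src/network/networkd-util.c:127:13
    #1 0x7f63647c8758 in base_bucket_scan /work/build/../../src/systemd/src/basic/hashmap.c:1204:29
    #2 0x7f63647ca804 in internal_hashmap_remove /work/build/../../src/systemd/src/basic/hashmap.c:1358:15
    #3 0x4ef581 in ordered_hashmap_remove /work/build/../../src/systemd/src/basic/hashmap.h:196:16
"""

# The same crash as REPORT_FLAKY, but surfaced through libFuzzer's strcmp hook, so
# the top frames are sanitizer/fuzzer internals rather than target code.
REPORT_FLAKY_VIA_HOOK = """\
==6==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x894bce in fuzzer::InternalStrnlen2(char const*, char const*) /src/libfuzzer/FuzzerTracePC.cpp:378:18
    #1 0x894a1d in __sanitizer_weak_hook_strcmp /src/libfuzzer/FuzzerTracePC.cpp:617:14
    #2 0x45849f in strcmp /src/llvm-project/compiler-rt/lib/msan/../sanitizer_common/sanitizer_common_interceptors.inc:451:3
    #3 0x611d7f in network_config_compare_func /work/build/../../src/systemd/src/network/networkd-util.c:127:13
    #4 0x7f63647c8758 in base_bucket_scan /work/build/../../src/systemd/src/basic/hashmap.c:1204:29
    #5 0x7f63647ca804 in internal_hashmap_remove /work/build/../../src/systemd/src/basic/hashmap.c:1358:15
"""

# One sanitizer stack frame: "#<n> 0x<addr> in <function> <location>".
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)", re.MULTILINE)

# Frames belonging to the sanitizer runtime or libFuzzer rather than the target.
# Illustrative assumption, not ClusterFuzz's own ignore list.
IGNORED_PREFIXES = ("fuzzer::", "__sanitizer", "__interceptor", "__msan", "__asan")
IGNORED_FUNCTIONS = {"free", "malloc", "strcmp", "memcpy"}


def first_stack_frames(report):
    """Function names of the first stack in a sanitizer report, in order. A second
    '#0' marks the start of the origin stack, which is not part of the crash state."""
    frames = []
    for number, func in FRAME_RE.findall(report):
        if int(number) == 0 and frames:
            break
        frames.append(func)
    return frames


def crash_state(report, depth=3):
    """Top `depth` target frames after dropping runtime/fuzzer internals: the same
    shape as the three-line 'State:' ClusterFuzz prints in the log above."""
    frames = [f for f in first_stack_frames(report)
              if not f.startswith(IGNORED_PREFIXES) and f not in IGNORED_FUNCTIONS]
    return frames[:depth]


def same_crash(report_a, report_b):
    """Two reports describe the same crash if their states match."""
    return crash_state(report_a) == crash_state(report_b)


def smallest_matching_testcase(original_report, candidates):
    """Given (testcase_bytes, report) pairs from repeated minimization attempts,
    return the smallest testcase that still reproduces the original crash state,
    or None if no attempt did. Attempts whose state differs are ignored rather than
    accepted, so a flaky target cannot swap in a testcase for a different bug."""
    matching = [tc for tc, rep in candidates if same_crash(original_report, rep)]
    return min(matching, key=len) if matching else None


if __name__ == "__main__":
    # Constructed attempts: sizes are arbitrary, reports are the excerpts above.
    attempts = [(b"A" * 64, REPORT_FLAKY), (b"A" * 128, REPORT_ORIGINAL),
                (b"A" * 512, REPORT_ORIGINAL)]
    print("original state:", crash_state(REPORT_ORIGINAL))
    print("flaky state:   ", crash_state(REPORT_FLAKY_VIA_HOOK))
    best = smallest_matching_testcase(REPORT_ORIGINAL, attempts)
    print("accepted minimized size:", None if best is None else len(best))
```

The 64-byte attempt is the smallest, but its state differs from the original, so it is skipped and the 128-byte attempt is accepted. Filtering the runtime frames is what makes the two flaky reports compare equal: without it, a crash first seen through `strcmp` and the same crash seen directly would count as two different signatures.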

@inferno-chromium inferno-chromium changed the title A minimized reproducer testcase seems to be unusually large Fix libFuzzer minimization command line parsing, should be able to process special chars like ( May 29, 2020
@evverx
Contributor Author

evverx commented May 29, 2020

If we minimized wrong, we cause havoc down the road, like regression testing, etc.

I agree but this particular fuzz target can crash differently with the same testcase (making it kind of impossible to get the minimization right) so whatever havoc can be caused will most likely be caused as far as I can tell.

@inferno-chromium
Collaborator

If we minimized wrong, we cause havoc down the road, like regression testing, etc.

I agree but this particular fuzz target can crash differently with the same testcase (making it kind of impossible to get the minimization right) so whatever havoc can be caused will most likely be caused as far as I can tell.

Have a fix at google/clusterfuzz#1804, will get landed next week after review.

@jonathanmetzman
Contributor

I think it makes sense to ignore the smaller testcase if the crash stack changes?

Agreed.

Though I think with flaky fuzz targets like this another option would be to try to minimize testcases for some time and then pick the smallest one triggering the original issue. I'm not sure whether it's worth it though.

It does that already: it tries 10 different sequential attempts to minimize and saves the minimized version if the same crash signature occurred, or ignores the result if it changed. I can completely ignore the minimization result for flaky testcases, but I hate wrong results. If we minimized wrong, we cause havoc down the road, like regression testing, etc.

IMO we should always try to use the original testcase for things like regression/progression. Don't know if we end up with some testcases that are too large to use for this purpose though.

@evverx
Contributor Author

evverx commented Jun 2, 2020

FWIW it appears that fuzz target somehow broke the part of OSS-Fuzz reporting issues (probably as expected). The underlying issue was fixed three days ago and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22736 was verified and closed. 8 minutes later https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22880 was opened and it was open until I manually restarted that task to make sure it was really fixed:

[2020-06-02 13:12:34 UTC] *: Redo task(s): progression
[2020-06-02 13:17:25 UTC] oss-fuzz-linux-zone1-host-v337-7: Progression task started: r202006020345.
[2020-06-02 13:25:23 UTC] oss-fuzz-linux-zone1-host-v337-7: Progression task in-progress: Testing r202005300347 (current range 202005280344:202006020345).
[2020-06-02 13:25:28 UTC] oss-fuzz-linux-zone1-host-v337-7: Progression task in-progress: Testing r202005310341 (current range 202005300347:202006020345).
[2020-06-02 13:33:26 UTC] oss-fuzz-linux-zone1-host-v337-7: Progression task finished: fixed in range r202005300347:202005310341.

@evverx
Contributor Author

evverx commented Jun 2, 2020

It could be that that lag has nothing to do with the flaky backtraces though because another bug (along with three undeduplicated variations) that was fixed yesterday hasn't been closed yet even though according to https://oss-fuzz-build-logs.storage.googleapis.com/index.html#systemd that commit was finally picked up by OSS-Fuzz.

@jonathanmetzman
Contributor

jonathanmetzman commented Jun 2, 2020

@morehouse do you think this should be fixed in libFuzzer? I think ExecuteCommand calls system which breaks if bash interprets the filename as something other than the argument to libFuzzer.

I'd say fix it in libFuzzer if the fix there is easy enough... A couple ideas that might be easy fixes:

  • Adding -- before filenames.
  • Single-quoting filenames.

I don't know that I have the cycles to do this now. Any chance someone from dynamic-tools could fix this?

@inferno-chromium
Collaborator

@Dor1s - can you please help to fix this in libFuzzer [see https://github.com//issues/3886#issuecomment-637687216]

@Dor1s
Contributor

Dor1s commented Jun 25, 2020

So the problem is that honggfuzz creates testcases named e.g. /SIGABRT.PC.7ffff76cef07.STACK.16cd11d9f.CODE.-6.ADDR.0.INSTR.mov____(%rdi),%r12.fuzz and libFuzzer's minimize_crash functionality can't handle such filenames?

@inferno-chromium
Collaborator

Yes, correct!

@Dor1s
Contributor

Dor1s commented Jun 26, 2020

Single quoting works, but not on Windows. A proper solution would be to get rid of system(), but that seems to involve too much work for now.

I've uploaded https://reviews.llvm.org/D82685, let's see what people think about it.

@Dor1s
Contributor

Dor1s commented Jul 6, 2020

Seems like @kcc prefers to reject weird file names :) https://reviews.llvm.org/D82685#2133565

@Dor1s
Contributor

Dor1s commented Jul 6, 2020

@inferno-chromium since you assigned me to fix this, our options now are:

  1. change CF to sanitize / rename all inputs passed to libFuzzer
  2. convince Kostya to accept my CL

@Dor1s
Contributor

Dor1s commented Jul 6, 2020

If we choose 1), we should probably make honggfuzz not generate such files. Adding extra complexity specific to the honggfuzz -> libFuzzer pipeline in CF also doesn't make much sense.

@inferno-chromium
Collaborator

We can do that filtering when storing the testcase; we need to filter the absolute path and maybe filter bad chars from the file basename - https://github.com/google/clusterfuzz/blob/master/src/python/datastore/data_handler.py#L721 ? We can also ask Honggfuzz not to generate such filenames, whichever you prefer.
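
Two of the remedies discussed in this thread, quoting every argument before it reaches the shell (the single-quoting idea raised above) and sanitizing the testcase basename when it is stored (the filtering described in the comment above), as an added Python example that is not code from ClusterFuzz, libFuzzer or honggfuzz. The testcase name is constructed from the honggfuzz naming pattern quoted earlier in this thread, and the target path and flags are taken from the reproduce commands above; `shell_accepts` uses `/bin/sh -n` to syntax-check a command line without executing it.

```python
import os
import re
import shlex
import subprocess

# Constructed from the honggfuzz naming pattern quoted in this thread: the
# disassembled instruction in the name carries the shell metacharacters '(' and ')'.
HONGGFUZZ_STYLE_NAME = ("/SIGABRT.PC.7ffff76cef07.STACK.16cd11d9f.CODE.-6.ADDR.0."
                        "INSTR.mov____(%rdi),%r12.fuzz")

# Target and flags taken from the reproduce commands in this thread.
TARGET = "/out/fuzz-netdev-parser"
FLAGS = ["-rss_limit_mb=2560", "-timeout=25", "-runs=100"]

# Characters a POSIX shell treats specially when they appear unquoted in a word.
SHELL_METACHARS = frozenset("|&;<>()$`\\\"' \t\n*?[#~")


def build_command_concat(argv):
    """Join the arguments with spaces, which is all a system()-style runner does;
    nothing protects an argument that happens to contain shell syntax."""
    return " ".join(argv)


def build_command_quoted(argv):
    """Quote each argument so the shell reconstructs exactly the intended argv."""
    return " ".join(shlex.quote(arg) for arg in argv)


def shell_metachars_in(word):
    """Shell metacharacters present in one unquoted word, sorted for stable output."""
    return sorted(set(word) & SHELL_METACHARS)


def shell_round_trips(argv):
    """True if the quoted command line parses back into the original argv."""
    return shlex.split(build_command_quoted(argv)) == argv


def shell_accepts(command):
    """Ask /bin/sh -n whether the command line is valid syntax, without running it.
    Returns True/False, or None when no shell is available on this system."""
    try:
        proc = subprocess.run(["/bin/sh", "-n", "-c", command],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:
        return None
    return proc.returncode == 0


def sanitize_testcase_basename(path, fallback="testcase"):
    """Storage-side alternative: drop any directory part and replace every character
    outside a conservative allow-list with '_'. A leading '-' is also neutralised so
    libFuzzer cannot mistake the file name for a flag."""
    name = os.path.basename(path.rstrip("/"))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    if name in ("", ".", ".."):
        return fallback
    if name.startswith("-"):
        name = "_" + name
    return name


if __name__ == "__main__":
    argv = [TARGET] + FLAGS + [HONGGFUZZ_STYLE_NAME]
    print("metacharacters in testcase name:", shell_metachars_in(HONGGFUZZ_STYLE_NAME))
    print("sh accepts concatenated command:", shell_accepts(build_command_concat(argv)))
    print("sh accepts quoted command:", shell_accepts(build_command_quoted(argv)))
    print("quoted argv round-trips:", shell_round_trips(argv))
    print("sanitized basename:", sanitize_testcase_basename(HONGGFUZZ_STYLE_NAME))
```

With the concatenated form the shell never gets as far as starting the target: the unquoted `(` is a syntax error, which is the "LibFuzzer minimization failed" outcome seen in the log. The quoted form reproduces the argv exactly, but as noted above it only helps on POSIX shells; the basename sanitizer is the alternative that works regardless of how the runner spawns the target.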

@jonathanmetzman
Contributor

jonathanmetzman commented Jul 6, 2020

I'm fine with sanitizing weird filenames on the CF side then. If libFuzzer isn't going to support weird filenames then we should probably always sanitize file inputs to libFuzzer, but a more local/less thorough fix is fine by me.

@Dor1s
Contributor

Dor1s commented Jul 6, 2020

I think sanitization in CF might become a whack-a-mole, as we have multiple sources of testcases, including user provided seed corpora. Since honggfuzz has started causing the problem in the first place, I'd first attempt to convince @robertswiecki to change that behavior or at least provide an option to disable assembly code in the filenames.

Robert, would you be willing to make such a change? :)

@evverx
Contributor Author

evverx commented Jul 10, 2020

at least provide an option to disable assembly code in the filenames

To judge from #3886 (comment), it can be compiled with -D_HF_LINUX_NO_BFD

@Dor1s
Contributor

Dor1s commented Jul 10, 2020

Thanks a lot @evverx, that seems great.

FTR, I totally agree that it's better not to use system and string concatenation (so I even prepared the patch), but Kostya didn't want to accept it and so now I'm on the path of the least resistance as I don't want to spend any more time on this :)

Dor1s added a commit that referenced this issue Jul 10, 2020
* [infra] Build honggfuzz with -D_HF_LINUX_NO_BFD (#3886).

* dummy edit to trigger CI
@Dor1s Dor1s closed this as completed Jul 10, 2020