
[njs] Fixed fuzzing target bug introduced in 4d4657128baf (0.7.1).

Dmitry Volyntsev
January 11, 2022 08:06AM
details: https://hg.nginx.org/njs/rev/abbf77fcd111
branches:
changeset: 1799:abbf77fcd111
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Tue Jan 11 13:02:33 2022 +0000
description:
Fixed fuzzing target bug introduced in 4d4657128baf (0.7.1).

Previously, njs_process_script() took vm pointer from console object,
but after 4d4657128baf the object is not initialized in
LLVMFuzzerTestOneInput().

The fix is to always pass vm pointer explicitly.

This also closes issue #456 on GitHub.

diffstat:

src/njs_shell.c | 29 +++++++++++++++++------------
1 files changed, 17 insertions(+), 12 deletions(-)

diffs (105 lines):

diff -r 9b112a44e540 -r abbf77fcd111 src/njs_shell.c
--- a/src/njs_shell.c Wed Dec 29 18:26:40 2021 +0000
+++ b/src/njs_shell.c Tue Jan 11 13:02:33 2022 +0000
@@ -88,8 +88,8 @@ typedef struct {
static njs_int_t njs_console_init(njs_vm_t *vm, njs_console_t *console);
static njs_int_t njs_externals_init(njs_vm_t *vm);
static njs_vm_t *njs_create_vm(njs_opts_t *opts, njs_vm_opt_t *vm_options);
-static njs_int_t njs_process_script(njs_opts_t *opts,
- njs_console_t *console, const njs_str_t *script);
+static njs_int_t njs_process_script(njs_vm_t *vm, njs_opts_t *opts,
+ void *runtime, const njs_str_t *script);

#ifndef NJS_FUZZER_TARGET

@@ -307,7 +307,7 @@ main(int argc, char **argv)
if (vm != NULL) {
command.start = (u_char *) opts.command;
command.length = njs_strlen(opts.command);
- ret = njs_process_script(&opts, vm_options.external, &command);
+ ret = njs_process_script(vm, &opts, vm_options.external, &command);
njs_vm_destroy(vm);
}

@@ -612,7 +612,7 @@ njs_process_file(njs_opts_t *opts, njs_v
}
}

- ret = njs_process_script(opts, vm_options->external, &script);
+ ret = njs_process_script(vm, opts, vm_options->external, &script);
if (ret != NJS_OK) {
ret = NJS_ERROR;
goto done;
@@ -662,7 +662,6 @@ LLVMFuzzerTestOneInput(const uint8_t* da
vm_options.init = 1;
vm_options.backtrace = 0;
vm_options.ops = &njs_console_ops;
- vm_options.external = &njs_console;

vm = njs_create_vm(&opts, &vm_options);
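Review bot: `vm_options.ops = &njs_console_ops;` stays installed in LLVMFuzzerTestOneInput() although `vm_options.external` is no longer set, and the next hunk passes `NULL` as `runtime`. If any of the console ops callbacks cast their external pointer to `njs_console_t *` and dereference it (their bodies are not part of this diff), fuzz input that schedules an event would reach them with NULL. Only njs_process_events() gains a NULL guard in this commit. It is worth confirming that each callback tolerates a NULL external, or giving them the same `== NULL` check. The function starts and ends outside this hunk, so whether the result of njs_create_vm() is checked before use cannot be seen here.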

@@ -670,7 +669,7 @@ LLVMFuzzerTestOneInput(const uint8_t* da
script.length = size;
script.start = (u_char *) data;

- (void) njs_process_script(&opts, vm_options.external, &script);
+ (void) njs_process_script(vm, &opts, NULL, &script);
njs_vm_destroy(vm);
}

@@ -834,12 +833,20 @@ njs_output(njs_opts_t *opts, njs_vm_t *v


static njs_int_t
-njs_process_events(njs_console_t *console)
+njs_process_events(void *runtime)
{
njs_ev_t *ev;
njs_queue_t *events;
+ njs_console_t *console;
njs_queue_link_t *link;

+ if (runtime == NULL) {
+ njs_stderror("njs_process_events(): no runtime\n");
+ return NJS_ERROR;
+ }
+
+ console = runtime;
+
events = &console->posted_events;

for ( ;; ) {
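Review bot: Taking `void *runtime` and immediately assigning it to `njs_console_t *console` gives up compile-time type checking without any gain visible in this diff, since every caller passes either `vm_options.external` or `NULL`. Keeping the typed signature `njs_process_events(njs_console_t *console)` with `if (console == NULL) {` as the guard would give the same NULL handling and drop the extra local. The same question applies to the `void *runtime` parameter of njs_process_script(). If the opaque pointer is meant to admit other runtime types later, that intent should be stated in a comment. The loop body continues outside the hunk.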
@@ -863,14 +870,12 @@ njs_process_events(njs_console_t *consol


static njs_int_t
-njs_process_script(njs_opts_t *opts, njs_console_t *console,
+njs_process_script(njs_vm_t *vm, njs_opts_t *opts, void *runtime,
const njs_str_t *script)
{
u_char *start, *end;
- njs_vm_t *vm;
njs_int_t ret;

- vm = console->vm;
start = script->start;
end = start + script->length;
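Review bot: njs_process_script() now depends on two caller-supplied pointers with different rules, and nothing at the definition says which of them may be NULL. A comment above the function would make the contract explicit, e.g. `/* vm must be non-NULL; runtime may be NULL (fuzzer target), in which case njs_process_events() returns NJS_ERROR. */`. main() visibly checks `vm != NULL` before the call, but the corresponding checks in njs_process_file(), njs_interactive_shell() and the fuzzer entry point are outside the hunks shown. The function body continues past this hunk.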

@@ -897,7 +902,7 @@ njs_process_script(njs_opts_t *opts, njs
break;
}

- ret = njs_process_events(console);
+ ret = njs_process_events(runtime);
if (njs_slow_path(ret != NJS_OK)) {
njs_stderror("njs_process_events() failed\n");
ret = NJS_ERROR;
@@ -962,7 +967,7 @@ njs_interactive_shell(njs_opts_t *opts,
if (line.length != 0) {
add_history((char *) line.start);

- njs_process_script(opts, vm_options->external, &line);
+ njs_process_script(vm, opts, vm_options->external, &line);
}

/* editline allocs a new buffer every time. */
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel