libubox/tests/cram/test_blobmsg_parse.t, branch master

tests: add fuzzer seed file for crash in blob_len

2020-05-26T07:48:07Z

Following regression was introduced in commit 5e75160f4878 ("blobmsg: fix attrs iteration in the blobmsg_check_array_len()"): Thread 1 "test-fuzz" received signal SIGSEGV, Segmentation fault. in blob_len (attr=0x6020000100d4) at libubox/blob.h:102 102 return (be32_to_cpu(attr->id_len) & BLOB_ATTR_LEN_MASK) - sizeof(struct blob_attr); blob_len (attr=0x6020000100d4) at /libubox/blob.h:102 blob_raw_len (attr=0x6020000100d4) at /libubox/blob.h:111 blob_pad_len (attr=0x6020000100d4) at /libubox/blob.h:120 blobmsg_check_array_len (attr=0x6020000000d0, type=0, blob_len=10) at /libubox/blobmsg.c:145 fuzz_blobmsg_parse (data=0x6020000000d0 "\001\004", size=10) at /libubox/tests/fuzz/test-fuzz.c:57 Signed-off-by: Petr Štetiar

blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes

2020-01-20T15:54:10Z

Fix out of bounds read in blobmsg_parse and blobmsg_check_name. The out of bounds read happens because blob_attr and blobmsg_hdr have flexible array members, whose size is 0 in the corresponding sizeofs. For example the __blob_for_each_attr macro checks whether rem >= sizeof(struct blob_attr). However, what LibFuzzer discovered was, if the input data was only 4 bytes, the data would be casted to blob_attr, and later on blob_data(attr) would be called even though attr->data was empty. The same issue could appear with data larger than 4 bytes, where data wasn't empty, but contained only the start of the blobmsg_hdr struct, and blobmsg_hdr name was empty. The bugs were discovered by fuzzing blobmsg_parse and blobmsg_array_parse with LibFuzzer. CC: Luka Perkov Reviewed-by: Jo-Philipp Wich Signed-off-by: Juraj Vijtiuk [refactored some checks, added fuzz inputs, adjusted unit test results] Signed-off-by: Petr Štetiar

tests: add test cases for blobmsg parsing

2019-12-25T09:31:58Z

Increasing test coverage. Signed-off-by: Petr Štetiar