Closed
Labels: bug 🐛 (Programming errors, that need preferential fixing), network
Description
It was reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22547:
```
$ cat minimized-from-8671a26d1278372335676f656e34ab3c5f7a3816
[NetDev]
Name=o
Kind=macsec
[MACsecReceiveChannel]
MACAddress=12.0.4
Port=913
[MACsecReceiveChannel]
MACAddress=12.0.4
Port=913
$ sudo UBSAN_OPTIONS=print_stacktrace=1:print_summary=1 ./out/fuzz-netdev-parser minimized-from-8671a26d1278372335676f656e34ab3c5f7a3816
INFO: Seed: 3640808115
INFO: Loaded 2 modules (199842 inline 8-bit counters): 136716 [0x7fec24467db0, 0x7fec244893bc), 63126 [0xadfa90, 0xaef126),
INFO: Loaded 2 PC tables (199842 PCs): 136716 [0x7fec244893c0,0x7fec2469f480), 63126 [0xaef128,0xbe5a88),
./out/fuzz-netdev-parser: Running 1 inputs 1 time(s) each.
Running: minimized-from-8671a26d1278372335676f656e34ab3c5f7a3816
../src/basic/hashmap.c:344:22: runtime error: member access within null pointer of type 'const struct hash_ops'
    #0 0x7fec23c41bf6 in base_bucket_hash /home/vagrant/systemd/build/../src/basic/hashmap.c:344:22
    #1 0x7fec23c43ba7 in internal_hashmap_remove /home/vagrant/systemd/build/../src/basic/hashmap.c:1357:16
    #2 0x5a1dc1 in macsec_receive_channel_free /home/vagrant/systemd/build/../src/network/netdev/macsec.c:105:25
    #3 0x59e649 in macsec_done /home/vagrant/systemd/build/../src/network/netdev/macsec.c:1230:9
    #4 0x544ca1 in netdev_free /home/vagrant/systemd/build/../src/network/netdev/netdev.c:205:17
    #5 0x544359 in netdev_unref /home/vagrant/systemd/build/../src/network/netdev/netdev.c:210:1
    #6 0x62f8e9 in manager_free /home/vagrant/systemd/build/../src/network/networkd-manager.c:1877:22
    #7 0x543466 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/network/fuzz-netdev-parser.c:25:1
    #8 0x44e408 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x44e408)
    #9 0x433525 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x433525)
    #10 0x43c469 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x43c469)
    #11 0x42c4c6 in main (/home/vagrant/systemd/out/fuzz-netdev-parser+0x42c4c6)
    #12 0x7fec22ef81a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #13 0x42c51d in _start (/home/vagrant/systemd/out/fuzz-netdev-parser+0x42c51d)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/basic/hashmap.c:344:22 in
../src/basic/hashmap.c:344:22: runtime error: load of null pointer of type 'const hash_func_t' (aka 'void (*const)(const void *, struct siphash *)')
    #0 0x7fec23c41c11 in base_bucket_hash /home/vagrant/systemd/build/../src/basic/hashmap.c:344:22
    #1 0x7fec23c43ba7 in internal_hashmap_remove /home/vagrant/systemd/build/../src/basic/hashmap.c:1357:16
    #2 0x5a1dc1 in macsec_receive_channel_free /home/vagrant/systemd/build/../src/network/netdev/macsec.c:105:25
    #3 0x59e649 in macsec_done /home/vagrant/systemd/build/../src/network/netdev/macsec.c:1230:9
    #4 0x544ca1 in netdev_free /home/vagrant/systemd/build/../src/network/netdev/netdev.c:205:17
    #5 0x544359 in netdev_unref /home/vagrant/systemd/build/../src/network/netdev/netdev.c:210:1
    #6 0x62f8e9 in manager_free /home/vagrant/systemd/build/../src/network/networkd-manager.c:1877:22
    #7 0x543466 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/network/fuzz-netdev-parser.c:25:1
    #8 0x44e408 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x44e408)
    #9 0x433525 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x433525)
    #10 0x43c469 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x43c469)
    #11 0x42c4c6 in main (/home/vagrant/systemd/out/fuzz-netdev-parser+0x42c4c6)
    #12 0x7fec22ef81a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #13 0x42c51d in _start (/home/vagrant/systemd/out/fuzz-netdev-parser+0x42c51d)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/basic/hashmap.c:344:22 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5305==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fec23c41ade bp 0x7fff968ae500 sp 0x7fff968ae3e0 T0)
==5305==The signal is caused by a READ memory access.
==5305==Hint: address points to the zero page.
    #0 0x7fec23c41add in base_bucket_hash /home/vagrant/systemd/build/../src/basic/hashmap.c:344:22
    #1 0x7fec23c43ba7 in internal_hashmap_remove /home/vagrant/systemd/build/../src/basic/hashmap.c:1357:16
    #2 0x5a1dc1 in macsec_receive_channel_free /home/vagrant/systemd/build/../src/network/netdev/macsec.c:105:25
    #3 0x59e649 in macsec_done /home/vagrant/systemd/build/../src/network/netdev/macsec.c:1230:9
    #4 0x544ca1 in netdev_free /home/vagrant/systemd/build/../src/network/netdev/netdev.c:205:17
    #5 0x544359 in netdev_unref /home/vagrant/systemd/build/../src/network/netdev/netdev.c:210:1
    #6 0x62f8e9 in manager_free /home/vagrant/systemd/build/../src/network/networkd-manager.c:1877:22
    #7 0x543466 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/network/fuzz-netdev-parser.c:25:1
    #8 0x44e408 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x44e408)
    #9 0x433525 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x433525)
    #10 0x43c469 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x43c469)
    #11 0x42c4c6 in main (/home/vagrant/systemd/out/fuzz-netdev-parser+0x42c4c6)
    #12 0x7fec22ef81a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #13 0x42c51d in _start (/home/vagrant/systemd/out/fuzz-netdev-parser+0x42c51d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/vagrant/systemd/build/../src/basic/hashmap.c:344:22 in base_bucket_hash
==5305==ABORTING
```
cc @ssahani
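The three sanitizer reports in the issue (two UBSan, one ASan) carry the same stack, and the first frame outside the generic hashmap code is `macsec_receive_channel_free` at `macsec.c:105`, which is where a triager would start reading. The helper below, an added example that is not part of this issue or of systemd's own code, parses sanitizer output of exactly this shape, drops libFuzzer and libc frames, groups reports by a stack signature so duplicates collapse into one finding, and names that first non-utility frame. The `/src/` project marker and the `src/basic/` utility directory are assumptions about the source layout; the sample input is a constructed, abridged copy of the output pasted above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# A stack frame as ASan/UBSan print it, e.g.
#   "#2 0x5a1dc1 in macsec_receive_channel_free /home/vagrant/systemd/build/../src/network/netdev/macsec.c:105:25"
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)$")
# "SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/basic/hashmap.c:344:22 in"
SUMMARY_RE = re.compile(r"^SUMMARY:\s*(\w+):")
# "<path>:<line>[:<column>]" -> path and line
LOC_RE = re.compile(r"^(.*?):(\d+)(?::\d+)?$")
# Assumption: project sources live under a "src/" directory; frames whose
# location lacks it (libFuzzer, libc, binary+offset) are harness noise.
PROJECT_MARKER = "/src/"


@dataclass(frozen=True)
class Frame:
    func: str
    path: str  # project-relative, e.g. "src/basic/hashmap.c"
    line: int


@dataclass
class Report:
    sanitizer: str
    frames: tuple  # in-project Frames, innermost first


def parse_frame(line):
    """Return a Frame for an in-project stack line, or None for anything else."""
    m = FRAME_RE.match(line)
    if not m or PROJECT_MARKER not in m.group(3):
        return None
    lm = LOC_RE.match(m.group(3))
    if not lm:
        return None
    path = lm.group(1)
    return Frame(m.group(2), path[path.index(PROJECT_MARKER) + 1:], int(lm.group(2)))


def parse_reports(text):
    """Split sanitizer output into Reports; each report ends at its SUMMARY line."""
    reports, frames = [], []
    for raw in text.splitlines():
        line = raw.strip()
        frame = parse_frame(line)
        if frame:
            frames.append(frame)
            continue
        sm = SUMMARY_RE.match(line)
        if sm:
            reports.append(Report(sm.group(1), tuple(frames)))
            frames = []
    return reports


def signature(report, depth=3):
    """Crash signature: the innermost in-project frames as (function, file:line)."""
    return tuple((f.func, f"{f.path}:{f.line}") for f in report.frames[:depth])


def triage(text, depth=3):
    """Group reports by signature -> list of sanitizers that produced them."""
    groups = defaultdict(list)
    for report in parse_reports(text):
        groups[signature(report, depth)].append(report.sanitizer)
    return dict(groups)


def blame_frame(report, utility_dirs=("src/basic/",)):
    """First frame outside generic utility code: where the bad argument most
    likely originated. utility_dirs is an assumption about the source layout."""
    for frame in report.frames:
        if not frame.path.startswith(utility_dirs):
            return frame
    return None


# Constructed sample: an abridged copy of the three reports pasted in the issue.
SAMPLE = """\
../src/basic/hashmap.c:344:22: runtime error: member access within null pointer of type 'const struct hash_ops'
#0 0x7fec23c41bf6 in base_bucket_hash /home/vagrant/systemd/build/../src/basic/hashmap.c:344:22
#1 0x7fec23c43ba7 in internal_hashmap_remove /home/vagrant/systemd/build/../src/basic/hashmap.c:1357:16
#2 0x5a1dc1 in macsec_receive_channel_free /home/vagrant/systemd/build/../src/network/netdev/macsec.c:105:25
#3 0x59e649 in macsec_done /home/vagrant/systemd/build/../src/network/netdev/macsec.c:1230:9
#7 0x543466 in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/network/fuzz-netdev-parser.c:25:1
#8 0x44e408 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/out/fuzz-netdev-parser+0x44e408)
#12 0x7fec22ef81a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/basic/hashmap.c:344:22 in
../src/basic/hashmap.c:344:22: runtime error: load of null pointer of type 'const hash_func_t'
#0 0x7fec23c41c11 in base_bucket_hash /home/vagrant/systemd/build/../src/basic/hashmap.c:344:22
#1 0x7fec23c43ba7 in internal_hashmap_remove /home/vagrant/systemd/build/../src/basic/hashmap.c:1357:16
#2 0x5a1dc1 in macsec_receive_channel_free /home/vagrant/systemd/build/../src/network/netdev/macsec.c:105:25
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/basic/hashmap.c:344:22 in
==5305==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fec23c41ade bp 0x7fff968ae500 sp 0x7fff968ae3e0 T0)
#0 0x7fec23c41add in base_bucket_hash /home/vagrant/systemd/build/../src/basic/hashmap.c:344:22
#1 0x7fec23c43ba7 in internal_hashmap_remove /home/vagrant/systemd/build/../src/basic/hashmap.c:1357:16
#2 0x5a1dc1 in macsec_receive_channel_free /home/vagrant/systemd/build/../src/network/netdev/macsec.c:105:25
#11 0x42c4c6 in main (/home/vagrant/systemd/out/fuzz-netdev-parser+0x42c4c6)
SUMMARY: AddressSanitizer: SEGV /home/vagrant/systemd/build/../src/basic/hashmap.c:344:22 in base_bucket_hash
"""

if __name__ == "__main__":
    for sig, sanitizers in triage(SAMPLE).items():
        print(f"{len(sanitizers)} report(s) from {sorted(set(sanitizers))}:")
        for func, loc in sig:
            print(f"    {func} at {loc}")
    culprit = blame_frame(parse_reports(SAMPLE)[0])
    print(f"first non-utility frame: {culprit.func} ({culprit.path}:{culprit.line})")
```

Running it on the sample collapses the three reports into a single signature rooted at `base_bucket_hash` / `hashmap.c:344` and points at `macsec_receive_channel_free` as the first frame outside `src/basic/`. The signature depth of three frames is a tuning knob: deeper signatures separate distinct callers of the same crashing utility, shallower ones merge them.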