cryptsetup: craft a unique ID with the source device #17

haraldh · 2015-06-02T13:51:40Z

If cryptsetup is called with a source device as argv[3], then craft the
ID for the password agent with a unique device path.

If possible "/dev/block/:" is used, otherwise the original
argv[3] is used.

This enables password agents like petera [1] to provide a password
according to the source device. The original ID did not carry enough
information and was more targeted for a human readable string, which
is specified in the "Message" field anyway.

With this patch the ID of the ask.XXX ini file looks like this:
ID=cryptsetup:/dev/block/:

[1] https://github.com/npmccallum/petera

If cryptsetup is called with a source device as argv[3], then craft the ID for the password agent with a unique device path. If possible "/dev/block/<maj>:<min>" is used, otherwise the original argv[3] is used. This enables password agents like petera [1] to provide a password according to the source device. The original ID did not carry enough information and was more targeted for a human readable string, which is specified in the "Message" field anyway. With this patch the ID of the ask.XXX ini file looks like this: ID=cryptsetup:/dev/block/<maj>:<min> [1] https://github.com/npmccallum/petera

haraldh · 2015-06-02T14:29:42Z

@mezcalero : does it satisfy your coding style now?

haraldh · 2015-06-05T11:07:33Z

obsoleted by #77

Fixes: Message: Process 806 (systemd-importd) of user 0 dumped core. Stack trace of thread 806: #0 0x00007f5eaeff7227 raise (libc.so.6) #1 0x00007f5eaeff8e8a abort (libc.so.6) #2 0x000055b6d3418f4f log_assert_failed (systemd-importd) #3 0x000055b6d3409daf safe_close (systemd-importd) #4 0x000055b6d33c25ea closep (systemd-importd) #5 0x000055b6d33c38d9 setup_machine_directory (systemd-importd) #6 0x000055b6d33b8536 method_pull_tar_or_raw (systemd-importd) #7 0x000055b6d33ed097 method_callbacks_run (systemd-importd) #8 0x000055b6d33ef929 object_find_and_run (systemd-importd) #9 0x000055b6d33eff6b bus_process_object (systemd-importd) #10 0x000055b6d3447f77 process_message (systemd-importd) #11 0x000055b6d344815a process_running (systemd-importd) #12 0x000055b6d3448a10 bus_process_internal (systemd-importd) #13 0x000055b6d3448ae1 sd_bus_process (systemd-importd) #14 0x000055b6d3449779 time_callback (systemd-importd) #15 0x000055b6d3454ff4 source_dispatch (systemd-importd) #16 0x000055b6d34562b9 sd_event_dispatch (systemd-importd) #17 0x000055b6d34566f8 sd_event_run (systemd-importd) #18 0x000055b6d33ba72a bus_event_loop_with_idle (systemd-importd) #19 0x000055b6d33b95bc manager_run (systemd-importd) #20 0x000055b6d33b9766 main (systemd-importd) #21 0x00007f5eaefe2a00 __libc_start_main (libc.so.6) #22 0x000055b6d33b5569 _start (systemd-importd)

This makes systemctl robust regarding journal truncation. This is a follow-up for 2cf4172 Fixes: Core was generated by `./systemctl status systemd-journald'. Program terminated with signal SIGBUS, Bus error. PID 8569 - core TID 8569: #0 0x00007f246cc89ed6 __memcmp_sse4_1 #1 0x0000557ebbc6f42c journal_file_init_header #2 0x0000557ebbc77262 journal_file_open #3 0x0000557ebbc42999 file_type_wanted #4 0x0000557ebbc42e08 add_any_file #5 0x0000557ebbc43832 add_directory #6 0x0000557ebbc4401c add_root_directory #7 0x0000557ebbc442e9 add_root_directory #8 0x0000557ebbc446fc add_search_paths #9 0x0000557ebbbacb5e show_journal_by_unit #10 0x0000557ebbb8376d print_status_info #11 0x0000557ebbb86a0b show_one #12 0x0000557ebbb87954 show #13 0x0000557ebbc20b1f dispatch_verb #14 0x0000557ebbb90615 systemctl_main #15 0x0000557ebbb9159f main #16 0x00007f246cb3e731 __libc_start_main #17 0x0000557ebbb75ae9 _start

Fixes: ``` touch hola.service systemctl link $(pwd)/hola.service $(pwd)/hola.service ``` ``` ==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd): #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) #1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83 #2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89 #3 0x55637c758c77 in strv_freep src/basic/strv.h:37 #4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 #18 0x55637c6a2194 in main src/core/main.c:1920 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) #20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339) 0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573) freed by thread T0 (systemd) here: #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) #1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630 #2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602 #3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996 #4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 #18 0x55637c6a2194 in main src/core/main.c:1920 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) previously allocated by thread T0 (systemd) here: #0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160) #1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552 #2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578 #3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600 #4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 #18 0x55637c6a2194 in main src/core/main.c:1920 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free ==1==ABORTING ``` Closes systemd#5015

Drop autotools support

Fixes: ``` touch hola.service systemctl link $(pwd)/hola.service $(pwd)/hola.service ``` ``` ==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd): #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) systemd#1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83 systemd#2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89 systemd#3 0x55637c758c77 in strv_freep src/basic/strv.h:37 systemd#4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960 systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 systemd#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 systemd#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 systemd#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 systemd#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 systemd#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 systemd#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 systemd#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 systemd#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 systemd#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 systemd#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 systemd#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 systemd#18 0x55637c6a2194 in main src/core/main.c:1920 systemd#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) systemd#20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339) 0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573) freed by thread T0 (systemd) here: #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00) systemd#1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630 systemd#2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602 systemd#3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996 systemd#4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985 systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 systemd#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 systemd#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 systemd#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 systemd#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 systemd#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 systemd#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 systemd#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 systemd#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 systemd#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 systemd#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 systemd#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 systemd#18 0x55637c6a2194 in main src/core/main.c:1920 systemd#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) previously allocated by thread T0 (systemd) here: #0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160) systemd#1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552 systemd#2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578 systemd#3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600 systemd#4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969 systemd#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001 systemd#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418 systemd#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255 systemd#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371 systemd#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563 systemd#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605 systemd#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837 systemd#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856 systemd#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126 systemd#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268 systemd#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627 systemd#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686 systemd#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274 systemd#18 0x55637c6a2194 in main src/core/main.c:1920 systemd#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400) SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free ==1==ABORTING ``` Closes systemd#5015 (cherry picked from commit 8af35ba) Related: #1409997

Fuzzing with AddressSanitizer reports an error here: ==11==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe53f5497d8 at pc 0x7fe53ef055c9 bp 0x7ffd344e9380 sp 0x7ffd344e9378 READ of size 4 at 0x7fe53f5497d8 thread T0 SCARINESS: 27 (4-byte-read-global-buffer-overflow-far-from-bounds) #0 0x7fe53ef055c8 in bus_error_name_to_errno /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:118:24 #1 0x7fe53ef0577b in bus_error_setfv /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:274:17 #2 0x7fe53ef0595a in sd_bus_error_setf /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:284:21 #3 0x561059 in manager_load_unit_prepare /work/build/../../src/systemd/src/core/manager.c #4 0x560680 in manager_load_unit /work/build/../../src/systemd/src/core/manager.c:1773:13 #5 0x5d49a6 in unit_add_dependency_by_name /work/build/../../src/systemd/src/core/unit.c:2882:13 #6 0x538996 in config_parse_unit_deps /work/build/../../src/systemd/src/core/load-fragment.c:152:21 #7 0x6db771 in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:155:32 #8 0x6d697e in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:273:16 #9 0x6d5c48 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:390:21 #10 0x535678 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-unit-file.c:41:16 #11 0x73bd60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:517:13 #12 0x73a39f in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:442:3 #13 0x73d9bc in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:650:19 #14 0x73fa05 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:773:5 #15 0x71f75d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6 #16 0x71285c in main /src/libfuzzer/FuzzerMain.cpp:20:10 #17 0x7fe53da0482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #18 0x430e68 in _start (/out/fuzz-unit-file+0x430e68) 0x7fe53f5497d8 is located 8 bytes to the right of global variable 'bus_common_errors' defined in '../../src/systemd/src/libsystemd/sd-bus/bus-common-errors.c:28:51' (0x7fe53f549300) of size 1232 SUMMARY: AddressSanitizer: global-buffer-overflow /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-error.c:118:24 in bus_error_name_to_errno Shadow bytes around the buggy address: 0x0ffd27ea12a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea12b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea12c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea12d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea12e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0ffd27ea12f0: 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9 f9 f9 0x0ffd27ea1300: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0ffd27ea1310: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0ffd27ea1320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea1330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd27ea1340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==11==ABORTING but I think it's a false positive because of our low-level magic in how this area is constructed.

==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200055fa9c at pc 0x0000005458f1 bp 0x7ffc78940d90 sp 0x7ffc78940d88 READ of size 1 at 0x60200055fa9c thread T0 #0 0x5458f0 in dhcp6_option_parse_domainname /work/build/../../src/systemd/src/libsystemd-network/dhcp6-option.c:555:29 #1 0x54706e in dhcp6_lease_set_domains /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-lease.c:242:13 #2 0x53fce0 in client_parse_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:984:29 #3 0x53f3bc in client_receive_advertise /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1083:13 #4 0x53d57f in client_receive_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1182:21 #5 0x7f0f7159deee in source_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3042:21 #6 0x7f0f7159d431 in sd_event_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3455:21 #7 0x7f0f7159ea8d in sd_event_run /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3512:21 #8 0x531f2b in fuzz_client /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:44:9 #9 0x531bc1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:53:9 #10 0x57bec8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15 #11 0x579d67 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3 #12 0x57dc92 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19 #13 0x580ca6 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5 #14 0x55e968 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6 #15 0x551a1c in main /src/libfuzzer/FuzzerMain.cpp:20:10 #16 0x7f0f701a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #17 0x41e928 in _start (/out/fuzz-dhcp6-client+0x41e928)

Since 205c085, Xorg (libinput) dumps core: ``` systemd-coredump[655]: Process 604 (Xorg) of user 0 dumped core. Stack trace of thread 610: #0 0x00007fc3aa21feab raise (libc.so.6) #1 0x00007fc3aa20a5b9 abort (libc.so.6) #2 0x00000000005a01a0 OsAbort (Xorg) #3 0x000000000047926c ddxGiveUp (Xorg) #4 0x00000000005a5cc8 AbortServer (Xorg) #5 0x00000000005a6b5d FatalError (Xorg) #6 0x000000000059d4e3 OsSigHandler (Xorg) #7 0x00007fc3aa5b9fb0 __restore_rt (libpthread.so.0) #8 0x00007fc3aa21feab raise (libc.so.6) #9 0x00007fc3aa20a5b9 abort (libc.so.6) #10 0x00007fc3ac9edd15 log_assert_failed_realm.constprop.56.cold.0 (libudev.so.1) #11 0x00007fc3ac9efe3f hashmap_free_no_clear (libudev.so.1) #12 0x00007fc3ac9f3311 hashmap_free_free_free (libudev.so.1) #13 0x00007fc3ac9fbe40 sd_device_unref (libudev.so.1) #14 0x00007fc3aca0094d udev_device_unref (libudev.so.1) #15 0x00007fc3a1efce39 evdev_device_destroy (libinput.so.10) #16 0x00007fc3a1ef6f05 libinput_device_unref (libinput.so.10) #17 0x00007fc3a1ef87c3 libinput_event_destroy (libinput.so.10) #18 0x00007fc3a2143d30 xf86libinput_read_input (libinput_drv.so) #19 0x000000000059b8b7 InputReady (Xorg) #20 0x000000000059ded1 ospoll_wait (Xorg) #21 0x000000000059b6fe InputThreadDoWork (Xorg) #22 0x00007fc3aa5af594 start_thread (libpthread.so.0) #23 0x00007fc3aa2e2e6f __clone (libc.so.6) Stack trace of thread 604: #0 0x00007fc3aa2e318f epoll_wait (libc.so.6) #1 0x000000000059de8b ospoll_wait (Xorg) #2 0x0000000000596efc WaitForSomething (Xorg) #3 0x0000000000434c20 Dispatch (Xorg) #4 0x0000000000438f26 dix_main (Xorg) #5 0x00007fc3aa20c11b __libc_start_main (libc.so.6) #6 0x000000000042290a _start (Xorg) ``` This makes Hashmap or Set in libsystemd or libudev not use mempool. Fixes the above issue.

This function returns 0 on success and a negative value on failure. On success, it writes the parsed action to the addressed passed in its third argument. `bus_set_transient_emergency_action` does this: r = parse_emergency_action(s, system, &v); if (v < 0) // handle failure However, `v` is not updated if the function fails, and this should be checking `r` instead of `v`. The result of this is that if an invalid failure (or success) action is specified, systemd ends up creating the unit anyway and then misbehaves if it tries to run the failure action because the action value comes from uninitialized stack data. In my case, this resulted in a failed assertion: Program received signal SIGABRT, Aborted. 0x00007fe52cca0d7f in raise () from /snap/usr/lib/libc.so.6 (gdb) bt #0 0x00007fe52cca0d7f in raise () from /snap/usr/lib/libc.so.6 systemd#1 0x00007fe52cc8b672 in abort () from /snap/usr/lib/libc.so.6 systemd#2 0x00007fe52d66f169 in log_assert_failed_realm (realm=LOG_REALM_SYSTEMD, text=0x56177ab8e000 "action < _EMERGENCY_ACTION_MAX", file=0x56177ab8dfb8 "../src/core/emergency-action.c", line=33, func=0x56177ab8e2b0 <__PRETTY_FUNCTION__.14207> "emergency_action") at ../src/basic/log.c:795 systemd#3 0x000056177aa98cf4 in emergency_action (m=0x56177c992cb0, action=2059118610, options=(unknown: 0), reboot_arg=0x0, exit_status=1, reason=0x7ffdd2df4290 "unit run-u0.service failed") at ../src/core/emergency-action.c:33 systemd#4 0x000056177ab2b739 in unit_notify (u=0x56177c9eb340, os=UNIT_ACTIVE, ns=UNIT_FAILED, flags=(unknown: 0)) at ../src/core/unit.c:2504 systemd#5 0x000056177aaf62ed in service_set_state (s=0x56177c9eb340, state=SERVICE_FAILED) at ../src/core/service.c:1104 systemd#6 0x000056177aaf8a29 in service_enter_dead (s=0x56177c9eb340, f=SERVICE_SUCCESS, allow_restart=true) at ../src/core/service.c:1712 systemd#7 0x000056177aaf9233 in service_enter_signal (s=0x56177c9eb340, state=SERVICE_FINAL_SIGKILL, f=SERVICE_SUCCESS) at ../src/core/service.c:1854 systemd#8 0x000056177aaf921b in service_enter_signal (s=0x56177c9eb340, state=SERVICE_FINAL_SIGTERM, f=SERVICE_SUCCESS) at ../src/core/service.c:1852 systemd#9 0x000056177aaf8eb3 in service_enter_stop_post (s=0x56177c9eb340, f=SERVICE_SUCCESS) at ../src/core/service.c:1788 systemd#10 0x000056177aaf91eb in service_enter_signal (s=0x56177c9eb340, state=SERVICE_STOP_SIGKILL, f=SERVICE_SUCCESS) at ../src/core/service.c:1850 systemd#11 0x000056177aaf91bc in service_enter_signal (s=0x56177c9eb340, state=SERVICE_STOP_SIGTERM, f=SERVICE_FAILURE_EXIT_CODE) at ../src/core/service.c:1848 systemd#12 0x000056177aaf9759 in service_enter_running (s=0x56177c9eb340, f=SERVICE_FAILURE_EXIT_CODE) at ../src/core/service.c:1941 systemd#13 0x000056177ab005b7 in service_sigchld_event (u=0x56177c9eb340, pid=112, code=1, status=1) at ../src/core/service.c:3296 systemd#14 0x000056177aad84b5 in manager_invoke_sigchld_event (m=0x56177c992cb0, u=0x56177c9eb340, si=0x7ffdd2df48f0) at ../src/core/manager.c:2444 systemd#15 0x000056177aad88df in manager_dispatch_sigchld (source=0x56177c994710, userdata=0x56177c992cb0) at ../src/core/manager.c:2508 systemd#16 0x00007fe52d72f807 in source_dispatch (s=0x56177c994710) at ../src/libsystemd/sd-event/sd-event.c:2846 systemd#17 0x00007fe52d730f7d in sd_event_dispatch (e=0x56177c993530) at ../src/libsystemd/sd-event/sd-event.c:3229 systemd#18 0x00007fe52d73142e in sd_event_run (e=0x56177c993530, timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:3286 systemd#19 0x000056177aad9f71 in manager_loop (m=0x56177c992cb0) at ../src/core/manager.c:2906 systemd#20 0x000056177aa7c876 in invoke_main_loop (m=0x56177c992cb0, ret_reexecute=0x7ffdd2df4bff, ret_retval=0x7ffdd2df4c04, ret_shutdown_verb=0x7ffdd2df4c58, ret_fds=0x7ffdd2df4c70, ret_switch_root_dir=0x7ffdd2df4c48, ret_switch_root_init=0x7ffdd2df4c50, ret_error_message=0x7ffdd2df4c60) at ../src/core/main.c:1792 systemd#21 0x000056177aa7f251 in main (argc=2, argv=0x7ffdd2df4e78) at ../src/core/main.c:2573 Fix this by checking the correct variable.

This function returns 0 on success and a negative value on failure. On success, it writes the parsed action to the address passed in its third argument. `bus_set_transient_emergency_action` does this: r = parse_emergency_action(s, system, &v); if (v < 0) // handle failure However, `v` is not updated if the function fails, and this should be checking `r` instead of `v`. The result of this is that if an invalid failure (or success) action is specified, systemd ends up creating the unit anyway and then misbehaves if it tries to run the failure action because the action value comes from uninitialized stack data. In my case, this resulted in a failed assertion: Program received signal SIGABRT, Aborted. 0x00007fe52cca0d7f in raise () from /snap/usr/lib/libc.so.6 (gdb) bt #0 0x00007fe52cca0d7f in raise () from /snap/usr/lib/libc.so.6 systemd#1 0x00007fe52cc8b672 in abort () from /snap/usr/lib/libc.so.6 systemd#2 0x00007fe52d66f169 in log_assert_failed_realm (realm=LOG_REALM_SYSTEMD, text=0x56177ab8e000 "action < _EMERGENCY_ACTION_MAX", file=0x56177ab8dfb8 "../src/core/emergency-action.c", line=33, func=0x56177ab8e2b0 <__PRETTY_FUNCTION__.14207> "emergency_action") at ../src/basic/log.c:795 systemd#3 0x000056177aa98cf4 in emergency_action (m=0x56177c992cb0, action=2059118610, options=(unknown: 0), reboot_arg=0x0, exit_status=1, reason=0x7ffdd2df4290 "unit run-u0.service failed") at ../src/core/emergency-action.c:33 systemd#4 0x000056177ab2b739 in unit_notify (u=0x56177c9eb340, os=UNIT_ACTIVE, ns=UNIT_FAILED, flags=(unknown: 0)) at ../src/core/unit.c:2504 systemd#5 0x000056177aaf62ed in service_set_state (s=0x56177c9eb340, state=SERVICE_FAILED) at ../src/core/service.c:1104 systemd#6 0x000056177aaf8a29 in service_enter_dead (s=0x56177c9eb340, f=SERVICE_SUCCESS, allow_restart=true) at ../src/core/service.c:1712 systemd#7 0x000056177aaf9233 in service_enter_signal (s=0x56177c9eb340, state=SERVICE_FINAL_SIGKILL, f=SERVICE_SUCCESS) at ../src/core/service.c:1854 systemd#8 0x000056177aaf921b in service_enter_signal (s=0x56177c9eb340, state=SERVICE_FINAL_SIGTERM, f=SERVICE_SUCCESS) at ../src/core/service.c:1852 systemd#9 0x000056177aaf8eb3 in service_enter_stop_post (s=0x56177c9eb340, f=SERVICE_SUCCESS) at ../src/core/service.c:1788 systemd#10 0x000056177aaf91eb in service_enter_signal (s=0x56177c9eb340, state=SERVICE_STOP_SIGKILL, f=SERVICE_SUCCESS) at ../src/core/service.c:1850 systemd#11 0x000056177aaf91bc in service_enter_signal (s=0x56177c9eb340, state=SERVICE_STOP_SIGTERM, f=SERVICE_FAILURE_EXIT_CODE) at ../src/core/service.c:1848 systemd#12 0x000056177aaf9759 in service_enter_running (s=0x56177c9eb340, f=SERVICE_FAILURE_EXIT_CODE) at ../src/core/service.c:1941 systemd#13 0x000056177ab005b7 in service_sigchld_event (u=0x56177c9eb340, pid=112, code=1, status=1) at ../src/core/service.c:3296 systemd#14 0x000056177aad84b5 in manager_invoke_sigchld_event (m=0x56177c992cb0, u=0x56177c9eb340, si=0x7ffdd2df48f0) at ../src/core/manager.c:2444 systemd#15 0x000056177aad88df in manager_dispatch_sigchld (source=0x56177c994710, userdata=0x56177c992cb0) at ../src/core/manager.c:2508 systemd#16 0x00007fe52d72f807 in source_dispatch (s=0x56177c994710) at ../src/libsystemd/sd-event/sd-event.c:2846 systemd#17 0x00007fe52d730f7d in sd_event_dispatch (e=0x56177c993530) at ../src/libsystemd/sd-event/sd-event.c:3229 systemd#18 0x00007fe52d73142e in sd_event_run (e=0x56177c993530, timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:3286 systemd#19 0x000056177aad9f71 in manager_loop (m=0x56177c992cb0) at ../src/core/manager.c:2906 systemd#20 0x000056177aa7c876 in invoke_main_loop (m=0x56177c992cb0, ret_reexecute=0x7ffdd2df4bff, ret_retval=0x7ffdd2df4c04, ret_shutdown_verb=0x7ffdd2df4c58, ret_fds=0x7ffdd2df4c70, ret_switch_root_dir=0x7ffdd2df4c48, ret_switch_root_init=0x7ffdd2df4c50, ret_error_message=0x7ffdd2df4c60) at ../src/core/main.c:1792 systemd#21 0x000056177aa7f251 in main (argc=2, argv=0x7ffdd2df4e78) at ../src/core/main.c:2573 Fix this by checking the correct variable.

This function returns 0 on success and a negative value on failure. On success, it writes the parsed action to the address passed in its third argument. `bus_set_transient_emergency_action` does this: r = parse_emergency_action(s, system, &v); if (v < 0) // handle failure However, `v` is not updated if the function fails, and this should be checking `r` instead of `v`. The result of this is that if an invalid failure (or success) action is specified, systemd ends up creating the unit anyway and then misbehaves if it tries to run the failure action because the action value comes from uninitialized stack data. In my case, this resulted in a failed assertion: Program received signal SIGABRT, Aborted. 0x00007fe52cca0d7f in raise () from /snap/usr/lib/libc.so.6 (gdb) bt #0 0x00007fe52cca0d7f in raise () from /snap/usr/lib/libc.so.6 #1 0x00007fe52cc8b672 in abort () from /snap/usr/lib/libc.so.6 #2 0x00007fe52d66f169 in log_assert_failed_realm (realm=LOG_REALM_SYSTEMD, text=0x56177ab8e000 "action < _EMERGENCY_ACTION_MAX", file=0x56177ab8dfb8 "../src/core/emergency-action.c", line=33, func=0x56177ab8e2b0 <__PRETTY_FUNCTION__.14207> "emergency_action") at ../src/basic/log.c:795 #3 0x000056177aa98cf4 in emergency_action (m=0x56177c992cb0, action=2059118610, options=(unknown: 0), reboot_arg=0x0, exit_status=1, reason=0x7ffdd2df4290 "unit run-u0.service failed") at ../src/core/emergency-action.c:33 #4 0x000056177ab2b739 in unit_notify (u=0x56177c9eb340, os=UNIT_ACTIVE, ns=UNIT_FAILED, flags=(unknown: 0)) at ../src/core/unit.c:2504 #5 0x000056177aaf62ed in service_set_state (s=0x56177c9eb340, state=SERVICE_FAILED) at ../src/core/service.c:1104 #6 0x000056177aaf8a29 in service_enter_dead (s=0x56177c9eb340, f=SERVICE_SUCCESS, allow_restart=true) at ../src/core/service.c:1712 #7 0x000056177aaf9233 in service_enter_signal (s=0x56177c9eb340, state=SERVICE_FINAL_SIGKILL, f=SERVICE_SUCCESS) at ../src/core/service.c:1854 #8 0x000056177aaf921b in service_enter_signal (s=0x56177c9eb340, state=SERVICE_FINAL_SIGTERM, f=SERVICE_SUCCESS) at ../src/core/service.c:1852 #9 0x000056177aaf8eb3 in service_enter_stop_post (s=0x56177c9eb340, f=SERVICE_SUCCESS) at ../src/core/service.c:1788 #10 0x000056177aaf91eb in service_enter_signal (s=0x56177c9eb340, state=SERVICE_STOP_SIGKILL, f=SERVICE_SUCCESS) at ../src/core/service.c:1850 #11 0x000056177aaf91bc in service_enter_signal (s=0x56177c9eb340, state=SERVICE_STOP_SIGTERM, f=SERVICE_FAILURE_EXIT_CODE) at ../src/core/service.c:1848 #12 0x000056177aaf9759 in service_enter_running (s=0x56177c9eb340, f=SERVICE_FAILURE_EXIT_CODE) at ../src/core/service.c:1941 #13 0x000056177ab005b7 in service_sigchld_event (u=0x56177c9eb340, pid=112, code=1, status=1) at ../src/core/service.c:3296 #14 0x000056177aad84b5 in manager_invoke_sigchld_event (m=0x56177c992cb0, u=0x56177c9eb340, si=0x7ffdd2df48f0) at ../src/core/manager.c:2444 #15 0x000056177aad88df in manager_dispatch_sigchld (source=0x56177c994710, userdata=0x56177c992cb0) at ../src/core/manager.c:2508 #16 0x00007fe52d72f807 in source_dispatch (s=0x56177c994710) at ../src/libsystemd/sd-event/sd-event.c:2846 #17 0x00007fe52d730f7d in sd_event_dispatch (e=0x56177c993530) at ../src/libsystemd/sd-event/sd-event.c:3229 #18 0x00007fe52d73142e in sd_event_run (e=0x56177c993530, timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:3286 #19 0x000056177aad9f71 in manager_loop (m=0x56177c992cb0) at ../src/core/manager.c:2906 #20 0x000056177aa7c876 in invoke_main_loop (m=0x56177c992cb0, ret_reexecute=0x7ffdd2df4bff, ret_retval=0x7ffdd2df4c04, ret_shutdown_verb=0x7ffdd2df4c58, ret_fds=0x7ffdd2df4c70, ret_switch_root_dir=0x7ffdd2df4c48, ret_switch_root_init=0x7ffdd2df4c50, ret_error_message=0x7ffdd2df4c60) at ../src/core/main.c:1792 #21 0x000056177aa7f251 in main (argc=2, argv=0x7ffdd2df4e78) at ../src/core/main.c:2573 Fix this by checking the correct variable.

We would not send the property because we'd call sd_bus_get_current_message() which would return NULL. If there is no message, we cannot support /self or /auto, but things are still OK if a path with a session name is given. Traceback when the issue is triggered: #2 we'd call sd_bus_get_current_message() here, which would return NULL, and session_object_find() would immediately return 0. #3 0x00000000004289b7 in session_object_find (bus=0x9f1110, path=0xa160b0 "/org/freedesktop/login1/session/c2", interface=0x9efda0 "org.freedesktop.login1.Session", userdata=0x9852f0, found=0x7ffe3e975fe8, error=0x7ffe3e9760b0) at ../src/login/logind-session-dbus.c:620 #4 0x00007ff74bfdde39 in node_vtable_get_userdata (bus=0x9f1110, path=0xa160b0 "/org/freedesktop/login1/session/c2", c=0x9f6d58, userdata=0x7ffe3e976070, error=0x7ffe3e9760b0) at ../src/libsystemd/sd-bus/bus-objects.c:37 #5 0x00007ff74bfe49af in emit_properties_changed_on_interface (bus=0x9f1110, prefix=0xa133a0 "/org/freedesktop/login1/session", path=0xa160b0 "/org/freedesktop/login1/session/c2", interface=0x43f9f8 "org.freedesktop.login1.Session", require_fallback=true, found_interface=0x7ffe3e976163, names=0x7ffe3e9761b0) at ../src/libsystemd/sd-bus/bus-objects.c:2088 #6 0x00007ff74bfe56a4 in sd_bus_emit_properties_changed_strv (bus=0x9f1110, path=0xa160b0 "/org/freedesktop/login1/session/c2", interface=0x43f9f8 "org.freedesktop.login1.Session", names=0x7ffe3e9761b0) at ../src/libsystemd/sd-bus/bus-objects.c:2291 #7 0x00000000004292ea in session_send_changed (s=0xa16e10, properties=0x43ee27 "Active") at ../src/login/logind-session-dbus.c:730 #8 0x0000000000424cd7 in seat_set_active (s=0x9ee280, session=0xa16e10) at ../src/login/logind-seat.c:249 #9 0x00000000004251cf in seat_active_vt_changed (s=0x9ee280, vtnr=3) at ../src/login/logind-seat.c:361 #10 0x000000000042547b in seat_read_active_vt (s=0x9ee280) at ../src/login/logind-seat.c:395 #11 0x000000000040ab5c in manager_dispatch_console (s=0x9f0320, fd=8, revents=8, userdata=0x9852f0) at ../src/login/logind.c:588 #12 0x00007ff74c042d5f in source_dispatch (s=0x9f0320) at ../src/libsystemd/sd-event/sd-event.c:2828 #13 0x00007ff74c04469f in sd_event_dispatch (e=0x9ef340) at ../src/libsystemd/sd-event/sd-event.c:3241 #14 0x00007ff74c044b58 in sd_event_run (e=0x9ef340, timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:3299 #15 0x000000000040d7e8 in manager_run (m=0x9852f0) at ../src/login/logind.c:1186 #16 0x000000000040db58 in run (argc=1, argv=0x7ffe3e976728) at ../src/login/logind.c:1234 #17 0x000000000040dc30 in main (argc=1, argv=0x7ffe3e976728) at ../src/login/logind.c:1244 Fixes systemd#13437. Bug introduced in 3b92c08.

We would not send the property because we'd call sd_bus_get_current_message() which would return NULL. If there is no message, we cannot support /self or /auto, but things are still OK if a path with a session name is given. Traceback when the issue is triggered: #2 we'd call sd_bus_get_current_message() here, which would return NULL, and session_object_find() would immediately return 0. #3 0x00000000004289b7 in session_object_find (bus=0x9f1110, path=0xa160b0 "/org/freedesktop/login1/session/c2", interface=0x9efda0 "org.freedesktop.login1.Session", userdata=0x9852f0, found=0x7ffe3e975fe8, error=0x7ffe3e9760b0) at ../src/login/logind-session-dbus.c:620 #4 0x00007ff74bfdde39 in node_vtable_get_userdata (bus=0x9f1110, path=0xa160b0 "/org/freedesktop/login1/session/c2", c=0x9f6d58, userdata=0x7ffe3e976070, error=0x7ffe3e9760b0) at ../src/libsystemd/sd-bus/bus-objects.c:37 #5 0x00007ff74bfe49af in emit_properties_changed_on_interface (bus=0x9f1110, prefix=0xa133a0 "/org/freedesktop/login1/session", path=0xa160b0 "/org/freedesktop/login1/session/c2", interface=0x43f9f8 "org.freedesktop.login1.Session", require_fallback=true, found_interface=0x7ffe3e976163, names=0x7ffe3e9761b0) at ../src/libsystemd/sd-bus/bus-objects.c:2088 #6 0x00007ff74bfe56a4 in sd_bus_emit_properties_changed_strv (bus=0x9f1110, path=0xa160b0 "/org/freedesktop/login1/session/c2", interface=0x43f9f8 "org.freedesktop.login1.Session", names=0x7ffe3e9761b0) at ../src/libsystemd/sd-bus/bus-objects.c:2291 #7 0x00000000004292ea in session_send_changed (s=0xa16e10, properties=0x43ee27 "Active") at ../src/login/logind-session-dbus.c:730 #8 0x0000000000424cd7 in seat_set_active (s=0x9ee280, session=0xa16e10) at ../src/login/logind-seat.c:249 #9 0x00000000004251cf in seat_active_vt_changed (s=0x9ee280, vtnr=3) at ../src/login/logind-seat.c:361 #10 0x000000000042547b in seat_read_active_vt (s=0x9ee280) at ../src/login/logind-seat.c:395 #11 0x000000000040ab5c in manager_dispatch_console (s=0x9f0320, fd=8, revents=8, userdata=0x9852f0) at ../src/login/logind.c:588 #12 0x00007ff74c042d5f in source_dispatch (s=0x9f0320) at ../src/libsystemd/sd-event/sd-event.c:2828 #13 0x00007ff74c04469f in sd_event_dispatch (e=0x9ef340) at ../src/libsystemd/sd-event/sd-event.c:3241 #14 0x00007ff74c044b58 in sd_event_run (e=0x9ef340, timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:3299 #15 0x000000000040d7e8 in manager_run (m=0x9852f0) at ../src/login/logind.c:1186 #16 0x000000000040db58 in run (argc=1, argv=0x7ffe3e976728) at ../src/login/logind.c:1234 #17 0x000000000040dc30 in main (argc=1, argv=0x7ffe3e976728) at ../src/login/logind.c:1244 Fixes #13437. Bug introduced in 3b92c08.

… DST change If we tested a candidate time that would fall onto the DST change, and we realized that it is now a valid time ('cause the given "hour" is missing), we would jump to to beginning of the next bigger time period, i.e. the next day. mktime_or_timegm() already tells us what the next valid time is, so let's reuse this, and continue the calculations at this point. This should allow us to correctly jump over DST changes, but also leap seconds and similar. It should be OK even multiple days were removed from calendar, similarly to the Gregorian-Julian transition. By reusing the information from normalization, we don't have to make assumptions what the next valid time is. Fixes systemd#13745. $ TZ=Australia/Sydney faketime '2019-10-06 01:50' build/systemd-analyze calendar 0/1:0/1 --iterations 20 | grep Iter Iter. #2: Sun 2019-10-06 01:52:00 AEST Iter. #3: Sun 2019-10-06 01:53:00 AEST Iter. #4: Sun 2019-10-06 01:54:00 AEST Iter. #5: Sun 2019-10-06 01:55:00 AEST Iter. #6: Sun 2019-10-06 01:56:00 AEST Iter. #7: Sun 2019-10-06 01:57:00 AEST Iter. #8: Sun 2019-10-06 01:58:00 AEST Iter. #9: Sun 2019-10-06 01:59:00 AEST Iter. #10: Sun 2019-10-06 03:00:00 AEDT Iter. #11: Sun 2019-10-06 03:01:00 AEDT Iter. #12: Sun 2019-10-06 03:02:00 AEDT Iter. #13: Sun 2019-10-06 03:03:00 AEDT Iter. #14: Sun 2019-10-06 03:04:00 AEDT Iter. #15: Sun 2019-10-06 03:05:00 AEDT Iter. #16: Sun 2019-10-06 03:06:00 AEDT Iter. #17: Sun 2019-10-06 03:07:00 AEDT Iter. #18: Sun 2019-10-06 03:08:00 AEDT Iter. #19: Sun 2019-10-06 03:09:00 AEDT Iter. #20: Sun 2019-10-06 03:10:00 AEDT $ TZ=Australia/Sydney faketime 2019-10-06 build/systemd-analyze calendar 2/4:30 --iterations=3 Original form: 2/4:30 Normalized form: *-*-* 02/4:30:00 Next elapse: Sun 2019-10-06 06:30:00 AEDT (in UTC): Sat 2019-10-05 19:30:00 UTC From now: 5h 29min left Iter. #2: Sun 2019-10-06 10:30:00 AEDT (in UTC): Sat 2019-10-05 23:30:00 UTC From now: 9h left Iter. #3: Sun 2019-10-06 14:30:00 AEDT (in UTC): Sun 2019-10-06 03:30:00 UTC From now: 13h left

As it might hide a possible allocation error since it uses the returns_nonnull attribute: AddressSanitizer:DEADLYSIGNAL ================================================================= ==8==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f317897db8d bp 0x7ffd436fe9a0 sp 0x7ffd436fe970 T0) ==8==The signal is caused by a WRITE memory access. ==8==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7f317897db8d in source_new /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:1214:18 #1 0x7f317897e68c in sd_event_add_time /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:1417:13 #2 0x7f317897a0f6 in event_reset_time /work/build/../../src/systemd/src/libsystemd/sd-event/event-util.c:68:21 #3 0x4e2c8e in client_initialize_time_events /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1366:13 #4 0x4eb0fd in client_initialize_events /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1380:9 #5 0x4eb0fd in client_start_delayed /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1410:16 #6 0x4e30aa in client_start /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:1415:16 #7 0x4e30aa in sd_dhcp_client_start /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp-client.c:2045:13 #8 0x4e700e in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-client.c:73:15 #9 0x5062f8 in NaloFuzzerTestOneInput (/build/fuzz-dhcp-client+0x5062f8) #10 0x525283 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x524a6a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x526139 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x526e05 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x51616f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x516a38 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x506555 in main (/build/fuzz-dhcp-client+0x506555) #17 0x7f3177ce3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #18 0x420c4d in _start (/build/fuzz-dhcp-client+0x420c4d) Found by Nallocfuzz.

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) #2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 #3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 #4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 #5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 #6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 #7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 #8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 #9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) #10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) #17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz.

==8036==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x4a10bc in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3 #1 0x4deef1 in realloc (/build/fuzz-unit-file+0x4deef1) #2 0x7ffa35abfe23 in greedy_realloc /work/build/../../src/systemd/src/basic/alloc-util.c:70:13 #3 0x7ffa35aefad2 in parse_env_file_internal /work/build/../../src/systemd/src/basic/env-file.c:127:38 #4 0x7ffa35af08a6 in parse_env_file_fdv /work/build/../../src/systemd/src/basic/env-file.c:374:13 #5 0x7ffa35b6391e in parse_extension_release_atv /work/build/../../src/systemd/src/basic/os-util.c:323:16 #6 0x7ffa35b63c8a in parse_extension_release_sentinel /work/build/../../src/systemd/src/basic/os-util.c:360:13 #7 0x7ffa35a5e3f5 in parse_os_release_specifier /work/build/../../src/systemd/src/shared/specifier.c:292:13 #8 0x7ffa35a5e3f5 in specifier_os_id /work/build/../../src/systemd/src/shared/specifier.c:303:16 #9 0x7ffa35a5c7f5 in specifier_printf /work/build/../../src/systemd/src/shared/specifier.c:70:45 #10 0x7ffa3690b279 in unit_full_printf_full /work/build/../../src/systemd/src/core/unit-printf.c:264:16 #11 0x7ffa367de795 in config_parse_bus_name /work/build/../../src/systemd/src/core/load-fragment.c:2401:13 #12 0x7ffa358fe5ec in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:151:24 #13 0x7ffa358fe5ec in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:257:16 #14 0x7ffa358fd653 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:400:21 #15 0x4de828 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/core/fuzz-unit-file.c:72:16 #16 0x4df208 in NaloFuzzerTestOneInput (/build/fuzz-unit-file+0x4df208) #17 0x4fe213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #18 0x4fd9fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #19 0x4ff0c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #20 0x4ffd95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #21 0x4ef0ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #22 0x4ef9c8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #23 0x4df485 in main (/build/fuzz-unit-file+0x4df485) #24 0x7ffa35232082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_realloc--realloc--greedy_realloc SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz.

Otherwise we might hit an assertion during cleanup if the following mmap_cache_new() call fails: Assertion 'p->n_ref > 0' failed at src/journal-remote/journal-remote-write.c:80, function writer_unref(). Aborting. ==2069==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000815 (pc 0x7f39dcd0200b bp 0x7ffe2fe24db0 sp 0x7ffe2fe24b60 T0) SCARINESS: 10 (signal) #0 0x7f39dcd0200b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #1 0x7f39dcce1858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #2 0x7f39dd747e49 in log_assert_failed /work/build/../../src/systemd/src/basic/log.c:940:9 #3 0x4e4431 in writer_unref /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:80:1 #4 0x4e3fd5 in writer_unrefp /work/build/../../src/systemd/src/journal-remote/journal-remote-write.h:27:1 #5 0x4e3fd5 in writer_new /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:56:1 #6 0x4e04bc in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:125:21 #7 0x4e0e0b in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:181:13 #8 0x4e0e0b in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:233:13 #9 0x4df99f in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/journal-remote/fuzz-journal-remote.c:54:9 #10 0x4e8f48 in NaloFuzzerTestOneInput (/build/fuzz-journal-remote+0x4e8f48) #11 0x507f53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #12 0x50773a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #13 0x508e09 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #14 0x509ad5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #15 0x4f8e3f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #16 0x4f9708 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #17 0x4e91c5 in main (/build/fuzz-journal-remote+0x4e91c5) #18 0x7f39dcce3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #19 0x420bcd in _start (/build/fuzz-journal-remote+0x420bcd) DEDUP_TOKEN: raise--abort--log_assert_failed AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) in raise Found by Nallocufzz.

==1==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x7fc096c7243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fc095db3899 in bus_socket_set_transient_property ../src/core/dbus-socket.c:386 #2 0x7fc095db5140 in bus_socket_set_property ../src/core/dbus-socket.c:460 #3 0x7fc095dd20f1 in bus_unit_set_properties ../src/core/dbus-unit.c:2473 #4 0x7fc095d87d53 in transient_unit_from_message ../src/core/dbus-manager.c:1025 #5 0x7fc095d8872f in method_start_transient_unit ../src/core/dbus-manager.c:1112 #6 0x7fc0944ddf4f in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7fc0944e7854 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7fc0944e8f03 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7fc09454ad78 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3011 #10 0x7fc09454b302 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3053 #11 0x7fc09454e158 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3273 #12 0x7fc09454e2f2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3300 #13 0x7fc094551a59 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3642 #14 0x7fc094727830 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 #15 0x7fc094731009 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 #16 0x7fc094732124 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 #17 0x7fc095f7af9f in manager_loop ../src/core/manager.c:3242 #18 0x41cc7c in invoke_main_loop ../src/core/main.c:1937 #19 0x4252e0 in main ../src/core/main.c:3072 #20 0x7fc092a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s).

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) #1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 #2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 #3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 #4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 #5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 #6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 #8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 #10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 #12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #14 0x4552fb in main ../src/nspawn/nspawn.c:5920 #15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING (cherry picked from commit f4e5c04) (cherry picked from commit c786122)

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) #2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 #3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 #4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 #5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 #6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 #7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 #8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 #9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) #10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) #17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit b453ebf) (cherry picked from commit 9dde31a)

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) systemd#1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 systemd#2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 systemd#3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 systemd#4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 systemd#5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 systemd#6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 systemd#8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 systemd#10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 systemd#11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 systemd#12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 systemd#13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 systemd#14 0x4552fb in main ../src/nspawn/nspawn.c:5920 systemd#15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) systemd#16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) systemd#17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING (cherry picked from commit f4e5c04)

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 systemd#1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) systemd#2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 systemd#3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 systemd#4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 systemd#5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 systemd#6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 systemd#7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 systemd#8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 systemd#9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) systemd#10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) systemd#17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit b453ebf)

Otherwise we might hit an assertion during cleanup if the following mmap_cache_new() call fails: Assertion 'p->n_ref > 0' failed at src/journal-remote/journal-remote-write.c:80, function writer_unref(). Aborting. ==2069==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000815 (pc 0x7f39dcd0200b bp 0x7ffe2fe24db0 sp 0x7ffe2fe24b60 T0) SCARINESS: 10 (signal) #0 0x7f39dcd0200b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#1 0x7f39dcce1858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#2 0x7f39dd747e49 in log_assert_failed /work/build/../../src/systemd/src/basic/log.c:940:9 systemd#3 0x4e4431 in writer_unref /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:80:1 systemd#4 0x4e3fd5 in writer_unrefp /work/build/../../src/systemd/src/journal-remote/journal-remote-write.h:27:1 systemd#5 0x4e3fd5 in writer_new /work/build/../../src/systemd/src/journal-remote/journal-remote-write.c:56:1 systemd#6 0x4e04bc in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:125:21 systemd#7 0x4e0e0b in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:181:13 systemd#8 0x4e0e0b in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:233:13 systemd#9 0x4df99f in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/journal-remote/fuzz-journal-remote.c:54:9 systemd#10 0x4e8f48 in NaloFuzzerTestOneInput (/build/fuzz-journal-remote+0x4e8f48) systemd#11 0x507f53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#12 0x50773a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#13 0x508e09 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#14 0x509ad5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#15 0x4f8e3f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#16 0x4f9708 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#17 0x4e91c5 in main (/build/fuzz-journal-remote+0x4e91c5) systemd#18 0x7f39dcce3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) systemd#19 0x420bcd in _start (/build/fuzz-journal-remote+0x420bcd) DEDUP_TOKEN: raise--abort--log_assert_failed AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) in raise Found by Nallocufzz. (cherry picked from commit d3d8597)

This wrapper is used in situations where we don't care about *San reports, we just want to make things work. However, with enabled LSan we might trigger some bogus reports we're definitely not interested in, causing unexpected test fails. Spotted on C8S in TEST-34-DYNAMICUSERMIGRATE: ``` [10654.804162] testsuite-34.sh[56]: + systemctl start testservice-34-check-writable.service Starting testservice-34-check-writable.service... [10655.055969] bash[546]: + set -o pipefail [10655.056127] bash[546]: + declare -a writable_dirs [10655.056234] bash[546]: + readarray -t writable_dirs [10655.060838] bash[548]: ++ find / '(' -path /var/tmp -o -path /tmp -o -path /proc -o -path /dev/mqueue -o -path /dev/shm -o -path /sys/fs/bpf -o -path /dev/.lxc -o -path /sys/devices/system/cpu ')' -prune -o -type d -writable -print [10655.061534] bash[549]: ++ sort -u [10655.688740] bash[547]: ================================================================= [10655.689075] bash[547]: ==547==ERROR: LeakSanitizer: detected memory leaks [10655.689246] bash[547]: Direct leak of 112 byte(s) in 1 object(s) allocated from: [10655.743851] bash[547]: #0 0x7ffff752d364 (/usr/lib64/clang/14.0.0/lib/libclang_rt.asan-powerpc64le.so+0x13d364) (BuildId: 321f4ed1caea6a1a4c37f9272e07275cf16f034d) [10655.744060] bash[547]: #1 0x1000b5d20 in xmalloc (/usr/bin/bash+0xb5d20) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744224] bash[547]: #2 0x100083338 (/usr/bin/bash+0x83338) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744393] bash[547]: #3 0x10008847c (/usr/bin/bash+0x8847c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744552] bash[547]: #4 0x1000af6ec in redirection_expand (/usr/bin/bash+0xaf6ec) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744728] bash[547]: #5 0x1000b005c (/usr/bin/bash+0xb005c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.744886] bash[547]: #6 0x1000b1388 in do_redirections (/usr/bin/bash+0xb1388) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745051] bash[547]: #7 0x100050484 (/usr/bin/bash+0x50484) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745208] bash[547]: #8 0x100052160 in execute_command_internal (/usr/bin/bash+0x52160) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745376] bash[547]: #9 0x100052a10 in execute_command_internal (/usr/bin/bash+0x52a10) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745536] bash[547]: #10 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745711] bash[547]: #11 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.745870] bash[547]: #12 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746038] bash[547]: #13 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746198] bash[547]: #14 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746367] bash[547]: systemd#15 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746548] bash[547]: systemd#16 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746741] bash[547]: systemd#17 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.746897] bash[547]: systemd#18 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747067] bash[547]: systemd#19 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747227] bash[547]: systemd#20 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747414] bash[547]: systemd#21 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747573] bash[547]: systemd#22 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747741] bash[547]: systemd#23 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.747896] bash[547]: systemd#24 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748064] bash[547]: systemd#25 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748225] bash[547]: systemd#26 0x100053e38 in execute_command (/usr/bin/bash+0x53e38) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748390] bash[547]: systemd#27 0x1000529d8 in execute_command_internal (/usr/bin/bash+0x529d8) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748553] bash[547]: systemd#28 0x1000bf91c in parse_and_execute (/usr/bin/bash+0xbf91c) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748717] bash[547]: systemd#29 0x1000311ec (/usr/bin/bash+0x311ec) (BuildId: da38eb38f6870bdc2a6ef51c52aa6ce20921fe40) [10655.748883] bash[547]: Direct leak of 17 byte(s) in 1 object(s) allocated from: ... ``` (cherry picked from commit b8dd276)

Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) #1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 #2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 #3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 #4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 #5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 #6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 #8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 #10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 #12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #14 0x4552fb in main ../src/nspawn/nspawn.c:5920 systemd#15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) systemd#16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) systemd#17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING (cherry picked from commit f4e5c04) (cherry picked from commit c786122) (cherry picked from commit d45301d)

==5==ERROR: LeakSanitizer: detected memory leaks Direct leak of 4096 byte(s) in 1 object(s) allocated from: #0 0x4a2056 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x5180a9 in malloc (/build/fuzz-resource-record+0x5180a9) #2 0x4f7182 in dns_packet_extend /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:371:36 #3 0x4f8b8b in dns_packet_append_uint8 /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:433:13 #4 0x4f8b8b in dns_packet_append_name /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:597:13 #5 0x4f8f16 in dns_packet_append_key /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:622:13 #6 0x4fa9a0 in dns_packet_append_rr /work/build/../../src/systemd/src/resolve/resolved-dns-packet.c:883:13 #7 0x4eb00c in dns_resource_record_to_wire_format /work/build/../../src/systemd/src/resolve/resolved-dns-rr.c:1224:13 #8 0x4df7be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/resolve/fuzz-resource-record.c:32:16 #9 0x518428 in NaloFuzzerTestOneInput (/build/fuzz-resource-record+0x518428) #10 0x537433 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #11 0x536c1a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #12 0x5382e9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #13 0x538fb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #14 0x52831f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#15 0x528be8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#16 0x5186a5 in main (/build/fuzz-resource-record+0x5186a5) systemd#17 0x7f991fab8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_malloc--malloc--dns_packet_extend SUMMARY: AddressSanitizer: 4096 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit b453ebf) (cherry picked from commit 9dde31a) (cherry picked from commit 06b4e1f)

==8036==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x4a10bc in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3 #1 0x4deef1 in realloc (/build/fuzz-unit-file+0x4deef1) #2 0x7ffa35abfe23 in greedy_realloc /work/build/../../src/systemd/src/basic/alloc-util.c:70:13 #3 0x7ffa35aefad2 in parse_env_file_internal /work/build/../../src/systemd/src/basic/env-file.c:127:38 #4 0x7ffa35af08a6 in parse_env_file_fdv /work/build/../../src/systemd/src/basic/env-file.c:374:13 #5 0x7ffa35b6391e in parse_extension_release_atv /work/build/../../src/systemd/src/basic/os-util.c:323:16 #6 0x7ffa35b63c8a in parse_extension_release_sentinel /work/build/../../src/systemd/src/basic/os-util.c:360:13 #7 0x7ffa35a5e3f5 in parse_os_release_specifier /work/build/../../src/systemd/src/shared/specifier.c:292:13 #8 0x7ffa35a5e3f5 in specifier_os_id /work/build/../../src/systemd/src/shared/specifier.c:303:16 #9 0x7ffa35a5c7f5 in specifier_printf /work/build/../../src/systemd/src/shared/specifier.c:70:45 #10 0x7ffa3690b279 in unit_full_printf_full /work/build/../../src/systemd/src/core/unit-printf.c:264:16 #11 0x7ffa367de795 in config_parse_bus_name /work/build/../../src/systemd/src/core/load-fragment.c:2401:13 #12 0x7ffa358fe5ec in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:151:24 #13 0x7ffa358fe5ec in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:257:16 #14 0x7ffa358fd653 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:400:21 systemd#15 0x4de828 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/core/fuzz-unit-file.c:72:16 systemd#16 0x4df208 in NaloFuzzerTestOneInput (/build/fuzz-unit-file+0x4df208) systemd#17 0x4fe213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 systemd#18 0x4fd9fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 systemd#19 0x4ff0c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 systemd#20 0x4ffd95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 systemd#21 0x4ef0ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 systemd#22 0x4ef9c8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 systemd#23 0x4df485 in main (/build/fuzz-unit-file+0x4df485) systemd#24 0x7ffa35232082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_realloc--realloc--greedy_realloc SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Found by Nallocfuzz. (cherry picked from commit 6c13a39) (cherry picked from commit b4c9a9b) (cherry picked from commit 6b8b0f5)

==1==ERROR: LeakSanitizer: detected memory leaks Direct leak of 17 byte(s) in 1 object(s) allocated from: #0 0x7fc096c7243b in strdup (/lib64/libasan.so.8+0x7243b) #1 0x7fc095db3899 in bus_socket_set_transient_property ../src/core/dbus-socket.c:386 #2 0x7fc095db5140 in bus_socket_set_property ../src/core/dbus-socket.c:460 #3 0x7fc095dd20f1 in bus_unit_set_properties ../src/core/dbus-unit.c:2473 #4 0x7fc095d87d53 in transient_unit_from_message ../src/core/dbus-manager.c:1025 #5 0x7fc095d8872f in method_start_transient_unit ../src/core/dbus-manager.c:1112 #6 0x7fc0944ddf4f in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7fc0944e7854 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7fc0944e8f03 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7fc09454ad78 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3011 #10 0x7fc09454b302 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3053 #11 0x7fc09454e158 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3273 #12 0x7fc09454e2f2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3300 #13 0x7fc094551a59 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3642 #14 0x7fc094727830 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 systemd#15 0x7fc094731009 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 systemd#16 0x7fc094732124 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 systemd#17 0x7fc095f7af9f in manager_loop ../src/core/manager.c:3242 systemd#18 0x41cc7c in invoke_main_loop ../src/core/main.c:1937 systemd#19 0x4252e0 in main ../src/core/main.c:3072 systemd#20 0x7fc092a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s). (cherry picked from commit f8b21a0) (cherry picked from commit 98d2a09) (cherry picked from commit e94157e)

When exiting PID 1 we most likely don't have stdio/stdout open, so the final LSan check would not print any actionable information and would just crash PID 1 leading up to a kernel panic, which is a bit annoying. Let's instead attempt to open /dev/console, and if we succeed redirect LSan's report there. The result is a bit messy, as it's slightly interleaved with the kernel panic, but it's definitely better than not having the stack trace at all: [ OK ] Reached target final.target. [ OK ] Finished systemd-poweroff.service. [ OK ] Reached target poweroff.target. ================================================================= 3 1m 43.251782] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 [ 43.252838] CPU: 2 PID: 1 Comm: systemd Not tainted 6.4.12-200.fc38.x86_64 #1 ==[1==ERR O R :4 3Le.a2k53562] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 [ 43.254683] Call Trace: [ 43.254911] <TASK> [ 43.255107] dump_stack_lvl+0x47/0x60 S[ a 43.n2555i05] panic+t0x192/0x350 izer[ :43.255966 ] do_exit+0x990/0xdb10 etec[ 43.256504] do_group_exit+0x31/0x80 [ 43.256889] __x64_sys_exit_group+0x18/0x20 [ 43.257288] do_syscall_64+0x60/0x90 o_user_mod leaks[ 43.257618] ? syscall_exit_t +0x2b/0x40 [ 43.258411] ? do_syscall_64+0x6c/0x90 1mDirect le[ 43.258755] ak of 21 byte(s)? exc_page_fault+0x7f/0x180 [ 43.259446] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 43.259901] RiIP: 0033:0x7f357nb8f3ad4 1 objec[ 43.260354] Ctode: 48 89 (f7 0f 05 c3 sf3 0f 1e fa b8 3b 00 00 00) 0f 05 c3 0f 1f 4 0 00 f3 0f 1e fa 50 58 b8 e7 00 00 00 48 83 ec 08 48 63 ff 0f 051 [ 43.262581] RSP: 002b:00007ffc25872440 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 a RBX: 00007f357be9b218 RCX: 00007f357b8f3ad4m:ffd [ 43.264512] RDX: 0000000000000001 RSI: 00007f357b933b63 RDI: 0000000000000001 [ 43.265355] RBP: 00007f357be9b218 R08: efffffffffffffff R09: 00007ffc258721ef [ 43.266191] R10: 000000000000003f R11: 0000000000000202 R12: 00000fe6ae9e0000 [ 43.266891] R13: 00007f3574f00000 R14: 0000000000000000 R15: 0000000000000007 [ 43.267517] </TASK> #0 0x7f357b8814a8 in strdup (/lib64/libasan.so.8+0x814a8) (BuildId: e5f0a0d511a659fbc47bf41072869139cb2db47f) #1 0x7f3578d43317 in cg_path_decode_unit ../src/basic/cgroup-util.c:1132 #2 0x7f3578d43936 in cg_path_get_unit ../src/basic/cgroup-util.c:1190 #3 0x7f3578d440f6 in cg_pid_get_unit ../src/basic/cgroup-util.c:1234 #4 0x7f35789263d7 in bus_log_caller ../src/shared/bus-util.c:734 #5 0x7f357a9cf10a in method_reload ../src/core/dbus-manager.c:1621 #6 0x7f3578f77497 in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406 #7 0x7f3578f80dd8 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319 #8 0x7f3578f82487 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439 #9 0x7f3578fe41f1 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3007 #10 0x7f3578fe477b in process_running ../src/libsystemd/sd-bus/sd-bus.c:3049 #11 0x7f3578fe75d1 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3269 #12 0x7f3578fe776e in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3296 #13 0x7f3578feaedc in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3638 #14 0x7f35791c2f68 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187 #15 0x7f35791cc6f9 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808 #16 0x7f35791cd830 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869 #17 0x7f357abcd572 in manager_loop ../src/core/manager.c:3244 #18 0x41db21 in invoke_main_loop ../src/core/main.c:1960 #19 0x426615 in main ../src/core/main.c:3125 #20 0x7f3577c49b49 in __libc_start_call_main (/lib64/libc.so.6+0x27b49) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #21 0x7f3577c49c0a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x27c0a) (BuildId: 245240a31888ad5c11bbc55b18e02d87388f59a9) #22 0x408494 in _start (/usr/lib/systemd/systemd+0x408494) (BuildId: fe61e1b0f00b6a36aa34e707a98c15c52f6b960a) SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s). [ 43.295912] Kernel Offset: 0x7000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 43.297036] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]--- Originally noticed in #28579.

When assert_return() is critical, the following assertion is triggered on exit: --- #0 0x00007f8b1f6b0884 in __pthread_kill_implementation () from target:/lib64/libc.so.6 #1 0x00007f8b1f65fafe in raise () from target:/lib64/libc.so.6 #2 0x00007f8b1f64887f in abort () from target:/lib64/libc.so.6 #3 0x00007f8b208d02d6 in log_assert_failed (text=0x7f8b210009e0 "e->state != SD_EVENT_FINISHED", file=0x7f8b20fff403 "src/libsystemd/sd-event/sd-event.c", line=1252, func=0x7f8b21004400 <__func__.154> "sd_event_add_io") at ../src/basic/log.c:948 #4 0x00007f8b208d0457 in log_assert_failed_return (text=0x7f8b210009e0 "e->state != SD_EVENT_FINISHED", file=0x7f8b20fff403 "src/libsystemd/sd-event/sd-event.c", line=1252, func=0x7f8b21004400 <__func__.154> "sd_event_add_io") at ../src/basic/log.c:967 #5 0x00007f8b20c7d102 in sd_event_add_io (e=0x617000000080, ret=0x60c000000a20, fd=11, events=1, callback=0x7dfd85 <ipv4acd_on_packet>, userdata=0x60c000000a00) at ../src/libsystemd/sd-event/sd-event.c:1252 #6 0x00000000007e3934 in sd_ipv4acd_start (acd=0x60c000000a00, reset_conflicts=true) at ../src/libsystemd-network/sd-ipv4acd.c:597 #7 0x00000000007e72b9 in ipv4ll_start_internal (ll=0x6080000006a0, reset_generation=true) at ../src/libsystemd-network/sd-ipv4ll.c:278 #8 0x00000000007e7462 in sd_ipv4ll_start (ll=0x6080000006a0) at ../src/libsystemd-network/sd-ipv4ll.c:298 #9 0x00000000006047a1 in dhcp4_handler (client=0x617000000400, event=0, userdata=0x61a000000680) at ../src/network/networkd-dhcp4.c:1183 #10 0x000000000075b1ed in client_notify (client=0x617000000400, event=0) at ../src/libsystemd-network/sd-dhcp-client.c:783 #11 0x000000000075bf8d in client_stop (client=0x617000000400, error=0) at ../src/libsystemd-network/sd-dhcp-client.c:821 #12 0x000000000077710f in sd_dhcp_client_stop (client=0x617000000400) at ../src/libsystemd-network/sd-dhcp-client.c:2388 #13 0x000000000065cdd1 in link_stop_engines (link=0x61a000000680, may_keep_dhcp=true) at ../src/network/networkd-link.c:336 #14 0x000000000041f214 in manager_free (m=0x618000000080) at ../src/network/networkd-manager.c:613 #15 0x00000000004124e3 in manager_freep (p=0x7f8b1c800040) at ../src/network/networkd-manager.h:128 #16 0x00000000004139f6 in run (argc=1, argv=0x7ffffe4522e8) at ../src/network/networkd.c:24 #17 0x0000000000413b20 in main (argc=1, argv=0x7ffffe4522e8) at ../src/network/networkd.c:119 --- Prompted by #30049 (comment).

Since libfuzzer feeds a single fuzzing process with multiple inputs, we might carry over arg_transport from a previous invocation, tripping over the assert in acquire_bus(): +----------------------------------------Release Build Stacktrace----------------------------------------+ Assertion 'transport != BUS_TRANSPORT_REMOTE || runtime_scope == RUNTIME_SCOPE_SYSTEM' failed at src/shared/bus-util.c:284, function bus_connect_transport(). Aborting. AddressSanitizer:DEADLYSIGNAL ================================================================= ==2739==ERROR: AddressSanitizer: ABRT on unknown address 0x00000ab3 (pc 0xf7f52509 bp 0xffdf74cc sp 0xffdf74b0 T0) SCARINESS: 10 (signal) #0 0xf7f52509 in linux-gate.so.1 #1 0xf703b415 in raise #2 0xf70233f6 in abort #3 0xf772ac0a in log_assert_failed systemd/src/basic/log.c:968:9 #4 0xf77300d5 in log_assert_failed_return systemd/src/basic/log.c:987:17 #5 0xf7432bbf in bus_connect_transport systemd/src/shared/bus-util.c:284:9 #6 0x818cd17 in acquire_bus systemd/src/systemctl/systemctl-util.c:53:29 #7 0x815fd3c in help_boot_loader_entry systemd/src/systemctl/systemctl-logind.c:431:13 #8 0x819ca87 in systemctl_parse_argv systemd/src/systemctl/systemctl.c:863:37 #9 0x8197632 in systemctl_dispatch_parse_argv systemd/src/systemctl/systemctl.c:1137:16 #10 0x813328d in LLVMFuzzerTestOneInput systemd/src/systemctl/fuzz-systemctl-parse-argv.c:54:13 #11 0x81bbe7e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #12 0x81bb5b8 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned int, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #13 0x81bd42d in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7 #14 0x81bd62e in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3 #15 0x81ac84c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #16 0x81d65c7 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #17 0xf7024ed4 in __libc_start_main #18 0x806bdb5 in _start Resolves: #30802

All other usages of sd_varlink_call* do not free the json return parameter, and it is owned by the varlink object instead. Do the same here. TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08 TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds)) TEST-54-CREDS.sh[1074]: #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 TEST-54-CREDS.sh[1074]: #1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1 TEST-54-CREDS.sh[1074]: #5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1 TEST-54-CREDS.sh[1074]: #6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #17 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8) TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25 TEST-54-CREDS.sh[1074]: #2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1 TEST-54-CREDS.sh[1074]: #3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #14 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16 TEST-54-CREDS.sh[1074]: #5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13 TEST-54-CREDS.sh[1074]: #7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16 TEST-54-CREDS.sh[1074]: #10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13 TEST-54-CREDS.sh[1074]: #12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #22 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address: TEST-54-CREDS.sh[1074]: 0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 TEST-54-CREDS.sh[1074]: 0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes): TEST-54-CREDS.sh[1074]: Addressable: 00 TEST-54-CREDS.sh[1074]: Partially addressable: 01 02 03 04 05 06 07 TEST-54-CREDS.sh[1074]: Heap left redzone: fa TEST-54-CREDS.sh[1074]: Freed heap region: fd TEST-54-CREDS.sh[1074]: Stack left redzone: f1 TEST-54-CREDS.sh[1074]: Stack mid redzone: f2 TEST-54-CREDS.sh[1074]: Stack right redzone: f3 TEST-54-CREDS.sh[1074]: Stack after return: f5 TEST-54-CREDS.sh[1074]: Stack use after scope: f8 TEST-54-CREDS.sh[1074]: Global redzone: f9 TEST-54-CREDS.sh[1074]: Global init order: f6 TEST-54-CREDS.sh[1074]: Poisoned by user: f7 TEST-54-CREDS.sh[1074]: Container overflow: fc TEST-54-CREDS.sh[1074]: Array cookie: ac TEST-54-CREDS.sh[1074]: Intra object redzone: bb TEST-54-CREDS.sh[1074]: ASan internal: fe TEST-54-CREDS.sh[1074]: Left alloca redzone: ca TEST-54-CREDS.sh[1074]: Right alloca redzone: cb Follow-up for 2c3cbc5

All other usages of sd_varlink_call* do not free the json return parameter, and it is owned by the varlink object instead. Do the same here. TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08 TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds)) TEST-54-CREDS.sh[1074]: #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 TEST-54-CREDS.sh[1074]: #1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1 TEST-54-CREDS.sh[1074]: #5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1 TEST-54-CREDS.sh[1074]: #6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: systemd#7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: systemd#8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: systemd#9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: systemd#10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: systemd#11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: systemd#12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: systemd#13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: systemd#14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: systemd#15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#17 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8) TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25 TEST-54-CREDS.sh[1074]: #2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1 TEST-54-CREDS.sh[1074]: #3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: systemd#7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: systemd#8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: systemd#9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: systemd#10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: systemd#11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: systemd#12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#14 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16 TEST-54-CREDS.sh[1074]: #5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13 TEST-54-CREDS.sh[1074]: systemd#7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13 TEST-54-CREDS.sh[1074]: systemd#8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21 TEST-54-CREDS.sh[1074]: systemd#9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16 TEST-54-CREDS.sh[1074]: systemd#10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13 TEST-54-CREDS.sh[1074]: systemd#11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13 TEST-54-CREDS.sh[1074]: systemd#12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: systemd#13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: systemd#14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: systemd#15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: systemd#16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: systemd#17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: systemd#18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: systemd#19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: systemd#20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#22 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address: TEST-54-CREDS.sh[1074]: 0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 TEST-54-CREDS.sh[1074]: 0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes): TEST-54-CREDS.sh[1074]: Addressable: 00 TEST-54-CREDS.sh[1074]: Partially addressable: 01 02 03 04 05 06 07 TEST-54-CREDS.sh[1074]: Heap left redzone: fa TEST-54-CREDS.sh[1074]: Freed heap region: fd TEST-54-CREDS.sh[1074]: Stack left redzone: f1 TEST-54-CREDS.sh[1074]: Stack mid redzone: f2 TEST-54-CREDS.sh[1074]: Stack right redzone: f3 TEST-54-CREDS.sh[1074]: Stack after return: f5 TEST-54-CREDS.sh[1074]: Stack use after scope: f8 TEST-54-CREDS.sh[1074]: Global redzone: f9 TEST-54-CREDS.sh[1074]: Global init order: f6 TEST-54-CREDS.sh[1074]: Poisoned by user: f7 TEST-54-CREDS.sh[1074]: Container overflow: fc TEST-54-CREDS.sh[1074]: Array cookie: ac TEST-54-CREDS.sh[1074]: Intra object redzone: bb TEST-54-CREDS.sh[1074]: ASan internal: fe TEST-54-CREDS.sh[1074]: Left alloca redzone: ca TEST-54-CREDS.sh[1074]: Right alloca redzone: cb Follow-up for 2c3cbc5 (cherry picked from commit 842a674)

All other usages of sd_varlink_call* do not free the json return parameter, and it is owned by the varlink object instead. Do the same here. TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08 TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds)) TEST-54-CREDS.sh[1074]: #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 TEST-54-CREDS.sh[1074]: #1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1 TEST-54-CREDS.sh[1074]: #5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1 TEST-54-CREDS.sh[1074]: #6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #17 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8) TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25 TEST-54-CREDS.sh[1074]: #2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1 TEST-54-CREDS.sh[1074]: #3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #14 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16 TEST-54-CREDS.sh[1074]: #5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13 TEST-54-CREDS.sh[1074]: #7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16 TEST-54-CREDS.sh[1074]: #10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13 TEST-54-CREDS.sh[1074]: #12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #22 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address: TEST-54-CREDS.sh[1074]: 0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 TEST-54-CREDS.sh[1074]: 0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes): TEST-54-CREDS.sh[1074]: Addressable: 00 TEST-54-CREDS.sh[1074]: Partially addressable: 01 02 03 04 05 06 07 TEST-54-CREDS.sh[1074]: Heap left redzone: fa TEST-54-CREDS.sh[1074]: Freed heap region: fd TEST-54-CREDS.sh[1074]: Stack left redzone: f1 TEST-54-CREDS.sh[1074]: Stack mid redzone: f2 TEST-54-CREDS.sh[1074]: Stack right redzone: f3 TEST-54-CREDS.sh[1074]: Stack after return: f5 TEST-54-CREDS.sh[1074]: Stack use after scope: f8 TEST-54-CREDS.sh[1074]: Global redzone: f9 TEST-54-CREDS.sh[1074]: Global init order: f6 TEST-54-CREDS.sh[1074]: Poisoned by user: f7 TEST-54-CREDS.sh[1074]: Container overflow: fc TEST-54-CREDS.sh[1074]: Array cookie: ac TEST-54-CREDS.sh[1074]: Intra object redzone: bb TEST-54-CREDS.sh[1074]: ASan internal: fe TEST-54-CREDS.sh[1074]: Left alloca redzone: ca TEST-54-CREDS.sh[1074]: Right alloca redzone: cb Follow-up for 2c3cbc5 (cherry picked from commit 842a674)

All other usages of sd_varlink_call* do not free the json return parameter, and it is owned by the varlink object instead. Do the same here. TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08 TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds)) TEST-54-CREDS.sh[1074]: #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 TEST-54-CREDS.sh[1074]: systemd#1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22 TEST-54-CREDS.sh[1074]: systemd#2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9 TEST-54-CREDS.sh[1074]: systemd#3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9 TEST-54-CREDS.sh[1074]: systemd#4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1 TEST-54-CREDS.sh[1074]: systemd#5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1 TEST-54-CREDS.sh[1074]: systemd#6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: systemd#7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: systemd#8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: systemd#9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: systemd#10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: systemd#11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: systemd#12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: systemd#13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: systemd#14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: systemd#15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#17 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8) TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: systemd#1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25 TEST-54-CREDS.sh[1074]: systemd#2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1 TEST-54-CREDS.sh[1074]: systemd#3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: systemd#4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: systemd#5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: systemd#6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: systemd#7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: systemd#8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: systemd#9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: systemd#10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: systemd#11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: systemd#12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#14 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: systemd#1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16 TEST-54-CREDS.sh[1074]: systemd#2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13 TEST-54-CREDS.sh[1074]: systemd#3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29 TEST-54-CREDS.sh[1074]: systemd#4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16 TEST-54-CREDS.sh[1074]: systemd#5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16 TEST-54-CREDS.sh[1074]: systemd#6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13 TEST-54-CREDS.sh[1074]: systemd#7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13 TEST-54-CREDS.sh[1074]: systemd#8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21 TEST-54-CREDS.sh[1074]: systemd#9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16 TEST-54-CREDS.sh[1074]: systemd#10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13 TEST-54-CREDS.sh[1074]: systemd#11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13 TEST-54-CREDS.sh[1074]: systemd#12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: systemd#13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: systemd#14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: systemd#15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: systemd#16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: systemd#17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: systemd#18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: systemd#19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: systemd#20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#22 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address: TEST-54-CREDS.sh[1074]: 0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 TEST-54-CREDS.sh[1074]: 0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes): TEST-54-CREDS.sh[1074]: Addressable: 00 TEST-54-CREDS.sh[1074]: Partially addressable: 01 02 03 04 05 06 07 TEST-54-CREDS.sh[1074]: Heap left redzone: fa TEST-54-CREDS.sh[1074]: Freed heap region: fd TEST-54-CREDS.sh[1074]: Stack left redzone: f1 TEST-54-CREDS.sh[1074]: Stack mid redzone: f2 TEST-54-CREDS.sh[1074]: Stack right redzone: f3 TEST-54-CREDS.sh[1074]: Stack after return: f5 TEST-54-CREDS.sh[1074]: Stack use after scope: f8 TEST-54-CREDS.sh[1074]: Global redzone: f9 TEST-54-CREDS.sh[1074]: Global init order: f6 TEST-54-CREDS.sh[1074]: Poisoned by user: f7 TEST-54-CREDS.sh[1074]: Container overflow: fc TEST-54-CREDS.sh[1074]: Array cookie: ac TEST-54-CREDS.sh[1074]: Intra object redzone: bb TEST-54-CREDS.sh[1074]: ASan internal: fe TEST-54-CREDS.sh[1074]: Left alloca redzone: ca TEST-54-CREDS.sh[1074]: Right alloca redzone: cb Follow-up for 2c3cbc5

All other usages of sd_varlink_call* do not free the json return parameter, and it is owned by the varlink object instead. Do the same here. TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08 TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds)) TEST-54-CREDS.sh[1074]: #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 TEST-54-CREDS.sh[1074]: #1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22 TEST-54-CREDS.sh[1074]: systemd#2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9 TEST-54-CREDS.sh[1074]: systemd#3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9 TEST-54-CREDS.sh[1074]: systemd#4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1 TEST-54-CREDS.sh[1074]: systemd#5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1 TEST-54-CREDS.sh[1074]: systemd#6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: systemd#7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: systemd#8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: systemd#9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: systemd#10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: systemd#11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: systemd#12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: systemd#13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: systemd#14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: systemd#15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#17 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8) TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25 TEST-54-CREDS.sh[1074]: systemd#2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1 TEST-54-CREDS.sh[1074]: systemd#3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: systemd#4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: systemd#5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: systemd#6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: systemd#7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: systemd#8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: systemd#9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: systemd#10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: systemd#11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: systemd#12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#14 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16 TEST-54-CREDS.sh[1074]: systemd#2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13 TEST-54-CREDS.sh[1074]: systemd#3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29 TEST-54-CREDS.sh[1074]: systemd#4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16 TEST-54-CREDS.sh[1074]: systemd#5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16 TEST-54-CREDS.sh[1074]: systemd#6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13 TEST-54-CREDS.sh[1074]: systemd#7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13 TEST-54-CREDS.sh[1074]: systemd#8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21 TEST-54-CREDS.sh[1074]: systemd#9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16 TEST-54-CREDS.sh[1074]: systemd#10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13 TEST-54-CREDS.sh[1074]: systemd#11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13 TEST-54-CREDS.sh[1074]: systemd#12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: systemd#13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: systemd#14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: systemd#15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: systemd#16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: systemd#17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: systemd#18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: systemd#19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: systemd#20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: systemd#22 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address: TEST-54-CREDS.sh[1074]: 0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 TEST-54-CREDS.sh[1074]: 0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes): TEST-54-CREDS.sh[1074]: Addressable: 00 TEST-54-CREDS.sh[1074]: Partially addressable: 01 02 03 04 05 06 07 TEST-54-CREDS.sh[1074]: Heap left redzone: fa TEST-54-CREDS.sh[1074]: Freed heap region: fd TEST-54-CREDS.sh[1074]: Stack left redzone: f1 TEST-54-CREDS.sh[1074]: Stack mid redzone: f2 TEST-54-CREDS.sh[1074]: Stack right redzone: f3 TEST-54-CREDS.sh[1074]: Stack after return: f5 TEST-54-CREDS.sh[1074]: Stack use after scope: f8 TEST-54-CREDS.sh[1074]: Global redzone: f9 TEST-54-CREDS.sh[1074]: Global init order: f6 TEST-54-CREDS.sh[1074]: Poisoned by user: f7 TEST-54-CREDS.sh[1074]: Container overflow: fc TEST-54-CREDS.sh[1074]: Array cookie: ac TEST-54-CREDS.sh[1074]: Intra object redzone: bb TEST-54-CREDS.sh[1074]: ASan internal: fe TEST-54-CREDS.sh[1074]: Left alloca redzone: ca TEST-54-CREDS.sh[1074]: Right alloca redzone: cb Follow-up for 2c3cbc5

All other usages of sd_varlink_call* do not free the json return parameter, and it is owned by the varlink object instead. Do the same here. TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08 TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds)) TEST-54-CREDS.sh[1074]: #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 TEST-54-CREDS.sh[1074]: #1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1 TEST-54-CREDS.sh[1074]: #5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1 TEST-54-CREDS.sh[1074]: #6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #17 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8) TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25 TEST-54-CREDS.sh[1074]: #2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1 TEST-54-CREDS.sh[1074]: #3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1 TEST-54-CREDS.sh[1074]: #4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #14 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here: TEST-54-CREDS.sh[1074]: #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e) TEST-54-CREDS.sh[1074]: #1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16 TEST-54-CREDS.sh[1074]: #2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13 TEST-54-CREDS.sh[1074]: #3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29 TEST-54-CREDS.sh[1074]: #4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16 TEST-54-CREDS.sh[1074]: #5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16 TEST-54-CREDS.sh[1074]: #6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13 TEST-54-CREDS.sh[1074]: #7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13 TEST-54-CREDS.sh[1074]: #8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21 TEST-54-CREDS.sh[1074]: #9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16 TEST-54-CREDS.sh[1074]: #10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13 TEST-54-CREDS.sh[1074]: #11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13 TEST-54-CREDS.sh[1074]: #12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29 TEST-54-CREDS.sh[1074]: #13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16 TEST-54-CREDS.sh[1074]: #14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29 TEST-54-CREDS.sh[1074]: #15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13 TEST-54-CREDS.sh[1074]: #16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21 TEST-54-CREDS.sh[1074]: #17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13 TEST-54-CREDS.sh[1074]: #18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13 TEST-54-CREDS.sh[1074]: #19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13 TEST-54-CREDS.sh[1074]: #20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05) TEST-54-CREDS.sh[1074]: #22 0x55cf8ca41cb4 (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222) TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address: TEST-54-CREDS.sh[1074]: 0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 TEST-54-CREDS.sh[1074]: 0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd TEST-54-CREDS.sh[1074]: 0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: 0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes): TEST-54-CREDS.sh[1074]: Addressable: 00 TEST-54-CREDS.sh[1074]: Partially addressable: 01 02 03 04 05 06 07 TEST-54-CREDS.sh[1074]: Heap left redzone: fa TEST-54-CREDS.sh[1074]: Freed heap region: fd TEST-54-CREDS.sh[1074]: Stack left redzone: f1 TEST-54-CREDS.sh[1074]: Stack mid redzone: f2 TEST-54-CREDS.sh[1074]: Stack right redzone: f3 TEST-54-CREDS.sh[1074]: Stack after return: f5 TEST-54-CREDS.sh[1074]: Stack use after scope: f8 TEST-54-CREDS.sh[1074]: Global redzone: f9 TEST-54-CREDS.sh[1074]: Global init order: f6 TEST-54-CREDS.sh[1074]: Poisoned by user: f7 TEST-54-CREDS.sh[1074]: Container overflow: fc TEST-54-CREDS.sh[1074]: Array cookie: ac TEST-54-CREDS.sh[1074]: Intra object redzone: bb TEST-54-CREDS.sh[1074]: ASan internal: fe TEST-54-CREDS.sh[1074]: Left alloca redzone: ca TEST-54-CREDS.sh[1074]: Right alloca redzone: cb Follow-up for 2c3cbc5 (cherry picked from commit 842a674) (cherry picked from commit b342fb5)

When check_access() was added, the callback data parameter was changed from a pointer to a double pointer, resulting in a crash when it is accessed when logging an error: #0 __internal_syscall_cancel (a1=a1@entry=0, a2=a2@entry=0, a3=a3@entry=140726176497168, a4=a4@entry=4, a5=a5@entry=0, a6=a6@entry=0, nr=247) at ./nptl/cancellation.c:44 #1 0x00007f5d0ec996ad in __syscall_cancel (a1=a1@entry=0, a2=a2@entry=0, a3=a3@entry=140726176497168, a4=a4@entry=4, a5=a5@entry=0, a6=a6@entry=0, nr=247) at ./nptl/cancellation.c:75 #2 0x00007f5d0ed047ab in __waitid (idtype=idtype@entry=P_ALL, id=id@entry=0, infop=infop@entry=0x7ffd5dc2be10, options=options@entry=4) at ../sysdeps/unix/sysv/linux/waitid.c:29 #3 0x00007f5d0f044412 in freeze () at ../src/basic/process-util.c:2039 #4 0x00005568f181bc2a in freeze_or_exit_or_reboot () at ../src/core/crash-handler.c:55 #5 0x00005568f181be82 in crash (sig=<optimized out>, siginfo=<optimized out>, context=<optimized out>) at ../src/core/crash-handler.c:184 #6 <signal handler called> #7 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76 #8 0x00007f5d0ec6e300 in __printf_buffer (buf=buf@entry=0x7ffd5dc2ca90, format=0x7f5d0f196e60 "%s: Failed to acquire credentials: %m", ap=0x7ffd5dc2d3d0, mode_flags=2) at ./stdio-common/vfprintf-process-arg.c:435 #9 0x00007f5d0ec91daf in __vsnprintf_internal (string=string@entry=0x7ffd5dc2cb70 "", maxlen=maxlen@entry=2048, format=format@entry=0x7f5d0f196e60 "%s: Failed to acquire credentials: %m", args=args@entry=0x7ffd5dc2d3d0, mode_flags=mode_flags@entry=2) at ./libio/vsnprintf.c:96 #10 0x00007f5d0ed27044 in ___vsnprintf_chk (s=s@entry=0x7ffd5dc2cb70 "", maxlen=maxlen@entry=2048, flag=flag@entry=1, slen=slen@entry=2048, format=format@entry=0x7f5d0f196e60 "%s: Failed to acquire credentials: %m", ap=ap@entry=0x7ffd5dc2d3d0) at ./debug/vsnprintf_chk.c:34 #11 0x00007f5d0f02de59 in vsnprintf (__s=0x7ffd5dc2cb70 "", __n=2048, __fmt=0x7f5d0f196e60 "%s: Failed to acquire credentials: %m", __ap=0x7ffd5dc2d3d0) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:100 #12 log_internalv (level=7, error=-9, file=0x7f5d0f196643 "src/libsystemd/sd-varlink/sd-varlink.c", line=2853, func=0x7f5d0f1d5ca0 <__func__.62> "sd_varlink_get_peer_uid", format=0x7f5d0f196e60 "%s: Failed to acquire credentials: %m", ap=0x7ffd5dc2d3d0) at ../src/basic/log.c:865 #13 0x00007f5d0f02ded5 in log_internalv (level=<optimized out>, error=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>, format=<optimized out>, ap=0x7ffd5dc2d3d0) at ../src/basic/log.c:868 #14 0x00007f5d0f02df67 in log_internal (level=<optimized out>, error=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>, format=<optimized out>) at ../src/basic/log.c:882 #15 0x00007f5d0f10a135 in sd_varlink_get_peer_uid (v=0x7f5d0f5ab110 <__func__.44>, ret=ret@entry=0x7ffd5dc2d4f0) at ../src/libsystemd/sd-varlink/sd-varlink.c:2853 #16 0x00007f5d0f50c29e in audit_callback (auditdata=0x7ffd5dc2d698, cls=<optimized out>, msgbuf=0x55692366e77d "", msgbufsize=995) at ../src/core/selinux-access.c:65 #17 0x00007f5d0f716079 in avc_suppl_audit (ptr=0x7ffd5dc2d698, class=95, buf=<optimized out>, len=<optimized out>) at ./src/avc_internal.h:101 #18 avc_audit (ssid=0x5569237f2890, tsid=0x556922d7f4b0, tclass=<optimized out>, requested=<optimized out>, avd=<optimized out>, result=0, a=0x7ffd5dc2d698) at ./src/avc.c:721 #19 0x00007f5d0f716367 in avc_has_perm (ssid=0x5569237f2890, tsid=0x556922d7f4b0, tclass=tclass@entry=95, requested=4, aeref=aeref@entry=0x0, auditdata=auditdata@entry=0x7ffd5dc2d698) at ./src/avc.c:836 #20 0x00007f5d0f718b0a in selinux_check_access (scon=scon@entry=0x55692384cbc0 "system_u:system_r:policykit_t:s0", tcon=tcon@entry=0x556922c98a20 "system_u:object_r:systemd_networkd_unit_t:s0", class=class@entry=0x7f5d0f580b9e "service", perm=perm@entry=0x7f5d0f580cc0 "status", aux=aux@entry=0x7ffd5dc2d698) at ./src/checkAccess.c:64 #21 0x00007f5d0f50bf7e in check_access (scon=0x55692384cbc0 "system_u:system_r:policykit_t:s0", tcon=0x556922c98a20 "system_u:object_r:systemd_networkd_unit_t:s0", tclass=0x7f5d0f580b9e "service", permission=permission@entry=0x7f5d0f580cc0 "status", audit_info=<optimized out>, audit_info@entry=0x7ffd5dc2d720, error=error@entry=0x7ffd5dc2d880) at ../src/core/selinux-access.c:229 #22 0x00007f5d0f5100a1 in mac_selinux_access_check_bus_internal (message=<optimized out>, unit=<optimized out>, permission=0x7f5d0f580cc0 "status", function=0x7f5d0f5ab110 <__func__.44> "method_get_unit_by_pidfd", error=0x7ffd5dc2d880) at ../src/core/selinux-access.c:329 #23 0x00007f5d0f4a024b in method_get_unit_by_pidfd (message=0x5569236d9010, userdata=<optimized out>, error=0x7ffd5dc2d880) at ../src/core/dbus-manager.c:657 #24 0x00007f5d0f0c9bd0 in method_callbacks_run (bus=0x5569238684e0, m=0x5569236d9010, c=<optimized out>, require_fallback=false, found_object=0x7ffd5dc2d947) at ../src/libsystemd/sd-bus/bus-objects.c:413 #25 object_find_and_run (bus=bus@entry=0x5569238684e0, m=m@entry=0x5569236d9010, p=<optimized out>, require_fallback=require_fallback@entry=false, found_object=found_object@entry=0x7ffd5dc2d947) at ../src/libsystemd/sd-bus/bus-objects.c:1323 #26 0x00007f5d0f0cafa2 in bus_process_object (bus=0x5569238684e0, m=0x5569236d9010) at ../src/libsystemd/sd-bus/bus-objects.c:1443 #27 0x00007f5d0f0d8c3e in process_message (bus=0x5569238684e0, m=0x5569236d9010) at ../src/libsystemd/sd-bus/sd-bus.c:3006 #28 process_running (bus=0x5569238684e0, ret=0x0) at ../src/libsystemd/sd-bus/sd-bus.c:3048 #29 bus_process_internal (bus=bus@entry=0x5569238684e0, ret=ret@entry=0x0) at ../src/libsystemd/sd-bus/sd-bus.c:3275 #30 0x00007f5d0f0d9099 in sd_bus_process (bus=bus@entry=0x5569238684e0, ret=ret@entry=0x0) at ../src/libsystemd/sd-bus/sd-bus.c:3302 #31 0x00007f5d0f0db3ec in io_callback (s=<optimized out>, fd=<optimized out>, revents=<optimized out>, userdata=0x5569238684e0) at ../src/libsystemd/sd-bus/sd-bus.c:3643 #32 0x00007f5d0f0a53d9 in source_dispatch (s=s@entry=0x5569236dea60) at ../src/libsystemd/sd-event/sd-event.c:4163 #33 0x00007f5d0f0a563d in sd_event_dispatch (e=<optimized out>, e@entry=0x5569232f6c00) at ../src/libsystemd/sd-event/sd-event.c:4782 #34 0x00007f5d0f0a6d38 in sd_event_run (e=<optimized out>, timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:4843 #35 0x00007f5d0f4f7871 in manager_loop (m=m@entry=0x5569232f8250) at ../src/core/manager.c:3310 #36 0x00005568f181517d in invoke_main_loop (m=0x5569232f8250, saved_rlimit_nofile=0x7ffd5dc2dcb0, saved_rlimit_memlock=0x7ffd5dc2dca0, ret_retval=<synthetic pointer>, ret_fds=0x7ffd5dc2dc78, ret_switch_root_dir=<synthetic pointer>, ret_switch_root_init=<synthetic pointer>, ret_error_message=0x7ffd5dc2dc90) at ../src/core/main.c:2140 #37 main (argc=<optimized out>, argv=0x7ffd5dc2dfe8) at ../src/core/main.c:3351 Follow-up for fe3f2ac

haraldh closed this Jun 5, 2015

crrodriguez mentioned this pull request Jun 8, 2015

util:bind_remount_recursive() fix "use after free" #96

Merged

keszybz referenced this pull request in keszybz/systemd May 25, 2017

Merge pull request #17 from keszybz/drop-autotools

69d53cd

Drop autotools support

mdrslmr mentioned this pull request Nov 14, 2017

systemd-logind's IP sandbox breaks nss-nis and suchlike #7074

Closed

haraldh deleted the [email protected] branch July 21, 2018 07:23

alexzk1 mentioned this pull request Nov 28, 2018

Broken journals because of power loss. #10965

Closed

keszybz mentioned this pull request Sep 2, 2019

logind: fix property emission on Sessions #13454

Merged

keszybz mentioned this pull request Oct 29, 2019

calendarspec: fix calculation of timespec iterations that fall onto a DST change #13872

Merged

hijacked mentioned this pull request Jun 11, 2024

systemd-networkd Could not set DHCPv4 address: Connection timed out #33278

Closed

jurekb mentioned this pull request Feb 2, 2025

systemd[703]: Assertion 'path_is_absolute(p)' failed at src/basic/chase.c:648, function chase(). Aborting. #36242

Closed

syedire mentioned this pull request Sep 16, 2025

Failed to send WATCHDOG=1 notification message: Transport endpoint is not connected #38945

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

cryptsetup: craft a unique ID with the source device #17

cryptsetup: craft a unique ID with the source device #17

Uh oh!

haraldh commented Jun 2, 2015

Uh oh!

haraldh commented Jun 2, 2015

Uh oh!

haraldh commented Jun 5, 2015

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant

Uh oh!

cryptsetup: craft a unique ID with the source device #17

cryptsetup: craft a unique ID with the source device #17

Uh oh!

Conversation

haraldh commented Jun 2, 2015

Uh oh!

haraldh commented Jun 2, 2015

Uh oh!

haraldh commented Jun 5, 2015

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant