Bug Summary

File:build-scan/../src/fuzz/fuzz-compress.c
Warning: line 61, column 17
Potential leak of memory pointed to by 'buf'

Annotated Source Code


clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name fuzz-compress.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all -relaxed-aliasing -menable-no-infs -menable-no-nans -menable-unsafe-fp-math -fno-signed-zeros -mreassociate -freciprocal-math -fdenormal-fp-math=preserve-sign,preserve-sign -ffp-contract=fast -fno-rounding-math -ffast-math -ffinite-math-only -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -fno-split-dwarf-inlining -debugger-tuning=gdb -resource-dir /usr/lib64/clang/12.0.0 -include config.h -I fuzz-compress.p -I . -I .. 
-I src/basic -I ../src/basic -I src/shared -I ../src/shared -I src/systemd -I ../src/systemd -I src/journal -I ../src/journal -I src/journal-remote -I ../src/journal-remote -I src/nspawn -I ../src/nspawn -I src/resolve -I ../src/resolve -I src/timesync -I ../src/timesync -I ../src/time-wait-sync -I src/login -I ../src/login -I src/udev -I ../src/udev -I src/libudev -I ../src/libudev -I src/core -I ../src/core -I ../src/libsystemd/sd-bus -I ../src/libsystemd/sd-device -I ../src/libsystemd/sd-hwdb -I ../src/libsystemd/sd-id128 -I ../src/libsystemd/sd-netlink -I ../src/libsystemd/sd-network -I src/libsystemd-network -I ../src/libsystemd-network -I src/fuzz -I ../src/fuzz -D _FILE_OFFSET_BITS=64 -internal-isystem /usr/local/include -internal-isystem /usr/lib64/clang/12.0.0/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -Wwrite-strings -Wno-unused-parameter -Wno-missing-field-initializers -Wno-unused-result -Wno-format-signedness -Wno-error=nonnull -std=gnu99 -fconst-strings -fdebug-compilation-dir /home/mrc0mmand/repos/@redhat-plumbers/systemd-rhel8/build-scan -ferror-limit 19 -fvisibility hidden -stack-protector 2 -fgnuc-version=4.2.1 -fcolor-diagnostics -analyzer-output=html -faddrsig -o /tmp/scan-build-2021-07-16-221226-1465241-1 -x c ../src/fuzz/fuzz-compress.c
1/* SPDX-License-Identifier: LGPL-2.1+ */
2
3#include <errno(*__errno_location ()).h>
4
5#include "alloc-util.h"
6#include "compress.h"
7#include "fuzz.h"
8
/* Route one compression request to the backend selected by 'alg'.
 *
 * Returns whatever the chosen compress_blob_*() returns; an 'alg' value
 * this helper does not know yields -EOPNOTSUPP without touching 'dst'. */
static int compress(int alg,
                    const void *src, uint64_t src_size,
                    void *dst, size_t dst_alloc_size, size_t *dst_size) {

        switch (alg) {
        case OBJECT_COMPRESSED_LZ4:
                return compress_blob_lz4(src, src_size, dst, dst_alloc_size, dst_size);
        case OBJECT_COMPRESSED_XZ:
                return compress_blob_xz(src, src_size, dst, dst_alloc_size, dst_size);
        default:
                return -EOPNOTSUPP;
        }
}
19
/* Layout of one fuzz case: a fixed header followed by the payload that
 * gets compressed and then checked with decompress_startswith(). */
typedef struct header {
        /* Compression algorithm to exercise. Only two exist today; the
         * two-bit field leaves room for more without changing the layout
         * of existing fuzz cases. */
        uint32_t alg:2;
        /* Prefix length handed to decompress_startswith(); the caller
         * clamps it to the payload size before use. */
        uint32_t sw_len;
        /* Initial allocation size for the decompress_startswith() output
         * buffer; the caller raises it to at least 1. */
        uint32_t sw_alloc;
        /* Reserved so that future fields do not invalidate stored cases. */
        uint32_t reserved[3];
        /* Payload; runs to the end of the fuzz input. */
        uint8_t data[];
} header;
30
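/* libFuzzer entry point: compress the payload with the algorithm named in the
 * header, then verify via decompress_startswith() that the compressed blob
 * still starts with the requested prefix of the original payload.
 *
 * Always returns 0; inputs that are too short, unsupported or that fail to
 * compress are not crashes and simply end the case. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        /* Both buffers carry the cleanup attribute (freep), so they are
         * released on every return path below, including the early ones. */
        _cleanup_free_ void *buf = NULL, *buf2 = NULL;
        int r;

        /* Require at least one payload byte after the header; data_len >= 1
         * is what keeps h->data[sw_len] in bounds further down. */
        if (size < offsetof(header, data) + 1)
                return 0;

        const header *h = (struct header*) data;
        const size_t data_len = size - offsetof(header, data);

        int alg = h->alg;

        /* We don't want to fill the logs with messages about parse errors.
         * Disable most logging if not running standalone */
        if (!getenv("SYSTEMD_LOG_LEVEL"))
                log_set_max_level(LOG_CRIT);

        log_info("Using compression %s, data size=%zu",
                 object_compressed_to_string(alg) ?: "(none)",
                 data_len);

        buf = malloc(MAX(size, 128u)); /* Make the buffer a bit larger for very small data */
        if (!buf) {
                log_oom();
                return 0;
        }

        /* compress() is told 'size', not the possibly larger allocation, so
         * the destination limit stays conservative. */
        size_t csize;
        r = compress(alg, h->data, data_len, buf, size, &csize);
        if (r < 0) {
                /* scan-build reports a potential leak of 'buf' at this
                 * return. 'buf' is freed by its cleanup attribute on scope
                 * exit, so this looks like the analyzer not modelling
                 * __attribute__((cleanup)) rather than a real leak. */
                log_error_errno(r, "Compression failed: %m");
                return 0;
        }

        log_debug("Compressed %zu bytes to → %zu bytes", data_len, csize);

        /* sw_alloc comes straight from the fuzz input; a failed allocation
         * is not a bug in the code under test, so just end the case. */
        size_t sw_alloc = MAX(h->sw_alloc, 1u);
        buf2 = malloc(sw_alloc);
        if (!buf2) { /* was '!buf', which is already known non-NULL here */
                log_oom();
                return 0;
        }

        /* Clamp the requested prefix so that sw_len <= data_len - 1 and the
         * byte after the prefix, h->data[sw_len], is inside the payload. */
        size_t sw_len = MIN(data_len - 1, h->sw_len);

        /* The round trip must reproduce the prefix; anything else is a
         * real defect in the compression code and aborts the fuzzer. */
        r = decompress_startswith(alg, buf, csize, &buf2, &sw_alloc, h->data, sw_len, h->data[sw_len]);
        assert_se(r > 0);

        return 0;
}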