ovs/tests/fuzz-regression-list.at

TEST_FUZZ_REGRESSION([flow_extract_fuzzer-5112775280951296])
TEST_FUZZ_REGRESSION([flow_extract_fuzzer-5457710546944000])
TEST_FUZZ_REGRESSION([json_parser_fuzzer-4790908707930112])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4584019764183040])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4671928750702592])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4730143510626304])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4854119633256448])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5070973479944192])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5072291707748352])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5147430386401280])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5168455220199424])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5190507327127552])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5204186701496320])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5394482341085184])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5395207246839808])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5647458888581120])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5674119268925440])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5674419757252608])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5677588436484096])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5706562554298368])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
tests: Add regression tests for all the bugs found by oss-fuzz so far. This will make it harder for bugs found by oss-fuzz to reappear. Signed-off-by: Ben Pfaff <blp@ovn.org> Tested-by: Yifeng Sun <pkusunyifeng@gmail.com> Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org> 2018-08-30 13:58:50 -07:00			`TEST_FUZZ_REGRESSION([flow_extract_fuzzer-5112775280951296])`
			`TEST_FUZZ_REGRESSION([flow_extract_fuzzer-5457710546944000])`
			`TEST_FUZZ_REGRESSION([json_parser_fuzzer-4790908707930112])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4584019764183040])`
ofp-monitor: Fix abort on malformed flow update event. nx_to_ofp_flow_update_event() aborts the execution if incorrect event is passed, so checking has to be done before conversion in order to avoid the crash while decoding malformed flow update message: ==397030==ERROR: AddressSanitizer: ABRT on unknown address 0x... ) 0 0x7fd26688418b in raise 1 0x7fd266863858 in abort 2 0x6a6cbd in nx_to_ofp_flow_update_event lib/ofp-monitor.c:399:9 3 0x6a6cbd in ofputil_decode_flow_update lib/ofp-monitor.c:856:25 4 0x56491d in ofp_print_flow_monitor_reply lib/ofp-print.c:779:22 5 0x55f0a0 in ofp_to_string__ lib/ofp-print.c:1154:16 6 0x55f0a0 in ofp_to_string lib/ofp-print.c:1244:21 7 0x5603a5 in ofp_print lib/ofp-print.c:1288:28 Credit to OSS-Fuzz. Additionally removed the extra 'reply' word from the error message, since ofpraw_get_name(raw) already has one. Fixes: c3e64047d1cc ("ofp-monitor: Support flow monitoring for OpenFlow 1.3, 1.4+.") Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47112 Acked-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org> 2022-04-29 19:21:23 +02:00			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4671928750702592])`
tests: Add regression tests for all the bugs found by oss-fuzz so far. This will make it harder for bugs found by oss-fuzz to reappear. Signed-off-by: Ben Pfaff <blp@ovn.org> Tested-by: Yifeng Sun <pkusunyifeng@gmail.com> Reviewed-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org> 2018-08-30 13:58:50 -07:00			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4730143510626304])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-4854119633256448])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5070973479944192])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5072291707748352])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5147430386401280])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5168455220199424])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5190507327127552])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5204186701496320])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5394482341085184])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5395207246839808])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5647458888581120])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5674119268925440])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5674419757252608])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5677588436484096])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5706562554298368])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])`
			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])`
ofp-actions: Fix use-after-free while decoding RAW_ENCAP. While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate ofpbuf if there is no enough space left. However, function 'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap' structure leading to write-after-free and incorrect decoding. ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408 WRITE of size 2 at 0x60600000011a thread T0 #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20 #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16 #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21 #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13 #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12 #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17 #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13 #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16 #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21 #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28 #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9 #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17 #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5 #13 0x5391ae in main utilities/ovs-ofctl.c:179:9 #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081) #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed) Fix that by getting a new pointer before using. Credit to OSS-Fuzz. Fuzzer regression test will fail only with AddressSanitizer enabled. Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851 Fixes: f839892a206a ("OF support and translation of generic encap and decap") Acked-by: William Tu <u9012063@gmail.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org> 2021-02-16 23:27:30 +01:00			`TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])`