diff --git a/go.mod b/go.mod index b0e1eb09b..e838e8714 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.20 require ( dario.cat/mergo v1.0.0 - github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // replaced; see replace rules for actual version used. + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 github.com/Microsoft/go-winio v0.6.1 github.com/Microsoft/hcsshim v0.10.0 @@ -140,7 +140,3 @@ require ( sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) - -// Fork will be merged later but may impact other go-fuzz-headers consumers: -// https://github.com/containerd/containerd/pull/7957#pullrequestreview-1244814968 -replace github.com/AdaLogics/go-fuzz-headers => github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230111232327-1f10f66a31bf diff --git a/go.sum b/go.sum index cd03833ae..a5058cd00 100644 --- a/go.sum +++ b/go.sum @@ -44,10 +44,11 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20210715213245-6c3934b029d8/go.mod h1:CzsSbkDixRphAF5hS6wbMKq0eI6ccJRb7/A0M6JBnwg= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA= github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230111232327-1f10f66a31bf h1:EamsQRRH14elXDAofrOK5Ja6fDTJSrbKstpr1grrGX4= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230111232327-1f10f66a31bf/go.mod h1:0vOOKsOMKPThRu9lQMAxcQ8D60f8U+wHXl07SyUw0+U= github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= @@ -894,7 +895,6 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= @@ -1312,7 +1312,6 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/integration/client/go.mod b/integration/client/go.mod index c38aa8897..2ee5e1acf 100644 --- a/integration/client/go.mod +++ b/integration/client/go.mod @@ -3,7 +3,7 @@ module github.com/containerd/containerd/integration/client go 1.19 require ( - github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // replaced; see replace rules for actual version used. + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 github.com/Microsoft/hcsshim v0.10.0 github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1 github.com/containerd/cgroups/v3 v3.0.2 @@ -30,7 +30,6 @@ require ( github.com/containerd/console v1.0.3 // indirect github.com/containerd/fifo v1.1.0 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect - github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect @@ -77,7 +76,3 @@ require ( // in the "require" section above are still taken into account for version // resolution if newer. replace github.com/containerd/containerd => ../../ - -// Fork will be merged later but may impact other go-fuzz-headers consumers: -// https://github.com/containerd/containerd/pull/7957#pullrequestreview-1244814968 -replace github.com/AdaLogics/go-fuzz-headers => github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230111232327-1f10f66a31bf diff --git a/integration/client/go.sum b/integration/client/go.sum index 1f3df7c68..54e60bf21 100644 --- a/integration/client/go.sum +++ b/integration/client/go.sum @@ -726,10 +726,11 @@ dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20221206110420-d395f97c4830/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA= github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230111232327-1f10f66a31bf h1:EamsQRRH14elXDAofrOK5Ja6fDTJSrbKstpr1grrGX4= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230111232327-1f10f66a31bf/go.mod h1:0vOOKsOMKPThRu9lQMAxcQ8D60f8U+wHXl07SyUw0+U= github.com/Azure/azure-sdk-for-go v56.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= @@ -939,7 +940,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ= github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= diff --git a/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go b/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go index ee373ed28..adfeedf5e 100644 --- a/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go +++ b/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go @@ -25,11 +25,10 @@ import ( "os" "path/filepath" "reflect" + "strconv" "strings" "time" "unsafe" - - securejoin "github.com/cyphar/filepath-securejoin" ) var ( @@ -412,26 +411,27 @@ func (f *ConsumeFuzzer) GetUint64() (uint64, error) { } func (f *ConsumeFuzzer) GetBytes() ([]byte, error) { - if f.position >= f.dataTotal { - return nil, errors.New("not enough bytes to create byte array") - } - length, err := f.GetUint32() + var length uint32 + var err error + length, err = f.GetUint32() if err != nil { return nil, errors.New("not enough bytes to create byte array") } - if f.position+length > MaxTotalLen { - return nil, errors.New("created too large a string") + + if length == 0 { + length = 30 + } + bytesLeft := f.dataTotal - f.position + if bytesLeft <= 0 { + return nil, errors.New("not enough bytes to create byte array") + } + + // If the length is the same as bytes left, we will not overflow + // the remaining bytes. + if length != bytesLeft { + length = length % bytesLeft } byteBegin := f.position - if byteBegin >= f.dataTotal { - return nil, errors.New("not enough bytes to create byte array") - } - if length == 0 { - return nil, errors.New("zero-length is not supported") - } - if byteBegin+length-1 >= f.dataTotal { - return nil, errors.New("not enough bytes to create byte array") - } if byteBegin+length < byteBegin { return nil, errors.New("numbers overflow") } @@ -505,7 +505,8 @@ func returnTarBytes(buf []byte) ([]byte, error) { func setTarHeaderFormat(hdr *tar.Header, f *ConsumeFuzzer) error { ind, err := f.GetInt() if err != nil { - return err + hdr.Format = tar.FormatGNU + //return nil } switch ind % 4 { case 0: @@ -566,54 +567,9 @@ func setTarHeaderTypeflag(hdr *tar.Header, f *ConsumeFuzzer) error { return nil } -func tooSmallFileBody(length uint32) bool { - if length < 2 { - return true - } - if length < 4 { - return true - } - if length < 10 { - return true - } - if length < 100 { - return true - } - if length < 500 { - return true - } - if length < 1000 { - return true - } - if length < 2000 { - return true - } - if length < 4000 { - return true - } - if length < 8000 { - return true - } - if length < 16000 { - return true - } - if length < 32000 { - return true - } - if length < 64000 { - return true - } - if length < 128000 { - return true - } - if length < 264000 { - return true - } - return false -} - func (f *ConsumeFuzzer) createTarFileBody() ([]byte, error) { - length, err := f.GetUint32() + return f.GetBytes() + /*length, err := f.GetUint32() if err != nil { return nil, errors.New("not enough bytes to create byte array") } @@ -641,14 +597,15 @@ func (f *ConsumeFuzzer) createTarFileBody() ([]byte, error) { return nil, errors.New("numbers overflow") } f.position = byteBegin + length - return f.data[byteBegin:f.position], nil + return f.data[byteBegin:f.position], nil*/ } // getTarFileName is similar to GetString(), but creates string based // on the length of f.data to reduce the likelihood of overflowing // f.data. func (f *ConsumeFuzzer) getTarFilename() (string, error) { - length, err := f.GetUint32() + return f.GetString() + /*length, err := f.GetUint32() if err != nil { return "nil", errors.New("not enough bytes to create string") } @@ -673,7 +630,12 @@ func (f *ConsumeFuzzer) getTarFilename() (string, error) { return "nil", errors.New("numbers overflow") } f.position = byteBegin + length - return string(f.data[byteBegin:f.position]), nil + return string(f.data[byteBegin:f.position]), nil*/ +} + +type TarFile struct { + Hdr *tar.Header + Body []byte } // TarBytes returns valid bytes for a tar archive @@ -682,29 +644,38 @@ func (f *ConsumeFuzzer) TarBytes() ([]byte, error) { if err != nil { return nil, err } + var tarFiles []*TarFile + tarFiles = make([]*TarFile, 0) - var buf bytes.Buffer - tw := tar.NewWriter(&buf) - defer tw.Close() - - const maxNoOfFiles = 1000 + const maxNoOfFiles = 100 for i := 0; i < numberOfFiles%maxNoOfFiles; i++ { - filename, err := f.getTarFilename() + var filename string + var filebody []byte + var sec, nsec int + var err error + + filename, err = f.getTarFilename() if err != nil { - return returnTarBytes(buf.Bytes()) + var sb strings.Builder + sb.WriteString("file-") + sb.WriteString(strconv.Itoa(i)) + filename = sb.String() } - filebody, err := f.createTarFileBody() + filebody, err = f.createTarFileBody() if err != nil { - return returnTarBytes(buf.Bytes()) + var sb strings.Builder + sb.WriteString("filebody-") + sb.WriteString(strconv.Itoa(i)) + filebody = []byte(sb.String()) } - sec, err := f.GetInt() + sec, err = f.GetInt() if err != nil { - return returnTarBytes(buf.Bytes()) + sec = 1672531200 // beginning of 2023 } - nsec, err := f.GetInt() + nsec, err = f.GetInt() if err != nil { - return returnTarBytes(buf.Bytes()) + nsec = 1703980800 // end of 2023 } hdr := &tar.Header{ @@ -714,21 +685,83 @@ func (f *ConsumeFuzzer) TarBytes() ([]byte, error) { ModTime: time.Unix(int64(sec), int64(nsec)), } if err := setTarHeaderTypeflag(hdr, f); err != nil { - return returnTarBytes(buf.Bytes()) + return []byte(""), err } if err := setTarHeaderFormat(hdr, f); err != nil { - return returnTarBytes(buf.Bytes()) + return []byte(""), err } - if err := tw.WriteHeader(hdr); err != nil { - return returnTarBytes(buf.Bytes()) - } - if _, err := tw.Write(filebody); err != nil { - return returnTarBytes(buf.Bytes()) + tf := &TarFile{ + Hdr: hdr, + Body: filebody, } + tarFiles = append(tarFiles, tf) + } + + var buf bytes.Buffer + tw := tar.NewWriter(&buf) + defer tw.Close() + + for _, tf := range tarFiles { + tw.WriteHeader(tf.Hdr) + tw.Write(tf.Body) } return buf.Bytes(), nil } +// This is similar to TarBytes, but it returns a series of +// files instead of raw tar bytes. The advantage of this +// api is that it is cheaper in terms of cpu power to +// modify or check the files in the fuzzer with TarFiles() +// because it avoids creating a tar reader. +func (f *ConsumeFuzzer) TarFiles() ([]*TarFile, error) { + numberOfFiles, err := f.GetInt() + if err != nil { + return nil, err + } + var tarFiles []*TarFile + tarFiles = make([]*TarFile, 0) + + const maxNoOfFiles = 100 + for i := 0; i < numberOfFiles%maxNoOfFiles; i++ { + filename, err := f.getTarFilename() + if err != nil { + return tarFiles, err + } + filebody, err := f.createTarFileBody() + if err != nil { + return tarFiles, err + } + + sec, err := f.GetInt() + if err != nil { + return tarFiles, err + } + nsec, err := f.GetInt() + if err != nil { + return tarFiles, err + } + + hdr := &tar.Header{ + Name: filename, + Size: int64(len(filebody)), + Mode: 0o600, + ModTime: time.Unix(int64(sec), int64(nsec)), + } + if err := setTarHeaderTypeflag(hdr, f); err != nil { + hdr.Typeflag = tar.TypeReg + } + if err := setTarHeaderFormat(hdr, f); err != nil { + return tarFiles, err // should not happend + } + tf := &TarFile{ + Hdr: hdr, + Body: filebody, + } + tarFiles = append(tarFiles, tf) + } + return tarFiles, nil +} + // CreateFiles creates pseudo-random files in rootDir. // It creates subdirs and places the files there. // It is the callers responsibility to ensure that @@ -755,10 +788,10 @@ func (f *ConsumeFuzzer) CreateFiles(rootDir string) error { return errors.New("could not get fileName") } } - fullFilePath, err := securejoin.SecureJoin(rootDir, fileName) - if err != nil { - return err + if strings.Contains(fileName, "..") || (len(fileName) > 0 && fileName[0] == 47) || strings.Contains(fileName, "\\") { + continue } + fullFilePath := filepath.Join(rootDir, fileName) // Find the subdirectory of the file if subDir := filepath.Dir(fileName); subDir != "" && subDir != "." { @@ -766,20 +799,14 @@ func (f *ConsumeFuzzer) CreateFiles(rootDir string) error { if strings.Contains(subDir, "../") || (len(subDir) > 0 && subDir[0] == 47) || strings.Contains(subDir, "\\") { continue } - dirPath, err := securejoin.SecureJoin(rootDir, subDir) - if err != nil { - continue - } + dirPath := filepath.Join(rootDir, subDir) if _, err := os.Stat(dirPath); os.IsNotExist(err) { err2 := os.MkdirAll(dirPath, 0o777) if err2 != nil { continue } } - fullFilePath, err = securejoin.SecureJoin(dirPath, fileName) - if err != nil { - continue - } + fullFilePath = filepath.Join(dirPath, fileName) } else { // Create symlink createSymlink, err := f.GetBool() diff --git a/vendor/modules.txt b/vendor/modules.txt index d210dfbbe..0dbd9f36e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,8 +1,8 @@ # dario.cat/mergo v1.0.0 ## explicit; go 1.13 dario.cat/mergo -# github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 => github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230111232327-1f10f66a31bf -## explicit; go 1.18 +# github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 +## explicit; go 1.20 github.com/AdaLogics/go-fuzz-headers # github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 ## explicit; go 1.18 @@ -825,4 +825,3 @@ sigs.k8s.io/structured-merge-diff/v4/value # sigs.k8s.io/yaml v1.3.0 ## explicit; go 1.12 sigs.k8s.io/yaml -# github.com/AdaLogics/go-fuzz-headers => github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230111232327-1f10f66a31bf