Commit graph

12 commits

Author SHA1 Message Date
Miklos Vajna
f569c2b496 log: don't try to get the channel of a non-existing logger
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ic08043dac01b682184ff440b2f7d7f4f3df9522e
2021-07-15 09:01:16 +02:00
Miklos Vajna
8f1621299b wsd: guard against negative counter in loolclient cmd
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: If1b1b515015b8aae01f2d1a6cb6a98426e2b03a8
2021-06-04 14:31:57 +02:00
Miklos Vajna
bc0401fc49 Make sure that double fits into uint64_t
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ic521383f71c1865ae18fc880b79493c52285e29b
2021-05-31 08:54:06 +02:00
Miklos Vajna
7b89ce2961 ClientSession::_handleInput: avoid pointing to a temporary
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I048ce322111029847d78f917f071b1c0854dc116
2021-05-10 12:38:32 +03:00
Miklos Vajna
f77c8076a7 wsd: fix crash on renderfont when the doc broker has no tile cache
Happens when renderfont is called without first loading a document.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I1152d1f4b3f610364e22c406cda5494672f20aed
2020-12-21 10:23:56 +01:00
Miklos Vajna
eb5c86a4d3 DocumentBroker::saveToStorage: guard against nullptr _storage
This can happen on a 'savetostorage' which is after a failed load.

Change-Id: Iad26bf6415c772c8646a119b0454c202873d6860
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
2020-10-26 10:57:23 +01:00
Miklos Vajna
3ce20bae68 DocumentBroker::sendRequestedTiles: avoid nullptr _tileCache
Change-Id: I467c7ca451b4f72f4f1205e965be2dd602d6d69d
2020-10-08 11:59:08 +02:00
Miklos Vajna
2b546f72de document broker: handle tile request without tile cache
Change-Id: I5e0006cde07a84e6553db92627fdab943ac51d04
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/103534
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
2020-09-28 10:50:46 +02:00
Miklos Vajna
d129979822 wsd: fix crash with read-only documents + uno command without param
==15956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007cd2f7 bp 0x7ffe96c7cd70 sp 0x7ffe96c7c4e8 T0)
...
    #7 0x11a9d31 in ClientSession::filterMessage(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const wsd/ClientSession.cpp:977:27
    #8 0x11925d6 in ClientSession::_handleInput(char const*, int) wsd/ClientSession.cpp:741:14
    #9 0x19395d0 in Session::handleMessage(bool, WSOpCode, std::vector<char, std::allocator<char> >&) common/Session.cpp:230:13

This seems to be a recurring pattern, I'll consider reworking
LOOLProtocol::tokenize() in a follow-up commit to have a return value
that is safer than std::vector<std::string>.

Change-Id: I0e71214a55af2e71e4787cb0dba0ddf7825bf9d9
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89637
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-02-27 17:59:59 +01:00
Miklos Vajna
aefc65465b wsd: fix crash when downloadas has not enough parameters
==11898==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007c4f87 bp 0x7fffe45dfe90 sp 0x7fffe45df608 T0)
==11898==The signal is caused by a READ memory access.
==11898==Hint: address points to the zero page.
    #0 0x7c4f86 in AddressIsPoisoned lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/asan_mapping.h:397
    #1 0x7c4f86 in __asan::QuickCheckForUnpoisonedRegion(unsigned long, unsigned long) lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.h:31
    #2 0x816436 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:834
    #3 0x816d38 in memcmp lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:866
    #4 0x7f1964437595 in std::char_traits<char>::compare(char const*, char const*, unsigned long) lode/packages/gccbuild/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:310
    #5 0x7f1964437595 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(unsigned long, unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const lode/packages/gccbuild/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/basic_string.tcc:1391
    #6 0x18e206d in LOOLProtocol::getTokenString(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) common/Protocol.cpp:141:19
    #7 0x117cc0a in ClientSession::filterMessage(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const wsd/ClientSession.cpp:940:13
    #8 0x116b832 in ClientSession::_handleInput(char const*, int) wsd/ClientSession.cpp:741:14
    #9 0x18f70d0 in Session::handleMessage(bool, WSOpCode, std::vector<char, std::allocator<char> >&) common/Session.cpp:230:13

Change-Id: I0c7da6c02ac62bf0bc99557517fc7c517917046c
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89229
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:34 +01:00
Miklos Vajna
57a35bb96c Add an initial libfuzzer based fuzzer
- target ClientSession::_handleInput(), since crashing there would bring
  down the whole loolwsd (not just a kit process), and it deals with
  input from untrusted users (browsers)

- add a --enable-fuzzers configure switch to build with
  -fsanitize=fuzzer (compared to normal sanitizers build, this is the only
  special flag needed)

- configuring other sanitizers is not done automatically, either use
  --with-sanitizer=... or the environment variables from LODE's sanitizer
  config

- run the actual fuzzer like this:

  ./clientsession_fuzzer -max_len=16384 fuzzer/data/

- note that at least openSUSE Leap 15.1 sadly ships with a clang with
  libfuzzer static libs removed from the package, so you need a
  self-built clang to run the fuzzer (either manual build or one from
  LODE)

- <https://chromium.googlesource.com/chromium/src/testing/libfuzzer/+/refs/heads/master/efficient_fuzzing.md#execution-speed>
  suggests that "You should aim for at least 1,000 exec/s from your fuzz
  target locally" (i.e. one run should not take more than 1 ms), so try
  this minimal approach first. The alternative would be to start from the
  existing loolwsd_fuzzer binary, then step by step cut it down to not
  fork(), not do any network traffic, etc -- till it's fast enough that
  the fuzzer can find interesting input

- the various configurations start to be really complex (the matrix is
  just very large), so try to use Util::isFuzzing() for fuzzer-specific
  changes (this is what core.git does as well), and only resort to ifdefs
  for the Util::isFuzzing() itself

Change-Id: I72dc1193b34c93eacb5d8e39cef42387d42bd72f
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89226
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:22 +01:00
Miklos Vajna
8d2a8da960 common: fix crash when the version string contains no dot character
==13901==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000904678 bp 0x7ffdb9e21580 sp 0x7ffdb9e21340 T0)
==13901==The signal is caused by a READ memory access.
==13901==Hint: address points to the zero page.
    #0 0x904677 in LOOLProtocol::tokenize[abi:cxx11](char const*, unsigned long, char) common/Protocol.hpp:113:40
    #1 0x898c52 in LOOLProtocol::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char) common/Protocol.hpp:141:16
    #2 0x18dc2d9 in LOOLProtocol::ParseVersion(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) common/Protocol.cpp:35:51
    #3 0x1148824 in ClientSession::_handleInput(char const*, int) wsd/ClientSession.cpp:358:64
    #4 0x18efcb8 in Session::handleMessage(bool, WSOpCode, std::vector<char, std::allocator<char> >&) common/Session.cpp:232:13

Next commit will add the actual simple fuzzer that found this.

Change-Id: I8623b4451a57390f6f84c11084c5a1120a11fcc5
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89225
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:11 +01:00
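
The missing-parameter crashes fixed in d129979822 and aefc65465b, and the harness shape described in 57a35bb96c, sketched as an added example. This is not code from the repository or from the commit author. SafeTokens, tokenize, handleInput and the "name=" parameter syntax are hypothetical stand-ins, assumed only for illustration.

```cpp
// Added illustration; not code from the online.git repository.
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Hypothetical token container: indexing past the end yields an empty
// string instead of the undefined behaviour of std::vector::operator[].
class SafeTokens {
    std::vector<std::string> _tokens;
public:
    void push(std::string t) { _tokens.push_back(std::move(t)); }
    std::size_t size() const { return _tokens.size(); }
    const std::string& operator[](std::size_t i) const {
        static const std::string empty;
        return i < _tokens.size() ? _tokens[i] : empty;
    }
};

// Split on a delimiter, skipping empty fields; len == 0 never reads data.
SafeTokens tokenize(const char* data, std::size_t len, char delim = ' ') {
    SafeTokens out;
    std::string cur;
    for (std::size_t i = 0; i < len; ++i) {
        if (data[i] != delim) { cur.push_back(data[i]); continue; }
        if (!cur.empty()) { out.push(std::move(cur)); cur.clear(); }
    }
    if (!cur.empty()) out.push(std::move(cur));
    return out;
}

// Stand-in handler: 0 = accepted, -1 = rejected. The "name=" parameter
// syntax is constructed for this example.
int handleInput(const char* data, std::size_t len) {
    const SafeTokens t = tokenize(data, len);
    if (t[0] == "downloadas")  // a missing t[1] is rejected, not dereferenced
        return t[1].compare(0, 5, "name=") == 0 ? 0 : -1;
    if (t[0] == "uno")
        return t[1].empty() ? -1 : 0;
    return -1;
}

// libFuzzer entry point: no fork(), no sockets, just bytes into the parser.
extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t* data, std::size_t size) {
    handleInput(reinterpret_cast<const char*>(data), size);
    return 0;
}
```

Compiled with clang++ -fsanitize=fuzzer,address this links as a fuzz target; the sanitizer then reports any out-of-bounds access that the fuzzer reaches.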