sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
Code
e61ddeef4c
samba-mirror/lib/fuzzing/decode_ndr_X_crash

138 lines
4.0 KiB
Plaintext
Raw Normal View History

fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
#!/usr/bin/env python3
#
# Interpret a file that crashes an fuzz_ndr_X binary.
#
# Copyright (C) Catalyst IT Ltd. 2019
import sys
import os
from base64 import b64encode
import struct
import argparse
fuzzing/decode_ndr_X: read crashes from a HONGGFUZZ report In theory, you should be able to run honggfuzz and go $ lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ-REPORT.txt > crash-crash-crash.sh Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:57:02 +03:00
import re
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
TYPE_MASK = 3
TYPES = ['struct', 'in', 'out']
FLAGS = [
(4, 'ndr64', '--ndr64'),
]
lib/fuzzing/decode_ndr_X: print less by default, avoid pipe ndrdump can now take base64 input directly. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:35:40 +03:00
def print_if_verbose(*args, **kwargs):
if verbose:
print(*args, **kwargs)
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
def process_one_file(f):
lib/fuzzing/decode_ndr_X: print less by default, avoid pipe ndrdump can now take base64 input directly. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:35:40 +03:00
print_if_verbose(f.name)
print_if_verbose('-' * len(f.name))
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
b = f.read()
flags, function = struct.unpack('<HH', b[:4])
if opnum is not None and opnum != function:
return
t = TYPES[flags & TYPE_MASK]
if ndr_type and ndr_type != t:
return
payload = b[4:]
lib/fuzzing/decode_ndr_X: print less by default, avoid pipe ndrdump can now take base64 input directly. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:35:40 +03:00
data64 = b64encode(payload).decode('utf-8')
cmd = ['bin/ndrdump',
pipe,
str(function),
t,
'--base64-input',
'--input', data64,
]
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
for flag, name, option in FLAGS:
if flags & flag:
lib/fuzzing/decode_ndr_X: print less by default, avoid pipe ndrdump can now take base64 input directly. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:35:40 +03:00
print_if_verbose("flag: %s" % name)
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
cmd.append(option)
lib/fuzzing/decode_ndr_X: print less by default, avoid pipe ndrdump can now take base64 input directly. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:35:40 +03:00
print_if_verbose("length: %d\n" % len(payload))
print(' '.join(cmd))
print_if_verbose()
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-p', '--pipe', default='$PIPE',
help='pipe name (for output command line)')
parser.add_argument('-t', '--type', default=None, choices=TYPES,
help='restrict to this type')
parser.add_argument('-o', '--opnum', default=None, type=int,
help='restrict to this function/struct number')
fuzzing/decode_ndr_X: read crashes from a HONGGFUZZ report In theory, you should be able to run honggfuzz and go $ lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ-REPORT.txt > crash-crash-crash.sh Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:57:02 +03:00
parser.add_argument('FILES', nargs='*', default=(),
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
help="read from these files")
parser.add_argument('-k', '--ignore-errors', action='store_true',
help='do not stop on errors')
lib/fuzzing/decode_ndr_X: print less by default, avoid pipe ndrdump can now take base64 input directly. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:35:40 +03:00
parser.add_argument('-v', '--verbose', action='store_true',
help='say more')
fuzzing/decode_ndr_X: read crashes from a HONGGFUZZ report In theory, you should be able to run honggfuzz and go $ lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ-REPORT.txt > crash-crash-crash.sh Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:57:02 +03:00
parser.add_argument('-H', '--honggfuzz-file',
help="extract crashes from this honggfuzz report")
fuzz/decode_ndr_X_crash: -f to filter crashes by regex If you go: $ ./lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ_REPORT.txt -f 'SIG[^V]' > ./crash.sh you will get all the crashes and not the timeouts (which have SIGVTALARM). Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-06 01:10:05 +03:00
parser.add_argument('-f', '--crash-filter',
help="only print crashes matching this rexexp")
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
args = parser.parse_args()
lib/fuzzing/decode_ndr_X: print less by default, avoid pipe ndrdump can now take base64 input directly. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:35:40 +03:00
global pipe, opnum, ndr_type, verbose
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
pipe = args.pipe
opnum = args.opnum
ndr_type = args.type
lib/fuzzing/decode_ndr_X: print less by default, avoid pipe ndrdump can now take base64 input directly. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:35:40 +03:00
verbose = args.verbose
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
if not args.FILES and not args.honggfuzz_file:
parser.print_usage()
sys.exit(1)
for fn in args.FILES:
fuzz/decode_ndr_X_crash: -f to filter crashes by regex If you go: $ ./lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ_REPORT.txt -f 'SIG[^V]' > ./crash.sh you will get all the crashes and not the timeouts (which have SIGVTALARM). Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-06 01:10:05 +03:00
if args.crash_filter is not None:
if not re.search(args.crash_filter, fn):
print_if_verbose(f"skipping {fn}")
continue
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
try:
if fn == '-':
process_one_file(sys.stdin)
else:
with open(fn, 'rb') as f:
process_one_file(f)
except Exception:
lib/fuzzing/decode_ndr_X: print less by default, avoid pipe ndrdump can now take base64 input directly. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:35:40 +03:00
print_if_verbose("Error processing %s\n" % fn)
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
if args.ignore_errors:
continue
raise
fuzzing/decode_ndr_X: read crashes from a HONGGFUZZ report In theory, you should be able to run honggfuzz and go $ lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ-REPORT.txt > crash-crash-crash.sh Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:57:02 +03:00
if args.honggfuzz_file:
print_if_verbose(f"looking at {args.honggfuzz_file}")
with open(args.honggfuzz_file) as f:
pipe = None
crash = None
for line in f:
m = re.match(r'^\s*fuzzTarget\s*:\s*bin/fuzz_ndr_(\w+)\s*$', line)
if m:
pipe = m.group(1)
print_if_verbose(f"found pipe {pipe}")
m = re.match(r'^FUZZ_FNAME: (\S+)$', line)
if m:
crash = m.group(1)
fuzz/decode_ndr_X_crash: -f to filter crashes by regex If you go: $ ./lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ_REPORT.txt -f 'SIG[^V]' > ./crash.sh you will get all the crashes and not the timeouts (which have SIGVTALARM). Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-06 01:10:05 +03:00
if args.crash_filter is not None:
if not re.search(args.crash_filter, crash):
print_if_verbose(f"skipping {crash}")
pipe = None
crash = None
continue
fuzzing/decode_ndr_X: read crashes from a HONGGFUZZ report In theory, you should be able to run honggfuzz and go $ lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ-REPORT.txt > crash-crash-crash.sh Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-04 01:57:02 +03:00
print_if_verbose(f"found crash {crash}")
if pipe is not None and crash is not None:
with open(crash, 'rb') as f:
process_one_file(f)
pipe = None
crash = None
fuzzing: Add script decode_ndr_X_crash to decode crash results This interprets a file that crashes an fuzz_ndr_X binary Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-05 04:26:56 +03:00
main()
Copy Permalink