From cc17c3e21dfc88f5344696b53686b233f4419c28 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 21 Jul 2023 10:51:29 +1200 Subject: [PATCH] lib/fuzzing: adjust access-check seed patch Now that access_check.c includes headers for conditional ACEs, the patch should take that into account. Also, we check for a talloc failure. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- .../patches/collect-access-check-seeds.txt | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/lib/fuzzing/patches/collect-access-check-seeds.txt b/lib/fuzzing/patches/collect-access-check-seeds.txt index 75e2b29226b..db85f40c22f 100644 --- a/lib/fuzzing/patches/collect-access-check-seeds.txt +++ b/lib/fuzzing/patches/collect-access-check-seeds.txt @@ -1,4 +1,4 @@ -From bf2adac3a271fae551a726dc21dc9111bd7320be Mon Sep 17 00:00:00 2001 +From b461fdf28c71b54ad5ebe663ea09212856e61973 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Mon, 17 Jul 2023 16:17:16 +1200 Subject: [PATCH 1/2] libcli/security: save access check attempts for fuzz @@ -36,23 +36,23 @@ down much, but it will capture your SIDs and ACLs. Signed-off-by: Douglas Bagnall --- - libcli/security/access_check.c | 76 ++++++++++++++++++++++++++++++++++ - 1 file changed, 76 insertions(+) + libcli/security/access_check.c | 79 ++++++++++++++++++++++++++++++++++ + 1 file changed, 79 insertions(+) diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c -index 81bacc90e78..9c3e4cfe966 100644 +index 1364a15f4dd..d79a247455a 100644 --- a/libcli/security/access_check.c 
+++ b/libcli/security/access_check.c -@@ -24,6 +24,8 @@ - #include "replace.h" - #include "lib/util/debug.h" +@@ -26,6 +26,8 @@ #include "libcli/security/security.h" + #include "librpc/gen_ndr/conditional_ace.h" + #include "libcli/security/conditional_ace.h" +#include "ndr/libndr.h" +#include "gen_ndr/ndr_security.h" /* Map generic access rights to object specific rights. This technique is used to give meaning to assigning read, write, execute and all access to -@@ -103,6 +105,74 @@ void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mappi +@@ -105,6 +107,77 @@ void se_map_standard(uint32_t *access_mask, const struct standard_mapping *mappi } } @@ -101,6 +101,9 @@ index 81bacc90e78..9c3e4cfe966 100644 + } + } + tmp_ctx = talloc_new(NULL); ++ if (tmp_ctx == NULL) { ++ return false; ++ } + + n++; + ndr_err = ndr_push_struct_blob( @@ -127,7 +130,7 @@ index 81bacc90e78..9c3e4cfe966 100644 /* perform a SEC_FLAG_MAXIMUM_ALLOWED access check */ -@@ -115,6 +185,8 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, +@@ -117,6 +190,8 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd, bool have_owner_rights_ace = false; unsigned i; @@ -136,7 +139,7 @@ index 81bacc90e78..9c3e4cfe966 100644 if (sd->dacl == NULL) { if (security_token_has_sid(token, sd->owner_sid)) { switch (implicit_owner_rights) { -@@ -211,6 +283,8 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor +@@ -222,6 +297,8 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor bool am_owner = false; bool have_owner_rights_ace = false; 
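Review bot: The `return false` added after `talloc_new(NULL)` in the `@@ -101,6 +101,9 @@` hunk drops the seed without leaving any trace, so a collection run under memory pressure can yield an incomplete corpus with nothing in the logs to explain the gap. A one-line message before the return, for example `DBG_ERR("talloc failed, access check seed not saved\n");`, would make the failure visible. The check sits ahead of `n++`, so the counter is not advanced on this path, which looks intended. The enclosing function starts and ends outside this hunk and its call sites are not shown, so it should be confirmed that callers treat a `false` result as non-fatal to the access check itself.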
@@ -145,7 +148,7 @@ index 81bacc90e78..9c3e4cfe966 100644 *access_granted = access_desired; bits_remaining = access_desired; -@@ -528,6 +602,8 @@ NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd +@@ -613,6 +690,8 @@ NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd uint32_t bits_remaining; struct dom_sid self_sid; @@ -158,7 +161,7 @@ index 81bacc90e78..9c3e4cfe966 100644 2.34.1 -From d79328bdac90ed16b9162cbfe10a4ed8bedbc073 Mon Sep 17 00:00:00 2001 +From 12bf242cece202658fe61f1c7408709d092632ea Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Tue, 18 Jul 2023 16:07:11 +1200 Subject: [PATCH 2/2] scripts: a script for deduplicating fuzz-seeds