1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

120 Commits

Author SHA1 Message Date
Andrew Bartlett
a57702db1d oss-fuzz: Always run the check, even on the oss-fuzz platform
It is much harder to determine why we get messages like
    Step #6: Error occured while running fuzz_reg_parse:
    Step #6: /workspace/out/coverage/fuzz_reg_parse: error while loading shared libraries: libavahi-common.so.3: cannot open shared object file: No such file or directory
instead this detects the failure to use RPATH (which is
strictly required instead of the modern RUNPATH)
otherwise.

We do this by creating a new build_samba.sh after renaming
build_samba.sh to do_build.sh because this is what oss-fuzz
runs, meaning we don't need to coordinate a MR there as well.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-22 23:08:31 +00:00
Andrew Bartlett
b5f8073431 oss-fuzz: update comment to reference RPATH for the static-ish binaries
We strictly require RPATH, so fix the comment to avoid mentioning
the modern RUNPATH which is almost but not entirely similar.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-22 23:08:31 +00:00
Andrew Bartlett
c03a265030 oss-fuzz: standardise on RPATH for the static-ish binaries
This includes a revert of commit e60df21499.

We strictly require RPATH, not the modern RUNPATH for the behaviour
we need in oss-fuzz, which is that not just the first line of dependencies
but the full set of libraries used by the program are looked for in the
'$ORIGIN/lib' directory.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Oct 22 14:10:04 UTC 2020 on sn-devel-184
2020-10-22 14:10:04 +00:00
Andrew Bartlett
048725080b fuzzing: Improve robustness and documentation of the ldd-base library copy
This tries to make progress towards understanding why we sometime see errors like
Step #6: Error occured while running fuzz_reg_parse:
Step #6: /workspace/out/coverage/fuzz_reg_parse: error while loading shared libraries: libavahi-common.so.3: cannot open shared object file: No such file or directory

in the previously failing coverage builds.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-22 12:47:37 +00:00
Andrew Bartlett
d031391bed fuzzing: Fix the oss-fuzz coverage build
It was long thought that the issue here was that no seed corpus was
provided, but actually the issue is that to obtain coverage output
just as we already know for gcc gcov, you must provide fuzzing flags
to both the compile and link phase.

Thankfully clang as a linker does not mind the strange non-linker options
from $COVERAGE_FLAGS.

REF: https://stackoverflow.com/questions/56112019/clang-does-not-generate-profraw-file-when-linking-manually
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19495#c48

Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 21 23:07:37 UTC 2020 on sn-devel-184
2020-10-21 23:07:37 +00:00
Douglas Bagnall
9dfeb81d08 fuzz/oss-fuzz/build_samba: fetch fuzz seeds
There is a git repository at
https://gitlab.com/samba-team/samba-fuzz-seeds that contains the
seeds. When the master branch of that repository is updated, a CI job
runs that creates a zip file of all the seeds as an artifact. That zip
file is downloaded and unpacked by oss_fuzz/build_samba. The contents
of that zip are further zips that contain the seeds for each fuzzing
binary; these are placed next to the binaries in the manner that
oss-fuzz expects.

That is, beside 'fuzz_foo', we put 'fuzz_foo_seed_corpus.zip' which
contains a pile of fuzz_foo seeds.

There may be times when a new fuzz target does not have a seed corpus,
and times when a removed fuzz target leaves behind a seed corpus.
This is OK, so we don't insist on an exact match between the target
names and the zip names, only that there is some overlap.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 21 03:47:35 UTC 2020 on sn-devel-184
2020-10-21 03:47:35 +00:00
Douglas Bagnall
6d388da765 fuzz/oss-fuzz/build-samba: note the calling site
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-21 02:28:38 +00:00
Douglas Bagnall
be51499f7d fuzzing/README: link to wiki
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-21 02:28:38 +00:00
Douglas Bagnall
930695b04d fuzz_dcerpc_parse_binding: don't leak
Also, by not tallocing at all in the too-long case, we can short
circuit quicker.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 20 02:26:40 UTC 2020 on sn-devel-184
2020-10-20 02:26:40 +00:00
Douglas Bagnall
2541f67c67 fuzz: add fuzz_cli_credentials_parse_string
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Douglas Bagnall
e721dfc833 fuzz: add fuzz_dcerpc_parse_binding
We parse a binding and do a few tricks with it, including turning it
into a tower and back.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:39 +00:00
Andrew Bartlett
e60df21499 oss-fuzz: standardise on RUNPATH for the static-ish binaries
We use ld.bfd for the coverage builds, rather than the faster ld.gold.

We run the oss-fuzz autobuild target on Ubuntu 16.04 to more closely
mirror the environment provided by the Google oss-fuzz build
container.

On Ubuntu 16.04, when linking with ld.bfd built binaries get a RPATH,
but builds in Ubuntu 18.04 and those using ld.gold get a RUNPATH.

Just convert them all to RUNPATH to make the check_build.sh test (run
by the oss-fuzz autobuild target) easier.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-09-11 03:43:40 +00:00
Andrew Bartlett
830c020645 oss-fuzz: Ensure a UTF8 locale is set for the samba build
This ensures that LANG=en_US.UTF8 is set, which
Samba's build system needs to operate in UTF8 mode.

The change to use flex to generate code meant that this
difference between GitLab CI and oss-fuzz was exposed.

REF: https://github.com/google/oss-fuzz/pull/4366

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 26 03:20:46 UTC 2020 on sn-devel-184
2020-08-26 03:20:45 +00:00
Andrew Bartlett
49f58b2b09 oss-fuzz: Try harder to ensure we always fail fast
During a previous attempt to fix the LANG= issue I changed
the script invocation to be via a shell, so the set -x et al
ensures these are always in place and we fail fast
rather than failures only being detected by lack of output.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-26 01:57:33 +00:00
Douglas Bagnall
326bc84c0d oss-fuzz: use uninstrumented dynamic python
We can't link to the instrumented statically built Python, so instead
we use the system Python in the docker image.

REF: https://github.com/google/oss-fuzz/issues/4223
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22618
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14451

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-03 02:51:35 +00:00
Gary Lockyer
3149ea0a8a CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode
Add search request size limits to ldap_decode calls.

The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:32 +00:00
Gary Lockyer
f467727db5 CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:31 +00:00
Gary Lockyer
2ba2ce40f9 fuzzing: ndr set global_max_recursion.
Set global_max_recursion to 128, to ensure the fuzzer does not trip the
ASAN maximum stack depth which seems to be about 256?

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-27 01:02:32 +00:00
Douglas Bagnall
6c7b722b3f fuzz_oLschema2ldif: check multiple possible NULLs
Address sanitizer will object to a theoretically possible NULL dereference
so we can't ignore these checks in set-up.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jan 17 14:33:18 UTC 2020 on sn-devel-184
2020-01-17 14:33:18 +00:00
Douglas Bagnall
6786ec2c96 fuzzing: check for NULL on ldb_init()
We simply return 0 because failure here is not a problem with the code we
are actually trying to fuzz. Without this asan is unhappy.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-01-17 12:59:35 +00:00
Douglas Bagnall
0fcc2e9319 fuzz: add nmblib/parse_packet target
We want to ensure that parse_packet() can parse a packet without
crashing, and that that parsed packet won't cause trouble further down
the line.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed Jan 15 21:24:31 UTC 2020 on sn-devel-184
2020-01-15 21:24:31 +00:00
Douglas Bagnall
f4bafcca86 fuzz: ldb binary decode/enode
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-15 19:58:41 +00:00
Douglas Bagnall
da4786003f fuzz: add ldb ldif fuzzer
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-15 19:58:41 +00:00
Douglas Bagnall
13bd82db64 fuzz: ldb_dn parsing
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-01-15 19:58:41 +00:00
Douglas Bagnall
beb386b584 fuzz: add a fuzzer for parsing ldb controls
We have had issues here in the past.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jan 12 21:21:30 UTC 2020 on sn-devel-184
2020-01-12 21:21:30 +00:00
Douglas Bagnall
1d35962128 fuzz_ldap_decode: do not print to stdout
The fuzzer doesn't care and it slows things down

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-01-12 19:50:37 +00:00
Douglas Bagnall
e1c6e7d18b decode_ndr_X_crash: always find pipe in honggfuzz file
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-01-12 19:50:37 +00:00
Andrew Bartlett
5eac5813cc lib/fuzzing and librpc: Do not generate fuzzers for pointless targets
We need to focus the fuzzing effort on reachable code, and these IDL
are just historical artifacts, many are entirely [todo] and have
no samba client nor server.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-18 06:39:26 +00:00
Andrew Bartlett
bbc4ebbcaf lib/fuzzer: Allow coverage build for oss-fuzz
This still does not seem to be enough but it is one step towards a working
coverage build.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-18 06:39:26 +00:00
Andrew Bartlett
5a989d6670 lib/fuzzing: Allow load of fuzz inputs as files on the command line
This is easier to put under gdb.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-18 06:39:26 +00:00
Andrew Bartlett
66d12eb98a lib/fuzzing: Initialise st buffer in fuzz_ndr_X
An NDR pull of a function will fill in either the in. or out.
elements of this structure, but never both.

However, some structures have size_is() in the out. that reference
the in. elements.  This is the reason for the --context-file option
in ndrdump.

We have a special handler in the fuzzing case embedded in the
pidl-generated output to cope with this, by filling in pointers
for elements declared [ref,in] but it relies on the in-side
(at least) of the buffer being zeroed.

So zero the buffer before we start.  Sadly this means things
like valgrind can not find a use of uninitialised data, but that
is a price we have to pay.

Credit to OSS-Fuzz

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-18 06:39:26 +00:00
Andrew Bartlett
545711ffea lib/fuzzing: Fix argument order to ldb_filter_from_tree in fuzz_ldb_parse_tree
Found by the oss-fuzz CI tooling.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 11 04:21:28 UTC 2019 on sn-devel-184
2019-12-11 04:21:28 +00:00
Andrew Bartlett
e6fc8e79ae lib/fuzzing: Split up automatically build fuzzers into TYPE_{IN,OUT,STRUCT}
The advise is that a fuzz target should be as small as possible
so we split this up.  Splitting up by function would build too
many fuzzers, but this should help a little.

See for example:
https://github.com/google/fuzzing/blob/master/docs/good-fuzz-target.md#large-apis

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Andrew Bartlett
6e5aefc2d3 lib/fuzzing: Ensure mem_ctx is freed each time fuzz_ldb_parse_tree is run
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Andrew Bartlett
0be0c044b6 autobuild: extend autobuild with samba-fuzz job to build the fuzzers in AFL mode using oss-fuzz scripts
This helps ensure the build_samba.sh file keeps working and the fuzzers build
(because they are excluded from the main build).

This is not in the default autobuild because it uses too much
space on sn-devel (4GB).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Andrew Bartlett
8b06cabc7d bootstrap: Add chrpath as a required package
This is used to test build.sh, part of the oss-fuzz integration, and so also that we
correctly build our fuzzers.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 10 09:15:43 UTC 2019 on sn-devel-184
2019-12-10 09:15:43 +00:00
Andrew Bartlett
4c8388fb19 lib/fuzzing Truncate the original files after RUNPATH manipulation in build.sh
This saves space on the rackspace runners in particular.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
5e5d18c5b1 lib/fuzzing Add comments to explain RUNPATH manipulation in build.sh
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
5bb9ecdf15 lib/fuzzing: Support an oss-fuzz build with either address or undefined behaviour sanitizers
Add handler for $SANITIZER in build.sh

This allows a build with the undefined behaviour sanitizer.

Otherwise we fail the oss-fuzz CI because the UBSan build links with ASan.

Once this in in then https://github.com/google/oss-fuzz/pull/3094
can be merged to oss-fuzz.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
f79caf3b6b lib/fuzzing: Remove oss-fuzz build.sh stub from the Samba repo
We need to ship the stub build.sh in the oss-fuzz repo, not ours.
This is because otherwise the travis CI checks skip the build
(it thinks we are not set up yet, or have been disabled).

See https://github.com/google/oss-fuzz/pull/3094 for the PR
creating a similar file there.  This is very similar to how
janus-gateway operates, so this is an accepted pattern.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
8382fa6408 oss-fuzz: Align build.sh sh parameters with pattern from the oss-fuzz project
We should run build_samba.sh with -eux to ensure we exit on failure,
refuse to use an unset varible and print the commands we are running.

(The suggested build.sh on the oss-fuzz side uses -eu).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Douglas Bagnall
47c7f54995 fuzz/decode_ndr_X_crash: -f to filter crashes by regex
If you go:

$ ./lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ_REPORT.txt -f 'SIG[^V]' > ./crash.sh

you will get all the crashes and not the timeouts (which have SIGVTALARM).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
1d98ced841 lib/fuzzing: Add mode for the AFL fuzzer
This is helpful for ensuring the fuzzers still compile in autobuild as no
library support is required.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
f4ff9a0794 lib/fuzzing: Also confirm we can make a string filter from the parsed tree in fuzz_ldb_parse_tree
This also avoids tree being an unused variable.

This is similar to doing an ndr_push() in ndr_fuzz_X, it
catches some of the cases where the parse is successful but
the application code could misinterpret the structure.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:28 +00:00
Andrew Bartlett
000d86f537 lib/fuzzing: Tell the compiler we know we are ignoring errors in fuzz_reg_parse
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:28 +00:00
Andrew Bartlett
a9a8bcf731 lib/fuzzer: Allow building a fuzz binary for just one interface
This helps direct the fuzzer at a particular function that we are concerned about.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:28 +00:00
Andrew Bartlett
c16e4dcad9 lib/fuzzer: Remove rudundent install=False flag from fuzz_ndr_X build rule
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:28 +00:00
Andrew Bartlett
6f7a9e8788 lib/fuzzing: Link only the required NDR_ subsystems into ndr_fuzz_X binaries
This reduces the binary size and shows that we are linked against the correct
ndr_table_ global variable.  This might help the fuzzing engine know there
is not much more of the binary to find if unreachable code is not included.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:28 +00:00
Douglas Bagnall
c35fe03a63 fuzzing/decode_ndr_X: read crashes from a HONGGFUZZ report
In theory, you should be able to run honggfuzz and go

$ lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ-REPORT.txt > crash-crash-crash.sh

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 07:50:28 +00:00
Douglas Bagnall
afe866086c lib/fuzzing/decode_ndr_X: print less by default, avoid pipe
ndrdump can now take base64 input directly.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 07:50:28 +00:00
Douglas Bagnall
c0043e2352 fuzzing: Add script decode_ndr_X_crash to decode crash results
This interprets a file that crashes an fuzz_ndr_X binary

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 07:50:28 +00:00
Douglas Bagnall
7b265830ad lib/fuzzing: add fuzz_ndr_X
This NDR fuzzer links with each "interface" in the IDL files to
create avsingle binary.  This tries to matches what the fuzzing
engines desire.

It started as a copy of ndrdump but very little of that remains
in place.

The fancy build rules try to avoid needing a lof of boilerplate
in the wscript_build files and ensure new fuzzers are generated
and run when new IDL is added automatically.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 07:50:28 +00:00
Andrew Bartlett
f8947538b5 lib/fuzzing: Add oss-fuzz info to README.md
Note that Samba has not been accepted yet, but will be soon once some requirements
are addressed per:

https://github.com/google/oss-fuzz/pull/2993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 21 00:45:33 UTC 2019 on sn-devel-184
2019-11-21 00:45:33 +00:00
Andrew Bartlett
cc128c7885 lib/fuzzing/oss-fuzz: copy required libraries to the build target
This is an alternative to static linking as we do not have static source
libraries for all the things we depend on.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-11-20 23:19:36 +00:00
Andrew Bartlett
4946811eb6 lib/fuzzing/oss-fuzz: Install chrpath as we use it in the build.sh script to set -rpath
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-11-20 23:19:35 +00:00
Douglas Bagnall
fbb2377d51 lib/fuzzing/oss-fuzz: Add build_image.sh using Samba's bootstrap tools
Google's oss-fuzz environment is Ubuntu 16.04 based so we can
just use the maintained bootstrap system rather than a manual
package list here that will get out of date.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-20 23:19:35 +00:00
Andrew Bartlett
ec4f6f8fd3 lib/fuzzing/oss-fuzz: add stub build.sh that will not change often
This makes local development of build_samba.sh easier as it will remain in the source tree.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-11-20 23:19:35 +00:00
Andrew Bartlett
f57c0238e9 lib/fuzzing/oss-fuzz: Add build_samba.sh for oss-fuzz
We work hard to put the primary logic for oss-fuzz here, and
where possible into waf, so that only a tiny stub needs to
be maintained in the Google oss-fuzz repo.

This will be called by build.sh (not copied directly because
it is too easy to forget to copy in an updated version when
doing development in the docker image).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-11-20 23:19:35 +00:00
Andrew Bartlett
92ee647858 lib/fuzzing: Use --fuzz-target-ldflags if specified
This makes integration with oss-fuzz possible.  Only the fuzzer binaries should be
linked with libFuzzer, not things like asn1_compile, so this can not be done via
the global ADDITIONAL_LDFLAGS.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-11-20 23:19:35 +00:00
Douglas Bagnall
cb24051097 build: Set fuzzer=True on fuzzer binaries
This ensures that the binaries are the only binaries built
when configured for fuzzing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-20 23:19:35 +00:00
Andrew Bartlett
d6fbfb276c lib/fuzzing: Free memory after successful load in fuzz_tiniparser
Otherwise we have a memory leak and so fail the Google oss-fuzz check_build test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 18 21:02:52 UTC 2019 on sn-devel-184
2019-11-18 21:02:52 +00:00
Andrew Bartlett
43bc0b2c76 lib/fuzzing: Avoid NULL pointer de-ref from 0-length input
fmemopen() does not like 0-length input.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-11-18 19:39:30 +00:00
Michael Hanselmann
c4e902be72 Add fuzzing binary for ldb_parse_tree
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-10-18 07:31:45 +00:00
Michael Hanselmann
de7c78335d Add fuzzing binary for ldap_decode
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-10-18 07:31:45 +00:00
Michael Hanselmann
f9c39237ad Add fuzzing binary for lzxpress
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-10-18 07:31:45 +00:00
Michael Hanselmann
a42a5a42f7 Add fuzzing binary for regfio
Checksums are better ignored during fuzzing, hence a flag is added to
the regfio parser to disable checksums.

Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-10-18 07:31:45 +00:00
Michael Hanselmann
e477a94ffd Add fuzzing binary for reg_parse
A temporary file is used to store the fuzzing input.

Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2019-10-18 07:31:45 +00:00
Michael Hanselmann
39e2f6d59f Add fuzzing binary for oLschema2ldif
Use the oLschema2ldif library functions introduced in commit
0c7c44a284 to implement a fuzzing utility.

Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-08-07 06:07:28 +00:00
Michael Hanselmann
404278d947 Add fuzzing binary for tiniparser
The "tiniparser_load" function is made into a wrapper for the newly
added "tiniparser_load_stream" function which accepts a FILE pointer.
This way no actual files have to be opened for fuzzing (memfd_create(2)
isn't readily available on all systems yet).

Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-08-07 06:07:28 +00:00
Michael Hanselmann
dd5f8732d8 Add fuzzing support to build system
LibFuzzer, Honggfuzz and other programs implement simple interfaces for
fuzzing appropriately prepared code. Samba contains quite a lot of
parsing code, often a good target for fuzzing.

With this change the build system is amended to support building fuzzing
binaries (added in later changes).

Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-08-07 06:07:28 +00:00