1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

103 Commits

Author SHA1 Message Date
Andreas Schneider
d0b2c27d2f lib:fuzzing: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andrew Bartlett
e36a4149d8 librpc/idl: Remove DCOM and WMI IDL
As hinted in f2416493c0 the DCOM and WMI
IDL is now unused.  These generate code with PIDL, costing a small
amount of build time but more importantly are fuzzed, which costs an
ongoing amount of CPU time as oss-fuzz tries to find parsing issues.

We do not need to continue this waste, and these can be restored
if this effort is ever to start again.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Douglas Bagnall
f050124a96 lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds
If this patch is applied, and an environment variable is set, all
access_check calls will be recorded as seeds for
fuzz_security_token_vs_descriptor. See the patch for details.

You probably will never want to apply this patch, but it is here just
in case.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
9ea606dad1 lib/fuzzing: adapt fuzz_sddl_access_check for AD variant
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
89b02bad3e lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant
This of course doesn't exercise the object tree or default SID code,
but it still covers a lot to the *_ds access_check functions.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
eb2bed3899 lib/fuzzing: add fuzzer for arbitrary token/sd access checks
The token and descriptor are stored in NDR format; for this purpose we
add a new IDL struct containing this pair (along with a desired access
mask).

An upcoming commit will show how to collect seeds for this fuzzer.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
5ad28bd760 lib/fuzzing: add fuzz_sddl_access_check
This fuzzer parses SDDL into a security descriptor and runs an access
check on it using a known security token. This is purely for crash
detection -- we don't know enough to assert whether the check should
succeed or not.

The seed strings used are compatible with those of fuzz_sddl_parse --
anything found by fuzz_sddl_parse is worth trying as a seed here, and
vice versa.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
9ab0d65fc0 lib/fuzzing: add fuzzer for sddl_parse
Apart from catching crashes in the actual parsing, we abort if the SD
we end up with will not round trip back through SDDL to an identical
SD.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Andreas Schneider
1bfa2c2938 lib:fuzzing: Fix code spelling
Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-03 03:56:35 +00:00
Douglas Bagnall
e7489be7be fuzz: fix lzxpress plain round-trip fuzzer
The 'compressed' string can be about 9/8 the size of the decompressed
string, but we didn't allow enough memory in the fuzz target for that.
Then when it failed, we didn't check.

Credit to OSSFuzz.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-19 22:32:35 +00:00
Douglas Bagnall
e58e993504 fuzz: add fuzz_lzxpress_huffman_round_trip
This compresses some data, decompresses it, and asserts that the
result is identical to the original string.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-12-01 22:56:39 +00:00
Douglas Bagnall
307aded670 fuzz: add fuzz_lzxpress_huffman_compress
This differs from fuzz_lzxpress_huffman_round_trip (next commit) in
that the output buffer might be too small for the compressed data, in
which case we want to see an error and not a crash.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-12-01 22:56:39 +00:00
Douglas Bagnall
cda3c1a227 fuzz: add fuzz_lzxpress_huffman_decompress
Most strings will not successfully decompress, which is OK. What we
care about of course is memory safety.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-12-01 22:56:39 +00:00
Douglas Bagnall
e24efb88ef fuzz: add fuzzers for stable_sort
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-12-01 22:56:39 +00:00
Andreas Schneider
233a0cd6de lib:fuzzing: Fix shellcheck errors in build_samba.sh
lib/fuzzing/oss-fuzz/build_samba.sh:24:27: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2022-08-17 10:08:35 +00:00
Douglas Bagnall
8a91ffa6bd fuzz: add lzxpress compress/decompress round-trip
We say it is an error to end up at a different result.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-05-12 02:22:35 +00:00
Douglas Bagnall
6c9fd8fbdb fuzz: add fuzz_lzxpress_compress
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-05-12 02:22:35 +00:00
Stefan Metzmacher
10d69da1d3 lib/fuzzing/README.md: don't use waf directly
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-29 22:32:32 +00:00
Andreas Schneider
1e88064170 lib:fuzzing: Reformat shell scripts
shfmt -f lib/fuzzing/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-02-24 09:15:34 +00:00
Volker Lendecke
a7c65958a1 s3:rpc_server: Activate samba-dcerpcd
This is the big switch to use samba-dcerpcd for the RPC services in
source3/. It is a pretty big and unordered patch, but I don't see a
good way to split this up into more manageable pieces without
sacrificing bisectability even more. Probably I could cut out a few
small ones, but a major architechtural switch like this will always be
messy.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Andreas Schneider
fc69206f8b lib:fuzzing: Fix quoting of --fuzz-target-ldflags
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Mon Oct  4 11:36:06 UTC 2021 on sn-devel-184
2021-10-04 11:36:06 +00:00
Uri Simchoni
4f300d672a fuzzing/oss-fuzz: strip RUNPATH from dependencies
Strip all RUNPATH headers from all dependency shared objects that
we copy to the fuzzing target, as those libraries aren't placed
in their original place.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-09 00:53:54 +00:00
Uri Simchoni
f94b1d3b31 fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04
Add a linker flag to generate fuzzer binaries with an RPATH
header instead of RUNPATH.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-09 00:53:54 +00:00
Uri Simchoni
541f9ee5ab fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era
Remove what appears to be a copy+paste error in one place, and
explain that RPATH/RUNPATH is set by the linker, not by chrpath
utility.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-09 00:53:54 +00:00
Uri Simchoni
2fe8d3eeac fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04
Update the build_image.sh script to install Ubuntu 20.04 packages
instead of Ubuntu 16.04 on the oss-fuzz container - this will
allow the oss-fuzz container to be based on Ubuntu 20.04.

REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-09 00:53:54 +00:00
Douglas Bagnall
16c28b367d fuzz: add fuzz_parse_lpq_entry
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-05 04:16:34 +00:00
Douglas Bagnall
0cb833b32c fuzz: fix multiple comment headers
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-05 04:16:34 +00:00
Samuel Cabrero
49a0f6170b oss-fuzz: Update build script to be compatible with rpm distros
The /etc/default/locale file does not exists in the rpm family distros
so the do_build.sh script failed with:

./lib/fuzzing/oss-fuzz/do_build.sh: line 31: /etc/default/locale: No
such file or directory

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Tue Apr  6 15:54:54 UTC 2021 on sn-devel-184
2021-04-06 15:54:54 +00:00
Douglas Bagnall
fb229276e4 fuzz:afl main: run the initialisation function
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:32 +00:00
Douglas Bagnall
e0dd4d0ac0 fuzz: add a LLVMFuzzerInitialize() to all fuzzers
To compile the AFL binaries, we need every fuzzer to have a consistent
set of functions. Some fuzzers require the initialize function, so all
the rest must have an empty one.

AFL binaires are handy for testing the fuzz results in a less magical
environment than libfuzzer/honggfuzz give you.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:32 +00:00
Douglas Bagnall
17602fefde fuzz:afl main: add a diagnostic message
LLVMFuzzerTestOneInput() NEVER returns non-zero, but if it does, we might as well
know what made it do so

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:32 +00:00
Douglas Bagnall
c9f51f1672 fuzz/afl main: don't treat fuzzer as fuzzee
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:32 +00:00
Andrew Bartlett
8f66ce0a3d oss-fuzz: Add very verbose explaination for RPATH vs RUNPATH
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Oct 23 00:33:57 UTC 2020 on sn-devel-184
2020-10-23 00:33:57 +00:00
Andrew Bartlett
a57702db1d oss-fuzz: Always run the check, even on the oss-fuzz platform
It is much harder to determine why we get messages like
    Step #6: Error occured while running fuzz_reg_parse:
    Step #6: /workspace/out/coverage/fuzz_reg_parse: error while loading shared libraries: libavahi-common.so.3: cannot open shared object file: No such file or directory
instead this detects the failure to use RPATH (which is
strictly required instead of the modern RUNPATH)
otherwise.

We do this by creating a new build_samba.sh after renaming
build_samba.sh to do_build.sh because this is what oss-fuzz
runs, meaning we don't need to coordinate a MR there as well.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-22 23:08:31 +00:00
Andrew Bartlett
b5f8073431 oss-fuzz: update comment to reference RPATH for the static-ish binaries
We strictly require RPATH, so fix the comment to avoid mentioning
the modern RUNPATH which is almost but not entirely similar.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-22 23:08:31 +00:00
Andrew Bartlett
c03a265030 oss-fuzz: standardise on RPATH for the static-ish binaries
This includes a revert of commit e60df21499.

We strictly require RPATH, not the modern RUNPATH for the behaviour
we need in oss-fuzz, which is that not just the first line of dependencies
but the full set of libraries used by the program are looked for in the
'$ORIGIN/lib' directory.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Oct 22 14:10:04 UTC 2020 on sn-devel-184
2020-10-22 14:10:04 +00:00
Andrew Bartlett
048725080b fuzzing: Improve robustness and documentation of the ldd-base library copy
This tries to make progress towards understanding why we sometime see errors like
Step #6: Error occured while running fuzz_reg_parse:
Step #6: /workspace/out/coverage/fuzz_reg_parse: error while loading shared libraries: libavahi-common.so.3: cannot open shared object file: No such file or directory

in the previously failing coverage builds.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-22 12:47:37 +00:00
Andrew Bartlett
d031391bed fuzzing: Fix the oss-fuzz coverage build
It was long thought that the issue here was that no seed corpus was
provided, but actually the issue is that to obtain coverage output
just as we already know for gcc gcov, you must provide fuzzing flags
to both the compile and link phase.

Thankfully clang as a linker does not mind the strange non-linker options
from $COVERAGE_FLAGS.

REF: https://stackoverflow.com/questions/56112019/clang-does-not-generate-profraw-file-when-linking-manually
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19495#c48

Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 21 23:07:37 UTC 2020 on sn-devel-184
2020-10-21 23:07:37 +00:00
Douglas Bagnall
9dfeb81d08 fuzz/oss-fuzz/build_samba: fetch fuzz seeds
There is a git repository at
https://gitlab.com/samba-team/samba-fuzz-seeds that contains the
seeds. When the master branch of that repository is updated, a CI job
runs that creates a zip file of all the seeds as an artifact. That zip
file is downloaded and unpacked by oss_fuzz/build_samba. The contents
of that zip are further zips that contain the seeds for each fuzzing
binary; these are placed next to the binaries in the manner that
oss-fuzz expects.

That is, beside 'fuzz_foo', we put 'fuzz_foo_seed_corpus.zip' which
contains a pile of fuzz_foo seeds.

There may be times when a new fuzz target does not have a seed corpus,
and times when a removed fuzz target leaves behind a seed corpus.
This is OK, so we don't insist on an exact match between the target
names and the zip names, only that there is some overlap.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 21 03:47:35 UTC 2020 on sn-devel-184
2020-10-21 03:47:35 +00:00
Douglas Bagnall
6d388da765 fuzz/oss-fuzz/build-samba: note the calling site
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-21 02:28:38 +00:00
Douglas Bagnall
be51499f7d fuzzing/README: link to wiki
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-21 02:28:38 +00:00
Douglas Bagnall
930695b04d fuzz_dcerpc_parse_binding: don't leak
Also, by not tallocing at all in the too-long case, we can short
circuit quicker.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 20 02:26:40 UTC 2020 on sn-devel-184
2020-10-20 02:26:40 +00:00
Douglas Bagnall
2541f67c67 fuzz: add fuzz_cli_credentials_parse_string
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Douglas Bagnall
e721dfc833 fuzz: add fuzz_dcerpc_parse_binding
We parse a binding and do a few tricks with it, including turning it
into a tower and back.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:39 +00:00
Andrew Bartlett
e60df21499 oss-fuzz: standardise on RUNPATH for the static-ish binaries
We use ld.bfd for the coverage builds, rather than the faster ld.gold.

We run the oss-fuzz autobuild target on Ubuntu 16.04 to more closely
mirror the environment provided by the Google oss-fuzz build
container.

On Ubuntu 16.04, when linking with ld.bfd built binaries get a RPATH,
but builds in Ubuntu 18.04 and those using ld.gold get a RUNPATH.

Just convert them all to RUNPATH to make the check_build.sh test (run
by the oss-fuzz autobuild target) easier.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-09-11 03:43:40 +00:00
Andrew Bartlett
830c020645 oss-fuzz: Ensure a UTF8 locale is set for the samba build
This ensures that LANG=en_US.UTF8 is set, which
Samba's build system needs to operate in UTF8 mode.

The change to use flex to generate code meant that this
difference between GitLab CI and oss-fuzz was exposed.

REF: https://github.com/google/oss-fuzz/pull/4366

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 26 03:20:46 UTC 2020 on sn-devel-184
2020-08-26 03:20:45 +00:00
Andrew Bartlett
49f58b2b09 oss-fuzz: Try harder to ensure we always fail fast
During a previous attempt to fix the LANG= issue I changed
the script invocation to be via a shell, so the set -x et al
ensures these are always in place and we fail fast
rather than failures only being detected by lack of output.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-26 01:57:33 +00:00
Douglas Bagnall
326bc84c0d oss-fuzz: use uninstrumented dynamic python
We can't link to the instrumented statically built Python, so instead
we use the system Python in the docker image.

REF: https://github.com/google/oss-fuzz/issues/4223
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22618
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14451

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-03 02:51:35 +00:00
Gary Lockyer
3149ea0a8a CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode
Add search request size limits to ldap_decode calls.

The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:32 +00:00
Gary Lockyer
f467727db5 CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:31 +00:00