mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
b4563a2490
The encoder, being cautious not to overstep the arbitrary 10000 byte boundary, might not encode an exactly 10000 byte condition. This is an off-by-one, but in the safe direction. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65118 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Dec 22 00:51:13 UTC 2023 on atb-devel-224
157 lines
4.0 KiB
C
157 lines
4.0 KiB
C
/*
|
|
Fuzz conditional ace decoding and encoding
|
|
Copyright (C) Catalyst IT 2023
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "replace.h"
|
|
#include "libcli/security/security.h"
|
|
#include "lib/util/attr.h"
|
|
#include "librpc/gen_ndr/ndr_security.h"
|
|
#include "libcli/security/conditional_ace.h"
|
|
#include "librpc/gen_ndr/conditional_ace.h"
|
|
#include "fuzzing/fuzzing.h"
|
|
|
|
|
|
#define MAX_LENGTH (1024 * 1024 - 1)
|
|
|
|
|
|
int LLVMFuzzerInitialize(int *argc, char ***argv)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
|
|
int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
|
|
{
|
|
TALLOC_CTX *mem_ctx = NULL;
|
|
bool ok;
|
|
struct ace_condition_script *s1 = NULL;
|
|
struct ace_condition_script *s2 = NULL;
|
|
const char *message = NULL;
|
|
size_t message_offset;
|
|
const char *sddl = NULL;
|
|
DATA_BLOB e1, e2;
|
|
size_t length;
|
|
|
|
if (len > MAX_LENGTH) {
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* In this one we are treating the input data as an ACE blob,
|
|
* and decoding it into the structure and thence SDDL.
|
|
*
|
|
* This doesn't run the conditional ACE, for which we would
|
|
* need a security token.
|
|
*/
|
|
|
|
e1.data = input;
|
|
e1.length = len;
|
|
|
|
mem_ctx = talloc_new(NULL);
|
|
|
|
s1 = parse_conditional_ace(mem_ctx, e1);
|
|
if (s1 == NULL) {
|
|
/* no worries, it was nonsense */
|
|
TALLOC_FREE(mem_ctx);
|
|
return 0;
|
|
}
|
|
|
|
/* back to blob form */
|
|
ok = conditional_ace_encode_binary(mem_ctx, s1, &e2);
|
|
if (! ok) {
|
|
if (e1.length == CONDITIONAL_ACE_MAX_LENGTH) {
|
|
/*
|
|
* This is an edge case where the encoder and
|
|
* decoder treat the boundary slightly
|
|
* differently, and the encoder refuses to
|
|
* encode to the maximum length. This is not
|
|
* an issue in the real world.
|
|
*/
|
|
TALLOC_FREE(mem_ctx);
|
|
return 0;
|
|
}
|
|
abort();
|
|
}
|
|
|
|
if (data_blob_cmp(&e1, &e2) != 0) {
|
|
abort();
|
|
}
|
|
|
|
sddl = sddl_from_conditional_ace(mem_ctx, s1);
|
|
if (sddl == NULL) {
|
|
/*
|
|
* we can't call this a failure, because the blob
|
|
* could easily have nonsensical programs that the
|
|
* SDDL decompiler is unwilling to countenance. For
|
|
* example, it could have an operator that requires
|
|
* arguments as the first token, when of course the
|
|
* arguments need to come first.
|
|
*/
|
|
TALLOC_FREE(mem_ctx);
|
|
return 0;
|
|
}
|
|
|
|
s2 = ace_conditions_compile_sddl(mem_ctx,
|
|
ACE_CONDITION_FLAG_ALLOW_DEVICE,
|
|
sddl,
|
|
&message,
|
|
&message_offset,
|
|
&length);
|
|
if (s2 == NULL) {
|
|
/*
|
|
* We also don't complain when the SDDL decompiler
|
|
* produces an uncompilable program, because the
|
|
* decompiler is meant to be a display tool, not a
|
|
* verifier in itself.
|
|
*/
|
|
TALLOC_FREE(mem_ctx);
|
|
return 0;
|
|
}
|
|
|
|
ok = conditional_ace_encode_binary(mem_ctx, s2, &e2);
|
|
if (! ok) {
|
|
abort();
|
|
}
|
|
|
|
/*
|
|
* It would be nice here to go:
|
|
*
|
|
* if (data_blob_cmp(&e1, &e2) != 0) {
|
|
* abort();
|
|
* }
|
|
*
|
|
* but that isn't really fair. The decompilation into SDDL
|
|
* does not make thorough sanity checks because that is not
|
|
* its job -- it is just trying to depict what is there -- and
|
|
* there are many ambiguous decompilations.
|
|
*
|
|
* For example, a blob with a single literal integer token,
|
|
* say 42, can only really be shown in the SDDL syntax as
|
|
* "(42)", but when the compiler reads that it knows that a
|
|
* literal number is invalid except in a RHS argument, so it
|
|
* assumes "42" is a local attribute name.
|
|
*
|
|
* Even if the decompiler was a perfect verifier, a round trip
|
|
* through SDDL could not be guaranteed because, for example,
|
|
* an 8 bit integer can only be displayed in SDDL in the form
|
|
* that compiles to a 64 bit integer.
|
|
*/
|
|
|
|
TALLOC_FREE(mem_ctx);
|
|
return 0;
|
|
}
|