Print sanitizer stacktrace for execSan bugs. (#7782)

Send SIGABRT to the root process being fuzzed to generate a stacktrace.

Also distinguish between syscall enter and exit.
This commit is contained in:
Oliver Chang 2022-06-01 08:57:27 +10:00 committed by GitHub
parent a4befa22a0
commit 2af5e25a48
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 19 deletions


@ -8,7 +8,7 @@ execSan: execSan.cpp
$(CXX) $(CFLAGS) -lpthread -o $@ $^ $(CXX) $(CFLAGS) -lpthread -o $@ $^
target: target.cpp target: target.cpp
$(CXX) $(CFLAGS) -fsanitize=fuzzer -o $@ $^ $(CXX) $(CFLAGS) -fsanitize=address,fuzzer -o $@ $^
test: all vuln.dict test: all vuln.dict
./execSan ./target -dict=vuln.dict ./execSan ./target -dict=vuln.dict


@ -33,10 +33,8 @@
#include <fstream> #include <fstream>
#include <string> #include <string>
#include <map>
#include <vector> #include <vector>
#include <set>
const std::string kTripWire = "/tmp/tripwire";
#define DEBUG_LOGS 0 #define DEBUG_LOGS 0
@ -57,6 +55,19 @@ const std::string kTripWire = "/tmp/tripwire";
exit(EXIT_FAILURE); \ exit(EXIT_FAILURE); \
} while (0) } while (0)
// The magic string that we'll use to detect full control over the command
// executed.
const std::string kTripWire = "/tmp/tripwire";
// The PID of the root process we're fuzzing.
pid_t g_root_pid;
struct Tracee {
pid_t pid;
bool syscall_enter = true;
Tracee(pid_t pid) : pid(pid) {}
};
pid_t run_child(char **argv) { pid_t run_child(char **argv) {
// Run the program under test with its args as a child process // Run the program under test with its args as a child process
pid_t pid = fork(); pid_t pid = fork();
@ -65,7 +76,7 @@ pid_t run_child(char **argv) {
fatal_log("Fork failed: %s", strerror(errno)); fatal_log("Fork failed: %s", strerror(errno));
case 0: case 0:
raise(SIGSTOP); raise(SIGSTOP);
execv(argv[1], argv + 1); execv(argv[0], argv);
fatal_log("execv: %s", strerror(errno)); fatal_log("execv: %s", strerror(errno));
} }
return pid; return pid;
@ -97,20 +108,25 @@ void inspect(pid_t pid, const user_regs_struct &regs) {
memory.data()), std::min(memory.size(), kTripWire.length())); memory.data()), std::min(memory.size(), kTripWire.length()));
debug_log("inspecting"); debug_log("inspecting");
if (path == kTripWire) { if (path == kTripWire) {
kill(pid, SIGKILL);
fprintf(stderr, "===BUG DETECTED: Shell injection===\n"); fprintf(stderr, "===BUG DETECTED: Shell injection===\n");
// TODO: Get/print stacktrace. // Rely on sanitizers/libFuzzer to produce a stacktrace by sending SIGABRT
_exit(1); // to the root process.
// Note: this may not be reliable or consistent if shell injection happens
// in an async way.
kill(g_root_pid, SIGABRT);
_exit(0);
} }
} }
void trace(std::set<pid_t> pids) { void trace(std::map<pid_t, Tracee> pids) {
while (!pids.empty()) { while (!pids.empty()) {
std::vector<pid_t> new_pids; std::vector<pid_t> new_pids;
auto it = pids.begin(); auto it = pids.begin();
while (it != pids.end()) { while (it != pids.end()) {
auto pid = *it; auto pid = it->first;
auto &tracee = it->second;
int status = 0; int status = 0;
int result = waitpid(pid, &status, __WALL | WNOHANG); int result = waitpid(pid, &status, __WALL | WNOHANG);
@ -161,21 +177,24 @@ void trace(std::set<pid_t> pids) {
} }
if (is_syscall) { if (is_syscall) {
// TODO: distinguish between syscall enter and exit.
user_regs_struct regs; user_regs_struct regs;
if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == -1) { if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == -1) {
debug_log("ptrace(PTRACE_GETREGS, %d): %s", pid, strerror(errno)); debug_log("ptrace(PTRACE_GETREGS, %d): %s", pid, strerror(errno));
continue; continue;
} }
if (regs.orig_rax == __NR_execve) { if (tracee.syscall_enter) {
inspect(pid, regs); if (regs.orig_rax == __NR_execve) {
inspect(pid, regs);
}
} }
// TODO: Check for commands with invalid syntax passed to /bin/sh and // TODO: Check for commands with invalid syntax passed to /bin/sh and
// other shells. // other shells.
// TODO: It's possible the process we're fuzzing can communicate with // TODO: It's possible the process we're fuzzing can communicate with
// another process to execute code. Our check wouldn't catch this // another process to execute code. Our check wouldn't catch this
// currently. // currently.
tracee.syscall_enter = !tracee.syscall_enter;
} }
debug_log("tracing %d %d", pid, sig); debug_log("tracing %d %d", pid, sig);
@ -187,7 +206,9 @@ void trace(std::set<pid_t> pids) {
++it; ++it;
} }
pids.insert(new_pids.begin(), new_pids.end()); for (const auto &pid : new_pids) {
pids.emplace(pid, Tracee(pid));
}
} }
} }
@ -202,11 +223,10 @@ int main(int argc, char **argv) {
tripwire.close(); tripwire.close();
chmod(kTripWire.c_str(), 0755); chmod(kTripWire.c_str(), 0755);
pid_t pid = run_child(argv); pid_t pid = run_child(argv + 1);
long options = long options =
PTRACE_O_EXITKILL PTRACE_O_TRACESYSGOOD
| PTRACE_O_TRACESYSGOOD
| PTRACE_O_TRACEFORK | PTRACE_O_TRACEFORK
| PTRACE_O_TRACEVFORK | PTRACE_O_TRACEVFORK
| PTRACE_O_TRACECLONE; | PTRACE_O_TRACECLONE;
@ -223,7 +243,8 @@ int main(int argc, char **argv) {
fatal_log("ptrace(PTRACE_SYSCALL): %s", strerror(errno)); fatal_log("ptrace(PTRACE_SYSCALL): %s", strerror(errno));
} }
std::set<pid_t> pids; g_root_pid = pid;
pids.insert(pid); std::map<pid_t, Tracee> pids;
pids.emplace(pid, Tracee(pid));
trace(pids); trace(pids);
} }
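Review bot: Dropping `kill(pid, SIGKILL)` in inspect() means the tracee that is entering execve of kTripWire is no longer terminated before the call completes; the tracer now calls `_exit(0)` while that tracee sits in a syscall-enter stop, and tracees are detached and resumed when their tracer exits, so the execve of `/tmp/tripwire` proceeds (what that file does once executed is not visible in this diff). Presumably the kill was removed so a root process that execve's directly can still receive SIGABRT and print its stacktrace, but for the usual fork-then-exec case the injecting child can still be stopped without losing that: `if (pid != g_root_pid) kill(pid, SIGKILL);` placed before `kill(g_root_pid, SIGABRT);`. Relatedly, the new `tracee.syscall_enter = !tracee.syscall_enter;` at the end of the `is_syscall` branch is skipped by the `continue` taken when PTRACE_GETREGS fails, so a single failed register read leaves the enter/exit bookkeeping inverted for that tracee for the rest of its life; toggling before the PTRACE_GETREGS call (or also on its failure path) keeps it in step. The inspect() hunk begins after the function's opening line, and the trace() loop body is split across several hunks, so surrounding control flow is only partly visible here.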