Delete Symlink Detection from syssan (#10479)
I don't have time to work on it, and deploying it seriously breaks libfuzzer on CF.
This commit is contained in:
parent
3d45ccbed2
commit
a836616877
|
@ -2,8 +2,7 @@
|
|||
CXX = clang++
|
||||
CFLAGS = -std=c++17 -Wall -Wextra -O3 -g3 -Werror
|
||||
|
||||
|
||||
all: SystemSan target target_file target_dns target_evil_link
|
||||
all: SystemSan target target_file target_dns
|
||||
|
||||
SystemSan: SystemSan.cpp inspect_dns.cpp inspect_utils.cpp
|
||||
$(CXX) $(CFLAGS) -lpthread -o $@ $^
|
||||
|
@ -21,9 +20,6 @@ target_file: target_file.cpp
|
|||
target_dns: target_dns.cpp
|
||||
$(CXX) $(CFLAGS) -fsanitize=address,fuzzer -o $@ $^
|
||||
|
||||
target_evil_link: target_evil_link.cpp
|
||||
$(CXX) $(CFLAGS) -fsanitize=address,fuzzer -o $@ $^
|
||||
|
||||
test: all vuln.dict
|
||||
./SystemSan ./target -dict=vuln.dict
|
||||
./SystemSan ./target_file -dict=vuln.dict
|
||||
|
@ -42,4 +38,4 @@ node-shell-quote-v1.7.3:
|
|||
docker run -t systemsan_node-shell-quote:latest;
|
||||
|
||||
clean:
|
||||
rm -f SystemSan /tmp/tripwire target target_file target_dns target_evil_link
|
||||
rm -f SystemSan /tmp/tripwire target target_file target_dns
|
||||
|
|
|
@ -32,8 +32,6 @@
|
|||
#include <syscall.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
#include <algorithm>
|
||||
#include <filesystem>
|
||||
#include <fstream>
|
||||
#include <iostream>
|
||||
#include <map>
|
||||
|
@ -88,11 +86,6 @@ std::map<pid_t, ThreadParent> root_pids;
|
|||
// Assuming the longest pathname is "/bin/bash".
|
||||
constexpr int kShellPathnameLength = 20;
|
||||
|
||||
std::string kEvilLinkBombfile = "/tmp/evil-link-bombfile";
|
||||
std::string kEvilLinkBombfileContents = "initial";
|
||||
const std:: string kEvilLinkError = "Symbolic link followed";
|
||||
const size_t kPathMax = 4096;
|
||||
|
||||
// Syntax error messages of each shell.
|
||||
const std::map<std::string, std::set<std::string>> kShellSyntaxErrors = {
|
||||
{"bash",
|
||||
|
@ -169,10 +162,8 @@ std::string read_string(pid_t pid, unsigned long reg, unsigned long length) {
|
|||
return "";
|
||||
}
|
||||
|
||||
auto location = std::find(memory.begin(), memory.end(), static_cast<std::byte>(NULL));
|
||||
size_t str_length = location - memory.begin();
|
||||
std::string content(reinterpret_cast<char *>(memory.data()),
|
||||
std::min(str_length, length));
|
||||
std::min(memory.size(), length));
|
||||
return content;
|
||||
}
|
||||
|
||||
|
@ -329,59 +320,6 @@ void inspect_for_arbitrary_file_open(pid_t pid, const user_regs_struct ®s) {
|
|||
}
|
||||
}
|
||||
|
||||
std::string read_evil_link_bombfile() {
|
||||
const std::ifstream bombfile(kEvilLinkBombfile,
|
||||
std::ios_base::binary);
|
||||
if (bombfile.fail())
|
||||
return "";
|
||||
std::stringstream stream;
|
||||
stream << bombfile.rdbuf();
|
||||
return stream.str();
|
||||
}
|
||||
|
||||
// https://oss-fuzz.com/testcase-detail/4882113260552192
|
||||
void report_bug_in_process(std::string bug_type, pid_t pid) {
|
||||
std::cerr << "===BUG DETECTED: " << bug_type << "===" << std::endl;
|
||||
tgkill(root_pids[pid].parent_tid, pid, SIGABRT);
|
||||
}
|
||||
|
||||
void inspect_for_evil_link(pid_t pid, const user_regs_struct ®s) {
|
||||
(void) regs;
|
||||
std::string contents = read_evil_link_bombfile();
|
||||
if ((contents.compare(kEvilLinkBombfileContents)) != 0) {
|
||||
|
||||
report_bug_in_process(kEvilLinkError, pid);
|
||||
}
|
||||
}
|
||||
|
||||
void evil_openat_hook(pid_t pid, const user_regs_struct ®s) {
|
||||
std::string path = read_string(pid, regs.rsi, kPathMax);
|
||||
if (!path.length()) {
|
||||
return;
|
||||
}
|
||||
if (std::filesystem::exists(path))
|
||||
return;
|
||||
size_t slash_idx = path.rfind('/');
|
||||
if (slash_idx == std::string::npos)
|
||||
return;
|
||||
|
||||
std::string dir = path.substr(0, slash_idx);
|
||||
if ((dir.compare("/tmp")) != 0)
|
||||
return;
|
||||
|
||||
std::string command = "rm -f " + path + " && ln -s " + kEvilLinkBombfile + " " + path;
|
||||
std::cout << "COMMAND " << command << std::endl;
|
||||
system(command.c_str());
|
||||
}
|
||||
|
||||
void initialize_evil_link_bombfile() {
|
||||
std::string command = ("printf " + kEvilLinkBombfileContents + " > " +
|
||||
kEvilLinkBombfile);
|
||||
std::cout << "COMMAND " << command << std::endl;
|
||||
system(command.c_str());
|
||||
system(("cat " + kEvilLinkBombfile).c_str());
|
||||
}
|
||||
|
||||
int trace(std::map<pid_t, Tracee> pids) {
|
||||
unsigned long exit_status = 0;
|
||||
while (!pids.empty()) {
|
||||
|
@ -485,13 +423,6 @@ int trace(std::map<pid_t, Tracee> pids) {
|
|||
if (regs.orig_rax == __NR_openat) {
|
||||
// TODO(metzman): Re-enable this once we have config/flag support.
|
||||
// inspect_for_arbitrary_file_open(pid, regs);
|
||||
evil_openat_hook(pid, regs);
|
||||
}
|
||||
|
||||
if (regs.orig_rax == __NR_close) {
|
||||
// TODO(metzman): Re-enable this once we have config/flag support.
|
||||
// inspect_for_arbitrary_file_open(pid, regs);
|
||||
inspect_for_evil_link(pid, regs);
|
||||
}
|
||||
|
||||
if (regs.orig_rax == __NR_write &&
|
||||
|
@ -530,9 +461,6 @@ int main(int argc, char **argv) {
|
|||
fatal_log("Expecting at least one arguments, received %d", argc - 1);
|
||||
}
|
||||
|
||||
|
||||
initialize_evil_link_bombfile();
|
||||
|
||||
// Create an executable tripwire file, as programs may check for existence
|
||||
// before actually calling exec.
|
||||
std::ofstream tripwire(kTripWire);
|
||||
|
|
|
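Review bot: In trace, the `if (regs.orig_rax == __NR_openat)` branch in the hunk at `@ -485,13 +423,6 @@` is left with no executable statement once `evil_openat_hook` is gone — only the TODO and the commented-out `inspect_for_arbitrary_file_open(pid, regs);` remain — so either drop the empty branch and keep the TODO as a plain comment, or make the intent explicit with `// openat is deliberately not inspected until config/flag support lands.` In read_string (`@ -169,10 +162,8 @@`), with the NUL scan removed the returned string spans `std::min(memory.size(), length)` bytes and can therefore carry bytes past the terminator; a one-line comment stating that callers get a fixed-length slice of tracee memory rather than a C string would avoid surprises in exact string comparisons, and read_string's signature lies outside the hunk. In the include hunk (`@ -32,8 +32,6 @@`) two headers are dropped but the page does not show which; if `<fstream>` is one of them, `std::ofstream tripwire(kTripWire);` in main still depends on it, so it is worth confirming the build does not rely on a transitive include. trace's body starts and ends outside the hunk.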
@ -53,7 +53,7 @@ std::vector<std::byte> read_memory(pid_t pid, unsigned long long address,
|
|||
|
||||
void report_bug(std::string bug_type, pid_t tid) {
|
||||
// Report the bug found based on the bug code.
|
||||
std::cerr << "===BUG DETECTED: " << bug_type << "===" << std::endl;
|
||||
std::cerr << "===BUG DETECTED: " << bug_type.c_str() << "===\n";
|
||||
// Rely on sanitizers/libFuzzer to produce a stacktrace by sending SIGABRT
|
||||
// to the root process.
|
||||
// Note: this may not be reliable or consistent if shell injection happens
|
||||
|
|
|
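Review bot: In report_bug, the surviving line `std::cerr << "===BUG DETECTED: " << bug_type.c_str() << "===\n";` (assuming the second of the two printed lines is the new side) streams a `std::string` through `.c_str()`, which is redundant and would silently truncate at an embedded NUL; `std::cerr << "===BUG DETECTED: " << bug_type << "===\n";` prints the whole value. Dropping `std::endl` is harmless here because `std::cerr` is unit-buffered, so the message is still written before the SIGABRT the following comment describes. Since `bug_type` is only read, `const std::string&` would also avoid the copy on each call. report_bug continues outside the hunk.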
@ -1,39 +0,0 @@
|
|||
/*
|
||||
* Copyright 2022 Google LLC
|
||||
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
/* A sample target program under test,
|
||||
* /tmp/tripwire or other commands will be injected into its shell command */
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string>
|
||||
#include <iostream>
|
||||
|
||||
extern "C" int LLVMFuzzerTestOneInput(char* data, size_t size) {
|
||||
std::string str(data, size);
|
||||
std::string path = "/tmp/zzf79";
|
||||
std::cout << "INPUT" << str << std::endl;
|
||||
FILE *fp = fopen(path.c_str(), "w");
|
||||
if (!fp) {
|
||||
std::cout << "NONNE" << std::endl;
|
||||
return 0;
|
||||
}
|
||||
std::string contents = "hello";
|
||||
fwrite(contents.data(), 1, contents.size(), fp);
|
||||
if (fp) {
|
||||
fclose(fp);
|
||||
}
|
||||
return 0;
|
||||
}
|