From a836616877c21d912e9f0e4633b016975f651db6 Mon Sep 17 00:00:00 2001
From: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
Date: Wed, 7 Jun 2023 21:23:57 -0400
Subject: [PATCH] Delete Symlink Detection from syssan (#10479)

I don't have time to work on it, and deploying it seriously breaks libfuzzer on CF.
---
 infra/experimental/SystemSan/Makefile | 8 +-
 infra/experimental/SystemSan/SystemSan.cpp | 74 +------------------
 .../experimental/SystemSan/inspect_utils.cpp | 2 +-
 .../SystemSan/target_evil_link.cpp | 39 ----------
 4 files changed, 4 insertions(+), 119 deletions(-)
 delete mode 100644 infra/experimental/SystemSan/target_evil_link.cpp

diff --git a/infra/experimental/SystemSan/Makefile b/infra/experimental/SystemSan/Makefile
index 4c24a849f..04db9976e 100644
--- a/infra/experimental/SystemSan/Makefile
+++ b/infra/experimental/SystemSan/Makefile
@@ -2,8 +2,7 @@ CXX = clang++
 CFLAGS = -std=c++17 -Wall -Wextra -O3 -g3 -Werror
-
-all: SystemSan target target_file target_dns target_evil_link
+all: SystemSan target target_file target_dns
 SystemSan: SystemSan.cpp inspect_dns.cpp inspect_utils.cpp
 $(CXX) $(CFLAGS) -lpthread -o $@ $^
@@ -21,9 +20,6 @@ target_file: target_file.cpp
 target_dns: target_dns.cpp
 $(CXX) $(CFLAGS) -fsanitize=address,fuzzer -o $@ $^
-target_evil_link: target_evil_link.cpp
- $(CXX) $(CFLAGS) -fsanitize=address,fuzzer -o $@ $^
-
 test: all vuln.dict
 ./SystemSan ./target -dict=vuln.dict
 ./SystemSan ./target_file -dict=vuln.dict
@@ -42,4 +38,4 @@ node-shell-quote-v1.7.3:
 docker run -t systemsan_node-shell-quote:latest;
 clean:
- rm -f SystemSan /tmp/tripwire target target_file target_dns target_evil_link
+ rm -f SystemSan /tmp/tripwire target target_file target_dns
diff --git a/infra/experimental/SystemSan/SystemSan.cpp b/infra/experimental/SystemSan/SystemSan.cpp
index 17a84b82b..27e8795c5 100644
--- a/infra/experimental/SystemSan/SystemSan.cpp
+++ b/infra/experimental/SystemSan/SystemSan.cpp
@@ -32,8 +32,6 @@
 #include
 #include
-#include
-#include
 #include
 #include
 #include
@@ -88,11 +86,6 @@ std::map root_pids;
 // Assuming the longest pathname is "/bin/bash".
 constexpr int kShellPathnameLength = 20;
-std::string kEvilLinkBombfile = "/tmp/evil-link-bombfile";
-std::string kEvilLinkBombfileContents = "initial";
-const std:: string kEvilLinkError = "Symbolic link followed";
-const size_t kPathMax = 4096;
-
 // Syntax error messages of each shell.
 const std::map> kShellSyntaxErrors = {
 {"bash",
@@ -169,10 +162,8 @@ std::string read_string(pid_t pid, unsigned long reg, unsigned long length) {
 return "";
 }
- auto location = std::find(memory.begin(), memory.end(), static_cast(NULL));
- size_t str_length = location - memory.begin();
 std::string content(reinterpret_cast(memory.data()),
- std::min(str_length, length));
+ std::min(memory.size(), length));
 return content;
 }
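Review bot: The new `std::min(memory.size(), length)` in read_string keeps every byte read_memory handed back, so the result is no longer cut at the tracee string's NUL terminator and can carry trailing bytes, or embedded NULs, past the end of the C string. Any caller that compares the returned path or argument against a fixed value such as a shell pathname may then fail to match, and a `.c_str()` consumer silently sees only the prefix up to the first NUL. If the goal is just to restore the pre-symlink-detection behaviour, one line keeps that while making the contract explicit: `content.resize(strnlen(content.data(), content.size()));  // stop at the tracee's NUL terminator` (needs <cstring>); otherwise a comment saying the returned string is a raw byte window that is not guaranteed NUL-terminated would help the next reader. read_string's body starts outside the hunk, so whether memory is sized to `length` or to a page boundary is not visible here.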
@@ -329,59 +320,6 @@ void inspect_for_arbitrary_file_open(pid_t pid, const user_regs_struct ®s) {
 }
 }
-std::string read_evil_link_bombfile() {
- const std::ifstream bombfile(kEvilLinkBombfile,
- std::ios_base::binary);
- if (bombfile.fail())
- return "";
- std::stringstream stream;
- stream << bombfile.rdbuf();
- return stream.str();
-}
-
-// https://oss-fuzz.com/testcase-detail/4882113260552192
-void report_bug_in_process(std::string bug_type, pid_t pid) {
- std::cerr << "===BUG DETECTED: " << bug_type << "===" << std::endl;
- tgkill(root_pids[pid].parent_tid, pid, SIGABRT);
-}
-
-void inspect_for_evil_link(pid_t pid, const user_regs_struct ®s) {
- (void) regs;
- std::string contents = read_evil_link_bombfile();
- if ((contents.compare(kEvilLinkBombfileContents)) != 0) {
-
- report_bug_in_process(kEvilLinkError, pid);
- }
-}
-
-void evil_openat_hook(pid_t pid, const user_regs_struct ®s) {
- std::string path = read_string(pid, regs.rsi, kPathMax);
- if (!path.length()) {
- return;
- }
- if (std::filesystem::exists(path))
- return;
- size_t slash_idx = path.rfind('/');
- if (slash_idx == std::string::npos)
- return;
-
- std::string dir = path.substr(0, slash_idx);
- if ((dir.compare("/tmp")) != 0)
- return;
-
- std::string command = "rm -f " + path + " && ln -s " + kEvilLinkBombfile + " " + path;
- std::cout << "COMMAND " << command << std::endl;
- system(command.c_str());
-}
-
-void initialize_evil_link_bombfile() {
- std::string command = ("printf " + kEvilLinkBombfileContents + " > " +
- kEvilLinkBombfile);
- std::cout << "COMMAND " << command << std::endl;
- system(command.c_str());
- system(("cat " + kEvilLinkBombfile).c_str());
-}
-
 int trace(std::map pids) {
 unsigned long exit_status = 0;
 while (!pids.empty()) {
@@ -485,13 +423,6 @@ int trace(std::map pids) {
 if (regs.orig_rax == __NR_openat) {
 // TODO(metzman): Re-enable this once we have config/flag support.
 // inspect_for_arbitrary_file_open(pid, regs);
- evil_openat_hook(pid, regs);
- }
-
- if (regs.orig_rax == __NR_close) {
- // TODO(metzman): Re-enable this once we have config/flag support.
- // inspect_for_arbitrary_file_open(pid, regs);
- inspect_for_evil_link(pid, regs);
 }
 if (regs.orig_rax == __NR_write &&
@@ -530,9 +461,6 @@ int main(int argc, char **argv) {
 fatal_log("Expecting at least one arguments, received %d", argc - 1);
 }
-
- initialize_evil_link_bombfile();
-
 // Create an executable tripwire file, as programs may check for existence
 // before actually calling exec.
 std::ofstream tripwire(kTripWire);
diff --git a/infra/experimental/SystemSan/inspect_utils.cpp b/infra/experimental/SystemSan/inspect_utils.cpp
index 47f4b43ad..713d61d75 100644
--- a/infra/experimental/SystemSan/inspect_utils.cpp
+++ b/infra/experimental/SystemSan/inspect_utils.cpp
@@ -53,7 +53,7 @@ std::vector read_memory(pid_t pid, unsigned long long address,
 void report_bug(std::string bug_type, pid_t tid) {
 // Report the bug found based on the bug code.
- std::cerr << "===BUG DETECTED: " << bug_type << "===" << std::endl;
+ std::cerr << "===BUG DETECTED: " << bug_type.c_str() << "===\n";
 // Rely on sanitizers/libFuzzer to produce a stacktrace by sending SIGABRT
 // to the root process.
 // Note: this may not be reliable or consistent if shell injection happens
diff --git a/infra/experimental/SystemSan/target_evil_link.cpp b/infra/experimental/SystemSan/target_evil_link.cpp
deleted file mode 100644
index 5010919fc..000000000
--- a/infra/experimental/SystemSan/target_evil_link.cpp
+++ /dev/null
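Review bot: With `evil_openat_hook` gone, the `if (regs.orig_rax == __NR_openat)` block in trace now holds only the TODO and a commented-out call, so it compiles to a no-op yet still reads as though openat were being inspected. Either drop the block until `inspect_for_arbitrary_file_open` is re-enabled, or keep it on purpose with a comment such as `// Intentionally empty: openat inspection is disabled until config/flag support lands.` so a reader does not assume file opens are being checked. trace's body starts and ends outside the hunk.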
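Review bot: `bug_type.c_str()` in the new report_bug line is unnecessary and subtly lossy: `std::cerr << bug_type` prints the whole std::string, whereas streaming the C pointer stops at the first embedded NUL, so `std::cerr << "===BUG DETECTED: " << bug_type << "===\n";` is the simpler and equivalent form. Dropping std::endl is fine because std::cerr has unitbuf set and flushes after each insertion, so nothing is lost before the SIGABRT the comments describe; if the old endl was relied on for ordering with stdout, it never provided that either. The signal-sending part of report_bug is outside the hunk.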
@@ -1,39 +0,0 @@
-/*
- * Copyright 2022 Google LLC
-
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
-
- * http://www.apache.org/licenses/LICENSE-2.0
-
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
-*/
-/* A sample target program under test,
- * /tmp/tripwire or other commands will be injected into its shell command */
-
-#include
-#include
-#include
-#include
-
-extern "C" int LLVMFuzzerTestOneInput(char* data, size_t size) {
- std::string str(data, size);
- std::string path = "/tmp/zzf79";
- std::cout << "INPUT" << str << std::endl;
- FILE *fp = fopen(path.c_str(), "w");
- if (!fp) {
- std::cout << "NONNE" << std::endl;
- return 0;
- }
- std::string contents = "hello";
- fwrite(contents.data(), 1, contents.size(), fp);
- if (fp) {
- fclose(fp);
- }
- return 0;
-}