Commit Graph

19 Commits

Author SHA1 Message Date
jonathanmetzman a836616877
Delete Symlink Detection from syssan (#10479)
I don't have time to work on it, and deploying it seriously breaks
libfuzzer on CF.
2023-06-07 21:23:57 -04:00
Catena cyber 107f33937f
SystemSan: log correct dns type and class (#9476)
by skipping the final null byte of the domain name
2023-01-23 09:48:14 +11:00
Oliver Chang a366b1c90b
Revert "[SystemSan] Add feature for opting out." (#9386)
Reverts google/oss-fuzz#9221.

Nothing was setting this yet.
2023-01-10 13:09:39 +11:00
jonathanmetzman c87906f379
[SystemSan] Add feature for opting out. (#9221)
Demonstrate usage to stop false positive from happening.
2022-12-15 14:24:30 -05:00
jonathanmetzman 0303aab0b7
Fix symlink bug detection (#9215)
2022-12-15 08:38:18 -05:00
Jonathan Metzman 2daac734e7
SystemSan: fix compiler errors
2022-12-14 04:51:05 -05:00
jonathanmetzman 91886878b2
SystemSan: POC of symbolic link attack (#9199)
2022-12-14 04:46:51 -05:00
jonathanmetzman 695e99329f
[NFC] Minor SysSan improvements (#9149)
2022-12-14 08:40:06 +11:00
Oliver Chang b8c6748c5e
SystemSan fixes. (#9153)
Fix multiple bugs with shell detection:
1. We weren't correctly extracting the argument to be passed to
readlink. We needed to take the null terminator into account, as we
extract this string from memory.
2. readlink does **not** null terminate the output. Fix this.
3. `binary_name.compare(0, 2, "sh")` for detecting if the binary is "sh"
was too liberal, and included "shell_injection_poc_fuzzer" because the
prefix matched.

Also reduce some very noisy debug logging.
2022-12-13 20:32:55 +11:00
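The two pitfalls that commit calls out (readlink not terminating its output, and a two-byte prefix compare that matches any binary whose name starts with "sh") are easy to reproduce in isolation. The following is an added illustration, not SystemSan's own code; the helper names and the list of shell names it compares against are assumptions for this example.

```cpp
// Added illustration (not SystemSan's code) of the two pitfalls listed in
// #9153. Helper names and the shell-name list are assumptions.
#include <climits>
#include <string>
#include <unistd.h>

// Resolve the target of a symlink (e.g. /proc/<pid>/exe) into a std::string.
// readlink(2) does not append a NUL byte: it returns the number of bytes it
// wrote, so the result must be built from that length (or the buffer
// terminated explicitly) rather than read back as a C string.
std::string ReadLinkTarget(const std::string &link_path) {
  char buf[PATH_MAX];
  ssize_t n = readlink(link_path.c_str(), buf, sizeof(buf) - 1);
  if (n < 0) return "";           // not a symlink, or unreadable
  buf[n] = '\0';                  // explicit terminator, in case buf is reused
  return std::string(buf, static_cast<size_t>(n));
}

// Strip the directory part so the comparison is against the basename only.
std::string BaseName(const std::string &path) {
  size_t slash = path.rfind('/');
  return slash == std::string::npos ? path : path.substr(slash + 1);
}

// The over-liberal check from the commit: a two-byte prefix match, so any
// binary whose name starts with "sh" (such as "shell_injection_poc_fuzzer")
// is reported as a shell.
bool IsShellPrefixMatch(const std::string &binary_path) {
  return BaseName(binary_path).compare(0, 2, "sh") == 0;
}

// Exact match against the whole basename. The list of shell names is an
// assumption for this example, not SystemSan's own list.
bool IsShellExactMatch(const std::string &binary_path) {
  static const char *const kShells[] = {"sh", "bash", "dash"};
  const std::string base = BaseName(binary_path);
  for (const char *shell : kShells) {
    if (base == shell) return true;
  }
  return false;
}
```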
Catena cyber a857bfbca0
SystemSan: arbitrary DNS resolution detection (#9119)
cc @oliverchang @Alan32Liu after #9100 and #8448

After compiling locally, I can see that
`./SystemSan ./target_dns -dict=vuln.dict`
crashes in a few seconds with
```
===BUG DETECTED: Arbitrary domain name resolution===
===Domain resolved: .f.z===
===DNS request type: 0, class: 256===
==315== ERROR: libFuzzer: deadly signal
    #0 0x539131 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x457c48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x43c923 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
    #3 0x7fa57940041f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #4 0x7fa5793ff7db in send (/lib/x86_64-linux-gnu/libpthread.so.0+0x137db) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #5 0x503ba4 in __interceptor_send /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:6802:17
    #6 0x7fa578abf462  (/lib/x86_64-linux-gnu/libresolv.so.2+0xb462) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
    #7 0x7fa578abbc43 in __res_context_query (/lib/x86_64-linux-gnu/libresolv.so.2+0x7c43) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
    #8 0x7fa578abc8ed in __res_context_search (/lib/x86_64-linux-gnu/libresolv.so.2+0x88ed) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
    #9 0x7fa578ad2cc1  (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2cc1) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
    #10 0x7fa578ad2e8b in _nss_dns_gethostbyname3_r (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2e8b) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
    #11 0x7fa578ad2f41 in _nss_dns_gethostbyname2_r (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2f41) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
    #12 0x7fa5792fdc9d in gethostbyname2_r (/lib/x86_64-linux-gnu/libc.so.6+0x130c9d) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #13 0x7fa5792d179e  (/lib/x86_64-linux-gnu/libc.so.6+0x10479e) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #14 0x7fa5792d2f58 in getaddrinfo (/lib/x86_64-linux-gnu/libc.so.6+0x105f58) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #15 0x4d93ac in getaddrinfo /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2667:13
    #16 0x56c8d9 in LLVMFuzzerTestOneInput /out/SystemSan/target_dns.cpp:35:11
    #17 0x43dec3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #18 0x43d6aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
    #19 0x43ed79 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
    #20 0x43fa45 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
    #21 0x42edaf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
    #22 0x458402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #23 0x7fa5791f1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #24 0x41f7ed in _start (/out/SystemSan/target_dns+0x41f7ed)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 CrossOver-ManualDict- DE: "f.z"-; base unit: ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4
0x66,0x2e,0x7a,
f.z
artifact_prefix='./'; Test unit written to ./crash-926813b2d6adde373f96a10594a5314951588384
Base64: Zi56
```

You can also try
```
echo -n f.z > toto
./SystemSan ./target_dns toto
```

Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
Co-authored-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
2022-12-06 08:23:32 -05:00
Oliver Chang 298b1fdb3d
Disable arbitrary file read sanitizer. (#9142)
This is currently too noisy, and may mask our other sanitizers.

We can re-enable this once we have flag/options support.
2022-12-06 11:54:32 +11:00
jonathanmetzman 569acfaa87
Test SystemSan with Python (#8443)
2022-12-01 15:58:58 +11:00
Oliver Chang 8acb150e82
Revert "SystemSan: arbitrary DNS resolution detection" (#9100)
Reverts google/oss-fuzz#8448.

Build was broken in several places.

Even once fixed, the `target_dns` example didn't work.
2022-12-01 15:08:39 +11:00
Catena cyber 98eda2bc0d
SystemSan: arbitrary DNS resolution detection (#8448)
cc @oliverchang @jonathanmetzman

Here is a new bug class for SystemSan: arbitrary DNS resolution (like
in log4j)

What do you think about it?
2022-12-01 13:50:15 +11:00
Catena cyber d5dc144ad1
SystemSan: log c_str to avoid additional buffered zeroes (#8826)
cc @Alan32Liu
2022-11-10 16:06:07 +11:00
Catena cyber f5f128e131
SystemSan: use tgkill on precise pid (#8615)
This patch is meant for `tgkill` to use the right thread, so that we get
the right stack trace every time.
2022-10-17 09:28:42 +11:00
Catena cyber aea1b456dd
SysSan: stricter file open detection (#8562)
cc @oliverchang

This allows us to get rid of false positives such as
https://github.com/google/oss-fuzz/blob/master/projects/phmap/phashmap_fuzz.cc#L33
and others which try to scan non-existent directories such as /config.
2022-09-27 11:13:38 +10:00
Catena cyber ede1cc8a60
SystemSan: more logs for arbitrary file open (#8432)
cc @oliverchang

Log the file that is being opened and the flags (read or write) used for
opening the file.

Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
2022-09-12 01:55:03 +00:00
Oliver Chang 5675ec6958
Rename execSan to SystemSan. (#8369)
* Rename execSan to SystemSan.

All of the bug detectors we've built (or plan to build) relate to system
state.

* fix documentation

* fix more documentation
2022-08-30 08:40:46 +10:00