From: Douglas Bagnall Date: Sat, 15 Jul 2023 10:49:22 +0000 (+1200) Subject: lib/fuzzing: add fuzzer for arbitrary token/sd access checks X-Git-Tag: talloc-2.4.1~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb2bed3899b12ba90050d9530f4909175954b147;p=thirdparty%2Fsamba.git lib/fuzzing: add fuzzer for arbitrary token/sd access checks The token and descriptor are stored in NDR format; for this purpose we add a new IDL struct containing this pair (along with a desired access mask). An upcoming commit will show how to collect seeds for this fuzzer. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- diff --git a/lib/fuzzing/fuzz_security_token_vs_descriptor.c b/lib/fuzzing/fuzz_security_token_vs_descriptor.c new file mode 100644 index 00000000000..4f96590de92 --- /dev/null +++ b/lib/fuzzing/fuzz_security_token_vs_descriptor.c @@ -0,0 +1,60 @@ +/* + Fuzz a security token and descriptor through an access check + Copyright (C) Catalyst IT 2023 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "replace.h" +#include "librpc/gen_ndr/ndr_security.h" +#include "libcli/security/security.h" +#include "fuzzing/fuzzing.h" + + +int LLVMFuzzerInitialize(int *argc, char ***argv) +{ + return 0; +} + + +int LLVMFuzzerTestOneInput(uint8_t *input, size_t len) +{ + TALLOC_CTX *mem_ctx = NULL; + struct security_token_descriptor_fuzzing_pair p = {0}; + enum ndr_err_code ndr_err; + uint32_t access_granted; + + DATA_BLOB blob = { + .data = input, + .length = len + }; + + mem_ctx = talloc_new(NULL); + + ndr_err = ndr_pull_struct_blob( + &blob, mem_ctx, &p, + (ndr_pull_flags_fn_t)ndr_pull_security_token_descriptor_fuzzing_pair); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + goto end; + } + se_access_check(&p.sd, + &p.token, + p.access_desired, + &access_granted); + +end: + talloc_free(mem_ctx); + return 0; +} diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build index 2326cb60f95..52607455b06 100644 --- a/lib/fuzzing/wscript_build +++ b/lib/fuzzing/wscript_build @@ -132,6 +132,12 @@ bld.SAMBA_BINARY('fuzz_stable_sort_r', deps='fuzzing stable_sort afl-fuzz-main', fuzzer=True) +bld.SAMBA_BINARY('fuzz_security_token_vs_descriptor', + source='fuzz_security_token_vs_descriptor.c', + deps='fuzzing samba-security afl-fuzz-main', + fuzzer=True) + + # The fuzz_type and fuzz_function parameters make the built # fuzzer take the same input as ndrdump and so the same that # could be sent to the client or server as the stub data. diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index eacef0309c4..b699355d776 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -678,6 +678,12 @@ interface security lsa_SystemAccessModeFlags rights_mask; } security_token; + typedef [public] struct { + security_token token; + security_descriptor sd; + uint32 access_desired; + } security_token_descriptor_fuzzing_pair; + /* This is not yet sent over the network, but is simply defined in IDL */ typedef [public] struct { uid_t uid;