File: fuzz_conditional_ace_blob.c

package info (click to toggle)
samba 2%3A4.22.3%2Bdfsg-4
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 185,264 kB
  • sloc: ansic: 1,955,394; python: 269,800; sh: 71,598; xml: 50,288; perl: 36,082; makefile: 6,086; yacc: 4,497; exp: 1,582; cpp: 1,224; lex: 989; awk: 589; java: 119; csh: 58; pascal: 54; sed: 45; asm: 30
file content (167 lines) | stat: -rw-r--r-- 4,484 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
 
/*
  Fuzz conditional ace decoding and encoding
  Copyright (C) Catalyst IT 2023

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 3 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "replace.h"
#include "libcli/security/security.h"
#include "lib/util/attr.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "libcli/security/conditional_ace.h"
#include "librpc/gen_ndr/conditional_ace.h"
#include "fuzzing/fuzzing.h"


#define MAX_LENGTH (1024 * 1024 - 1)


int LLVMFuzzerInitialize(int *argc, char ***argv)
{
	return 0;
}


int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
{
	TALLOC_CTX *mem_ctx = NULL;
	bool ok;
	struct ace_condition_script *s1 = NULL;
	struct ace_condition_script *s2 = NULL;
	const char *message = NULL;
	size_t message_offset;
	const char *sddl = NULL;
	DATA_BLOB e1, e2;
	size_t length;

	if (len > MAX_LENGTH) {
		return 0;
	}

	/*
	 * In this one we are treating the input data as an ACE blob,
	 * and decoding it into the structure and thence SDDL.
	 *
	 * This doesn't run the conditional ACE, for which we would
	 * need a security token.
	 */

	e1.data = discard_const(input);
	e1.length = len;

	mem_ctx = talloc_new(NULL);

	s1 = parse_conditional_ace(mem_ctx, e1);
	if (s1 == NULL) {
		/* no worries, it was nonsense */
		TALLOC_FREE(mem_ctx);
		return 0;
	}

	/* back to blob form */
	ok = conditional_ace_encode_binary(mem_ctx, s1, &e2);
	if (! ok) {
		if (e1.length == CONDITIONAL_ACE_MAX_LENGTH) {
			/*
			 * This is an edge case where the encoder and
			 * decoder treat the boundary slightly
			 * differently, and the encoder refuses to
			 * encode to the maximum length. This is not
			 * an issue in the real world.
			 */
			TALLOC_FREE(mem_ctx);
			return 0;
		}
		abort();
	}

	if (data_blob_cmp(&e1, &e2) != 0) {
		abort();
	}

	sddl = sddl_from_conditional_ace(mem_ctx, s1);
	if (sddl == NULL) {
		/*
		 * we can't call this a failure, because the blob
		 * could easily have nonsensical programs that the
		 * SDDL decompiler is unwilling to countenance. For
		 * example, it could have an operator that requires
		 * arguments as the first token, when of course the
		 * arguments need to come first.
		 */
		TALLOC_FREE(mem_ctx);
		return 0;
	}

	s2 = ace_conditions_compile_sddl(mem_ctx,
					 ACE_CONDITION_FLAG_ALLOW_DEVICE,
					 sddl,
					 &message,
					 &message_offset,
					 &length);
	if (s2 == NULL) {
		/*
		 * We also don't complain when the SDDL decompiler
		 * produces an uncompilable program, because the
		 * decompiler is meant to be a display tool, not a
		 * verifier in itself.
		 */
		TALLOC_FREE(mem_ctx);
		return 0;
	}

	ok = conditional_ace_encode_binary(mem_ctx, s2, &e2);
	if (! ok) {
		if (len < CONDITIONAL_ACE_MAX_LENGTH / 4) {
			/*
			 * long invalid ACEs can easily result in SDDL that
			 * would compile to an over-long ACE, which fail
			 * accordingly.
			 *
			 * But if the original ACE less than a few thousand
			 * bytes, and it has been serialised into SDDL, that
			 * SDDL should be parsable.
			 */
			abort();
		}
	}

	/*
	 * It would be nice here to go:
	 *
	 * if (data_blob_cmp(&e1, &e2) != 0) {
	 *       abort();
	 * }
	 *
	 * but that isn't really fair. The decompilation into SDDL
	 * does not make thorough sanity checks because that is not
	 * its job -- it is just trying to depict what is there -- and
	 * there are many ambiguous decompilations.
	 *
	 * For example, a blob with a single literal integer token,
	 * say 42, can only really be shown in the SDDL syntax as
	 * "(42)", but when the compiler reads that it knows that a
	 * literal number is invalid except in a RHS argument, so it
	 * assumes "42" is a local attribute name.
	 *
	 * Even if the decompiler was a perfect verifier, a round trip
	 * through SDDL could not be guaranteed because, for example,
	 * an 8 bit integer can only be displayed in SDDL in the form
	 * that compiles to a 64 bit integer.
	 */

	TALLOC_FREE(mem_ctx);
	return 0;
}