Merge remote-tracking branch 'origin/topic/awelzel/3860-ldap-fuzzer'

* origin/topic/awelzel/3860-ldap-fuzzer:
  Bump auxil/spicy to latest development snapshot
  spicy/runtime-support: Switch ParameterMismatch::_fmt to static
  coverage/lcov_html: Ignore testing/btest/.tmp
  cirrus: Do not disable Spicy for sanitizer builds
  ldap: Avoid unset m$opcode
  fuzzers: Add LDAP fuzzing
Arne Welzel 2024-08-06 20:08:37 +02:00
commit c845c7cce0
10 changed files with 55 additions and 7 deletions


@ -14,9 +14,9 @@ config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WOR
no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror
asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --disable-spicy --ccache asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --ccache --enable-werror
ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --disable-spicy --ccache --enable-werror ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --ccache --enable-werror
tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --disable-spicy --ccache --enable-werror tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --ccache --enable-werror
resources_template: &RESOURCES_TEMPLATE resources_template: &RESOURCES_TEMPLATE
cpu: *CPUS cpu: *CPUS
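Review bot: the `&ASAN_SANITIZER_CONFIG` line changes more than the commit title "Do not disable Spicy for sanitizer builds" states: besides dropping `--disable-spicy`, it also gains `--enable-werror`, which the ubsan and tsan configs already had. Aligning the three is reasonable, but it is not mentioned in the CHANGES entry, and it means compiler warnings from the Spicy-enabled ASAN build now fail CI; call it out in the entry so the behaviour change is traceable. With Spicy now built under all three sanitizers, the targets enabled by `--enable-fuzzers` (including the new LDAP ones) exercise the Spicy-based analyzers under ASAN and UBSAN, which is the point of this series.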

CHANGES (42 added lines)

@ -1,3 +1,45 @@
7.1.0-dev.99 | 2024-08-06 20:08:37 +0200
* Bump auxil/spicy to latest development snapshot (Arne Welzel, Corelight)
* spicy/runtime-support: Switch ParameterMismatch::_fmt to static (Arne Welzel, Corelight)
UBSAN's vptr sanitize isn't happy with the call to _fmt()
in its member initializer list.
$ zeek -r Traces/ssh/single-conn.trace .tmp/spicy.event-args-mismatch/test.hlto .tmp/spicy.event-args-mismatch/event-args-mismatch.zeek
<...>/src/include/zeek/spicy/runtime-support.h:80:29: runtime error: member call on address 0x511000369540 which does not point to an object of type 'zeek::spicy::rt::ParameterMismatch'
0x511000369540: note: object has invalid vptr
00 00 00 00 be be be be be be be be be be be be be be be be be be be be be be be be be be be be
^~~~~~~~~~~~~~~~~~~~~~~
invalid vptr
#0 0x7f9c9977b019 in zeek::spicy::rt::ParameterMismatch::ParameterMismatch(std::basic_string_view<char, std::char_traits<char>>, zeek::IntrusivePtr<zeek::Type> const&, std::basic_string_view<char, std::char_traits<char>>) <...>/src/include/zeek/spicy/runtime-support.h:80:29
#1 0x7f9c9977a6a2 in zeek::spicy::rt::to_val(hilti::rt::Bytes const&, zeek::IntrusivePtr<zeek::Type> const&) <...>/src/include/zeek/spicy/runtime-support.h:562:15
* coverage/lcov_html: Ignore testing/btest/.tmp (Arne Welzel, Corelight)
gcda/gcno files in the btest/.tmp directory are from .htlo files
referencing ephemeral cc files. No need to include these.
* cirrus: Do not disable Spicy for sanitizer builds (Arne Welzel, Corelight)
* ldap: Avoid unset m$opcode (Arne Welzel, Corelight)
Initial fuzzing caused a bind response to arrive before a bind request,
resulting in an unset field expression error:
expression error in base/protocols/ldap/main.zeek, line 270: field value missing (LDAP::m$opcode)
Prevent this by ensuring m$opcode is set and raising instead.
* GH-3860: fuzzers: Add LDAP fuzzing (Arne Welzel, Corelight)
LDAP supports both, UDP and TCP as separate analyzers. The corpus
is identical, however. Started to hit the TLS analyzer fairly
quickly, too.
Closes #3860
7.1.0-dev.92 | 2024-08-06 09:01:40 -0700 7.1.0-dev.92 | 2024-08-06 09:01:40 -0700
* Don't install empty ZAM directories (Tim Wojtulewicz, Corelight) * Don't install empty ZAM directories (Tim Wojtulewicz, Corelight)
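Review bot: the `coverage/lcov_html` entry refers to `.htlo files`, while the UBSAN excerpt two entries earlier uses the actual Spicy module extension `.hlto` (`test.hlto`); fix the typo before release notes are generated from this file. Minor: "LDAP supports both, UDP and TCP" should drop the comma.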


@ -1 +1 @@
7.1.0-dev.92 7.1.0-dev.99

@ -1 +1 @@
Subproject commit 4c5c26bf34c2cf2cedf56270e84f1271fcf94465 Subproject commit 7cddc357ff83175984e19037f1f8062a69cf2030
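Review bot: the submodule bump to `7cddc357ff83175984e19037f1f8062a69cf2030` lands without a note on what it pulls in. Since the same series starts building Spicy under the sanitizers, list the relevant upstream changes (or link the Spicy commit range) in the "Bump auxil/spicy" CHANGES entry, so a later bisect of a sanitizer or fuzzer failure can separate the Spicy update from the Zeek-side fixes.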


@ -229,6 +229,10 @@ event LDAP::message(c: connection,
fmt("%s: %s -> %s", message_id, m$opcode, opcode_str), "LDAP"); fmt("%s: %s -> %s", message_id, m$opcode, opcode_str), "LDAP");
} }
m$opcode = opcode_str;
} else if ( ! m?$opcode ) {
# This can happen if we see a bind response before the bind request.
Reporter::conn_weird("LDAP_bind_without_opcode", c, fmt("%s: %s", message_id, opcode_str), "LDAP");
m$opcode = opcode_str; m$opcode = opcode_str;
} }
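Review bot: the new `else if ( ! m?$opcode )` branch fixes the `field value missing (LDAP::m$opcode)` expression error by assigning `opcode_str` before anything reads `m$opcode`, and it surfaces the out-of-order case as the `LDAP_bind_without_opcode` weird instead of silently accepting it, which is the right shape. Two follow-ups: the only coverage for this path is the fuzz corpus, so add a btest with a trace in which the bind response precedes the bind request and baseline the weird; and document `LDAP_bind_without_opcode` alongside the existing mismatch weird just above it, so analysts know it indicates a missed request (or a peer sending unsolicited responses) rather than parser breakage. The weird's addl string carries only `message_id` and `opcode_str`, matching the format of the mismatch weird, which keeps the two easy to correlate in weird.log.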


@ -107,6 +107,8 @@ add_generic_analyzer_fuzz_target(dhcp udp)
add_generic_analyzer_fuzz_target(dnp3_tcp) add_generic_analyzer_fuzz_target(dnp3_tcp)
add_generic_analyzer_fuzz_target(dtls udp) add_generic_analyzer_fuzz_target(dtls udp)
add_generic_analyzer_fuzz_target(irc) add_generic_analyzer_fuzz_target(irc)
add_generic_analyzer_fuzz_target(ldap_udp udp)
add_generic_analyzer_fuzz_target(ldap_tcp tcp)
add_generic_analyzer_fuzz_target(modbus) add_generic_analyzer_fuzz_target(modbus)
add_generic_analyzer_fuzz_target(mqtt) add_generic_analyzer_fuzz_target(mqtt)
add_generic_analyzer_fuzz_target(mysql) add_generic_analyzer_fuzz_target(mysql)
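Review bot: `add_generic_analyzer_fuzz_target(ldap_tcp tcp)` passes the transport explicitly, while every other TCP target in this list (`dnp3_tcp`, `irc`, `modbus`, `mqtt`, `mysql`) omits it and only the UDP targets (`dhcp udp`, `dtls udp`) pass one. If the macro defaults to TCP, drop the argument for consistency: `add_generic_analyzer_fuzz_target(ldap_tcp)`. Also, since the CHANGES entry says both analyzers use an identical corpus, confirm the two seed corpora added as binary files are in fact the same and consider sharing one directory if the macro allows it, so the corpora do not drift apart.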

Binary file not shown.

Binary file not shown.


@ -80,7 +80,7 @@ public:
: ParameterMismatch(_fmt(have, want)) {} : ParameterMismatch(_fmt(have, want)) {}
private: private:
std::string _fmt(const std::string_view& have, const TypePtr& want) { static std::string _fmt(const std::string_view& have, const TypePtr& want) {
ODesc d; ODesc d;
want->Describe(&d); want->Describe(&d);
return hilti::rt::fmt("cannot convert Spicy value of type '%s' to Zeek value of type '%s'", have, return hilti::rt::fmt("cannot convert Spicy value of type '%s' to Zeek value of type '%s'", have,
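Review bot: making `_fmt` `static` is the correct fix rather than a workaround: the member initializer `ParameterMismatch(_fmt(have, want))` runs before the base subobject is constructed, and calling a non-static member function through `this` at that point is undefined behaviour, which is exactly what UBSAN's vptr check reported (`object has invalid vptr`). Two style points for the same lines: `std::string_view` is meant to be passed by value, so `const std::string_view& have` can become `std::string_view have`; and `want->Describe(&d)` dereferences `want` unconditionally, so if a null `TypePtr` can reach this constructor (the `to_val` frame in the UBSAN trace is one caller), either guard it or document the non-null precondition.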


@ -116,7 +116,7 @@ verify_run "which lcov" \
# 4. Create a "tracefile" through lcov, which is necessary to create output later on. # 4. Create a "tracefile" through lcov, which is necessary to create output later on.
echo -n "Creating tracefile for output generation... " echo -n "Creating tracefile for output generation... "
verify_run "lcov --no-external --capture --directory . --output-file $COVERAGE_FILE" verify_run "lcov --no-external --capture --directory . --exclude 'testing/btest/.tmp/*' --output-file $COVERAGE_FILE"
# 5. Remove a number of 3rdparty and "extra" files that shouldn't be included in the # 5. Remove a number of 3rdparty and "extra" files that shouldn't be included in the
# Zeek coverage numbers. # Zeek coverage numbers.
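Review bot: check that the new `--exclude 'testing/btest/.tmp/*'` actually matches anything. lcov interprets `--exclude` as a shell wildcard matched against the full source file path recorded in the `.gcno`/`.gcda` data, which with `--directory .` is typically absolute, so a relative pattern with no leading wildcard may match nothing and the ephemeral `.tmp` files would still be counted; `'*/testing/btest/.tmp/*'` is the safer spelling. Verify by confirming the generated `$COVERAGE_FILE` contains no `SF:` records under `testing/btest/.tmp` after the change.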