Merge remote-tracking branch 'origin/topic/awelzel/3860-ldap-fuzzer'

* origin/topic/awelzel/3860-ldap-fuzzer: Bump auxil/spicy to latest development snapshot spicy/runtime-support: Switch ParameterMismatch::_fmt to static coverage/lcov_html: Ignore testing/btest/.tmp cirrus: Do not disable Spicy for sanitizer builds ldap: Avoid unset m$opcode fuzzers: Add LDAP fuzzing
2025-10-02 06:38:20 +00:00 · 2024-08-06 20:08:37 +02:00 · 2024-08-06 20:08:37 +02:00 · c845c7cce0
commit c845c7cce0
parent d52ec28c89 821d460c2e
10 changed files with 55 additions and 7 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -14,9 +14,9 @@ config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WOR
 no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror
-asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --disable-spicy --ccache
-ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --disable-spicy --ccache --enable-werror
-tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --disable-spicy --ccache --enable-werror
+asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --ccache --enable-werror
+ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --ccache --enable-werror
+tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --ccache --enable-werror

 resources_template: &RESOURCES_TEMPLATE
  cpu: *CPUS
--- a/42
+++ b/42
@ -1,3 +1,45 @@
+7.1.0-dev.99 | 2024-08-06 20:08:37 +0200
+
+  * Bump auxil/spicy to latest development snapshot (Arne Welzel, Corelight)
+
+  * spicy/runtime-support: Switch ParameterMismatch::_fmt to static (Arne Welzel, Corelight)
+
+    UBSAN's vptr sanitize isn't happy with the call to _fmt()
+    in its member initializer list.
+
+        $ zeek -r Traces/ssh/single-conn.trace .tmp/spicy.event-args-mismatch/test.hlto .tmp/spicy.event-args-mismatch/event-args-mismatch.zeek
+        <...>/src/include/zeek/spicy/runtime-support.h:80:29: runtime error: member call on address 0x511000369540 which does not point to an object of type 'zeek::spicy::rt::ParameterMismatch'
+        0x511000369540: note: object has invalid vptr
+         00 00 00 00  be be be be be be be be  be be be be be be be be  be be be be be be be be  be be be be
+                      ^~~~~~~~~~~~~~~~~~~~~~~
+                      invalid vptr
+            #0 0x7f9c9977b019 in zeek::spicy::rt::ParameterMismatch::ParameterMismatch(std::basic_string_view<char, std::char_traits<char>>, zeek::IntrusivePtr<zeek::Type> const&, std::basic_string_view<char, std::char_traits<char>>) <...>/src/include/zeek/spicy/runtime-support.h:80:29
+            #1 0x7f9c9977a6a2 in zeek::spicy::rt::to_val(hilti::rt::Bytes const&, zeek::IntrusivePtr<zeek::Type> const&) <...>/src/include/zeek/spicy/runtime-support.h:562:15
+
+  * coverage/lcov_html: Ignore testing/btest/.tmp (Arne Welzel, Corelight)
+
+    gcda/gcno files in the btest/.tmp directory are from .htlo files
+    referencing ephemeral cc files. No need to include these.
+
+  * cirrus: Do not disable Spicy for sanitizer builds (Arne Welzel, Corelight)
+
+  * ldap: Avoid unset m$opcode (Arne Welzel, Corelight)
+
+    Initial fuzzing caused a bind response to arrive before a bind request,
+    resulting in an unset field expression error:
+
+        expression error in base/protocols/ldap/main.zeek, line 270: field value missing (LDAP::m$opcode)
+
+    Prevent this by ensuring m$opcode is set and raising instead.
+
+  * GH-3860: fuzzers: Add LDAP fuzzing (Arne Welzel, Corelight)
+
+    LDAP supports both, UDP and TCP as separate analyzers. The corpus
+    is identical, however. Started to hit the TLS analyzer fairly
+    quickly, too.
+
+    Closes #3860
+
 7.1.0-dev.92 | 2024-08-06 09:01:40 -0700

  * Don't install empty ZAM directories (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-7.1.0-dev.92
+7.1.0-dev.99
--- a/auxil/spicy
+++ b/auxil/spicy
@ -1 +1 @@
-Subproject commit 4c5c26bf34c2cf2cedf56270e84f1271fcf94465
+Subproject commit 7cddc357ff83175984e19037f1f8062a69cf2030
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@ -229,6 +229,10 @@ event LDAP::message(c: connection,
                             fmt("%s: %s -> %s", message_id, m$opcode, opcode_str), "LDAP");
      }

+      m$opcode = opcode_str;
+    } else if ( ! m?$opcode ) {
+      # This can happen if we see a bind response before the bind request.
+      Reporter::conn_weird("LDAP_bind_without_opcode", c, fmt("%s: %s", message_id, opcode_str), "LDAP");
      m$opcode = opcode_str;
    }

--- a/src/fuzzers/CMakeLists.txt
+++ b/src/fuzzers/CMakeLists.txt
@ -107,6 +107,8 @@ add_generic_analyzer_fuzz_target(dhcp udp)
 add_generic_analyzer_fuzz_target(dnp3_tcp)
 add_generic_analyzer_fuzz_target(dtls udp)
 add_generic_analyzer_fuzz_target(irc)
+add_generic_analyzer_fuzz_target(ldap_udp udp)
+add_generic_analyzer_fuzz_target(ldap_tcp tcp)
 add_generic_analyzer_fuzz_target(modbus)
 add_generic_analyzer_fuzz_target(mqtt)
 add_generic_analyzer_fuzz_target(mysql)
--- a/src/fuzzers/corpora/ldap_tcp-corpus.zip
+++ b/src/fuzzers/corpora/ldap_tcp-corpus.zip
--- a/src/fuzzers/corpora/ldap_udp-corpus.zip
+++ b/src/fuzzers/corpora/ldap_udp-corpus.zip
--- a/src/spicy/runtime-support.h
+++ b/src/spicy/runtime-support.h
@ -80,7 +80,7 @@ public:
        : ParameterMismatch(_fmt(have, want)) {}

 private:
-    std::string _fmt(const std::string_view& have, const TypePtr& want) {
+    static std::string _fmt(const std::string_view& have, const TypePtr& want) {
        ODesc d;
        want->Describe(&d);
        return hilti::rt::fmt("cannot convert Spicy value of type '%s' to Zeek value of type '%s'", have,
--- a/testing/coverage/lcov_html.sh
+++ b/testing/coverage/lcov_html.sh
@ -116,7 +116,7 @@ verify_run "which lcov" \

 # 4. Create a "tracefile" through lcov, which is necessary to create output later on.
 echo -n "Creating tracefile for output generation... "
-verify_run "lcov --no-external --capture --directory . --output-file $COVERAGE_FILE"
+verify_run "lcov --no-external --capture --directory . --exclude 'testing/btest/.tmp/*' --output-file $COVERAGE_FILE"

 # 5. Remove a number of 3rdparty and "extra" files that shouldn't be included in the
 # Zeek coverage numbers.