isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Perform matching in fuzz_sudoers for inputs that parse correctly.

Browse Source 
The fuzzer now exercised the normal match code as well as the
pseudo-command (list, validate, etc) match code.
Privileges are also listed for well-formed sudoers file.
This commit is contained in:
Todd C. Miller
2021-02-21 14:59:29 -07:00
parent 921097cb67
commit df42c0c1d2
2 changed files with 107 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
plugins/sudoers/Makefile.in
View File

@@ -246,7 +246,8 @@ FUZZ_POLICY_OBJS = fuzz_policy.o editor.lo env.lo env_pattern.lo gc.lo \
FUZZ_POLICY_CORPUS = $(srcdir)/regress/corpus/policy/policy.* FUZZ_POLICY_CORPUS = $(srcdir)/regress/corpus/policy/policy.*
FUZZ_SUDOERS_OBJS = fuzz_sudoers.o locale.lo stubs.o sudo_printf.o FUZZ_SUDOERS_OBJS = file.lo fuzz_sudoers.o fmtsudoers.lo parse.lo locale.lo \
stubs.o sudo_printf.o
FUZZ_SUDOERS_CORPUS = $(top_srcdir)/examples/sudoers \ FUZZ_SUDOERS_CORPUS = $(top_srcdir)/examples/sudoers \
$(srcdir)/regress/sudoers/*.in $(srcdir)/regress/sudoers/*.in

107
plugins/sudoers/regress/fuzz/fuzz_sudoers.c
View File

@@ -16,8 +16,10 @@
#include <config.h> #include <config.h>
#include <stdarg.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h>
#include <fcntl.h> #include <fcntl.h>
#include <unistd.h> #include <unistd.h>
#if defined(HAVE_STDINT_H) #if defined(HAVE_STDINT_H)
@@ -28,9 +30,13 @@
#include "sudoers.h" #include "sudoers.h"
static int fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[], struct sudo_conv_reply replies[], struct sudo_conv_callback *callback);
/* Required to link with parser. */ /* Required to link with parser. */
struct sudo_user sudo_user; struct sudo_user sudo_user;
struct passwd *list_pw; struct passwd *list_pw;
sudo_conv_t sudo_conv = fuzz_conversation;
bool sudoers_recovery = true;
FILE * FILE *
open_sudoers(const char *file, bool doedit, bool *keepopen) open_sudoers(const char *file, bool doedit, bool *keepopen)
@@ -43,6 +49,74 @@ open_sudoers(const char *file, bool doedit, bool *keepopen)
return NULL; return NULL;
} }
static int
fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[],
struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
{
int n;
for (n = 0; n < num_msgs; n++) {
const struct sudo_conv_message *msg = &msgs[n];
FILE *fp = stdout;
switch (msg->msg_type & 0xff) {
case SUDO_CONV_PROMPT_ECHO_ON:
case SUDO_CONV_PROMPT_MASK:
case SUDO_CONV_PROMPT_ECHO_OFF:
/* input not supported */
return -1;
case SUDO_CONV_ERROR_MSG:
fp = stderr;
FALLTHROUGH;
case SUDO_CONV_INFO_MSG:
if (msg->msg != NULL) {
size_t len = strlen(msg->msg);
if (len == 0)
break;
if (fwrite(msg->msg, 1, len, fp) == 0 || fputc('\n', fp) == EOF)
return -1;
}
break;
default:
return -1;
}
}
return 0;
}
bool
set_perms(int perm)
{
return true;
}
bool
restore_perms(void)
{
return true;
}
bool
sudo_nss_can_continue(struct sudo_nss *nss, int match)
{
return true;
}
bool
log_warningx(int flags, const char *fmt, ...)
{
va_list ap;
/* Just display on stderr. */
va_start(ap, fmt);
sudo_vwarnx_nodebug(fmt, ap);
va_end(ap);
return true;
}
static FILE * static FILE *
open_data(const uint8_t *data, size_t size) open_data(const uint8_t *data, size_t size)
{ {
@@ -69,9 +143,13 @@ open_data(const uint8_t *data, size_t size)
#endif #endif
} }
extern struct sudo_nss sudo_nss_file;
int int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ {
struct sudo_nss_list snl = TAILQ_HEAD_INITIALIZER(snl);
struct sudoers_parse_tree parse_tree;
FILE *fp; FILE *fp;
/* Don't waste time fuzzing tiny inputs. */ /* Don't waste time fuzzing tiny inputs. */
@@ -82,16 +160,41 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
if (fp == NULL) if (fp == NULL)
return 0; return 0;
/* Parser needs user_shost for the %h escape in @include expansion. */ /* The minimum needed to perform matching. */
user_host = user_shost = "localhost"; user_host = user_shost = user_runhost = user_srunhost = "localhost";
user_name = "nobody";
user_cmnd = "/usr/bin/id";
user_args = "-u";
user_base = "id";
sudo_user.pw = sudo_getpwnam("root");
runas_pw = sudo_getpwnam("root");
/* Only one sudoers source, the sudoers file itself. */
TAILQ_INSERT_TAIL(&snl, &sudo_nss_file, entries);
init_parse_tree(&parse_tree, user_host, user_shost);
sudo_nss_file.parse_tree = &parse_tree;
/* Initialize defaults and parse sudoers. */ /* Initialize defaults and parse sudoers. */
init_defaults(); init_defaults();
init_parser("sudoers", false, true); init_parser("sudoers", false, true);
sudoersrestart(fp); sudoersrestart(fp);
sudoersparse(); sudoersparse();
reparent_parse_tree(&parse_tree);
if (!parse_error) {
/* Match command against parsed policy. */
int cmnd_status;
sudoers_lookup(&snl, sudo_user.pw, &cmnd_status, false);
/* Match again as a pseudo-command (list, validate, etc). */
sudoers_lookup(&snl, sudo_user.pw, &cmnd_status, true);
/* Display privileges. */
display_privs(&snl, sudo_user.pw, false);
}
/* Cleanup. */ /* Cleanup. */
free_parse_tree(&parse_tree);
init_parser(NULL, false, true); init_parser(NULL, false, true);
fclose(fp); fclose(fp);