lib/fuzzing: add fuzzer for arbitrary token/sd access checks
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Sat, 15 Jul 2023 10:49:22 +0000 (22:49 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 19 Jul 2023 03:31:30 +0000 (03:31 +0000)
The token and descriptor are stored in NDR format; for this purpose we
add a new IDL struct containing this pair (along with a desired access
mask).

An upcoming commit will show how to collect seeds for this fuzzer.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
lib/fuzzing/fuzz_security_token_vs_descriptor.c [new file with mode: 0644]
lib/fuzzing/wscript_build
librpc/idl/security.idl

diff --git a/lib/fuzzing/fuzz_security_token_vs_descriptor.c b/lib/fuzzing/fuzz_security_token_vs_descriptor.c
new file mode 100644 (file)
index 0000000..4f96590
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+  Fuzz a security token and descriptor through an access check
+  Copyright (C) Catalyst IT 2023
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 3 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
+#include "fuzzing/fuzzing.h"
+
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+       return 0;
+}
+
+
+int LLVMFuzzerTestOneInput(uint8_t *input, size_t len)
+{
+       TALLOC_CTX *mem_ctx = NULL;
+       struct security_token_descriptor_fuzzing_pair p = {0};
+       enum ndr_err_code ndr_err;
+       uint32_t access_granted;
+
+       DATA_BLOB blob = {
+               .data = input,
+               .length = len
+       };
+
+       mem_ctx = talloc_new(NULL);
+
+       ndr_err = ndr_pull_struct_blob(
+               &blob, mem_ctx, &p,
+               (ndr_pull_flags_fn_t)ndr_pull_security_token_descriptor_fuzzing_pair);
+
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               goto end;
+       }
+       se_access_check(&p.sd,
+                       &p.token,
+                       p.access_desired,
+                       &access_granted);
+
+end:
+       talloc_free(mem_ctx);
+       return 0;
+}
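Review bot: The `talloc_new(NULL)` result is never checked before it is handed to `ndr_pull_struct_blob`; if it returns NULL the pull will presumably parent its allocations on the NULL context and the final `talloc_free(mem_ctx)` becomes a no-op, so nothing is released. A one-line guard after the allocation, `if (mem_ctx == NULL) { return 0; }`, keeps the harness from leaking (and from tripping a sanitizer) under allocation failure. Note also that the status from `se_access_check` and the resulting `access_granted` are discarded, which is fine for a memory-safety fuzzer but means this harness cannot detect an over-grant in the access-check logic itself; a short comment stating that only crashes and sanitizer findings are in scope would make that intent explicit.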
index 2326cb60f95d39645662e4e09fe7c0aa0aac3fab..52607455b06df03bc7c7a0e964f680b31a6de838 100644 (file)
@@ -132,6 +132,12 @@ bld.SAMBA_BINARY('fuzz_stable_sort_r',
                  deps='fuzzing stable_sort afl-fuzz-main',
                  fuzzer=True)
 
+bld.SAMBA_BINARY('fuzz_security_token_vs_descriptor',
+                 source='fuzz_security_token_vs_descriptor.c',
+                 deps='fuzzing samba-security afl-fuzz-main',
+                 fuzzer=True)
+
+
 # The fuzz_type and fuzz_function parameters make the built
 # fuzzer take the same input as ndrdump and so the same that
 # could be sent to the client or server as the stub data.
index eacef0309c4614f12e835e561ed35997fac61dbd..b699355d77690181c4c79212ad2af4c5265fdb2c 100644 (file)
@@ -678,6 +678,12 @@ interface security
                lsa_SystemAccessModeFlags rights_mask;
        } security_token;
 
+        typedef [public] struct {
+                security_token token;
+                security_descriptor sd;
+                uint32 access_desired;
+        } security_token_descriptor_fuzzing_pair;
+
        /* This is not yet sent over the network, but is simply defined in IDL */
        typedef [public] struct {
                uid_t uid;
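Review bot: The new `security_token_descriptor_fuzzing_pair` struct is added as `[public]` in the security interface without any comment on its purpose, while the neighbouring struct carries a note that it is "not yet sent over the network, but is simply defined in IDL". A comparable comment above the typedef, e.g. `/* Fuzzing-only container for a token/descriptor pair; never sent over the wire. */`, would stop a future reader from treating it as part of the network-visible interface. The name helps, but the comment is what the adjacent definition already relies on.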