SELinuxProject / selinux

This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs and patches should be submitted to selinux@vger.kernel.org

Binary policy read fuzzer #316

Closed cgzones closed 2 years ago

cgzones commented 3 years ago

Introduce a libfuzzer based fuzzer testing the parsing of a binary policy.

Build the fuzzer in the oss-fuzz script.

Additionally fix several reported issues.

@evverx @fishilico

evverx commented 3 years ago

CIFuzz failed due to https://github.com/google/clusterfuzz/pull/2471 as far as I can tell. The next push should trigger CIFuzz without that bug I think

evverx commented 3 years ago

The next push should trigger CIFuzz without that bug I think

Unfortunately, it seems the latest version of libClusterFuzz hasn't been released yet. Until it's updated on OSS-Fuzz/CIFuzz that issue can be "fixed" temporarily by reverting the commit where report-unreproducible-crashes is set to true.

evverx commented 3 years ago

On a somewhat related note, I think your gmail address should be added to https://github.com/google/oss-fuzz/blob/master/projects/selinux/project.yaml so that you could have access to bug reports. If you don't want to sign their CLA I can open a PR there. Just let me know what you think. Thanks!

evverx commented 3 years ago

that issue can be "fixed" temporarily by reverting the commit where report-unreproducible-crashes is set to true

To judge from https://github.com/SELinuxProject/selinux/pull/318, with that commit reverted and secilc-fuzzer_seed_corpus.zip copied to binpolicy-fuzzer_seed_corpus.zip, CIFuzz got past secilc-fuzzer and managed to trigger three new issues as far as I can see.

evverx commented 3 years ago

Now that https://github.com/google/oss-fuzz/pull/6574 is merged I think it should be safe to bring that commit back.

cgzones commented 3 years ago

@evverx I noticed the step Build Fuzzers is taking more than 3 minutes due to the command apt-get install -y bison flex gawk gettext make libaudit-dev libbz2-dev libcap-dev libcap-ng-dev libglib2.0-dev libpcre3-dev xmlto (https://github.com/google/oss-fuzz/blob/fd15c6d57aa13667af2521daf6167a2d8cd2ecb7/projects/selinux/Dockerfile#L19). Is there a more suitable base image pre-containing more of the required packages or would adding the apt-get option --no-install-recommends reduce the amount of installed packages?

evverx commented 3 years ago

@cgzones OSS-Fuzz provides the "base-builder" image on top of which all the projects are built. I think --no-install-recommends would be the only way to speed up that step.

ghost commented 3 years ago

cgzones writes:

@evverx I noticed the step Build Fuzzers is taking more than 3 minutes due to the command apt-get install -y bison flex gawk gettext make libaudit-dev libbz2-dev libcap-dev libcap-ng-dev libglib2.0-dev libpcre3-dev xmlto (https://github.com/google/oss-fuzz/blob/fd15c6d57aa13667af2521daf6167a2d8cd2ecb7/projects/selinux/Dockerfile#L19).

Is there a more suitable base image pre-containing more of the required packages or would adding the apt-get option --no-install-recommends reduce the amount of installed packages?

-yy implies --no-install-recommends

xmlto probably pulls in a lot of stuff, and afaik you only need that for building the secilc man pages; unfortunately that is implied by make install (but a make secilc does not require xmlto). If this is just about libsepol then I suspect one might be able to exclude a bunch of those build deps.


--
gpg --locate-keys @.***
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift

cgzones commented 3 years ago

-yy implies --no-install-recommends. xmlto probably pulls in a lot of stuff, and afaik you only need that for building the secilc man pages; unfortunately that is implied by make install (but a make secilc does not require xmlto). If this is just about libsepol then I suspect one might be able to exclude a bunch of those build deps.

Then we can probably get rid of some dependencies and also convert

make -C libsepol V=1 LD_SONAME_FLAGS='-soname,$(LIBSO),--version-script=$(LIBMAP)' -j"$(nproc)" install

into

make -C libsepol V=1 LD_SONAME_FLAGS='-soname,$(LIBSO),--version-script=$(LIBMAP)' -j"$(nproc)" libsepol.a

since we link statically anyway.

edit: seems without the install target it gets quite complicated to compile the fuzzers with the development headers instead of the system ones (thus the current approach is simpler).

ghost commented 3 years ago

cgzones writes:

-yy implies --no-install-recommends. xmlto probably pulls in a lot of stuff, and afaik you only need that for building the secilc man pages; unfortunately that is implied by make install (but a make secilc does not require xmlto). If this is just about libsepol then I suspect one might be able to exclude a bunch of those build deps.

Then we can probably get rid of some dependencies and also convert

make -C libsepol V=1 LD_SONAME_FLAGS='-soname,$(LIBSO),--version-script=$(LIBMAP)' -j"$(nproc)" install

into

make -C libsepol V=1 LD_SONAME_FLAGS='-soname,$(LIBSO),--version-script=$(LIBMAP)' -j"$(nproc)" libsepol.a

since we link statically anyway.

I meant -qq instead of -yy, by the way. --no-install-recommends alone should already speed things up considerably. But yes, no point in installing build deps you do not need.



evverx commented 3 years ago

I opened https://github.com/google/oss-fuzz/pull/6586 where --no-install-recommends is passed to apt-get and xmlto is no longer installed. By the looks of it, it seems to be working.

evverx commented 3 years ago

@cgzones while I'm at it I can add your email address to https://github.com/google/oss-fuzz/blob/master/projects/selinux/project.yaml if it's fine by you.

cgzones commented 3 years ago

while I'm at it I can add your email address to https://github.com/google/oss-fuzz/blob/master/projects/selinux/project.yaml if it's fine by you.

I'll ask the maintainers if it's ok for them once this patch-set is about to be merged.

evverx commented 2 years ago

@cgzones it seems OSS-Fuzz started reporting bugs found by the fuzzer: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42697

==462==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000050a2f0 bp 0x7fff482b9050 sp 0x7fff482b8f40 T0)
==462==The signal is caused by a READ memory access.
==462==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x50a2f0 in build_type_map selinux/libsepol/src/optimize.c:107:33
    #1 0x50a2f0 in policydb_optimize selinux/libsepol/src/optimize.c:441:13
    #2 0x4e12f3 in LLVMFuzzerTestOneInput selinux/libsepol/fuzz/binpolicy-fuzzer.c:42:10
    #3 0x4d725b in main
    #4 0x7f69776920b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #5 0x41d4ed in _start
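As an added example that is not part of this pull request or of libsepol, here is the shape of a libFuzzer harness like the one this PR introduces, written around a small, self-contained parser for the header of a binary kernel policy so that it builds and runs without libsepol. Everything about the format here is an assumption for illustration (the little-endian layout of a 0xf97cff8c magic, a length-prefixed "SE Linux" string, and version, config, sym_num and ocon_num fields, the version bounds 15..33, and the table caps SYM_NUM and OCON_NUM); the real binpolicy-fuzzer.c in this PR hands the whole input to libsepol's policydb_read and then policydb_optimize, as the trace above shows. What it demonstrates is the discipline a parser needs before later stages consume its output: every length or count read from the input is bounded before anything uses it as a size or an index, and the harness itself always returns 0, because the finding is a sanitizer report, not a return code.

```c
/* Added example, not code from the SELinux project: a libFuzzer-style harness
 * over a self-contained parser for a binary kernel-policy header. Assumed
 * layout (all little-endian): u32 magic 0xf97cff8c, u32 len, char[len] equal
 * to "SE Linux", u32 version, u32 config, u32 sym_num, u32 ocon_num. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define POLICYDB_MAGIC       0xf97cff8cu
#define POLICYDB_STRING      "SE Linux"
#define POLICYDB_STRING_MAX  32
#define POLICYDB_VERSION_MIN 15  /* assumed bounds */
#define POLICYDB_VERSION_MAX 33
#define SYM_NUM  8               /* assumed table caps */
#define OCON_NUM 9

struct policy_header { uint32_t version, config, sym_num, ocon_num; };
struct cursor { const uint8_t *p; size_t left; };

/* Read one little-endian u32, refusing to run past the end of the buffer. */
static int get_le32(struct cursor *c, uint32_t *out)
{
    if (c->left < 4) return -1;
    *out = (uint32_t)c->p[0] | (uint32_t)c->p[1] << 8 |
           (uint32_t)c->p[2] << 16 | (uint32_t)c->p[3] << 24;
    c->p += 4;
    c->left -= 4;
    return 0;
}

/* Returns 0 and fills *hdr on success, -1 on any malformed header. */
int parse_policy_header(const uint8_t *data, size_t size, struct policy_header *hdr)
{
    struct cursor c = { data, size };
    uint32_t magic, len;
    if (get_le32(&c, &magic) < 0 || magic != POLICYDB_MAGIC)
        return -1;
    /* len is attacker-controlled: bound it before it is used as a size. */
    if (get_le32(&c, &len) < 0 || len == 0 || len > POLICYDB_STRING_MAX || len > c.left)
        return -1;
    if (len != strlen(POLICYDB_STRING) || memcmp(c.p, POLICYDB_STRING, len) != 0)
        return -1;
    c.p += len; c.left -= len;
    if (get_le32(&c, &hdr->version) < 0 || get_le32(&c, &hdr->config) < 0 ||
        get_le32(&c, &hdr->sym_num) < 0 || get_le32(&c, &hdr->ocon_num) < 0)
        return -1;
    if (hdr->version < POLICYDB_VERSION_MIN || hdr->version > POLICYDB_VERSION_MAX)
        return -1;
    /* These counts drive later loops and indexing; cap them so a later stage
     * never walks a table the parser did not fill in. */
    if (hdr->sym_num > SYM_NUM || hdr->ocon_num > OCON_NUM)
        return -1;
    return 0;
}

/* libFuzzer entry point: the finding is a sanitizer report, never a return
 * code, so every input, accepted or rejected, returns 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct policy_header hdr;
    (void)parse_policy_header(data, size, &hdr); /* later stages would use hdr */
    return 0;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed sample header (not a real policy); returns bytes written. */
size_t build_sample_header(uint8_t *out, size_t cap, uint32_t version)
{
    size_t slen = strlen(POLICYDB_STRING), need = 8 + slen + 16;
    if (cap < need) return 0;
    put_le32(out, POLICYDB_MAGIC);
    put_le32(out + 4, (uint32_t)slen);
    memcpy(out + 8, POLICYDB_STRING, slen);
    put_le32(out + 8 + slen, version);
    put_le32(out + 12 + slen, 0); /* config */
    put_le32(out + 16 + slen, SYM_NUM);
    put_le32(out + 20 + slen, OCON_NUM);
    return need;
}

/* Feed the parser a valid sample, a truncated copy and a copy whose string
 * length claims more than the buffer holds; return how many were accepted. */
int smoke_test(void)
{
    uint8_t buf[64];
    struct policy_header hdr;
    size_t n = build_sample_header(buf, sizeof buf, POLICYDB_VERSION_MAX);
    int accepted = 0;
    if (n && parse_policy_header(buf, n, &hdr) == 0 && hdr.version == POLICYDB_VERSION_MAX)
        accepted++;
    if (n && parse_policy_header(buf, n - 1, &hdr) == 0)
        accepted++;
    put_le32(buf + 4, 0xffffffffu);
    if (parse_policy_header(buf, n, &hdr) == 0)
        accepted++;
    return accepted; /* expected: 1 */
}
```

Build it with clang -g -O1 -fsanitize=fuzzer,address harness.c -o harness and run ./harness corpus/ with a directory of seed policies; a `<fuzzer>_seed_corpus.zip` such as the binpolicy-fuzzer_seed_corpus.zip discussed above is what OSS-Fuzz unpacks into that directory. smoke_test() returns 1 because only the well-formed sample is accepted; the truncated and oversized-length copies are rejected before any field is used.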