This is an archive of the discontinued LLVM Phabricator instance.

Differential D82685

[libFuzzer] Rewrite Linux's ExecuteCommand to use fork-exec instead of system().
AbandonedPublic

Authored by Dor1s on Jun 26 2020, 1:48 PM.

Details

Reviewers
morehouse
metzman
kcc
Summary

User may pass testcases with weird filesnames (e.g. from other fuzzing
engines) which may result in a shell injection via system() calls when
ExecuteCommand() method is called with a bad file path.

https://github.com/google/oss-fuzz/issues/3886

Diff Detail

Event Timeline

Dor1s created this revision.Jun 26 2020, 1:48 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 26 2020, 1:48 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Dor1s marked an inline comment as done.Jun 26 2020, 1:50 PM
Dor1s added inline comments.
compiler-rt/lib/fuzzer/FuzzerCommand.h
72 ↗(On Diff #273830)

I certainly think it's not good to have platform-specific thing here, but the other solution I had in mind was to get rid of system(), which would be a significant refactoring.

Any other ideas are welcome!

Harbormaster failed remote builds in B61987: Diff 273830!Jun 26 2020, 3:10 PM
morehouse added inline comments.Jun 29 2020, 10:27 AM
compiler-rt/lib/fuzzer/FuzzerCommand.h
72 ↗(On Diff #273830)

Can we refactor this into the platform-specific files?

175 ↗(On Diff #273830)

Nit: let's not change this whitespace (same below)

metzman added a comment.Jun 29 2020, 11:39 AM

Thanks!

compiler-rt/lib/fuzzer/FuzzerCommand.h
72 ↗(On Diff #273830)

Is the branching even necessary what's wrong with doing quotes for both?

Also, are we sure this method will catch all cases? What if there are quotes in the name of the file?

I think ideally we would replace system with a call that runs a shell command that doesn't have a problem parsing args (e.g. if this were os.system in python I'd replace with subprocess.run), but that may be too much effort.

Dor1s marked 2 inline comments as done.Jun 29 2020, 4:06 PM
Dor1s added inline comments.
compiler-rt/lib/fuzzer/FuzzerCommand.h
72 ↗(On Diff #273830)

I've started it initially but then it seemed like too much code. Will give another try.

72 ↗(On Diff #273830)

It errors out on Windows with single quotes :/

Right, using e.g. execv would be much better, but it feels like too much unnecessary effort at this point. I don't think sane users supply files with weird symbols in names.

Dor1s updated this revision to Diff 274658.Jun 30 2020, 5:19 PM
Dor1s marked 4 inline comments as done.

split the implementation into platform specific files

Herald added a subscriber: phosek. · View Herald TranscriptJun 30 2020, 5:19 PM
Dor1s added a comment.Jun 30 2020, 5:21 PM

I've split the implementation into platform specific files, but I still don't like it. Plus, as Jonathan mentioned, it still has edge cases e.g. if a filename has a single quote. I'll give a shot at refactoring ExecuteCommand into fork-exec. It looks like I need to re-write only Posix implementation, as Fuchsia is already doing good and Windows is less prone to such issues due to its more restrictive file naming.

So, don't review this yet :)

compiler-rt/lib/fuzzer/FuzzerCommand.h
175 ↗(On Diff #273830)

oops

Harbormaster failed remote builds in B62435: Diff 274658!Jun 30 2020, 6:28 PM
Dor1s updated this revision to Diff 274910.Jul 1 2020, 1:51 PM

Re-write to use fork-exec instead of system() on Linux.

Dor1s retitled this revision from [libFuzzer] Add Command::addPathArgument method to wrap bad paths with quotes. to [libFuzzer] Rewrite Linux's ExecuteCommand to use fork-exec instead of system()..Jul 1 2020, 1:52 PM
Dor1s added a reviewer: kcc.
Dor1s removed a subscriber: kcc.

Ready for review, PTAL.

Harbormaster failed remote builds in B62574: Diff 274910!Jul 1 2020, 3:09 PM
Dor1s added a comment.Jul 1 2020, 3:23 PM

Ready for review, PTAL.

False start, looks like this needs more changes.

Dor1s added a comment.Jul 1 2020, 4:05 PM

Should be better now, ready for review again :)

morehouse added inline comments.Jul 1 2020, 4:55 PM
compiler-rt/lib/fuzzer/FuzzerUtilLinux.cpp
41

This isn't quite right. We still want the 2>&1 behavior when there isn't an output file.

Dor1s updated this revision to Diff 274960.Jul 1 2020, 5:01 PM

Updated the version of ExecuteCommand with piped output.

Dor1s marked 2 inline comments as done.Jul 1 2020, 5:02 PM
Dor1s added inline comments.
compiler-rt/lib/fuzzer/FuzzerUtilLinux.cpp
41

oops, just noticed that my last uploading got stuck on pre-submit linter -- please see lines 45-46, that case is addressed now too

Harbormaster failed remote builds in B62600: Diff 274960!Jul 1 2020, 5:50 PM
morehouse added inline comments.Jul 6 2020, 9:40 AM
compiler-rt/lib/fuzzer/FuzzerUtilLinux.cpp
42

I think we can remove this and just do:

if (Cmd.hasOutputFile()) {
  ...
}
if (Cmd.isOutAndErrCombined())
  dup2(1, 2);
68

If Cmd already has an output file, we should probably just use that one.

kcc added a comment.Jul 6 2020, 10:54 AM

My preference would be to reject weird file names instead of adding this extra complexity.

Dor1s marked an inline comment as done.Jul 6 2020, 11:24 AM
In D82685#2133565, @kcc wrote:

My preference would be to reject weird file names instead of adding this extra complexity.

so we'll have a list of allowed (or disallowed) characters and error out if any of the arguments passed do not comply?

kcc added a comment.Jul 6 2020, 11:25 AM
In D82685#2133646, @Dor1s wrote:
In D82685#2133565, @kcc wrote:

My preference would be to reject weird file names instead of adding this extra complexity.

so we'll have a list of allowed (or disallowed) characters and error out if any of the arguments passed do not comply?

yep.

Dor1s marked an inline comment as done.Jul 6 2020, 11:26 AM
Dor1s added inline comments.
compiler-rt/lib/fuzzer/FuzzerUtilLinux.cpp
42

I thought the same but it didn't seem to work! Will double check again if we decide to proceed with this change.

Dor1s abandoned this revision.Jul 10 2020, 3:31 PM

Alright, we've ended up disabling that behavior in honggfuzz build, so I'll just close this CL for now.

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
1 line
14 lines
54 lines
14 lines
test/
fuzzer/
9 lines

Diff 274960

compiler-rt/lib/fuzzer/FuzzerFork.cpp

Show First 20 LinesShow All 150 Lines▼ Show 20 Lines if (!Seeds.empty()) {
Cmd.addFlag("seed_inputs", "@" + Job->SeedListPath); Cmd.addFlag("seed_inputs", "@" + Job->SeedListPath);
} }
Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log"); Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId)); Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId)); Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId));
Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge"); Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");
Job->JobId = JobId; Job->JobId = JobId;
Cmd.addArgument(Job->CorpusDir); Cmd.addArgument(Job->CorpusDir);
Cmd.addFlag("features_dir", Job->FeaturesDir); Cmd.addFlag("features_dir", Job->FeaturesDir);
for (auto &D : {Job->CorpusDir, Job->FeaturesDir}) { for (auto &D : {Job->CorpusDir, Job->FeaturesDir}) {
RmDirRecursive(D); RmDirRecursive(D);
MkDir(D); MkDir(D);
} }
▲ Show 20 LinesShow All 242 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerUtilDarwin.cpp

Show First 20 LinesShow All 151 Lines▼ Show 20 Lines if (ActiveThreadCount == 0) {
} }
if (FailedRestore) if (FailedRestore)
ProcessStatus = -1; ProcessStatus = -1;
} }
} }
return ProcessStatus; return ProcessStatus;
} }
// Return true on success, false otherwise.
bool ExecuteCommand(const Command &Cmd, std::string *CmdOutput) {
FILE *Pipe = popen(Cmd.toString().c_str(), "r");
if (!Pipe)
return false;
if (CmdOutput) {
char TmpBuffer[128];
while (fgets(TmpBuffer, sizeof(TmpBuffer), Pipe))
CmdOutput->append(TmpBuffer);
}
return pclose(Pipe) == 0;
}
void DiscardOutput(int Fd) { void DiscardOutput(int Fd) {
FILE* Temp = fopen("/dev/null", "w"); FILE* Temp = fopen("/dev/null", "w");
if (!Temp) if (!Temp)
return; return;
dup2(fileno(Temp), Fd); dup2(fileno(Temp), Fd);
fclose(Temp); fclose(Temp);
} }
} // namespace fuzzer } // namespace fuzzer
#endif // LIBFUZZER_APPLE #endif // LIBFUZZER_APPLE

compiler-rt/lib/fuzzer/FuzzerUtilLinux.cpp

Show All 15 Lines
#include <sys/types.h> #include <sys/types.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <unistd.h> #include <unistd.h>
namespace fuzzer { namespace fuzzer {
int ExecuteCommand(const Command &Cmd) { int ExecuteCommand(const Command &Cmd) {
std::string CmdLine = Cmd.toString(); int ExitCode, ProcessStatus = 0;
int exit_code = system(CmdLine.c_str()); pid_t Pid = fork();
if (WIFEXITED(exit_code))
return WEXITSTATUS(exit_code); if (Pid == 0) { // Child process. Execute the given command here.
return exit_code; auto Args = Cmd.getArguments();
Vector<const char *> Argv(Args.size() + 1, nullptr);
std::transform(
Args.begin(), Args.end(), Argv.begin(),
[](const std::string &S) -> auto { return S.c_str(); });
if (Cmd.hasOutputFile()) {
FILE *OutputFile = fopen(Cmd.getOutputFile().c_str(), "w");
if (!OutputFile)
return -1;
dup2(fileno(OutputFile), 1);
if (Cmd.isOutAndErrCombined())
morehouseUnsubmitted
Done
ReplyInline Actions

This isn't quite right. We still want the 2>&1 behavior when there isn't an output file.

morehouse: This isn't quite right. We still want the `2>&1` behavior when there isn't an output file.
Dor1sAuthorUnsubmitted
Done
ReplyInline Actions

oops, just noticed that my last uploading got stuck on pre-submit linter -- please see lines 45-46, that case is addressed now too

Dor1s: oops, just noticed that my last uploading got stuck on pre-submit linter -- please see lines 45…
dup2(fileno(OutputFile), 2);
morehouseUnsubmitted
Not Done
ReplyInline Actions

I think we can remove this and just do:

if (Cmd.hasOutputFile()) {
  ...
}
if (Cmd.isOutAndErrCombined())
  dup2(1, 2);
morehouse: I think we can remove this and just do: ``` if (Cmd.hasOutputFile()) { ... } if (Cmd.
Dor1sAuthorUnsubmitted
Done
ReplyInline Actions

I thought the same but it didn't seem to work! Will double check again if we decide to proceed with this change.

Dor1s: I thought the same but it didn't seem to work! Will double check again if we decide to proceed…
fclose(OutputFile);
} else if (Cmd.isOutAndErrCombined())
dup2(1, 2);
exit(execvp(Argv[0], const_cast<char *const *>(Argv.data())));
} else if (Pid > 0) { // Parent process. Wait for the child's exit code.
Pid = waitpid(Pid, &ProcessStatus, 0);
if (Pid == -1)
ExitCode = -1;
else
ExitCode = ProcessStatus;
} else {
ExitCode = -1;
}
if (WIFEXITED(ExitCode))
return WEXITSTATUS(ExitCode);
return ExitCode;
}
// Return true on success, false otherwise.
bool ExecuteCommand(const Command &BaseCmd, std::string *CmdOutput) {
Lint: Pre-merge checks
Inline Actions

clang-tidy: warning: invalid case style for function 'ExecuteCommand' [readability-identifier-naming]
not useful

Lint: Pre-merge checks: clang-tidy: warning: invalid case style for function 'ExecuteCommand' [readability-identifier…
auto LogFilePath = TempPath("SimPopenOut", ".txt");
Command Cmd(BaseCmd);
Cmd.setOutputFile(LogFilePath);
morehouseUnsubmitted
Not Done
ReplyInline Actions

If Cmd already has an output file, we should probably just use that one.

morehouse: If `Cmd` already has an output file, we should probably just use that one.
int Ret = ExecuteCommand(Cmd);
*CmdOutput = FileToString(LogFilePath);
RemoveFile(LogFilePath);
return Ret == 0;
} }
void DiscardOutput(int Fd) { void DiscardOutput(int Fd) {
FILE* Temp = fopen("/dev/null", "w"); FILE* Temp = fopen("/dev/null", "w");
if (!Temp) if (!Temp)
return; return;
dup2(fileno(Temp), Fd); dup2(fileno(Temp), Fd);
fclose(Temp); fclose(Temp);
} }
} // namespace fuzzer } // namespace fuzzer
#endif #endif

compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp

Show First 20 LinesShow All 80 Lines▼ Show 20 Linesstatic void SetSigaction(int signum,
sigact.sa_flags = SA_SIGINFO; sigact.sa_flags = SA_SIGINFO;
sigact.sa_sigaction = callback; sigact.sa_sigaction = callback;
if (sigaction(signum, &sigact, 0)) { if (sigaction(signum, &sigact, 0)) {
Printf("libFuzzer: sigaction failed with %d\n", errno); Printf("libFuzzer: sigaction failed with %d\n", errno);
exit(1); exit(1);
} }
} }
// Return true on success, false otherwise.
bool ExecuteCommand(const Command &Cmd, std::string *CmdOutput) {
FILE *Pipe = popen(Cmd.toString().c_str(), "r");
if (!Pipe)
return false;
if (CmdOutput) {
char TmpBuffer[128];
while (fgets(TmpBuffer, sizeof(TmpBuffer), Pipe))
CmdOutput->append(TmpBuffer);
}
return pclose(Pipe) == 0;
}
void SetTimer(int Seconds) { void SetTimer(int Seconds) {
struct itimerval T { struct itimerval T {
{Seconds, 0}, { Seconds, 0 } {Seconds, 0}, { Seconds, 0 }
}; };
if (setitimer(ITIMER_REAL, &T, nullptr)) { if (setitimer(ITIMER_REAL, &T, nullptr)) {
Printf("libFuzzer: setitimer failed with %d\n", errno); Printf("libFuzzer: setitimer failed with %d\n", errno);
exit(1); exit(1);
} }
▲ Show 20 LinesShow All 75 LinesShow Last 20 Lines

compiler-rt/test/fuzzer/minimize_crash_with_bad_filename.test

  • This file was added.
// Test verifies that libFuzzer handles filenames that may break shell commands.
UNSUPPORTED: darwin, windows
RUN: %cpp_compiler %S/NullDerefTest.cpp -o %t-NullDerefTest
RUN: mkdir -p %t.dir
RUN: echo -n 'Hi!AAA' > '%t.dir/bad;(%file)name'
RUN: %run %t-NullDerefTest -minimize_crash=1 '%t.dir/bad;(%file)name' -max_total_time=2 2>&1 | FileCheck %s --check-prefix=BAD_FILENAME
BAD_FILENAME: failed to minimize beyond