This is an archive of the discontinued LLVM Phabricator instance.

Differential D82685

[libFuzzer] Rewrite Linux's ExecuteCommand to use fork-exec instead of system().
AbandonedPublic

Authored by Dor1s on Jun 26 2020, 1:48 PM.

Details

Reviewers
morehouse
metzman
kcc
Summary

User may pass testcases with weird filesnames (e.g. from other fuzzing
engines) which may result in a shell injection via system() calls when
ExecuteCommand() method is called with a bad file path.

https://github.com/google/oss-fuzz/issues/3886

Diff Detail

Event Timeline

Dor1s created this revision.Jun 26 2020, 1:48 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 26 2020, 1:48 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Dor1s marked an inline comment as done.Jun 26 2020, 1:50 PM
Dor1s added inline comments.
compiler-rt/lib/fuzzer/FuzzerCommand.h
72

I certainly think it's not good to have platform-specific thing here, but the other solution I had in mind was to get rid of system(), which would be a significant refactoring.

Any other ideas are welcome!

Harbormaster failed remote builds in B61987: Diff 273830!Jun 26 2020, 3:10 PM
morehouse added inline comments.Jun 29 2020, 10:27 AM
compiler-rt/lib/fuzzer/FuzzerCommand.h
72

Can we refactor this into the platform-specific files?

175

Nit: let's not change this whitespace (same below)

metzman added a comment.Jun 29 2020, 11:39 AM

Thanks!

compiler-rt/lib/fuzzer/FuzzerCommand.h
72

Is the branching even necessary what's wrong with doing quotes for both?

Also, are we sure this method will catch all cases? What if there are quotes in the name of the file?

I think ideally we would replace system with a call that runs a shell command that doesn't have a problem parsing args (e.g. if this were os.system in python I'd replace with subprocess.run), but that may be too much effort.

Dor1s marked 2 inline comments as done.Jun 29 2020, 4:06 PM
Dor1s added inline comments.
compiler-rt/lib/fuzzer/FuzzerCommand.h
72

I've started it initially but then it seemed like too much code. Will give another try.

72

It errors out on Windows with single quotes :/

Right, using e.g. execv would be much better, but it feels like too much unnecessary effort at this point. I don't think sane users supply files with weird symbols in names.

Dor1s updated this revision to Diff 274658.Jun 30 2020, 5:19 PM
Dor1s marked 4 inline comments as done.

split the implementation into platform specific files

Herald added a subscriber: phosek. · View Herald TranscriptJun 30 2020, 5:19 PM
Dor1s added a comment.Jun 30 2020, 5:21 PM

I've split the implementation into platform specific files, but I still don't like it. Plus, as Jonathan mentioned, it still has edge cases e.g. if a filename has a single quote. I'll give a shot at refactoring ExecuteCommand into fork-exec. It looks like I need to re-write only Posix implementation, as Fuchsia is already doing good and Windows is less prone to such issues due to its more restrictive file naming.

So, don't review this yet :)

compiler-rt/lib/fuzzer/FuzzerCommand.h
175

oops

Harbormaster failed remote builds in B62435: Diff 274658!Jun 30 2020, 6:28 PM
Dor1s updated this revision to Diff 274910.Jul 1 2020, 1:51 PM

Re-write to use fork-exec instead of system() on Linux.

Dor1s retitled this revision from [libFuzzer] Add Command::addPathArgument method to wrap bad paths with quotes. to [libFuzzer] Rewrite Linux's ExecuteCommand to use fork-exec instead of system()..Jul 1 2020, 1:52 PM
Dor1s added a reviewer: kcc.
Dor1s removed a subscriber: kcc.

Ready for review, PTAL.

Harbormaster failed remote builds in B62574: Diff 274910!Jul 1 2020, 3:09 PM
Dor1s added a comment.Jul 1 2020, 3:23 PM

Ready for review, PTAL.

False start, looks like this needs more changes.

Dor1s added a comment.Jul 1 2020, 4:05 PM

Should be better now, ready for review again :)

morehouse added inline comments.Jul 1 2020, 4:55 PM
compiler-rt/lib/fuzzer/FuzzerUtilLinux.cpp
41 ↗(On Diff #274910)

This isn't quite right. We still want the 2>&1 behavior when there isn't an output file.

Dor1s updated this revision to Diff 274960.Jul 1 2020, 5:01 PM

Updated the version of ExecuteCommand with piped output.

Dor1s marked 2 inline comments as done.Jul 1 2020, 5:02 PM
Dor1s added inline comments.
compiler-rt/lib/fuzzer/FuzzerUtilLinux.cpp
41 ↗(On Diff #274910)

oops, just noticed that my last uploading got stuck on pre-submit linter -- please see lines 45-46, that case is addressed now too

Harbormaster failed remote builds in B62600: Diff 274960!Jul 1 2020, 5:50 PM
morehouse added inline comments.Jul 6 2020, 9:40 AM
compiler-rt/lib/fuzzer/FuzzerUtilLinux.cpp
42 ↗(On Diff #274960)

I think we can remove this and just do:

if (Cmd.hasOutputFile()) {
  ...
}
if (Cmd.isOutAndErrCombined())
  dup2(1, 2);
68 ↗(On Diff #274960)

If Cmd already has an output file, we should probably just use that one.

kcc added a comment.Jul 6 2020, 10:54 AM

My preference would be to reject weird file names instead of adding this extra complexity.

Dor1s marked an inline comment as done.Jul 6 2020, 11:24 AM
In D82685#2133565, @kcc wrote:

My preference would be to reject weird file names instead of adding this extra complexity.

so we'll have a list of allowed (or disallowed) characters and error out if any of the arguments passed do not comply?

kcc added a comment.Jul 6 2020, 11:25 AM
In D82685#2133646, @Dor1s wrote:
In D82685#2133565, @kcc wrote:

My preference would be to reject weird file names instead of adding this extra complexity.

so we'll have a list of allowed (or disallowed) characters and error out if any of the arguments passed do not comply?

yep.

Dor1s marked an inline comment as done.Jul 6 2020, 11:26 AM
Dor1s added inline comments.
compiler-rt/lib/fuzzer/FuzzerUtilLinux.cpp
42 ↗(On Diff #274960)

I thought the same but it didn't seem to work! Will double check again if we decide to proceed with this change.

Dor1s abandoned this revision.Jul 10 2020, 3:31 PM

Alright, we've ended up disabling that behavior in honggfuzz build, so I'll just close this CL for now.

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
12 lines
8 lines
2 lines
5 lines
1 line
test/
fuzzer/
4 lines

Diff 273830

compiler-rt/lib/fuzzer/FuzzerCommand.h

Show First 20 LinesShow All 60 Lines▼ Show 20 Linespublic:
const Vector<std::string> &getArguments() const { return Args; } const Vector<std::string> &getArguments() const { return Args; }
// Adds the given argument before "-ignore_remaining_args=1", or at the end // Adds the given argument before "-ignore_remaining_args=1", or at the end
// if that flag isn't present. // if that flag isn't present.
void addArgument(const std::string &Arg) { void addArgument(const std::string &Arg) {
Args.insert(endMutableArgs(), Arg); Args.insert(endMutableArgs(), Arg);
} }
// Add the given path argument before "-ignore_remaining_args=1", or at the
// end if that flag isn't present.
void addPathArgument(const std::string &Path) {
#ifdef LIBFUZZER_WINDOWS
Dor1sAuthorUnsubmitted
Done
ReplyInline Actions

I certainly think it's not good to have platform-specific thing here, but the other solution I had in mind was to get rid of system(), which would be a significant refactoring.

Any other ideas are welcome!

Dor1s: I certainly think it's not good to have platform-specific thing here, but the other solution I…
morehouseUnsubmitted
Done
ReplyInline Actions

Can we refactor this into the platform-specific files?

morehouse: Can we refactor this into the platform-specific files?
Dor1sAuthorUnsubmitted
Done
ReplyInline Actions

I've started it initially but then it seemed like too much code. Will give another try.

Dor1s: I've started it initially but then it seemed like too much code. Will give another try.
metzmanUnsubmitted
Done
ReplyInline Actions

Is the branching even necessary what's wrong with doing quotes for both?

Also, are we sure this method will catch all cases? What if there are quotes in the name of the file?

I think ideally we would replace system with a call that runs a shell command that doesn't have a problem parsing args (e.g. if this were os.system in python I'd replace with subprocess.run), but that may be too much effort.

metzman: Is the branching even necessary what's wrong with doing quotes for both? Also, are we sure…
Dor1sAuthorUnsubmitted
Done
ReplyInline Actions

It errors out on Windows with single quotes :/

Right, using e.g. execv would be much better, but it feels like too much unnecessary effort at this point. I don't think sane users supply files with weird symbols in names.

Dor1s: It errors out on Windows with single quotes :/ Right, using e.g. `execv` would be much better…
addArgument(Path);
#else
// Wrap the path with single quotes to avoid shell injection into system().
addArgument("'" + Path + "'");
#endif // LIBFUZZER_WINDOWS
}
// Adds all given arguments before "-ignore_remaining_args=1", or at the end // Adds all given arguments before "-ignore_remaining_args=1", or at the end
// if that flag isn't present. // if that flag isn't present.
void addArguments(const Vector<std::string> &ArgsToAdd) { void addArguments(const Vector<std::string> &ArgsToAdd) {
Args.insert(endMutableArgs(), ArgsToAdd.begin(), ArgsToAdd.end()); Args.insert(endMutableArgs(), ArgsToAdd.begin(), ArgsToAdd.end());
} }
// Removes the given argument from the command argument list. Ignores any // Removes the given argument from the command argument list. Ignores any
// occurrences after "-ignore_remaining_args=1", if present. // occurrences after "-ignore_remaining_args=1", if present.
▲ Show 20 LinesShow All 90 Lines▼ Show 20 Linesprivate:
Vector<std::string> Args; Vector<std::string> Args;
// True indicates stderr is redirected to stdout. // True indicates stderr is redirected to stdout.
bool CombinedOutAndErr; bool CombinedOutAndErr;
// If not empty, stdout is redirected to the named file. // If not empty, stdout is redirected to the named file.
std::string OutputFile; std::string OutputFile;
}; };
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: let's not change this whitespace (same below)

morehouse: Nit: let's not change this whitespace (same below)
Dor1sAuthorUnsubmitted
Done
ReplyInline Actions

oops

Dor1s: oops
} // namespace fuzzer } // namespace fuzzer
#endif // LLVM_FUZZER_COMMAND_H #endif // LLVM_FUZZER_COMMAND_H

compiler-rt/lib/fuzzer/FuzzerDataFlowTrace.cpp

Show First 20 LinesShow All 260 Lines▼ Show 20 Lines for (auto &F : CorporaFiles) {
// Data flow collection may fail if we request too many DFSan tags at once. // Data flow collection may fail if we request too many DFSan tags at once.
// So, we start from requesting all tags in range [0,Size) and if that fails // So, we start from requesting all tags in range [0,Size) and if that fails
// we then request tags in [0,Size/2) and [Size/2, Size), and so on. // we then request tags in [0,Size/2) and [Size/2, Size), and so on.
// Function number => DFT. // Function number => DFT.
auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File))); auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File)));
std::unordered_map<size_t, Vector<uint8_t>> DFTMap; std::unordered_map<size_t, Vector<uint8_t>> DFTMap;
std::unordered_set<std::string> Cov; std::unordered_set<std::string> Cov;
Command Cmd; Command Cmd;
Cmd.addArgument(DFTBinary); Cmd.addPathArgument(DFTBinary);
Cmd.addArgument(F.File); Cmd.addPathArgument(F.File);
Cmd.addArgument(OutPath); Cmd.addPathArgument(OutPath);
Printf("CMD: %s\n", Cmd.toString().c_str()); Printf("CMD: %s\n", Cmd.toString().c_str());
ExecuteCommand(Cmd); ExecuteCommand(Cmd);
} }
// Write functions.txt if it's currently empty or doesn't exist. // Write functions.txt if it's currently empty or doesn't exist.
auto FunctionsTxtPath = DirPlusFile(DirPath, kFunctionsTxt); auto FunctionsTxtPath = DirPlusFile(DirPath, kFunctionsTxt);
if (FileToString(FunctionsTxtPath).empty()) { if (FileToString(FunctionsTxtPath).empty()) {
Command Cmd; Command Cmd;
Cmd.addArgument(DFTBinary); Cmd.addPathArgument(DFTBinary);
Cmd.setOutputFile(FunctionsTxtPath); Cmd.setOutputFile(FunctionsTxtPath);
ExecuteCommand(Cmd); ExecuteCommand(Cmd);
} }
return 0; return 0;
} }
} // namespace fuzzer } // namespace fuzzer

compiler-rt/lib/fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 393 Lines▼ Show 20 Linesint MinimizeCrashInput(const Vector<std::string> &Args,
std::string CurrentFilePath = InputFilePath; std::string CurrentFilePath = InputFilePath;
while (true) { while (true) {
Unit U = FileToVector(CurrentFilePath); Unit U = FileToVector(CurrentFilePath);
Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n", Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n",
CurrentFilePath.c_str(), U.size()); CurrentFilePath.c_str(), U.size());
Command Cmd(BaseCmd); Command Cmd(BaseCmd);
Cmd.addArgument(CurrentFilePath); Cmd.addPathArgument(CurrentFilePath);
Printf("CRASH_MIN: executing: %s\n", Cmd.toString().c_str()); Printf("CRASH_MIN: executing: %s\n", Cmd.toString().c_str());
std::string CmdOutput; std::string CmdOutput;
bool Success = ExecuteCommand(Cmd, &CmdOutput); bool Success = ExecuteCommand(Cmd, &CmdOutput);
if (Success) { if (Success) {
Printf("ERROR: the input %s did not crash\n", CurrentFilePath.c_str()); Printf("ERROR: the input %s did not crash\n", CurrentFilePath.c_str());
exit(1); exit(1);
} }
▲ Show 20 LinesShow All 449 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerFork.cpp

Show First 20 LinesShow All 150 Lines▼ Show 20 Lines if (!Seeds.empty()) {
Cmd.addFlag("seed_inputs", "@" + Job->SeedListPath); Cmd.addFlag("seed_inputs", "@" + Job->SeedListPath);
} }
Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log"); Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId)); Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId)); Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId));
Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge"); Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");
Job->JobId = JobId; Job->JobId = JobId;
Cmd.addPathArgument(Job->CorpusDir);
Cmd.addArgument(Job->CorpusDir);
Cmd.addFlag("features_dir", Job->FeaturesDir); Cmd.addFlag("features_dir", Job->FeaturesDir);
for (auto &D : {Job->CorpusDir, Job->FeaturesDir}) { for (auto &D : {Job->CorpusDir, Job->FeaturesDir}) {
RmDirRecursive(D); RmDirRecursive(D);
MkDir(D); MkDir(D);
} }
Cmd.setOutputFile(Job->LogPath); Cmd.setOutputFile(Job->LogPath);
▲ Show 20 LinesShow All 63 Lines▼ Show 20 Linesstruct GlobalEnv {
void CollectDFT(const std::string &InputPath) { void CollectDFT(const std::string &InputPath) {
if (DataFlowBinary.empty()) return; if (DataFlowBinary.empty()) return;
if (!FilesWithDFT.insert(InputPath).second) return; if (!FilesWithDFT.insert(InputPath).second) return;
Command Cmd(Args); Command Cmd(Args);
Cmd.removeFlag("fork"); Cmd.removeFlag("fork");
Cmd.removeFlag("runs"); Cmd.removeFlag("runs");
Cmd.addFlag("data_flow_trace", DFTDir); Cmd.addFlag("data_flow_trace", DFTDir);
Cmd.addArgument(InputPath); Cmd.addPathArgument(InputPath);
for (auto &C : CorpusDirs) // Remove all corpora from the args. for (auto &C : CorpusDirs) // Remove all corpora from the args.
Cmd.removeArgument(C); Cmd.removeArgument(C);
Cmd.setOutputFile(DirPlusFile(TempDir, "dft.log")); Cmd.setOutputFile(DirPlusFile(TempDir, "dft.log"));
Cmd.combineOutAndErr(); Cmd.combineOutAndErr();
// Printf("CollectDFT: %s\n", Cmd.toString().c_str()); // Printf("CollectDFT: %s\n", Cmd.toString().c_str());
ExecuteCommand(Cmd); ExecuteCommand(Cmd);
} }
▲ Show 20 LinesShow All 161 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerUtil.h

Show First 20 LinesShow All 99 Lines▼ Show 20 Linesinline uint8_t *RoundUpByPage(uint8_t *P) {
return reinterpret_cast<uint8_t *>(X); return reinterpret_cast<uint8_t *>(X);
} }
inline uint8_t *RoundDownByPage(uint8_t *P) { inline uint8_t *RoundDownByPage(uint8_t *P) {
uintptr_t X = reinterpret_cast<uintptr_t>(P); uintptr_t X = reinterpret_cast<uintptr_t>(P);
size_t Mask = PageSize() - 1; size_t Mask = PageSize() - 1;
X = X & ~Mask; X = X & ~Mask;
return reinterpret_cast<uint8_t *>(X); return reinterpret_cast<uint8_t *>(X);
} }
} // namespace fuzzer } // namespace fuzzer
#endif // LLVM_FUZZER_UTIL_H #endif // LLVM_FUZZER_UTIL_H

compiler-rt/test/fuzzer/minimize_crash.test

Show All 9 Lines
RUN: rm %t.dir/not_minimal_crash %t.exact_minimized_path RUN: rm %t.dir/not_minimal_crash %t.exact_minimized_path
RUN: echo -n 'abcd*xyz' > %t.dir/not_minimal_crash RUN: echo -n 'abcd*xyz' > %t.dir/not_minimal_crash
RUN: %run %t-SingleByteInputTest -minimize_crash=1 %t.dir/not_minimal_crash -exact_artifact_path=%t.exact_minimized_path 2>&1 | FileCheck %s --check-prefix=MIN1 RUN: %run %t-SingleByteInputTest -minimize_crash=1 %t.dir/not_minimal_crash -exact_artifact_path=%t.exact_minimized_path 2>&1 | FileCheck %s --check-prefix=MIN1
MIN1: Test unit written to {{.*}}exact_minimized_path MIN1: Test unit written to {{.*}}exact_minimized_path
MIN1: Test unit written to {{.*}}exact_minimized_path MIN1: Test unit written to {{.*}}exact_minimized_path
MIN1: INFO: The input is small enough, exiting MIN1: INFO: The input is small enough, exiting
MIN1: CRASH_MIN: failed to minimize beyond {{.*}}exact_minimized_path (1 bytes), exiting MIN1: CRASH_MIN: failed to minimize beyond {{.*}}exact_minimized_path (1 bytes), exiting
RUN: echo -n 'Hi!AAA' > '%t.dir/bad;(%file)name'
RUN: %run %t-NullDerefTest -minimize_crash=1 '%t.dir/bad;(%file)name' -max_total_time=2 2>&1 | FileCheck %s --check-prefix=BAD_FILENAME
BAD_FILENAME: failed to minimize beyond