Closed Bug 1474492 Opened 7 years ago Closed 4 years ago

FTPListParser fuzzing target

Categories

(Core Graveyard :: Networking: FTP, defect, P5)

Product:
Core Graveyard
Component:
Networking: FTP
Platform:
x86_64
Linux
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: u473386, Assigned: u473386)

References

Details

(Keywords: sec-audit, Whiteboard: [necko-triaged])

Attachments

(3 files, 6 obsolete files)

Example for targeting nsFTPDirListingConv
2.43 KB, text/x-c++src
Details
FTPDirListConv
3.31 KB, patch
valentin
: review+
decoder
: superreview+
Details | Diff | Splinter Review
FTPDirListingConv
3.61 KB, patch
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Steps to reproduce: What do you think? It's just a single file that is fuzzed, but please take a look. It's a branch maze. https://dxr.mozilla.org/mozilla-central/source/netwerk/streamconv/converters/ParseFTPList.cpp I've let it run for a few hours, with no bugs found so far, but coverage is still increasing. Considering that some branches are very difficult for libFuzzer to reach, it may stay busy for weeks to come. Much of the code doesn't seem particularly prone to security bugs, but there are also some memcpys in there, and constructs like this. for (pos = 0; pos < toklen[1]; pos++) *dot++ = *p++; I think it might also be a good target for UBSAN, should support be added.
Attached patch FTPListParser (obsolete) — Splinter Review
Attachment #8990885 - Flags: review?(choller)
Attached patch FTPListParser (obsolete) — Splinter Review
I think the previous patch was malformed.
Attachment #8990885 - Attachment is obsolete: true
Attachment #8990885 - Flags: review?(choller)
Attachment #8990887 - Flags: review?(choller)
(I misread the above code snippet.)
Attached patch FTPListParser-2 (obsolete) — Splinter Review
Attachment #8990887 - Attachment is obsolete: true
Attachment #8990887 - Flags: review?(choller)
Attachment #8991201 - Flags: review?(choller)
Attached patch FTPListParser-3 (obsolete) — Splinter Review
An unrelated file got into FTPListParser-2.
Attachment #8991201 - Attachment is obsolete: true
Attachment #8991201 - Flags: review?(choller)
Attachment #8991216 - Flags: review?(choller)
Comment on attachment 8991216 [details] [diff] [review] FTPListParser-3 I did some brief fuzzing of this code before (local only) and I think it is worth adding a target. However, the functions in nsFTPDirListingConv itself also look complicated enough to target them. Hence, I suggest fuzzing nsFTPDirListingConv itself, rather than just the ParseFTPList function. I did this once before briefly and wrote some code to do it (but I never got around to land it). I can attach my sample code, maybe you can test it and ensure it does what it is supposed to do?
Attachment #8991216 - Flags: review?(choller)
Not sure if this still compiles, some headers might not be required and you might have to check that it really hits the function you originally wanted to target. Let me know if there is any trouble. With this code, also some other converters could be targeted, although they are all pretty simple I think. Thanks for working on this!
Flags: needinfo?(pdknsk)
Thanks, works well. I verified it reaches ParseFTPList. I only made a few minor adjustments. Most of the headers weren't needed.
Flags: needinfo?(pdknsk)
Attached patch FTPDirListConvSplinter Review
Attachment #8991216 - Attachment is obsolete: true
Hi Christian, Should this issue be set on Core: Platform Fuzzing Tea component? If this is not the right component, please update it to the right one.
Flags: needinfo?(choller)
We generally file these bugs in the component that they test, adjusting based on that :)
Status: UNCONFIRMED → NEW
Component: Untriaged → Networking: FTP
Ever confirmed: true
Flags: needinfo?(choller)
OS: Unspecified → Linux
Product: Firefox → Core
Hardware: Unspecified → x86_64
Comment on attachment 8991801 [details] [diff] [review] FTPDirListConv Review of attachment 8991801 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for working on this! From the fuzzing perspective, this looks all correct. Forwarding for a final review to Valentin, so a Necko peer can check on the code itself as well :)
Attachment #8991801 - Flags: superreview+
Attachment #8991801 - Flags: review?(valentin.gosu)
Comment on attachment 8991801 [details] [diff] [review] FTPDirListConv Review of attachment 8991801 [details] [diff] [review]: ----------------------------------------------------------------- Looks great. Thanks! ::: netwerk/streamconv/converters/fuzztest/FTPDirListConv_fuzzer.cpp @@ +15,5 @@ > + > + NS_DECL_ISUPPORTS > + NS_DECL_NSIREQUESTOBSERVER > + > + NS_IMETHODIMP OnDataAvailable(nsIRequest* aRequest, I think this ought to be NS_IMETHOD, without the imp
Attachment #8991801 - Flags: review?(valentin.gosu) → review+
Marking s-s until this has received more fuzzing, so we don't easily expose potential security problems.
Group: core-security-release
Keywords: sec-audit
Do you want to author the patch, or should I do it? I mean you wrote the code basically.
Flags: needinfo?(choller)
Feel free to author the patch, I am currently too busy with the ASan Nightly Project to handle additional code landing :)
Flags: needinfo?(choller)
Attached patch FTPDirListConv-2 (obsolete) — Splinter Review
> I think this ought to be NS_IMETHOD, without the imp Done.
Attached patch FTPDirListConv-3 (obsolete) — Splinter Review
Minor formatting fix.
Attachment #8995441 - Attachment is obsolete: true
First blocking bug from local fuzzing. Assertion failure: CheckCapacity(aLength) (String is too large.), at mozilla-central/xpcom/string/nsTSubstring.h:876 ==3176==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f23cc0fdc15 bp 0x7ffdad88edf0 sp 0x7ffdad88ede0 T0) ==3176==The signal is caused by a WRITE memory access. ==3176==Hint: address points to the zero page. #0 0x7f23cc0fdc14 in nsTSubstring<char>::nsTSubstring(char*, unsigned int, mozilla::detail::StringDataFlags, mozilla::detail::StringClassFlags) mozilla-central/xpcom/string/nsTSubstring.h:876:5 #1 0x7f23cc1127c8 in nsTDependentSubstring<char>::nsTDependentSubstring(char const*, char const*) mozilla-central/xpcom/string/nsTDependentSubstring.cpp:57:5 #2 0x7f23cc115d75 in nsTDependentSubstring<char> const Substring<char>(char const*, char const*) mozilla-central/xpcom/string/nsTDependentSubstring.cpp:92:10 #3 0x7f23ccaad74c in nsFTPDirListingConv::DigestBufferLines(char*, nsTString<char>&) mozilla-central/netwerk/streamconv/converters/nsFTPDirListingConv.cpp:270:37 The problem appears to be that bogus result.fe_fnlen is set in ParseFTPList.
Can you open a bug blocking this one? Mark it s-s so we don't reveal what we are doing in this bug (not because the other bug itself would be s-s). My guess is we need to apply a useful limit to this length.
Depends on: 1478950
(No changes in this patch other than renaming the target to FTPDirListingConv).
Attachment #8995444 - Attachment is obsolete: true
When the blocking bug is fixed, I think this should be good to go. I've been fuzzing locally with its patch, and there were no reports yet. By the way, it's good you suggested fuzzing nsFTPDirListingConv, as just fuzzing FTPListParser wouldn't have found the bug.
Assignee: nobody → pdknsk
Priority: -- → P5
Whiteboard: [necko-triaged]
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
See Also: → kill-ftp
Product: Core → Core Graveyard
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: