Fuzzing
=Oss-fuzz reproduction steps=

==fuzz_ndr_X==

A placeholder page for hints on fuzzing Samba.

If the failure is in a tool named fuzz_ndr_* then it is possible to translate this failure into an ndrdump command. The $PIPE below is e.g. drsuapi from fuzz_ndr_drsuapi_TYPE_OUT, and $FILE is the testcase file provided by oss-fuzz.

[https://git.samba.org/?p=samba.git;a=blob;f=lib/fuzzing/decode_ndr_X_crash lib/fuzzing/decode_ndr_X_crash] -p $PIPE $FILE

This may allow the failure to be debugged without needing a recompile as a fuzzing build, and makes it easy to incorporate into the testsuite.

==Other fuzzers (or where ndrdump does not reproduce)==

For other fuzzers, build Samba for fuzzing. See [https://gitlab.com/samba-team/samba/blob/master/lib/fuzzing/README.md lib/fuzzing/README.md] for instructions on how to build Samba for fuzzing.

If neither AFL nor honggfuzz is available locally, '''you can still build using --enable-afl''' and this will produce a normal binary.

Either way, the result of these builds is a series of fuzz_ binaries in bin/ that take the failing input on stdin.

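Added example, not from the Samba wiki or the Samba tree: a small POSIX sh helper that chooses between the two reproduction paths described above, the ndrdump translation for fuzz_ndr_* fuzzers and stdin replay for everything else. The fuzzer name pattern fuzz_ndr_<pipe>_TYPE_<IN|OUT> is inferred from the page's single example, the -p option is the one shown above, all commands assume the Samba source root as the working directory, and fuzz_example_other is a made-up fuzzer name.

```shell
#!/bin/sh
# Derive the ndrdump pipe name from a fuzz_ndr_* fuzzer name, following the
# page's example (fuzz_ndr_drsuapi_TYPE_OUT -> drsuapi). Prints nothing and
# returns 1 when the name is not a fuzz_ndr_* fuzzer.
pipe_from_fuzzer() {
    case "$1" in
        fuzz_ndr_*) ;;
        *) return 1 ;;
    esac
    p="${1#fuzz_ndr_}"
    # Strip the direction suffix; _TYPE_IN / _TYPE_OUT is an assumed pattern
    # generalised from the one name on the page.
    p="${p%_TYPE_*}"
    printf '%s\n' "$p"
}

# Build (but do not run) the reproduction command for a fuzzer name and an
# oss-fuzz testcase file, so it can be pasted into a bug report.
repro_cmd() {
    fuzzer="$1"
    file="$2"
    if pipe=$(pipe_from_fuzzer "$fuzzer"); then
        # Translate into the ndrdump wrapper from the page.
        printf 'lib/fuzzing/decode_ndr_X_crash -p %s %s\n' "$pipe" "$file"
    else
        # Other fuzz_ binaries read the failing input from stdin.
        printf 'bin/%s < %s\n' "$fuzzer" "$file"
    fi
}

# Actually run the reproduction; exit status is that of the tool, so a crash
# or sanitizer abort is visible to the caller. Usage: reproduce FUZZER FILE
reproduce() {
    if pipe=$(pipe_from_fuzzer "$1"); then
        lib/fuzzing/decode_ndr_X_crash -p "$pipe" "$2"
    else
        "bin/$1" < "$2"
    fi
}
```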
=Developing new fuzzers=

Please do help develop new fuzzers! The Samba Team can collaborate with you in private in the early stages if your work is finding security-relevant issues easily, before we merge the fuzzer for running by the public and on oss-fuzz.

=Fixing fuzzing bugs=

==Determine security impact==

If there is security impact from the fuzzing result, please follow the [[Samba Security Process]].

==Add test cases==

Remember to add a testcase to the appropriate part of Samba if possible when fixing the bug.

===ndrdump reproducible failures===

Currently, failures that can be reproduced with ndrdump are being added to [https://git.samba.org/?p=samba.git;a=blob;f=python/samba/tests/blackbox/ndrdump.py python/samba/tests/blackbox/ndrdump.py].

===Other failures===

Please find an appropriate part of the existing testsuite to extend, and build a framework if needed. This may seem excessive, but where one bug is found, others will follow, and it makes things easier in the long run.
Revision as of 22:32, 12 December 2019