Fuzzing

Revision as of 22:32, 12 December 2019 by Abartlet (Other fuzzers (or where fuzz_ndr_X does not reproduce))

Oss-fuzz reproduction steps

fuzz_ndr_X

If the failure is in a tool named fuzz_ndr_* then it is possible to translate this failure into an ndrdump command. In the command below, $PIPE is the pipe name taken from the fuzzer name (e.g. drsuapi from fuzz_ndr_drsuapi_TYPE_OUT) and $FILE is the crash file provided by oss-fuzz.

lib/fuzzing/decode_ndr_X_crash -p $PIPE $FILE

This may allow the failure to be debugged without needing a recompile to a fuzzing build and makes it easy to incorporate into the testsuite.

Other fuzzers (or where ndrdump does not reproduce)

For other fuzzers, build Samba for fuzzing. See lib/fuzzing/README.md for instructions on how to build Samba for fuzzing.

If neither AFL nor honggfuzz is available locally, you can still build using --enable-afl and this will produce a normal binary.

Either way, the result of these builds is a series of fuzz_ binaries in bin/ that take the failing input on stdin.
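As an added helper (not part of the Samba tree), the following script combines the two reproduction paths above: it recovers the pipe name from a fuzz_ndr_* target name and prints, then runs, the matching command. It assumes a tree built as described in lib/fuzzing/README.md, so that bin/fuzz_* and lib/fuzzing/decode_ndr_X_crash exist; the handling of a _TYPE_IN or _TYPE_OUT suffix generalises the single fuzz_ndr_drsuapi_TYPE_OUT example in the text.

```shell
#!/bin/sh
# Triage helper for oss-fuzz reports (added example, not Samba's own tooling).
# Assumes a Samba tree built for fuzzing per lib/fuzzing/README.md, so that
# bin/fuzz_* and lib/fuzzing/decode_ndr_X_crash exist. Inputs are the fuzzer
# name as reported by oss-fuzz and the crash file it provided.

# Derive the NDR pipe name from a fuzz_ndr_* target name, with or without a
# leading path and with or without the _TYPE_IN / _TYPE_OUT suffix:
#   fuzz_ndr_drsuapi_TYPE_OUT     -> drsuapi
#   bin/fuzz_ndr_netlogon_TYPE_IN -> netlogon
fuzzer_pipe_name() {
    basename "$1" | sed -E 's/^fuzz_ndr_//; s/_TYPE_(IN|OUT)$//'
}

# Print the command that reproduces a crash outside the fuzzing harness.
# fuzz_ndr_* targets map onto decode_ndr_X_crash (and so onto ndrdump);
# every other fuzz_ binary simply takes the failing input on stdin.
repro_command() {
    fuzzer=$(basename "$1")
    file=$2
    case "$fuzzer" in
        fuzz_ndr_*)
            printf 'lib/fuzzing/decode_ndr_X_crash -p %s %s\n' \
                "$(fuzzer_pipe_name "$fuzzer")" "$file" ;;
        fuzz_*)
            printf 'bin/%s < %s\n' "$fuzzer" "$file" ;;
        *)
            printf 'not a Samba fuzzer name: %s\n' "$fuzzer" >&2
            return 1 ;;
    esac
}

# Usage: sh repro.sh <fuzzer-name> <crash-file>
# Prints the reproduction command, then runs it from the Samba source root.
if [ "$#" -eq 2 ]; then
    cmd=$(repro_command "$1" "$2") || exit 1
    printf '%s\n' "$cmd"
    eval "$cmd"
fi
```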

Developing new fuzzers

Please do help develop new fuzzers! The Samba Team can collaborate with you in private in the early stages if your work is finding security-relevant issues easily, before we merge the fuzzer for running by the public and on oss-fuzz.

Fixing fuzzing bugs

Determine security impact

If there is security impact from the fuzzing result, please follow the Samba Security Process.

Add test cases

Remember to add a test case to the appropriate part of Samba, if possible, when fixing the bug.

ndrdump reproducible failures

Currently, failures that can be reproduced with ndrdump are being added to python/samba/tests/blackbox/ndrdump.py.

Other failures

Please find an appropriate part of the existing testsuite to extend, and build a framework if needed. This may seem excessive, but where one bug is found, others will follow, and it makes things easier in the long run.