Commit graph

12 commits

Author SHA1 Message Date
Miklos Vajna
72cfcf7f3e admin_fuzzer: fix too large param to cpu_stats_size setter
Don't pop an empty container, also use stol() so it does not throw
std::out_of_range.

Change-Id: Id81cb00ccfb0ecc234b8f6fa89edf5a0d8c6d353
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92524
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-20 11:18:05 +02:00
Miklos Vajna
ec3341591b clientsession_fuzzer: fix build
Change-Id: If793ad5d23f5b33d92ccfb681b279821f04a362b
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92397
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-17 09:57:15 +02:00
Miklos Vajna
946fa38a22 admin console: fix handling of out of range kill parameter
Catch that, similar to when handling an invalid argument.

Change-Id: I7405355f0b962673069dbd33dbab8c9e3042c4bf
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91794
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-07 09:35:54 +02:00
Miklos Vajna
fc88a872c2 admin console: log when JWTAuth::verify() doesn't have enough tokens
This is no longer a huge problem, but it's still a good idea to return
early in that case.

Found with the recently added admin_fuzzer, when I locally disabled the
StringVector safety checks for test purposes.

(If you view the diff with -U30, then you see that we access tokens[2]
later, so if size is < 3, we should give up.)

Change-Id: I46fc531fb042cc1485a17a9e994ad37e9ff0cd80
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91587
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-03 09:18:18 +02:00
Miklos Vajna
a4e0a00bfe Add an initial libfuzzer based fuzzer for the admin console
Run the actual fuzzer like this:

./admin_fuzzer -max_len=16384 fuzzer/admin-data/

Change-Id: I5891df8033ff1837afce86775ee62447587f2f20
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91504
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-02 12:11:24 +02:00
Miklos Vajna
338a9c5f1d libfuzzer: fix build
After commit e924625cc1 (re-factor: Socket
/ WebSocketHandler., 2020-03-06).

Change-Id: I2c109c26791efa03f54773a3623bcce57b0fb5e6
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/90603
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
2020-03-17 10:34:40 +01:00
Miklos Vajna
1bfd7a363d libfuzzer: fix build
After commit f70e627795 (WebSocket -
simplify handleMessage for now., 2020-03-05).

Change-Id: Iac4be94fa1f9b37714329b6b6941c775c3fe1947
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/90084
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-03-06 13:27:26 +01:00
Miklos Vajna
d129979822 wsd: fix crash with read-only documents + uno command without param
==15956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007cd2f7 bp 0x7ffe96c7cd70 sp 0x7ffe96c7c4e8 T0)
...
    #7 0x11a9d31 in ClientSession::filterMessage(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const wsd/ClientSession.cpp:977:27
    #8 0x11925d6 in ClientSession::_handleInput(char const*, int) wsd/ClientSession.cpp:741:14
    #9 0x19395d0 in Session::handleMessage(bool, WSOpCode, std::vector<char, std::allocator<char> >&) common/Session.cpp:230:13

This seems to be a recurring pattern, I'll consider reworking
LOOLProtocol::tokenize() in a follow-up commit to have a return value
that is safer than std::vector<std::string>.

Change-Id: I0e71214a55af2e71e4787cb0dba0ddf7825bf9d9
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89637
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-02-27 17:59:59 +01:00
Miklos Vajna
1016de956a fuzzer: fix OOM with an ever-growing SocketPoll::_newCallbacks
Admin::instance().dumpState(std::cerr) at the end of a run shows:
 Poll [0] - wakeup r: 11 w: 12
        callbacks: 103
        fd      events  rsize   wsize

This is more a problem in the fuzzer itself than in the code, the
unprocessed callbacks reached the intentionally set 2GB limit in about
20 mins, so process them at the end of each run.

Change-Id: Ic12d3e8555417371f4ca44228fc1ff515d704592
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89632
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-02-27 15:11:31 +01:00
Miklos Vajna
aefc65465b wsd: fix crash when downloadas has not enough parameters
==11898==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007c4f87 bp 0x7fffe45dfe90 sp 0x7fffe45df608 T0)
==11898==The signal is caused by a READ memory access.
==11898==Hint: address points to the zero page.
    #0 0x7c4f86 in AddressIsPoisoned lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/asan_mapping.h:397
    #1 0x7c4f86 in __asan::QuickCheckForUnpoisonedRegion(unsigned long, unsigned long) lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.h:31
    #2 0x816436 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:834
    #3 0x816d38 in memcmp lode/packages/llvm-472c6ef8b0f53061b049039f9775ab127beafbe4.src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:866
    #4 0x7f1964437595 in std::char_traits<char>::compare(char const*, char const*, unsigned long) lode/packages/gccbuild/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:310
    #5 0x7f1964437595 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(unsigned long, unsigned long, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const lode/packages/gccbuild/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/basic_string.tcc:1391
    #6 0x18e206d in LOOLProtocol::getTokenString(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) common/Protocol.cpp:141:19
    #7 0x117cc0a in ClientSession::filterMessage(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const wsd/ClientSession.cpp:940:13
    #8 0x116b832 in ClientSession::_handleInput(char const*, int) wsd/ClientSession.cpp:741:14
    #9 0x18f70d0 in Session::handleMessage(bool, WSOpCode, std::vector<char, std::allocator<char> >&) common/Session.cpp:230:13

Change-Id: I0c7da6c02ac62bf0bc99557517fc7c517917046c
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89229
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:34 +01:00
Miklos Vajna
57a35bb96c Add an initial libfuzzer based fuzzer
- target ClientSession::_handleInput(), since crashing there would bring
  down the whole loolwsd (not just a kit process), and it deals with
  input from untrusted users (browsers)

- add a --enable-fuzzers configure switch to build with
  -fsanitize=fuzzer (compared to normal sanitizers build, this is the only
  special flag needed)

- configuring other sanitizers is not done automatically, either use
  --with-sanitizer=... or the environment variables from LODE's sanitizer
  config

- run the actual fuzzer like this:

  ./clientsession_fuzzer -max_len=16384 fuzzer/data/

- note that at least openSUSE Leap 15.1 sadly ships with a clang with
  libfuzzer static libs removed from the package, so you need a
  self-built clang to run the fuzzer (either manual build or one from
  LODE)

- <https://chromium.googlesource.com/chromium/src/testing/libfuzzer/+/refs/heads/master/efficient_fuzzing.md#execution-speed>
  suggests that "You should aim for at least 1,000 exec/s from your fuzz
  target locally" (i.e. one run should not take more than 1 ms), so try
  this minimal approach first. The alternative would be to start from the
  existing loolwsd_fuzzer binary, then step by step cut it down to not
  fork(), not do any network traffic, etc -- till it's fast enough that
  the fuzzer can find interesting input

- the various configurations start to be really complex (the matrix is
  just very large), so try to use Util::isFuzzing() for fuzzer-specific
  changes (this is what core.git does as well), and only resort to ifdefs
  for the Util::isFuzzing() itself

Change-Id: I72dc1193b34c93eacb5d8e39cef42387d42bd72f
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89226
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:22 +01:00
Miklos Vajna
8d2a8da960 common: fix crash when the version string contains no dot character
==13901==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000904678 bp 0x7ffdb9e21580 sp 0x7ffdb9e21340 T0)
==13901==The signal is caused by a READ memory access.
==13901==Hint: address points to the zero page.
    #0 0x904677 in LOOLProtocol::tokenize[abi:cxx11](char const*, unsigned long, char) common/Protocol.hpp:113:40
    #1 0x898c52 in LOOLProtocol::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char) common/Protocol.hpp:141:16
    #2 0x18dc2d9 in LOOLProtocol::ParseVersion(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) common/Protocol.cpp:35:51
    #3 0x1148824 in ClientSession::_handleInput(char const*, int) wsd/ClientSession.cpp:358:64
    #4 0x18efcb8 in Session::handleMessage(bool, WSOpCode, std::vector<char, std::allocator<char> >&) common/Session.cpp:232:13

Next commit will add the actual simple fuzzer that found this.

Change-Id: I8623b4451a57390f6f84c11084c5a1120a11fcc5
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89225
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:11 +01:00