1
/*
2
 * Copyright (c) 2021 Todd C. Miller <[email protected]>
3
 *
4
 * Permission to use, copy, modify, and distribute this software for any
5
 * purpose with or without fee is hereby granted, provided that the above
6
 * copyright notice and this permission notice appear in all copies.
7
 *
8
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15
 */
16

17
#include <config.h>
18

19
#include <stdio.h>
20
#include <stdlib.h>
21
#include <fcntl.h>
22
#include <unistd.h>
23
#if defined(HAVE_STDINT_H)
24
# include <stdint.h>
25
#elif defined(HAVE_INTTYPES_H)
26
# include <inttypes.h>
27
#endif
28

29
#include <sudo_compat.h>
30
#include <sudo_debug.h>
31
#include <sudo_eventlog.h>
32
#include <sudo_fatal.h>
33
#include <sudo_iolog.h>
34
#include <sudo_plugin.h>
35
#include <sudo_util.h>
36

37
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
38

39
static FILE *
40
open_data(const uint8_t *data, size_t size)
41
{
42
#ifdef HAVE_FMEMOPEN
43
    /* Operate in-memory. */
44
    return fmemopen((void *)data, size, "r");
45
#else
46
    char tempfile[] = "/tmp/json.XXXXXX";
47
    size_t nwritten;
48
    int fd;
49

50
    /* Use (unlinked) temporary file. */
51
    fd = mkstemp(tempfile);
52
    if (fd == -1)
53
	return NULL;
54
    unlink(tempfile);
55
    nwritten = write(fd, data, size);
56
    if (nwritten != size) {
57
	close(fd);
58
	return NULL;
59
    }
60
    lseek(fd, 0, SEEK_SET);
61
    return fdopen(fd, "r");
62
#endif
63
}
64

65
static int
66
fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[],
67
    struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
68
{
69
    int n;
70

71
    for (n = 0; n < num_msgs; n++) {
72
	const struct sudo_conv_message *msg = &msgs[n];
73

74
	switch (msg->msg_type & 0xff) {
75
	    case SUDO_CONV_PROMPT_ECHO_ON:
76
	    case SUDO_CONV_PROMPT_MASK:
77
	    case SUDO_CONV_PROMPT_ECHO_OFF:
78
		/* input not supported */
79
		return -1;
80
	    case SUDO_CONV_ERROR_MSG:
81
	    case SUDO_CONV_INFO_MSG:
82
		/* no output for fuzzers */
83
		break;
84
	    default:
85
		return -1;
86
	}
87
    }
88
    return 0;
89
}
90

91
int
92
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
93
{
94
    struct eventlog *evlog = NULL;
95
    FILE *fp;
96

97
    initprogname("fuzz_iolog_json");
98
    if (getenv("SUDO_FUZZ_VERBOSE") == NULL)
99
	sudo_warn_set_conversation(fuzz_conversation);
100

101
    fp = open_data(data, size);
102
    if (fp == NULL)
103
        return 0;
104

105
    /* Parsed contents of an log.json file are stored in evlog. */
106
    evlog = calloc(1, sizeof(*evlog));
107
    if (evlog != NULL) {
108
	evlog->runuid = (uid_t)-1;
109
	evlog->rungid = (gid_t)-1;
110
	evlog->exit_value = -1;
111

112
	/* Try to parse buffer as a JSON-format I/O log info file. */
113
	iolog_parse_loginfo_json(fp, "fuzz.json", evlog);
114
	eventlog_free(evlog);
115
    }
116
    fclose(fp);
117

118
    fflush(stdout);
119

120
    return 0;
121
}
122

123