Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGQ9bdyZJmC_94EzSxxnogq8Z213LbgEOPE6==7KHNfTuCUSUQ@mail.gmail.com>
Date: Fri, 20 Mar 2015 17:06:18 -0700
From: Konstantin Serebryany <konstantin.s.serebryany@...il.com>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>, musl@...ts.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those

On Fri, Mar 20, 2015 at 4:52 PM, Szabolcs Nagy <nsz@...t70.net> wrote:
> * Konstantin Serebryany <konstantin.s.serebryany@...il.com> [2015-03-20 13:17:47 -0700]:
>> Following the discussion at the glibc mailing list
>> (https://sourceware.org/ml/libc-alpha/2015-03/msg00662.html)
>> I've tried to fuzz musl regcomp and the first bug popped up quickly.
>> Please let me know if you would be interested in adding the fuzzer
>> (http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup)
>> to the musl testing process.
>>
>
> (now with correct To: header)
>
>
> (1) the clean approach would be to have a way to build an
> instrumented libc and a separate set of test cases for
> various libc apis that the fuzzer could use.

Correct. Building libc.a is simple:
CC="clang -fsanitize=address -fsanitize-coverage=3 " ./configure && make -j
But then I don't know how to properly link libc.a to a test case.
How do you usually link tests with libc.a on x86_64 linux?

>
> (2) the other approach is to cut parts of the libc out
> (the parsers often don't depend on too much libc internals)
> and build them with whatever runtime the fuzzer needs

That's exactly what I did. Not optimal, I agree.

>
> the question is how hard it is to do (1) ?
>
> i assume asan is non-trivial to set up for that (or is it
> enough to replace malloc calls? and some startup logic?)

asan replaces malloc and a few more libc functions.
It works with various different libcs, so there is a good chance that
it will work here with no or minimal changes.

>
> at first it is ok if the fuzzer only catches crashing bugs
> so if that's easy to do i'd go for that.
>
> for (1) i can write the test cases and adjust the musl build
> system, but i dont know how much difficulty should i expect
>
> thanks

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.