Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGQ9bdwFPUtWY-Wg5g93oNmSJst+tZmw=75C3jP5aD3aaMJ+jw@mail.gmail.com>
Date: Mon, 23 Mar 2015 08:56:32 -0700
From: Konstantin Serebryany <konstantin.s.serebryany@...il.com>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>, Rich Felker <dalias@...c.org>, 
	musl@...ts.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those

On Mon, Mar 23, 2015 at 5:25 AM, Szabolcs Nagy <nsz@...t70.net> wrote:
> * Konstantin Serebryany <konstantin.s.serebryany@...il.com> [2015-03-22 22:02:48 -0700]:
>> On Sat, Mar 21, 2015 at 2:03 PM, Szabolcs Nagy <nsz@...t70.net> wrote:
>> > i wrote some trivial test cases for
>> >
>> > __dn_expand
>> > __dns_parse
>> > __pleval
>> > fnmatch
>> > inet_pton
>> > strptime
>>
>> Cool! Is there something you plan to have in the repository or share
>> some other way?
>>
>
> (musl does not have extra tools/docs/tests in the main repo,
> this is what you want eg for toolchain builds and packaging)
>
> but i plan to release the tests somewhere
> (currently they just trivial calls into the relevant libc function)
>
> i don't know what's the best way to fuzz more than one argument
> eg fnmatch(pattern, string, flags)

Yes, splitting the input bytes between the args is the most
straightforward way.
Although sharing the input bytes (e.g. fnmatch(X, X, X[0])) was
surprisingly interesting too.

>
> is it ok to just split the input data between the args?
> (i havent looked under the hood how the fuzzer mutates the input)
>
>> > #27461772       NEW: 548 B: 0 L: 16 S: 22 I: 0  8283::2:2.8.83.3        16: 56 50 56 51 58 58 50 58 50 46 56 46 56 51 46 51
>> > #27469404       NEW: 549 B: 0 L: 24 S: 23 I: 2  8283::2:283:2.8.83.2.833        24: 56 50 56 51 58 58 50 58 50 56 51 58 50 46 56 46 56 51 46 50 46 56 51 51
>> > Bus error (core dumped)
>> >
>> > is there a way to get a reproducer after such a crash?
>> >
>>
>> the fuzzer relies on asan to call at-crash handler -- this is what
>> __sanitizer_set_death_callback is for.
>> w/o asan you can set up a signal handler that will print
>> fuzzer::Fuzzer::CurrentUnit.
>> If everything else fails you can of course re-rerun the fuzzer with
>> the same seed.
>>
>
> thanks, sounds good
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.