This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: is there a fuzzer for libc?

From: Konstantin Serebryany <konstantin dot s dot serebryany at gmail dot com>
To: Rich Felker <dalias at libc dot org>
Cc: Siddhesh Poyarekar <siddhesh dot poyarekar at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>
Date: Thu, 19 Jun 2014 11:53:51 +0400
Subject: Re: is there a fuzzer for libc?
Authentication-results: sourceware.org; auth=none
References: <CAGQ9bdwcMhLU_8-FJQFk9VUJAUWcpRzMeq1WuPrmRvxyXJ3K7w at mail dot gmail dot com> <20140602200155 dot GI507 at brightrain dot aerifal dot cx> <CAAHN_R1U1e9N7eBF70baVZ_pHCRgnSCfPW-544tYkJ0KfXCQdA at mail dot gmail dot com> <CAGQ9bdxQuAbCmVOzywWjiLZycuT=Dis=HV0RYxdg4MBO5PMuEQ at mail dot gmail dot com> <20140603183434 dot GK507 at brightrain dot aerifal dot cx>

Quick update: I found regfuzz, a fuzzer for regular expressions.
https://code.google.com/p/regfuzz/
A short run revealed a least 3 somewhat scary situations in regcomp:
infinite loop, quick memory exhaustion and a memory leak:
I've submitted two bugs so far; if they are considered interesting and
get fixed I can file more :)
 https://sourceware.org/bugzilla/show_bug.cgi?id=17069
 https://sourceware.org/bugzilla/show_bug.cgi?id=17070

I also wrote a naive fuzzer for wildcards and it found a buffer
overflow in fnmatch:
https://sourceware.org/bugzilla/show_bug.cgi?id=17062 (already fixed).

--kcc

On Tue, Jun 3, 2014 at 10:34 PM, Rich Felker <dalias@libc.org> wrote:
> On Tue, Jun 03, 2014 at 11:00:44AM +0400, Konstantin Serebryany wrote:
>> Thanks for the answer -- it confirms what I concluded from a quick web search.
>> There are however some libc functions that might be easier to fuzz
>> (e.g. gethostbyname),
>> so I thought that there could be at least something.
>
> Sure, one class of functions that aren't too hard to fuzz is functions
> which take only integer and pointer-to-string arguments with no
> constraints on them. However it still may be hard to hit the
> meaningful cases. I think fuzzing gethostbyname would be pretty slow
> since you'd end up waiting for the dns request to fail for nearly
> every random string you generated.
>
> Rich

Follow-Ups:
- Re: is there a fuzzer for libc?
  - From: Roland McGrath

References:
- is there a fuzzer for libc?
  - From: Konstantin Serebryany
- Re: is there a fuzzer for libc?
  - From: Rich Felker
- Re: is there a fuzzer for libc?
  - From: Siddhesh Poyarekar
- Re: is there a fuzzer for libc?
  - From: Konstantin Serebryany
- Re: is there a fuzzer for libc?
  - From: Rich Felker

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]