This is the mail archive of the
mailing list for the glibc project.
Re: is there a fuzzer for libc?
- From: Szabolcs Nagy <szabolcs dot nagy at arm dot com>
- To: Konstantin Serebryany <konstantin dot s dot serebryany at gmail dot com>
- Cc: Roland McGrath <roland at hack dot frob dot com>, Rich Felker <dalias at libc dot org>, Siddhesh Poyarekar <siddhesh dot poyarekar at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 20 Mar 2015 13:01:53 +0000
- Subject: Re: is there a fuzzer for libc?
- Authentication-results: sourceware.org; auth=none
- References: <CAGQ9bdwcMhLU_8-FJQFk9VUJAUWcpRzMeq1WuPrmRvxyXJ3K7w at mail dot gmail dot com> <20140602200155 dot GI507 at brightrain dot aerifal dot cx> <CAAHN_R1U1e9N7eBF70baVZ_pHCRgnSCfPW-544tYkJ0KfXCQdA at mail dot gmail dot com> <CAGQ9bdxQuAbCmVOzywWjiLZycuT=Dis=HV0RYxdg4MBO5PMuEQ at mail dot gmail dot com> <20140603183434 dot GK507 at brightrain dot aerifal dot cx> <CAGQ9bdwNm+OgzKikSD+yvf8BxavEO=UBkNM8quPYpXsh3qZTfw at mail dot gmail dot com> <20140619201021 dot CC7D12C3A00 at topped-with-meat dot com> <CAGQ9bdw-i_C55t3b9Mh+4m67GRuu6RfCmUDUPLwTezbAoW1UNg at mail dot gmail dot com> <CAGQ9bdyTYvuebAa4SUk0Gv7rYT7PyBkZKRKd-_W7pHcrPG6+-Q at mail dot gmail dot com> <550B09A9 dot 7060007 at arm dot com> <CAGQ9bdxE9C0yTA+1VAiLX6nFPgraNzLdKE7Cpk8BX5ZXOVBPZg at mail dot gmail dot com>
On 19/03/15 18:25, Konstantin Serebryany wrote:
> If you can implement a function
> void TestOneInput(const unsigned char *Data, size_t Size);
> that uses one of the glibc APIs in an interesting way as in the examples above
> I can run it with the fuzzer on the instrumented glibc.
> You can run yourself too, but the build process is a bit too hairy today.
> The requirement for TestOneInput is that it runs reasonably fast (e.g. < 1ms)
> and does not crash on malformed inputs (unless there is a bug).
> For non-trivial kinds of input I may also need an initial set of
> inputs (test corpus),
> but for regcomp/fnmatch/wordexp and similar the fuzzer is capable of
> generating the corpus from scratch.
> Finish Glibc+Clang (https://sourceware.org/glibc/wiki/GlibcMeetsClang)
> and integrate the LLMV fuzzer
> or any similar coverage-guided fuzzer with the glibc testing process.
it seems the coverage tool depends on asan
i could not yet get asan to work on my system
so i cant try the fuzzer
fuzzing glibc is a useful project but i'm looking
for a tool that helps catching regressions in musl
libc when some complex parser code like fnmatch
maybe i can automate cutting out the relevant
code from the musl source tree and then run
fuzzing on that without libc instrumentation..
(but i was hoping for a nicer solution)