Fuzzing libc
This page is dedicated to fuzz-testing a libc implementation. Since libc is a collection of loosely-connected interfaces, it is hard or impossible to fuzz libc as a whole. However, successful attempts have been made to fuzz parts of libc.
This page is incomplete, input is welcome!
Fuzzing regular expressions and wildcards
Regfuzz creates random regular expressions that can be fed to e.g. regcomp().
A very simple wildcard fuzzer found a buffer overflow in fnmatch() (glibc bug 17062).
In-process coverage-guided mutation fuzzing with LLVM's libFuzzer coupled with AddressSanitizer. Currently this requires a hacky build of glibc with Clang.
Notes on fuzzing wordexp
As shown above, wordexp() is an interesting target for fuzzing (i.e. it has a few bugs that a fuzzer can discover). However, it is also a challenging target, for several reasons:
- wordexp may read and set environment variables (!!!), so one call to wordexp is not enough to evaluate all possible states. For an in-process fuzzer this means that separate executions of wordexp are not isolated, and for an out-of-process fuzzer it means that some of the bugs are not detectable (see e.g. 18043#c19).
- wordexp runs external commands. Fuzzing has to be done with WRDE_NOCMD, or otherwise be very careful not to execute arbitrary commands.
- wordexp actually calls glob(), which reads the file system -- this may dramatically slow down the fuzzing.
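The following libFuzzer harness is an added example, not code from this wiki page or from glibc; it applies the three precautions above: WRDE_NOCMD so command substitution fails instead of running a shell, an environment cleared before every call so one input cannot leak state into the next, and a length cap to bound the cost of the glob() walk. The entry point name follows libFuzzer's convention; expand_guarded() and MAX_PATTERN are names chosen for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

#define MAX_PATTERN 1024  /* cap input length: glob() walks the file system per call */

/* Expand one NUL-terminated pattern under the guard flags and return the
   wordexp() status. WRDE_NOCMD makes $(...) and `...` fail with WRDE_CMDSUB
   instead of executing anything; WRDE_UNDEF turns a reference to an unset
   variable into WRDE_BADVAL. On success *nwords receives we_wordc. */
int expand_guarded(const char *pattern, size_t *nwords)
{
    wordexp_t we;
    memset(&we, 0, sizeof we);
    /* ${VAR=value} inside a pattern can setenv(); starting from an empty
       environment keeps one fuzz input from influencing the next one. */
    clearenv();
    int rc = wordexp(pattern, &we, WRDE_NOCMD | WRDE_UNDEF);
    *nwords = (rc == 0) ? we.we_wordc : 0;
    /* Only success and WRDE_NOSPACE leave allocations for the caller to
       release; other error paths clean up before returning. */
    if (rc == 0 || rc == WRDE_NOSPACE)
        wordfree(&we);
    return rc;
}

/* libFuzzer entry point: turn the raw byte buffer into a C string and feed it
   to expand_guarded(). Build with: clang -fsanitize=fuzzer,address harness.c */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (size == 0 || size > MAX_PATTERN)
        return 0;
    char *pattern = malloc(size + 1);
    if (pattern == NULL)
        return 0;
    memcpy(pattern, data, size);
    pattern[size] = '\0';  /* wordexp() stops at the first NUL anyway */
    size_t nwords;
    expand_guarded(pattern, &nwords);
    free(pattern);
    return 0;
}
```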