This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: is there a fuzzer for libc?
- From: Szabolcs Nagy <szabolcs dot nagy at arm dot com>
- To: Konstantin Serebryany <konstantin dot s dot serebryany at gmail dot com>
- Cc: Roland McGrath <roland at hack dot frob dot com>, Rich Felker <dalias at libc dot org>, Siddhesh Poyarekar <siddhesh dot poyarekar at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 20 Mar 2015 13:01:53 +0000
- Subject: Re: is there a fuzzer for libc?
- Authentication-results: sourceware.org; auth=none
- References: <CAGQ9bdwcMhLU_8-FJQFk9VUJAUWcpRzMeq1WuPrmRvxyXJ3K7w at mail dot gmail dot com> <20140602200155 dot GI507 at brightrain dot aerifal dot cx> <CAAHN_R1U1e9N7eBF70baVZ_pHCRgnSCfPW-544tYkJ0KfXCQdA at mail dot gmail dot com> <CAGQ9bdxQuAbCmVOzywWjiLZycuT=Dis=HV0RYxdg4MBO5PMuEQ at mail dot gmail dot com> <20140603183434 dot GK507 at brightrain dot aerifal dot cx> <CAGQ9bdwNm+OgzKikSD+yvf8BxavEO=UBkNM8quPYpXsh3qZTfw at mail dot gmail dot com> <20140619201021 dot CC7D12C3A00 at topped-with-meat dot com> <CAGQ9bdw-i_C55t3b9Mh+4m67GRuu6RfCmUDUPLwTezbAoW1UNg at mail dot gmail dot com> <CAGQ9bdyTYvuebAa4SUk0Gv7rYT7PyBkZKRKd-_W7pHcrPG6+-Q at mail dot gmail dot com> <550B09A9 dot 7060007 at arm dot com> <CAGQ9bdxE9C0yTA+1VAiLX6nFPgraNzLdKE7Cpk8BX5ZXOVBPZg at mail dot gmail dot com>
On 19/03/15 18:25, Konstantin Serebryany wrote:
> Step1:
> If you can implement a function
> void TestOneInput(const unsigned char *Data, size_t Size);
> that uses one of the glibc APIs in an interesting way as in the examples above
> I can run it with the fuzzer on the instrumented glibc.
> You can run yourself too, but the build process is a bit too hairy today.
> The requirement for TestOneInput is that it runs reasonably fast (e.g. < 1ms)
> and does not crash on malformed inputs (unless there is a bug).
> For non-trivial kinds of input I may also need an initial set of
> inputs (test corpus),
> but for regcomp/fnmatch/wordexp and similar the fuzzer is capable of
> generating the corpus from scratch.
>
> Step2:
> Finish Glibc+Clang (https://sourceware.org/glibc/wiki/GlibcMeetsClang)
> and integrate the LLVM fuzzer
> (http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup)
> or any similar coverage-guided fuzzer with the glibc testing process.
>
It seems the coverage tool depends on ASan. I could not yet get ASan to work on my system, so I can't try the fuzzer.

Fuzzing glibc is a useful project, but I'm looking for a tool that helps catch regressions in musl libc when some complex parser code like fnmatch is updated.

Maybe I can automate cutting out the relevant code from the musl source tree and then run fuzzing on that without libc instrumentation. (But I was hoping for a nicer solution.)
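A TestOneInput harness of the kind the quoted message asks for, added here as an example that is not part of this thread, of glibc, or of the LLVM fuzzer: it drives the fnmatch and regcomp/regexec parsers named in the quoted text, copies the raw fuzzer buffer into NUL-terminated strings so the libc calls never read past Size, and skips rather than crashes on inputs that are too short. The `fuzz_libc_once` helper, the selector-byte layout and the bit-to-flag mapping are assumptions of this example, not a convention of the fuzzer.

```c
#include <fnmatch.h>
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Copy n raw bytes into a fresh NUL-terminated string: the fuzzer buffer is not
   terminated, so handing it to a libc string API directly would overrun it. */
static char *dup_bytes(const unsigned char *p, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) abort();          /* out of memory is not a libc bug */
    memcpy(s, p, n); s[n] = '\0';
    return s;
}

/* One fuzz iteration (assumed layout): byte 0 is a selector, bit 7 picks
   regcomp/regexec instead of fnmatch, its low bits become API flags; the rest
   is split at the first NUL into pattern and subject. Returns the API result. */
int fuzz_libc_once(const unsigned char *Data, size_t Size)
{
    if (Size < 2) return -1;         /* nothing to split: skip, do not crash */
    unsigned char sel = Data[0];
    const unsigned char *body = Data + 1;
    size_t body_len = Size - 1;
    const unsigned char *nul = memchr(body, '\0', body_len);
    size_t plen = nul ? (size_t)(nul - body) : body_len;
    size_t slen = nul ? body_len - plen - 1 : 0;
    char *pattern = dup_bytes(body, plen);
    char *subject = dup_bytes(nul ? nul + 1 : body, slen);
    int rc;
    if (sel & 0x80) {
        int cflags = (sel & 1 ? REG_EXTENDED : 0) | (sel & 2 ? REG_ICASE : 0);
        regex_t re;
        rc = regcomp(&re, pattern, cflags);
        if (rc == 0) {               /* only a compiled regex may be run and freed */
            rc = regexec(&re, subject, 0, NULL, 0);
            regfree(&re);
        }
    } else {
        int flags = (sel & 1 ? FNM_PATHNAME : 0) | (sel & 2 ? FNM_PERIOD : 0) | (sel & 4 ? FNM_NOESCAPE : 0);
        rc = fnmatch(pattern, subject, flags);
    }
    free(pattern); free(subject);
    return rc;
}

void TestOneInput(const unsigned char *Data, size_t Size) /* fuzzer entry point */
{
    (void)fuzz_libc_once(Data, Size);
}
```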