From: Szabolcs Nagy
To: Konstantin Serebryany
Cc: Rich Felker, musl@lists.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those
Date: Mon, 23 Mar 2015 13:25:54 +0100
Message-ID: <20150323122553.GO16260@port70.net>

* Konstantin Serebryany [2015-03-22 22:02:48 -0700]:
> On Sat, Mar 21, 2015 at 2:03 PM, Szabolcs Nagy wrote:
> > I wrote some trivial test cases for
> >
> > __dn_expand
> > __dns_parse
> > __pleval
> > fnmatch
> > inet_pton
> > strptime
>
> Cool! Is there something you plan to have in the repository or share
> some other way?
>

(musl does not have extra tools/docs/tests in the main repo; this is what
you want e.g. for toolchain builds and packaging) but I plan to release the
tests somewhere (currently they are just trivial calls into the relevant
libc function).

I don't know what's the best way to fuzz more than one argument,
e.g. fnmatch(pattern, string, flags).
Is it ok to just split the input data between the args?
(I haven't looked under the hood at how the fuzzer mutates the input.)

> > #27461772 NEW: 548 B: 0 L: 16 S: 22 I: 0 8283::2:2.8.83.3 16: 56 50 56 51 58 58 50 58 50 46 56 46 56 51 46 51
> > #27469404 NEW: 549 B: 0 L: 24 S: 23 I: 2 8283::2:283:2.8.83.2.833 24: 56 50 56 51 58 58 50 58 50 56 51 58 50 46 56 46 56 51 46 50 46 56 51 51
> > Bus error (core dumped)
> >
> > is there a way to get a reproducer after such a crash?
> >
>
> the fuzzer relies on asan to call at-crash handler -- this is what
> __sanitizer_set_death_callback is for.
> w/o asan you can set up a signal handler that will print
> fuzzer::Fuzzer::CurrentUnit.
> If everything else fails you can of course re-run the fuzzer with
> the same seed.
>

thanks, sounds good
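One way to answer the "split the input data between the args" question above, as an added example that is not code from the musl project or from either poster: a libFuzzer-style harness for fnmatch(3) that carves one input buffer into flags, pattern and string, with each string copied into an exactly-sized heap allocation so ASan reports any read past its end. The names split_fnmatch_input, run_fnmatch_input and struct fnmatch_input are assumptions for this example; LLVMFuzzerTestOneInput is the real libFuzzer entry point.

```c
/* Added example harness, not from the thread or the musl tree.
 * Layout: byte 0 selects fnmatch flags; the remaining bytes are split
 * at the first NUL into pattern and string, so the fuzzer can grow or
 * shrink either argument independently. */
#include <fnmatch.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct fnmatch_input {        /* assumed name, for this example only */
    int flags;
    char *pattern;            /* exactly-sized heap copy, NUL-terminated */
    char *string;             /* exactly-sized heap copy, NUL-terminated */
};

/* Returns 0 and fills *out, or -1 if the input is too short / OOM. */
static int split_fnmatch_input(const uint8_t *data, size_t size,
                               struct fnmatch_input *out)
{
    if (size < 1)
        return -1;
    /* keep only flag bits fnmatch defines, so every input exercises a
       real mode instead of an immediate unknown-flag failure */
    out->flags = data[0] & (FNM_NOESCAPE | FNM_PATHNAME | FNM_PERIOD);
    data++; size--;
    const uint8_t *sep = memchr(data, 0, size);
    size_t plen = sep ? (size_t)(sep - data) : size;   /* pattern length */
    size_t slen = sep ? size - plen - 1 : 0;           /* string length  */
    out->pattern = malloc(plen + 1);
    out->string = malloc(slen + 1);
    if (!out->pattern || !out->string) {
        free(out->pattern); free(out->string);
        return -1;
    }
    memcpy(out->pattern, data, plen);            out->pattern[plen] = 0;
    memcpy(out->string, sep ? sep + 1 : data, slen); out->string[slen] = 0;
    return 0;
}

/* Split, call fnmatch, free. Returns fnmatch's result or -1 if the
 * input could not be split (so a test can check the outcome). */
int run_fnmatch_input(const uint8_t *data, size_t size)
{
    struct fnmatch_input in;
    if (split_fnmatch_input(data, size, &in) != 0)
        return -1;
    int rc = fnmatch(in.pattern, in.string, in.flags);
    free(in.pattern);
    free(in.string);
    return rc;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    run_fnmatch_input(data, size);   /* libFuzzer ignores the result */
    return 0;
}
```

Build with `-fsanitize=fuzzer,address` (clang) to get the crash reproducer written out automatically, which is the ASan death-callback path mentioned above.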