Re: buffer overflow in regcomp and a way to find more of those

[Konstantin Serebryany <konstantin.s.serebryany@gmail.com>]

On Mon, Mar 23, 2015 at 5:25 AM, Szabolcs Nagy <nsz@port70.net> wrote:
> * Konstantin Serebryany <konstantin.s.serebryany@gmail.com> [2015-03-22 22:02:48 -0700]:
>> On Sat, Mar 21, 2015 at 2:03 PM, Szabolcs Nagy <nsz@port70.net> wrote:
>> > i wrote some trivial test cases for
>> >
>> > __dn_expand
>> > __dns_parse
>> > __pleval
>> > fnmatch
>> > inet_pton
>> > strptime
>>
>> Cool! Is there something you plan to have in the repository or share
>> some other way?
>>
>
> (musl does not have extra tools/docs/tests in the main repo,
> this is what you want eg for toolchain builds and packaging)
>
> but i plan to release the tests somewhere
> (currently they just trivial calls into the relevant libc function)
>
> i don't know what's the best way to fuzz more than one argument
> eg fnmatch(pattern, string, flags)

Yes, splitting the input bytes between the args is the most
straightforward way.
Although sharing the input bytes (e.g. fnmatch(X, X, X[0])) was
surprisingly interesting too.

>
> is it ok to just split the input data between the args?
> (i havent looked under the hood how the fuzzer mutates the input)
>
>> > #27461772       NEW: 548 B: 0 L: 16 S: 22 I: 0  8283::2:2.8.83.3        16: 56 50 56 51 58 58 50 58 50 46 56 46 56 51 46 51
>> > #27469404       NEW: 549 B: 0 L: 24 S: 23 I: 2  8283::2:283:2.8.83.2.833        24: 56 50 56 51 58 58 50 58 50 56 51 58 50 46 56 46 56 51 46 50 46 56 51 51
>> > Bus error (core dumped)
>> >
>> > is there a way to get a reproducer after such a crash?
>> >
>>
>> the fuzzer relies on asan to call at-crash handler -- this is what
>> __sanitizer_set_death_callback is for.
>> w/o asan you can set up a signal handler that will print
>> fuzzer::Fuzzer::CurrentUnit.
>> If everything else fails you can of course re-rerun the fuzzer with
>> the same seed.
>>
>
> thanks, sounds good
>