From: Konstantin Serebryany
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: buffer overflow in regcomp and a way to find more of those
Date: Fri, 20 Mar 2015 17:06:18 -0700
To: Konstantin Serebryany, musl@lists.openwall.com
Reply-To: musl@lists.openwall.com
In-Reply-To: <20150320235227.GE16260@port70.net>

On Fri, Mar 20, 2015 at 4:52 PM, Szabolcs Nagy wrote:
> * Konstantin Serebryany [2015-03-20 13:17:47 -0700]:
>> Following the discussion at the glibc mailing list
>> (https://sourceware.org/ml/libc-alpha/2015-03/msg00662.html)
>> I've tried to fuzz musl regcomp and the first bug popped up quickly.
>> Please let me know if you would be interested in adding the fuzzer
>> (http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup)
>> to the musl testing process.
>>
>
> (now with correct To: header)
>
> (1) the clean approach would be to have a way to build an
> instrumented libc and a separate set of test cases for
> various libc apis that the fuzzer could use.

Correct.
Building libc.a is simple:

  CC="clang -fsanitize=address -fsanitize-coverage=3 " ./configure && make -j

But then I don't know how to properly link libc.a to a test case.
How do you usually link tests with libc.a on x86_64 Linux?

> (2) the other approach is to cut parts of the libc out
> (the parsers often don't depend on too much libc internals)
> and build them with whatever runtime the fuzzer needs

That's exactly what I did. Not optimal, I agree.

> the question is how hard it is to do (1)?
>
> i assume asan is non-trivial to set up for that (or is it
> enough to replace malloc calls? and some startup logic?)

asan replaces malloc and a few more libc functions.
It works with various different libcs, so there is a good chance that
it will work here with no or minimal changes.

> at first it is ok if the fuzzer only catches crashing bugs
> so if that's easy to do i'd go for that.
>
> for (1) i can write the test cases and adjust the musl build
> system, but i don't know how much difficulty i should expect
>
> thanks
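For readers following the thread, here is what a libFuzzer target for regcomp looks like. This is an added example, not the fuzzer Konstantin ran against musl; it assumes the standard libFuzzer entry point LLVMFuzzerTestOneInput and the POSIX <regex.h> API, and the build/link flags in the comments are assumptions (linking the harness against the instrumented libc.a is exactly the open question in the thread).

```c
#include <regex.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Assumed build (not from the thread): compile this file with
 *   clang -g -fsanitize=address,fuzzer harness.c
 * and link it against a libc.a built as the thread describes, i.e. with
 *   CC="clang -fsanitize=address -fsanitize-coverage=3 " ./configure && make
 * so that regcomp's own code is instrumented for ASan and coverage.
 */

/* Map the first input byte to regcomp() flags so the fuzzer explores
 * both BRE and ERE parsers and the flag-dependent code paths. */
static int cflags_from_byte(uint8_t b)
{
    int f = 0;
    if (b & 1) f |= REG_EXTENDED;
    if (b & 2) f |= REG_ICASE;
    if (b & 4) f |= REG_NOSUB;
    if (b & 8) f |= REG_NEWLINE;
    return f;
}

/* Compile one byte string as a pattern and release the result.
 * Returns regcomp()'s error code (0 on success, -1 if malloc failed).
 * The pattern is copied into an exactly-sized heap buffer so that a read
 * past the end of the input lands in an ASan redzone and is reported,
 * instead of silently reading whatever follows the fuzzer's buffer. */
int regcomp_probe(const uint8_t *data, size_t size, int cflags)
{
    char *pat = malloc(size + 1);
    if (!pat)
        return -1;
    memcpy(pat, data, size);
    pat[size] = '\0';          /* regcomp() needs a NUL-terminated pattern */

    regex_t re;
    int rc = regcomp(&re, pat, cflags);
    if (rc == 0)
        regfree(&re);          /* exercise the teardown path too */
    free(pat);
    return rc;
}

/* libFuzzer entry point: called once per generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (size == 0)
        return 0;
    (void)regcomp_probe(data + 1, size - 1, cflags_from_byte(data[0]));
    return 0;                  /* non-zero returns are reserved by libFuzzer */
}
```

Every crash or ASan report is reproducible from the single saved input file, which is what makes the "only catches crashing bugs" mode from the thread already useful.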