Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Placeholder: Fuzzing with AFL #1

Open
pallas opened this issue May 27, 2020 · 5 comments
Open

Placeholder: Fuzzing with AFL #1

pallas opened this issue May 27, 2020 · 5 comments

Comments

@pallas
Copy link

pallas commented May 27, 2020

I set up AFL to run smatch against some of the validation files & it has found a few crashes so far. This is a placeholder to note that. What is the best way (vis-à-vis, your workflow) to report these crashes?

@error27
Copy link
Owner

error27 commented May 28, 2020 via email

@pallas
Copy link
Author

pallas commented May 28, 2020

Thanks. All but two that I've seen so far are null dereferences in the parse tree when the input is invalid.

@pallas
Copy link
Author

pallas commented May 28, 2020

The other two are adding to an invalid function_symbol_list, so who knows.

@pallas
Copy link
Author

pallas commented May 29, 2020

It looks like most of the cases are where the right half of an expression is bad but the expression is still passed back up. I have the sources of the ones I could find fixed but there are still other cases where a bad parse input causes the tree to be invalid and a client function does not check for this condition.

@error27
Copy link
Owner

error27 commented May 29, 2020 via email

error27 pushed a commit that referenced this issue Apr 21, 2022
Unrelated fix: In match_memdup() then I added some add_dereference(left/right)
calls.

Problem: This codes a tangled mess and zeroing memory does not work.

This code is supposed to handle three things.  #1 Copying a known struct
to a different struct of the same type.  #2 Copying unknown data to a
struct.  #3 Copying a zeroed buffer to a struct.

I think #1 basically works.  It's hard to get #2 wrong so I think that
works but probably in the wrong way.  But #3 was not working.

In the original code, it treated "struct = struct" as different from
memcpying.  Which is sort of not a bad idea, but not how it's implemented.
So get rid of that.  Just say COPY_NORMAL.  Use COPY_UNKNOWN for #2 of
an unknown buffer and COPY_ZERO for a zeroed buffer.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants