Re: fuzzing poke with afl & afl++
From: Jose E. Marchesi
Subject: Re: fuzzing poke with afl & afl++
Date: Tue, 14 Jan 2020 00:27:32 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
>> Long story short: I've let afl++ fuzz poke's script mode overnight on my
>> laptop (12 fuzzing processes were running, one in deterministic mode and
>> 11 in random mode) for about 5 hours until poke filled up my /tmp/ and
>> the fuzzer died (because it was running on the same partition to not
>> murder my SSD). It found 600-something input files that made poke crash,
>> but of these only 164 are distinct crashes (distinct according to afl,
>> at least the failed assertions could be maybe only a handful of
>> bugs). I've put them into the following categories according to the type
>> of crash that occurred:
>>
>> assertion failed: 122
>> double free: 11
>> signal FPE: 2
>> signal SEGV: 19
>> use after free: 8
>> misc: 2 (these just result in an "Aborted" message)
>>
>> The resulting files are attached in the archive crashes.tar.gz.
> Alright, we definitely want to file bugs for these bugs. I will look
> at crashes.tar.gz and do so.
So I did, fixed several bugs, and filed a couple of them that still have
to be fixed.
Right now we are down to:
7 assertion failures
0 double frees
0 signal FPE
0 signal SEGV
0 use after free
0 misc
Of the reported 265 hangs, after the bug fixes, none of them are
unjustified.
>> I have one suggestion though: could we add a flag to poke (either
>> compile- or run-time), so that it will not create diagnostic files in
>> /tmp/? This is not really useful when running poke a few million times
>> with mostly invalid input.
> Definitely yes. Will add it.
Done. Now poke won't dump anything under /tmp when an ICE is reported,
if the tool was invoked with --quiet (this is the case when running
tests.)
So, at this point, you may want to rerun afl. poke should be much more
robust now :)
This fuzzing already uncovered 5 bugs. Definitely worth it. Thanks for
doing it Dan!
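The crash categories in the report above (assertion failed, double free, signal FPE, signal SEGV, use after free, misc) are the kind of bucketing you get by re-running each AFL crash input against the target and pattern-matching what it prints on stderr. The script below is an added example of that triage step; it is not code from this thread or from poke. It assumes a target binary that takes one input file as its argument and that AFL's `crashes/` directory uses the usual `id:...` file names; the sample stderr transcripts used to exercise the classifier are constructed, not real poke output.

```shell
#!/bin/sh
# Added example (not from the thread): bucket AFL crash inputs by the failure
# signature the target prints, reproducing the categories from the report.
# Assumes: <target> reads one input file and writes its diagnostic to stderr.

# Map one stderr transcript to a crash category. Order matters: a sanitizer
# double-free or use-after-free report also mentions the signal, so those
# patterns are tested before the generic signal ones.
classify_crash() {
    # $1: text captured from the target's stderr
    case "$1" in
        *"Assertion"*|*"assertion"*)               echo "assertion_failed" ;;
        *"double-free"*|*"double free"*)           echo "double_free" ;;
        *"use-after-free"*|*"use after free"*)     echo "use_after_free" ;;
        *"SIGFPE"*|*"Floating point exception"*)   echo "signal_FPE" ;;
        *"SIGSEGV"*|*"Segmentation fault"*)        echo "signal_SEGV" ;;
        *)                                         echo "misc" ;;
    esac
}

# Re-run every crash input through the target, copy it into a per-category
# directory and print a histogram like the one in the report.
# Usage: triage_crashes <target> <afl-crashes-dir> <out-dir>
triage_crashes() {
    target=$1; crash_dir=$2; out_dir=$3
    for f in "$crash_dir"/id:*; do
        [ -f "$f" ] || continue
        # Keep only stderr; the target is expected to exit non-zero, so
        # mask its status so a `set -e` caller does not abort the loop.
        err=$("$target" "$f" 2>&1 >/dev/null || true)
        cat=$(classify_crash "$err")
        mkdir -p "$out_dir/$cat"
        cp "$f" "$out_dir/$cat/"
    done
    for d in "$out_dir"/*/; do
        [ -d "$d" ] || continue
        printf '%s: %s\n' "$(basename "$d")" "$(ls "$d" | wc -l)"
    done
}

# Constructed stderr samples showing what each bucket is keyed on.
SAMPLE_ASSERT='poke: pkl-foo.c:42: bar: Assertion `x != NULL'"'"' failed.'
SAMPLE_DFREE='==1234==ERROR: AddressSanitizer: attempting double-free on 0x60200000eff0'
SAMPLE_UAF='==1234==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000000d0'
SAMPLE_ABORT='Aborted'
```

A run over a real crash directory is `triage_crashes ./poke out/default/crashes ./triaged`; counting files per bucket only tells you how many inputs hit each failure class, so, as the report notes, dozens of "assertion failed" inputs may still collapse to a handful of distinct bugs once the failing assertion line is compared.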