Placeholder: Fuzzing with AFL

[pallas]

I set up AFL to run smatch against some of the validation files & it has found a few crashes so far. This is a placeholder to note that. What is the best way (vis-à-vis, your workflow) to report these crashes?

[error27]

On Wed, May 27, 2020 at 03:11:31PM -0700, Derrick Lyndon Pallas wrote: I set up AFL to run smatch against some of the validation files & it has found a few crashes so far. This is a placeholder to note that. What is the best way (vis-à-vis, your workflow) to report these crashes?

Ah. Thanks. You could email them to [email protected] or to me directly. regards, dan carpenter

[pallas]

Thanks. All but two that I've seen so far are null dereferences in the parse tree when the input is invalid.

[pallas]

The other two are adding to an invalid function_symbol_list, so who knows.

[pallas]

It looks like most of the cases are where the right half of an expression is bad but the expression is still passed back up. I have the sources of the ones I could find fixed but there are still other cases where a bad parse input causes the tree to be invalid and a client function does not check for this condition.

[error27]

On Thu, May 28, 2020 at 07:18:48PM -0700, Derrick Lyndon Pallas wrote: It looks like most of the cases are where the right half of an expression is bad but the expression is still passed back up. I have the sources of the ones I could find fixed but there are still other cases where a bad parse input causes the tree to be invalid and a client function does not check for this condition.

If you have sample code which causes the crash and do a `valgrind ./smatch test.c` that normally gives a good stack trace and it's easy enough to add a NULL check. The unfortunate thing is that often the checks expect valid code so they all have the same bugs. :/ regards, dan carpenter