 
	
Re: [Xen-devel] [PATCH 04/14] fuzz/x86_emulate: Add a better input size check
 On Fri, Aug 25, 2017 at 05:43:33PM +0100, George Dunlap wrote:
> For some reason the 'feof()' check for the file size isn't working in
> llvm-clang-fast mode; the result is several kilobyte files rather than
> the 4k limit files as we've requested.  This is bad in part because
> AFL will spend time trying to "fuzz" bits of the input that are never
> touched.
> 
You mean feof returns non-zero (true) when it shouldn't?
> Add a new check: Offer to read INPUT_SIZE + 1; if we actually get that
> many bytes, return an error.
> 
> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
> ---
> CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
> CC: Wei Liu <wei.liu2@xxxxxxxxxx>
> CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> CC: Jan Beulich <jbeulich@xxxxxxxx>
> ---
>  tools/fuzz/x86_instruction_emulator/afl-harness.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c 
> b/tools/fuzz/x86_instruction_emulator/afl-harness.c
> index 1a79ff228e..51e0183356 100644
> --- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
> +++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
> @@ -76,7 +76,7 @@ int main(int argc, char **argv)
>              }
>          }
>  
> -        size = fread(input, 1, INPUT_SIZE, fp);
> +        size = fread(input, 1, INPUT_SIZE + 1, fp);
You probably want to actually define input to be of INPUT_SIZE+1 bytes as well.
I doubt address sanitiser will be happy with overrunning the buffer.
>  
>          if ( ferror(fp) )
>          {
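Review bot: `fread(input, 1, INPUT_SIZE + 1, fp)` may now store INPUT_SIZE + 1 bytes in `input`, but the diffstat (2 insertions, 2 deletions) shows the declaration of `input` is untouched by this patch. Unless `input` already has room for the extra byte, an oversized file overruns it by one byte before the size check runs; size the buffer to INPUT_SIZE + 1 in the same patch.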
> @@ -84,7 +84,7 @@ int main(int argc, char **argv)
>              exit(-1);
>          }
>  
> -        if ( !feof(fp) )
> +        if ( !feof(fp) || size > INPUT_SIZE )
>          {
>              printf("Input too large\n");
>              exit(-1);
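Review bot: in `if ( !feof(fp) || size > INPUT_SIZE )` the retained `!feof(fp)` term is the check the commit message reports as not working in llvm-clang-fast mode, and nothing here says why it stays. With the ferror() test above it, a read shorter than requested already implies end of file, so `size > INPUT_SIZE` is sufficient on its own; either drop `!feof(fp)` or add a comment naming the case it still covers.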
> -- 
> 2.14.1
> 
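The check described in the commit message, combined with the buffer-size point raised in the reply, as an added example that is not part of the original patch or the Xen tree. `INPUT_SIZE` is assumed to be 4096 (the 4k limit mentioned above), and `read_input` and `check_len` are hypothetical names.

```c
#include <stdio.h>

#define INPUT_SIZE 4096  /* assumed value: the 4k limit from the commit message */

/* One spare byte so the INPUT_SIZE + 1 probe read stays inside the buffer. */
static unsigned char input[INPUT_SIZE + 1];

/*
 * Read at most INPUT_SIZE bytes from fp into input (hypothetical helper).
 * Returns the byte count, -1 on a read error, -2 if the input is too large.
 * The size decision uses only fread's return value, never feof().
 */
static long read_input(FILE *fp)
{
    size_t size = fread(input, 1, sizeof(input), fp);

    if ( ferror(fp) )
        return -1;
    if ( size > INPUT_SIZE )
        return -2;
    return (long)size;
}

/* Constructed test input: a temporary file of n bytes, read back through read_input. */
static long check_len(size_t n)
{
    FILE *fp = tmpfile();
    long ret;
    size_t i;

    if ( !fp )
        return -1;
    for ( i = 0; i < n; i++ )
        fputc('A', fp);
    rewind(fp);
    ret = read_input(fp);
    fclose(fp);
    return ret;
}

int main(void)
{
    printf("%ld %ld %ld\n", check_len(10), check_len(INPUT_SIZE),
           check_len(INPUT_SIZE + 1));
    return 0;
}
```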