
Re: [Xen-devel] [PATCH 04/14] fuzz/x86_emulate: Add a better input size check



On Fri, Aug 25, 2017 at 05:43:33PM +0100, George Dunlap wrote:
> For some reason the 'feof()' check for the file size isn't working in
> llvm-clang-fast mode; the result is several kilobyte files rather than
> the 4k limit files as we've requested.  This is bad in part because
> AFL will spend time trying to "fuzz" bits of the input that are never
> touched.
> 

You mean feof returns non-zero (true) when it shouldn't?

> Add a new check: Offer to read INPUT_SIZE + 1; if we actually get that
> many bytes, return an error.
> 
> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
> ---
> CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
> CC: Wei Liu <wei.liu2@xxxxxxxxxx>
> CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> CC: Jan Beulich <jbeulich@xxxxxxxx>
> ---
>  tools/fuzz/x86_instruction_emulator/afl-harness.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c 
> b/tools/fuzz/x86_instruction_emulator/afl-harness.c
> index 1a79ff228e..51e0183356 100644
> --- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
> +++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
> @@ -76,7 +76,7 @@ int main(int argc, char **argv)
>              }
>          }
>  
> -        size = fread(input, 1, INPUT_SIZE, fp);
> +        size = fread(input, 1, INPUT_SIZE + 1, fp);

You probably want to actually define input to be INPUT_SIZE+1 bytes as well.

I doubt address sanitiser will be happy with overrunning the buffer.

>  
>          if ( ferror(fp) )
>          {
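
Review bot: the fread() call now requests INPUT_SIZE + 1 bytes, but nothing in this hunk grows `input`, and the diffstat (2 insertions, 2 deletions) is fully accounted for by the fread() and feof() lines, so the buffer declaration is not touched by this patch. If `input` is declared with INPUT_SIZE bytes, an oversize file makes fread() store one byte past its end before the size check ever runs. Declare the buffer as INPUT_SIZE + 1 bytes in the same patch, or pass sizeof(input) as the count with the buffer sized to match, so the read length and the buffer size cannot drift apart.
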
> @@ -84,7 +84,7 @@ int main(int argc, char **argv)
>              exit(-1);
>          }
>  
> -        if ( !feof(fp) )
> +        if ( !feof(fp) || size > INPUT_SIZE )
>          {
>              printf("Input too large\n");
>              exit(-1);
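
Review bot: in `if ( !feof(fp) || size > INPUT_SIZE )` the new `size > INPUT_SIZE` test already rejects every oversize input once fread() asks for INPUT_SIZE + 1 bytes, while the commit message says the feof() test is the one that is not working in llvm-clang-fast mode. Either drop `!feof(fp)` or add a short comment above the condition stating why both tests are kept and which one is expected to fire, so a later reader does not have to rediscover it from the commit log.
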
> -- 
> 2.14.1
> 
