Re: [Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size

2018-03-02 Thread Wei Liu
On Mon, Feb 26, 2018 at 10:33:40AM +, Wei Liu wrote:
> On Fri, Feb 23, 2018 at 11:48:57PM +0100, Paul Semel wrote:
> > The maximum size for the input size was set to INPUT_SIZE, which is actually
> > the size of the data array inside the fuzz_corpus structure and so was not
> > allowing the user (or AFL) to fill in the whole structure. Changing to
> > sizeof(struct fuzz_corpus) corrects this problem.
> > 
> > Signed-off-by: Paul Semel 
> 
> Acked-by: Wei Liu 

Applied. Thanks for your patch.

___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size

2018-02-28 Thread Paul Semel

Hey George,

On 02/27/2018 11:39 AM, George Dunlap wrote:
> Thanks for the patch. Looking a bit more at the code over the weekend,
> I figured out what that BUILD_BUG_ON() is for -- in afl_harness.c, we
> statically allocate a buffer of size INPUT_SIZE to hold the fuzz data.
> The BUILD_BUG_ON() is to make sure that this buffer is always big enough
> to hold the minimum input size.  And increasing the size accepted by
> LLVMFuzzerTestOneInput() won't have any effect for anybody using
> afl-harness, as the size passed in will never be larger than INPUT_SIZE.

Thanks for replying to me! Actually, I understood what this BUILD_BUG_ON() was for
and I totally agree with you 🙂

Anyway, I am pretty sure that this check is not needed anymore for the new
changes I made, as the condition is never reachable anymore.

> Are you running afl-harness, or are you using fuzz-emul directly some
> other way (e.g., through Google's fuzzing service)?

I am actually not using it, but I discovered this tool some time before, and I
am now trying to port the idea to another emulator project. 🙂
Anyway, I made many changes on my own version, and if it still does interest
you, I can share those changes with you once I'm done with my thing!

>  -George

--
Paul


Re: [Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size

2018-02-27 Thread George Dunlap
On 02/23/2018 10:48 PM, Paul Semel wrote:
> The maximum size for the input size was set to INPUT_SIZE, which is actually
> the size of the data array inside the fuzz_corpus structure and so was not
> allowing the user (or AFL) to fill in the whole structure. Changing to
> sizeof(struct fuzz_corpus) corrects this problem.
> 
> Signed-off-by: Paul Semel 

Hey Paul,

Thanks for the patch.  Looking a bit more at the code over the weekend,
I figured out what that BUILD_BUG_ON() is for -- in afl_harness.c, we
statically allocate a buffer of size INPUT_SIZE to hold the fuzz data.
The BUILD_BUG_ON() is to make sure that this buffer is always big enough
to hold the minimum input size.  And increasing the size accepted by
LLVMFuzzerTestOneInput() won't have any effect for anybody using
afl-harness, as the size passed in will never be larger than INPUT_SIZE.

Are you running afl-harness, or are you using fuzz-emul directly some
other way (e.g., through Google's fuzzing service)?

 -George
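As an added illustration of the bound George and Paul are discussing (my code, not Xen's fuzz-emul or afl-harness; the struct layout, field names and the INPUT_SIZE value are made-up stand-ins), this loads an input into a corpus struct under the old INPUT_SIZE limit and under the new sizeof(struct fuzz_corpus) limit, and reports how many bytes of data[] each can actually fill:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the harness's corpus layout, NOT Xen's real
 * struct fuzz_corpus: a few register-like header fields, then the byte
 * stream the emulator consumes.  Field names and sizes are assumptions. */
#define INPUT_SIZE 4096
struct fuzz_corpus {
    unsigned long cr[5];
    uint64_t msr[2];
    unsigned char data[INPUT_SIZE];
};
#define DATA_OFFSET      offsetof(struct fuzz_corpus, data)
#define FUZZ_CORPUS_SIZE (sizeof(struct fuzz_corpus))

/* Mirror the harness's input validation: an input needs the whole header
 * plus at least one instruction byte (DATA_OFFSET + 1) and must not exceed
 * `limit` (nor the struct itself).  Returns 0 and fills *c on success. */
int load_corpus(struct fuzz_corpus *c, const uint8_t *in, size_t size,
                size_t limit)
{
    if (size < DATA_OFFSET + 1)
        return -1;                      /* input too small */
    if (size > limit || size > sizeof(*c))
        return -2;                      /* "Input too large" */
    memset(c, 0, sizeof(*c));           /* unused tail of data[] stays zero */
    memcpy(c, in, size);
    return 0;
}

/* Worked case: feed `size` bytes of 0xAA through load_corpus() under `limit`
 * and count how many bytes of data[] were populated (0 if rejected).
 * With limit == INPUT_SIZE the header consumes DATA_OFFSET bytes of the
 * budget, so the last DATA_OFFSET bytes of data[] can never be reached. */
size_t loaded_data_bytes(size_t size, size_t limit)
{
    static uint8_t in[FUZZ_CORPUS_SIZE];
    struct fuzz_corpus c;
    if (size > sizeof in)
        return 0;
    memset(in, 0xAA, sizeof in);
    if (load_corpus(&c, in, size, limit) != 0)
        return 0;
    size_t n = 0;
    while (n < INPUT_SIZE && c.data[n] == 0xAA)
        n++;
    return n;
}
```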



Re: [Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size

2018-02-26 Thread Wei Liu
On Fri, Feb 23, 2018 at 11:48:57PM +0100, Paul Semel wrote:
> The maximum size for the input size was set to INPUT_SIZE, which is actually
> the size of the data array inside the fuzz_corpus structure and so was not
> allowing the user (or AFL) to fill in the whole structure. Changing to
> sizeof(struct fuzz_corpus) corrects this problem.
> 
> Signed-off-by: Paul Semel 

Acked-by: Wei Liu 


[Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size

2018-02-23 Thread Paul Semel
The maximum size for the input size was set to INPUT_SIZE, which is actually
the size of the data array inside the fuzz_corpus structure and so was not
allowing the user (or AFL) to fill in the whole structure. Changing to
sizeof(struct fuzz_corpus) corrects this problem.

Signed-off-by: Paul Semel 
---
 tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c 
b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index 964682aa1a..0ada613f52 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -33,6 +33,7 @@ struct fuzz_corpus
 unsigned char data[INPUT_SIZE];
 } input;
 #define DATA_OFFSET offsetof(struct fuzz_corpus, data)
+#define FUZZ_CORPUS_SIZE (sizeof(struct fuzz_corpus))
 
 /*
  * Internal state of the fuzzing harness.  Calculated initially from the input
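Review bot: the new FUZZ_CORPUS_SIZE define deserves a one-line comment next to DATA_OFFSET saying that it bounds the whole corpus (header fields plus data[]), since sizeof(struct fuzz_corpus) equals DATA_OFFSET + INPUT_SIZE only when the struct has no trailing padding and readers will otherwise have to work out the relationship themselves. The outer parentheses around sizeof(...) are redundant, as sizeof already parenthesises its operand; harmless, but `#define FUZZ_CORPUS_SIZE sizeof(struct fuzz_corpus)` matches the style of the DATA_OFFSET line above it.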
@@ -828,7 +829,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t 
size)
 return 1;
 }
 
-if ( size > INPUT_SIZE )
+if ( size > FUZZ_CORPUS_SIZE )
 {
 printf("Input too large\n");
 return 1;
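Review bot: raising the bound here from INPUT_SIZE to FUZZ_CORPUS_SIZE only affects callers that invoke LLVMFuzzerTestOneInput() directly; as George notes in the thread, afl-harness copies into a static INPUT_SIZE buffer, so inputs arriving through it still never exceed INPUT_SIZE and the last DATA_OFFSET bytes of data[] stay unreachable from that path. The commit message should say which entry point benefits, and a follow-up that sizes the afl-harness buffer to FUZZ_CORPUS_SIZE would give both entry points the same maximum.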
@@ -859,8 +860,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t 
size)
 
 unsigned int fuzz_minimal_input_size(void)
 {
-BUILD_BUG_ON(DATA_OFFSET > INPUT_SIZE);
-
 return DATA_OFFSET + 1;
 }
 
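Review bot: removing BUILD_BUG_ON(DATA_OFFSET > INPUT_SIZE) drops the compile-time guarantee that the afl-harness INPUT_SIZE buffer can hold a minimal input (George's point); the upper-bound change in the previous hunk does not make that condition unreachable, because nothing in this patch resizes the harness buffer. Keep the assertion, and note it is off by one against the `return DATA_OFFSET + 1;` just below: `BUILD_BUG_ON(DATA_OFFSET >= INPUT_SIZE);` is the check that actually guarantees the minimum input fits.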
-- 
2.16.1

