Re: [Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size
On Mon, Feb 26, 2018 at 10:33:40AM +, Wei Liu wrote:
> On Fri, Feb 23, 2018 at 11:48:57PM +0100, Paul Semel wrote:
> > The maximum size for the input was set to INPUT_SIZE, which is actually
> > the size of the data array inside the fuzz_corpus structure and so was not
> > allowing the user (or AFL) to fill in the whole structure. Changing to
> > sizeof(struct fuzz_corpus) corrects this problem.
> >
> > Signed-off-by: Paul Semel
>
> Acked-by: Wei Liu

Applied. Thanks for your patch.

___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
Re: [Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size
Hey George,

On 02/27/2018 11:39 AM, George Dunlap wrote:
> Thanks for the patch. Looking a bit more at the code over the weekend, I
> figured out what that BUILD_BUG_ON() is for -- in afl_harness.c, we
> statically allocate a buffer of size INPUT_SIZE to hold the fuzz data. The
> BUILD_BUG_ON() is to make sure that this buffer is always big enough to hold
> the minimum input size. And increasing the size accepted by
> LLVMFuzzerTestOneInput() won't have any effect for anybody using
> afl-harness, as the size passed in will never be larger than INPUT_SIZE.

Thanks for replying to me! Actually, I understood what this BUILD_BUG_ON() was for and I totally agree with you 🙂
Anyway, I am pretty sure that this check is not needed anymore for the new changes I made, as the condition is never reachable anymore.

> Are you running afl-harness, or are you using fuzz-emul directly some other
> way (e.g., through Google's fuzzing service)?

I am actually not using it, but I discovered this tool some time ago, and I am now trying to port the idea to another emulator project... 🙂
Anyway, I made many changes to my own version, and if it still interests you, I can share those changes with you once I'm done with my thing!

> -George

--
Paul
Re: [Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size
On 02/23/2018 10:48 PM, Paul Semel wrote:
> The maximum size for the input was set to INPUT_SIZE, which is actually
> the size of the data array inside the fuzz_corpus structure and so was not
> allowing the user (or AFL) to fill in the whole structure. Changing to
> sizeof(struct fuzz_corpus) corrects this problem.
>
> Signed-off-by: Paul Semel

Hey Paul,

Thanks for the patch. Looking a bit more at the code over the weekend, I figured out what that BUILD_BUG_ON() is for -- in afl_harness.c, we statically allocate a buffer of size INPUT_SIZE to hold the fuzz data. The BUILD_BUG_ON() is to make sure that this buffer is always big enough to hold the minimum input size. And increasing the size accepted by LLVMFuzzerTestOneInput() won't have any effect for anybody using afl-harness, as the size passed in will never be larger than INPUT_SIZE.

Are you running afl-harness, or are you using fuzz-emul directly some other way (e.g., through Google's fuzzing service)?

-George
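As an added illustration of the bound George describes above (this is example code written for this page, not code from Xen, from the patch, or from anyone in the thread), the following stand-alone C program models a fuzz_corpus-style input: a fixed state prefix followed by a data[INPUT_SIZE] array. It compares the pre-patch bound (size > INPUT_SIZE) with the post-patch bound (size > sizeof(struct fuzz_corpus)), keeps the compile-time relation the BUILD_BUG_ON() enforced, and models an AFL front end that reads into a static INPUT_SIZE buffer, so the harness never sees more than INPUT_SIZE bytes through that path. The struct layout (a 16-register prefix), INPUT_SIZE = 4096, and all function names are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: a fixed state prefix followed by a data[] array of INPUT_SIZE
 * bytes. Field names and sizes are constructed for this example, not Xen's. */
#define INPUT_SIZE 4096

struct fuzz_corpus {
    uint64_t regs[16];               /* assumed state prefix, 128 bytes */
    unsigned char data[INPUT_SIZE];  /* bytes handed to the emulator */
};

#define DATA_OFFSET      offsetof(struct fuzz_corpus, data)
#define FUZZ_CORPUS_SIZE sizeof(struct fuzz_corpus)

/* The relation the thread's BUILD_BUG_ON() protected: an INPUT_SIZE-byte buffer
 * (the afl-harness buffer) must be able to hold the minimal input, DATA_OFFSET + 1. */
_Static_assert(DATA_OFFSET + 1 <= INPUT_SIZE, "INPUT_SIZE cannot hold a minimal input");

enum verdict { ACCEPT = 0, TOO_SMALL = 1, TOO_LARGE = 2 };

static size_t minimal_input_size(void) { return DATA_OFFSET + 1; }

/* Pre-patch bound: the whole input is compared against the data[] size alone. */
static enum verdict check_size_old(size_t size)
{
    if (size < minimal_input_size()) return TOO_SMALL;
    if (size > INPUT_SIZE) return TOO_LARGE;
    return ACCEPT;
}

/* Post-patch bound: compared against the size of the whole structure. */
static enum verdict check_size_new(size_t size)
{
    if (size < minimal_input_size()) return TOO_SMALL;
    if (size > FUZZ_CORPUS_SIZE) return TOO_LARGE;
    return ACCEPT;
}

/* Largest input a given bound lets through (linear scan; the range is small). */
static size_t max_accepted(enum verdict (*check)(size_t))
{
    size_t best = 0;
    for (size_t s = 0; s <= FUZZ_CORPUS_SIZE + 64; s++)
        if (check(s) == ACCEPT) best = s;
    return best;
}

/* How many bytes of data[] an input of `size` bytes can populate. */
static size_t data_bytes_reachable(size_t size)
{
    if (size <= DATA_OFFSET) return 0;
    size -= DATA_OFFSET;
    return size > INPUT_SIZE ? INPUT_SIZE : size;
}

/* Copy an accepted input into a zeroed corpus; the bound keeps memcpy inside it. */
static int load_corpus(struct fuzz_corpus *c, const uint8_t *p, size_t size)
{
    if (check_size_new(size) != ACCEPT) return -1;
    memset(c, 0, sizeof(*c));
    memcpy(c, p, size);
    return 0;
}

/* Constructed full-size input: returns the last data[] byte after loading,
 * proving the whole structure (not just INPUT_SIZE bytes) can be filled. */
static int last_data_byte_after_full_load(void)
{
    uint8_t in[FUZZ_CORPUS_SIZE];
    struct fuzz_corpus c;
    memset(in, 0x5A, sizeof in);
    if (load_corpus(&c, in, sizeof in) != 0) return -1;
    return c.data[INPUT_SIZE - 1];
}

/* Model of an AFL-style front end reading a file into a static INPUT_SIZE buffer:
 * whatever the file holds, the harness is handed at most INPUT_SIZE bytes. */
static size_t afl_frontend_size(size_t file_size)
{
    static uint8_t buf[INPUT_SIZE];
    size_t n = file_size > sizeof(buf) ? sizeof(buf) : file_size;
    memset(buf, 0xCC, n);  /* stands in for read(fd, buf, n) */
    return n;
}

int main(void)
{
    printf("corpus %zu bytes, data[] starts at %zu\n", FUZZ_CORPUS_SIZE, DATA_OFFSET);
    printf("old bound: max %zu bytes, %zu of data[] reachable\n",
           max_accepted(check_size_old), data_bytes_reachable(max_accepted(check_size_old)));
    printf("new bound: max %zu bytes, %zu of data[] reachable\n",
           max_accepted(check_size_new), data_bytes_reachable(max_accepted(check_size_new)));
    printf("last data byte after full load: 0x%02x\n", (unsigned)last_data_byte_after_full_load());
    printf("a %zu-byte file via the AFL front end arrives as %zu bytes\n",
           FUZZ_CORPUS_SIZE, afl_frontend_size(FUZZ_CORPUS_SIZE));
    return 0;
}
```

With the assumed layout the old bound caps inputs at 4096 bytes, of which 128 are consumed by the prefix, so the last 128 bytes of data[] can never be populated; the new bound admits the full 4224-byte structure. The afl_frontend_size() model shows why the thread says the change is invisible through afl-harness: a file larger than INPUT_SIZE is truncated before the harness sees it.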
Re: [Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size
On Fri, Feb 23, 2018 at 11:48:57PM +0100, Paul Semel wrote:
> The maximum size for the input was set to INPUT_SIZE, which is actually
> the size of the data array inside the fuzz_corpus structure and so was not
> allowing the user (or AFL) to fill in the whole structure. Changing to
> sizeof(struct fuzz_corpus) corrects this problem.
>
> Signed-off-by: Paul Semel

Acked-by: Wei Liu
[Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size
The maximum size for the input was set to INPUT_SIZE, which is actually
the size of the data array inside the fuzz_corpus structure and so was not
allowing the user (or AFL) to fill in the whole structure. Changing to
sizeof(struct fuzz_corpus) corrects this problem.

Signed-off-by: Paul Semel
---
 tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c index 964682aa1a..0ada613f52 100644 --- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c +++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c @@ -33,6 +33,7 @@ struct fuzz_corpus unsigned char data[INPUT_SIZE]; } input; #define DATA_OFFSET offsetof(struct fuzz_corpus, data) +#define FUZZ_CORPUS_SIZE (sizeof(struct fuzz_corpus)) /* * Internal state of the fuzzing harness. Calculated initially from the input @@ -828,7 +829,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size) return 1; } -if ( size > INPUT_SIZE ) +if ( size > FUZZ_CORPUS_SIZE ) { printf("Input too large\n"); return 1; @@ -859,8 +860,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size) unsigned int fuzz_minimal_input_size(void) { -BUILD_BUG_ON(DATA_OFFSET > INPUT_SIZE); - return DATA_OFFSET + 1; } -- 2.16.1
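Review bot: in the first hunk (@@ -33,6 +33,7 @@), the outer parentheses in `+#define FUZZ_CORPUS_SIZE (sizeof(struct fuzz_corpus))` are redundant, since sizeof(...) is already a single postfix expression; more importantly, the new macro lands right under DATA_OFFSET with no comment, while INPUT_SIZE keeps its old name as the size of the data[] member only. A one-line comment saying that FUZZ_CORPUS_SIZE covers the whole structure (state prefix plus data[]) and INPUT_SIZE only the data array would stop the two from being confused again, which is exactly the mix-up this patch is fixing.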
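Review bot: in the second hunk (@@ -828,7 +829,7 @@), raising the bound from `-if ( size > INPUT_SIZE )` to `+if ( size > FUZZ_CORPUS_SIZE )` lets LLVMFuzzerTestOneInput() accept up to sizeof(struct fuzz_corpus) bytes, but the thread notes that afl_harness.c reads into a static buffer of INPUT_SIZE bytes, so anyone going through afl-harness still cannot deliver a full structure. Either resize that buffer to FUZZ_CORPUS_SIZE in the same series or say in the commit message that only direct libFuzzer callers benefit. It is also worth confirming that the copy following this check (not visible in the hunk) is bounded by the destination structure rather than by INPUT_SIZE, now that inputs larger than INPUT_SIZE get past it.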
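Review bot: in the third hunk (@@ -859,8 +860,6 @@), deleting `-BUILD_BUG_ON(DATA_OFFSET > INPUT_SIZE);` removes the only compile-time check that the INPUT_SIZE-byte buffer in afl_harness.c can hold a minimal input of DATA_OFFSET + 1 bytes, which is the purpose George identifies in the thread; the new FUZZ_CORPUS_SIZE bound in the previous hunk does not imply that relation. Unless afl_harness.c's buffer is resized in the same change, keep the assertion, or move it next to that buffer where the dependency actually lives. If it is kept, note that DATA_OFFSET > INPUT_SIZE is off by one against the `return DATA_OFFSET + 1;` just below: DATA_OFFSET == INPUT_SIZE passes the check yet the minimal input no longer fits, so `BUILD_BUG_ON(DATA_OFFSET >= INPUT_SIZE)` matches the minimum exactly.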