In the x86 instruction emulator fuzzer, when checking wether the input size is correct, we are checking for this bounds : DATA_OFFSET < size < INPUT_SIZE.

The fact is that INPUT_SIZE is actually the size of the data buffer in the fuzz_corpus structure. This way, AFL is not able to have full control over this entry, as we are actually filling this buffer for at most

If I understand the fuzzer correctly, we really need to give full control on this to AFL so that we can get some "random" from it.

I am wondering if the bounds should rather be :
DATA_OFFSET < size < sizeof (struct fuzz_corpus)
but maybe I am missing something here 🙂


Paul Semel

Xen-devel mailing list

Reply via email to