[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [xen-devel] [fuzz] [x86 emulator] Input size

To: xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Paul Semel <semelpaul@xxxxxxxxx>
Date: Thu, 22 Feb 2018 13:39:01 +0100
Cc: wei.liu2@xxxxxxxxxx
Delivery-date: Thu, 22 Feb 2018 12:16:27 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hello,

In the x86 instruction emulator fuzzer, when checking wether the input size iscorrect, we are checking for this bounds : DATA_OFFSET < size < INPUT_SIZE.

The fact is that INPUT_SIZE is actually the size of the data buffer in thefuzz_corpus structure. This way, AFL is not able to have full control over thisentry, as we are actually filling this buffer for at most

INPUT_SIZE - DATA_OFFSET.

If I understand the fuzzer correctly, we really need to give full control onthis to AFL so that we can get some "random" from it.



I am wondering if the bounds should rather be :
DATA_OFFSET < size < sizeof (struct fuzz_corpus)
but maybe I am missing something here 🙂



Thanks,

--
Paul Semel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [xen-devel] [fuzz] [x86 emulator] Input size
  - From: Wei Liu

Prev by Date: Re: [Xen-devel] [PATCH] xtf: fix cdefs.h conflict with __section
Next by Date: Re: [Xen-devel] [PATCH] build: Rename as-insn-check to as-insn-add
Previous by thread: [Xen-devel] [PATCH] xtf: fix cdefs.h conflict with __section
Next by thread: Re: [Xen-devel] [xen-devel] [fuzz] [x86 emulator] Input size
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.