Re: [Xen-devel] [xen-devel] [fuzz] [x86 emulator] Input size
On Thu, Feb 22, 2018 at 01:39:01PM +0100, Paul Semel wrote:
> Hello,
>
> In the x86 instruction emulator fuzzer, when checking whether the input size
> is correct, we are checking for these bounds: DATA_OFFSET < size < INPUT_SIZE.
>
> The fact is that INPUT_SIZE is actually the size of the data buffer in the
> fuzz_corpus structure. This way, AFL is not able to have full control over
> this entry, as we are actually filling this buffer for at most
> INPUT_SIZE - DATA_OFFSET.
>
> If I understand the fuzzer correctly, we really need to give full control on
> this to AFL so that we can get some "random" from it.
>
> I am wondering if the bounds should rather be:
> DATA_OFFSET < size < sizeof (struct fuzz_corpus)

Yes. I think you're right.

The code has gone through several iterations. It isn't surprising that we
got something messed up in between.

(CC'ing people who modified the code before to sanity-check)

Are you up for writing a patch? I.e. replacing INPUT_SIZE with a sizeof
expression.

Also I think the BUILD_BUG_ON in fuzz_minimal_input_size should also be
fixed in a similar fashion.

Wei.

> but maybe I am missing something here 🙂
>
> Thanks,
>
> --
> Paul Semel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
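The following C program is an added illustration of the bound discussed in the thread and is not code from the Xen fuzzer. It models a corpus as a fixed header followed by a data[INPUT_SIZE] buffer (the field layout, the names check_old, check_new, load_corpus and max_data_bytes_*, and the choice to treat the upper bound as inclusive are all assumptions made here for the example) and shows that bounding size by INPUT_SIZE leaves DATA_OFFSET bytes of data[] that a mutator can never reach, while bounding by sizeof(struct fuzz_corpus) lets an input fill the whole buffer. A _Static_assert plays the role of the BUILD_BUG_ON the reply mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the instruction-byte buffer inside the corpus, as in the fuzzer. */
#define INPUT_SIZE 4096

/*
 * Simplified stand-in for the fuzzer's struct fuzz_corpus (assumed layout,
 * not the real one): some register/MSR state the emulator starts from,
 * followed by the bytes it will decode. AFL mutates the whole thing,
 * header included.
 */
struct fuzz_corpus {
    unsigned long cr[5];
    uint64_t msr[8];
    unsigned long options;
    unsigned char data[INPUT_SIZE];
};

/* Offset of the instruction bytes within the corpus, as in the fuzzer. */
#define DATA_OFFSET offsetof(struct fuzz_corpus, data)

/* Compile-time stand-in for the BUILD_BUG_ON: the bound to compare DATA_OFFSET
 * against is the size of the whole corpus, not of its data[] member. */
_Static_assert(DATA_OFFSET < sizeof(struct fuzz_corpus),
               "corpus header must leave room for at least one data byte");

/* Generic size check, DATA_OFFSET < size <= upper_bound. Returns 0 on accept,
 * 1 on reject. The upper bound is treated as inclusive here (assumption). */
static int size_ok(size_t size, size_t upper_bound)
{
    if (size <= DATA_OFFSET)
        return 1;               /* no instruction bytes at all */
    if (size > upper_bound)
        return 1;               /* would overflow the corpus */
    return 0;
}

/* The check as the mail describes it before the fix: bound is INPUT_SIZE. */
int check_old(size_t size)
{
    return size_ok(size, INPUT_SIZE);
}

/* The check with the bound proposed in the mail: the whole struct. */
int check_new(size_t size)
{
    return size_ok(size, sizeof(struct fuzz_corpus));
}

/*
 * Load a fuzzer input into a corpus (header first, then data) and return how
 * many instruction bytes the input actually controlled, or -1 if the size
 * check rejected it. The corpus is zeroed first so untouched data[] bytes
 * are deterministic.
 */
long load_corpus(struct fuzz_corpus *c, const uint8_t *in, size_t size,
                 int (*check)(size_t))
{
    if (check(size))
        return -1;
    memset(c, 0, sizeof(*c));
    memcpy(c, in, size);
    return (long)(size - DATA_OFFSET);
}

/* Largest number of instruction bytes one input can carry under each check;
 * the difference between the two is exactly DATA_OFFSET. */
size_t max_data_bytes_old(void) { return INPUT_SIZE - DATA_OFFSET; }
size_t max_data_bytes_new(void) { return sizeof(struct fuzz_corpus) - DATA_OFFSET; }

int main(void)
{
    /* Constructed input: a full-size corpus with every byte set to 0x90 (NOP). */
    static uint8_t full[sizeof(struct fuzz_corpus)];
    struct fuzz_corpus c;
    memset(full, 0x90, sizeof(full));

    printf("DATA_OFFSET=%zu INPUT_SIZE=%d sizeof(corpus)=%zu\n",
           (size_t)DATA_OFFSET, INPUT_SIZE, sizeof(struct fuzz_corpus));
    printf("old check, full corpus: %ld data bytes\n",
           load_corpus(&c, full, sizeof(full), check_old));   /* -1: rejected */
    printf("new check, full corpus: %ld data bytes\n",
           load_corpus(&c, full, sizeof(full), check_new));   /* INPUT_SIZE */
    printf("max data bytes: old=%zu new=%zu\n",
           max_data_bytes_old(), max_data_bytes_new());
    return 0;
}
```

With the old bound, an input that would fill every byte of data[] is rejected outright, and the largest accepted input leaves the last DATA_OFFSET bytes of the buffer permanently zero; with the whole-struct bound the same input is accepted and all INPUT_SIZE bytes come from the mutator.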