Conversation

polachok
Contributor

@polachok polachok commented Feb 27, 2017

https://github.com/rust-fuzz/cargo-fuzz just arrived and I tried to use it on libpnet

2 seconds into cargo fuzz --fuzz-target fuzzer_script_1 and here we go:

INFO: Seed: 849846349
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
#0      READ units: 2
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/plhk/src/libpnet/fuzz/target/debug/build/pnet-470ff5253a202a9d/out/ipv4.rs:1209
note: Run with `RUST_BACKTRACE=1` for a backtrace.
==30801== ERROR: libFuzzer: deadly signal
    #0 0x7f76dc157b39  (/home/plhk/src/libpnet/fuzz/target/debug/fuzzer_script_1+0x1dbb39)
    #1 0x7f76dbfb0bc6  (/home/plhk/src/libpnet/fuzz/target/debug/fuzzer_script_1+0x34bc6)
    #2 0x7f76db43932f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1032f)
    #3 0x7f76dae84c36  (/lib/x86_64-linux-gnu/libc.so.6+0x36c36)
    #4 0x7f76dae88027  (/lib/x86_64-linux-gnu/libc.so.6+0x3a027)
    #5 0x7f76dc08c1d8  (/home/plhk/src/libpnet/fuzz/target/debug/fuzzer_script_1+0x1101d8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa,
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a
artifact_prefix='./'; Test unit written to ./crash-f7c2d3e118e956163283f66c387fdb6455aceef4
Base64: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACg==

#141

@mrmonday
Contributor

This is awesome, I've wanted to fuzz libpnet for quite some time!

I see you've marked this as WIP - I'll hold off merging for now. I'm excited to see where this leads.

@polachok
Contributor Author

I just wanted to start a discussion about this.
I think it would be great to have fuzzing scripts generation automated somehow.
It's kinda tiresome to write them by hand.
Alternatively, we could write scripts for all existing packet types and not accept PRs without fuzzing scripts :)

@Manishearth

cc @pnkfelix

@mrmonday
Contributor

mrmonday commented Mar 6, 2017

I'm not sure we need fuzzing scripts for all packet types - ideally pnet_macros should generate "perfect" packet parsers which always pass fuzzing. With that said, yes, we could auto-generate these (they wouldn't be as sophisticated as what you've provided until we have an answer to #140).

@polachok polachok changed the title [WIP] Fuzzing Fuzzing Mar 7, 2017
@polachok
Contributor Author

polachok commented Mar 7, 2017

ipv4:

INFO: Seed: 377758501
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
#0	READ units: 7
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/build/pnet-470ff5253a202a9d/out/ipv4.rs:1209
note: Run with `RUST_BACKTRACE=1` for a backtrace.
==28165== ERROR: libFuzzer: deadly signal
    #0 0x55b81f18abe9  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x1f2be9)
    #1 0x55b81efe6f4b  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x4ef4b)
    #2 0x55b81efe6e95  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x4ee95)
    #3 0x55b81efddde3  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x45de3)
    #4 0x7ff3af89e5bf  (/lib64/libpthread.so.0+0x115bf)
    #5 0x7ff3af2e591e  (/lib64/libc.so.6+0x3591e)
    #6 0x7ff3af2e7519  (/lib64/libc.so.6+0x37519)
    #7 0x55b81f0bf1a8  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x1271a8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x0,0xff,0xff,0x29,0xfb,0xff,0xff,0xff,0xff,0xff,0x0,0x29,0xfb,0xff,0xff,0xff,0xff,0xff,0x0,0xff,0xff,0xff,0xa,
\x00\xff\xff)\xfb\xff\xff\xff\xff\xff\x00)\xfb\xff\xff\xff\xff\xff\x00\xff\xff\xff\x0a
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-0aea91efc06d5d4f0dc074cd0d00b340e8ddf6ed
Base64: AP//Kfv//////wAp+///////AP///wo=

tcp

INFO: Seed: 2225802277
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
#0	READ units: 7
thread '<unnamed>' panicked at 'slice index starts at 60 but ends at 23', /checkout/src/libcore/slice.rs:584
note: Run with `RUST_BACKTRACE=1` for a backtrace.
==28270== ERROR: libFuzzer: deadly signal
    #0 0x5618dba9fc29  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x1f2c29)
    #1 0x5618db8fbf4b  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x4ef4b)
    #2 0x5618db8fbe95  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x4ee95)
    #3 0x5618db8f2de3  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x45de3)
    #4 0x7fcb3fbbe5bf  (/lib64/libpthread.so.0+0x115bf)
    #5 0x7fcb3f60591e  (/lib64/libc.so.6+0x3591e)
    #6 0x7fcb3f607519  (/lib64/libc.so.6+0x37519)
    #7 0x5618db9d41e8  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x1271e8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x0,0xff,0xff,0x29,0xfb,0xff,0xff,0xff,0xff,0xff,0x0,0x29,0xfb,0xff,0xff,0xff,0xff,0xff,0x0,0xff,0xff,0xff,0xa,
\x00\xff\xff)\xfb\xff\xff\xff\xff\xff\x00)\xfb\xff\xff\xff\xff\xff\x00\xff\xff\xff\x0a
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-0aea91efc06d5d4f0dc074cd0d00b340e8ddf6ed
Base64: AP//Kfv//////wAp+///////AP///wo=

gre

INFO: Seed: 4282533105
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
#0	READ units: 7
#7	INITED cov: 206 corp: 2/21b exec/s: 0 rss: 16Mb
thread '<unnamed>' panicked at 'Source routed GRE packets not supported', /home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/build/pnet-470ff5253a202a9d/out/gre.rs:1286
note: Run with `RUST_BACKTRACE=1` for a backtrace.
==28429== ERROR: libFuzzer: deadly signal
    #0 0x5624f62bed39  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x1f3d39)
    #1 0x5624f611bb8b  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x50b8b)
    #2 0x5624f611bad5  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x50ad5)
    #3 0x5624f6112a23  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x47a23)
    #4 0x7f6e7a52e5bf  (/lib64/libpthread.so.0+0x115bf)
    #5 0x7f6e79f7591e  (/lib64/libc.so.6+0x3591e)
    #6 0x7f6e79f77519  (/lib64/libc.so.6+0x37519)
    #7 0x5624f61f32f8  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x1282f8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 1 EraseBytes-; base unit: b06cd6c26e6815ad21073fe628c591e19f824293
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0xff,0xa,
\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\xff\x0a
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-9b609f50c71bf3a519c326a505eb20e4519a9bf3
Base64: //////////8AAAD/Cg==

@polachok
Contributor Author

I rebased the branch. Tcp seems fixed, ipv4 still failing.

@polachok
Contributor Author

polachok commented Apr 18, 2017

Ok, I broke tcp again

cargo fuzz run tcp -- -max_len=512
       Fresh pnet_macros_support v0.1.1 (file:///home/plhk/libpnet/pnet_macros_support)
       Fresh winapi v0.2.8
       Fresh rustc-serialize v0.3.23
       Fresh ipnetwork v0.12.3
       Fresh gcc v0.3.45
       Fresh void v1.0.2
       Fresh term v0.4.5
       Fresh winapi-build v0.1.1
       Fresh utf8-ranges v1.0.0
       Fresh log v0.3.7
       Fresh unicode-xid v0.0.3
       Fresh bitflags v0.5.0
       Fresh libc v0.2.21
       Fresh regex-syntax v0.4.0
       Fresh syntex_pos v0.42.0
       Fresh unreachable v0.1.1
       Fresh thread-id v3.0.0
       Fresh memchr v1.0.1
       Fresh syntex_errors v0.42.0
       Fresh thread_local v0.3.3
       Fresh aho-corasick v0.6.3
       Fresh syntex_syntax v0.42.0
       Fresh libfuzzer-sys v0.1.0 (https://github.com/rust-fuzz/libfuzzer-sys.git#36a3928e)
       Fresh ws2_32-sys v0.2.1
       Fresh regex v0.2.1
       Fresh syntex v0.42.2
       Fresh pnet_macros v0.13.1 (file:///home/plhk/libpnet/pnet_macros)
       Fresh pnet v0.17.0 (file:///home/plhk/libpnet)
       Fresh pnet-fuzz v0.0.1 (file:///home/plhk/libpnet/fuzz)
    Finished dev [unoptimized + debuginfo] target(s) in 0.0 secs
     Running `fuzz/target/x86_64-unknown-linux-gnu/debug/tcp -artifact_prefix=/home/plhk/libpnet/fuzz/artifacts/tcp/ -max_len=512 /home/plhk/libpnet/fuzz/corpus/tcp`
INFO: Seed: 1109823738
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: /home/plhk/libpnet/fuzz/corpus/tcp
#0      READ units: 3
thread '<unnamed>' panicked at 'index 98 out of range for slice of length 3', /checkout/src/libcore/slice/mod.rs:672
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
stack backtrace:
   0: core::slice::slice_index_len_fail
             at /checkout/src/libcore/slice/mod.rs:672
   1: <core::ops::Range<usize> as core::slice::SliceIndex<[T]>>::index
             at /checkout/src/libcore/slice/mod.rs:803
   2: core::slice::<impl core::ops::Index<I> for [T]>::index
             at /checkout/src/libcore/slice/mod.rs:654
   3: <pnet::packet::PacketData<'p> as core::ops::Index<core::ops::Range<usize>>>::index
             at ./src/packet/mod.rs:67
   4: <pnet::packet::tcp::TcpOptionPacket<'a> as pnet::packet::Packet>::payload
             at ./fuzz/target/x86_64-unknown-linux-gnu/debug/build/pnet-c83bfb2e5ea3cb12/out/tcp.rs:1211
   5: rust_fuzzer_test_input
             at ./fuzz/fuzzers/tcp.rs:13
   6: libfuzzer_sys::test_input_wrap::{{closure}}
             at /home/plhk/.multirust/toolchains/nightly/cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
==25073== ERROR: libFuzzer: deadly signal
    #0 0x559c8f50da53  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x133a53)
    #1 0x559c8f4326b7  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x586b7)
    #2 0x559c8f432605  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x58605)
    #3 0x559c8f43039a  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x5639a)
    #4 0x7f43f2e3833f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1033f)
    #5 0x7f43f2883cc8  (/lib/x86_64-linux-gnu/libc.so.6+0x36cc8)
    #6 0x7f43f28870d7  (/lib/x86_64-linux-gnu/libc.so.6+0x3a0d7)
    #7 0x559c8f5fbdf8  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x221df8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x2a,0x28,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,
*(bbbbbbbbbbbbbbbbbbbbb
artifact_prefix='/home/plhk/libpnet/fuzz/artifacts/tcp/'; Test unit written to /home/plhk/libpnet/fuzz/artifacts/tcp/crash-d070951eea8297d7bdf4aa9968825515e7bba656
Base64: KihiYmJiYmJiYmJiYmJiYmJiYmJiYmI=
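Every panic in this thread comes from unchecked arithmetic (`ihl * 4 - 20` on an IHL of 0) or from slicing with an attacker-controlled length byte. As an added example, not libpnet or pnet_macros code, this shows the panic-free style such generated parsers need, with my own function names, run against constructed copies of the ipv4 and tcp crash units quoted above:

```rust
/// Length in bytes of the IPv4 options field, or None when the IHL nibble is
/// below 5 (the 20-byte minimum header), where `ihl * 4 - 20` would underflow,
/// or when the packet is shorter than the header length it claims.
pub fn ipv4_options_len(packet: &[u8]) -> Option<usize> {
    let ihl = usize::from(*packet.first()? & 0x0f);
    let header_len = ihl.checked_mul(4)?;
    let opts = header_len.checked_sub(20)?; // IHL < 5 -> None instead of a panic
    if packet.len() < header_len {
        return None; // header claims more bytes than are present
    }
    Some(opts)
}

/// Walk TCP options as (kind, data) pairs with every access bounds-checked
/// through `get`, so a bogus length byte yields Err rather than a slice panic.
pub fn tcp_options(opts: &[u8]) -> Result<Vec<(u8, Vec<u8>)>, &'static str> {
    let mut out = Vec::new();
    let mut pos = 0usize;
    while let Some(&kind) = opts.get(pos) {
        match kind {
            0 => break,    // End of Option List
            1 => pos += 1, // NOP carries no length byte
            _ => {
                let len = usize::from(*opts.get(pos + 1).ok_or("truncated length")?);
                if len < 2 {
                    return Err("option length below 2"); // would never advance
                }
                let end = pos.checked_add(len).ok_or("length overflow")?;
                let data = opts.get(pos + 2..end).ok_or("option runs past buffer")?;
                out.push((kind, data.to_vec()));
                pos = end;
            }
        }
    }
    Ok(out)
}

fn main() {
    // Constructed copies of the crash units quoted in this thread.
    let ipv4_crash = [0x00u8, 0xff, 0xff, 0x29, 0xfb, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x29,
                      0xfb, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0xff, 0xff, 0xff, 0x0a];
    let mut tcp_crash = vec![0x2au8, 0x28]; // kind 42, length 40, in a 23-byte unit
    tcp_crash.extend(std::iter::repeat(0x62u8).take(21));
    println!("ipv4 options len: {:?}", ipv4_options_len(&ipv4_crash)); // None
    println!("tcp options: {:?}", tcp_options(&tcp_crash)); // Err("option runs past buffer")
}
```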

@daniellockyer

I've pulled a copy of this PR and will work on it 😄

@mrmonday
Contributor

@neosilky Thank you for picking this up! Let us know how you get on, or if you need any assistance.

@polachok
Contributor Author

@neosilky any progress? I made some commits to https://github.com/polachok/libpnet/commits/syncookied, but they need to be rebased

@mrmonday
Contributor

Going to do a release later this week, would be great to get some of the fixes in if they're ready.

@mrmonday mrmonday merged commit e9047d3 into libpnet:master Jul 22, 2017
@mrmonday
Contributor

I've merged the fuzzing stuff in so other people can play around with it. I'll check out the syncookied branch and cherry pick fixes across and get them merged in too.

@polachok polachok deleted the fuzzing branch July 24, 2017 13:41