Wireshark-dev: Re: [Wireshark-dev] oss-fuzz status
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Fri, 5 May 2017 16:23:30 +0200
Hi Michael, On Fri, May 05, 2017 at 09:50:04AM -0400, Michael Mann wrote: > > Peter, > > I'm not sure if this is a conversation for -dev, (I think -dev is good, adding in cc.) > but I'm just curious myself - what is the "status" of oss-fuzz? It > feels like the bugs being logged are grouped into "categories" and a > new "category" shows up about every week. > Are you adding a category at a time, and then try to fix the bugs from > that category before moving on? Are the fuzzes just that different > than current fuzzbots that it'll just be awhile before it levels out > (and the bugs start to dry up)? > > Michael Some history: Jakub added oss-fuzz integration (starting with https://github.com/google/oss-fuzz/pull/532, later updated with more dissection tables in https://github.com/google/oss-fuzz/pull/533 and finally moved to the WS tree in tools/oss-fuzzshark/). I have done little to tune oss-fuzz, Google's fuzzing cluster ("clusterfuzz") just discovers issues automatically. I think there is an option to build a corpus (Jakub is building one at https://bitbucket.org/jwzawadzki/wireshark-fuzzdb I believe). So far, we have seen these report types: - Undefined behavior from large or negative shifts (not too bad). - buffer overrun (read) by a small amount. Mostly harmless and in some cases it actually requires a special patch to reproduce: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13608#c2 - Timeouts. These are more severe as it causes a denial of service due to "infinite" loops. - Stack overflow. Denial of service due to deep recursion. Bad. - Null pointer dereference. More about this later. - Out-of-memory. Request for malloc((guint32)-1), bad memory management, etc. - (Direct) memory leaks. So about the null pointer dereference, that happened due to unexpected layerings, one protocol for example always expected to be layered on top of IP which was not always the case because oss-fuzzshark would call a dissector directly through its dissector table ("udp.port" or "ip.proto"). For the reproducers, I have emulated this by crafting packets using the Upper Pdu ("Export PDU") encapsulation (which is not supported by 2.0 though, so the pcaps cannot be used to reproduce crashes with 2.0). These issues were found without trying very hard (the very first report was the result of mutating an x86 executable... rather than a valid protocol message). I don't know how our own fuzzer exactly works, but oss-fuzz uses libFuzzer and AFL, both of them are smarter and add compile-time instrumentation which guide the fuzzing process. My current workflow is: 1. Check mail, notice one or more oss-fuzz reports. 2. If it is a new report, download reproducer and run my script to reproduce it. If reproduced, it will automatically file a new bug. For updates to an existing oss-fuzz issue, try to validate that the bug was indeed fixed. 3. Archive the mail. Until I get around publishing the scripts and further documentation, here is a list of all reported (open/closed) issues: https://bugs.wireshark.org/bugzilla/buglist.cgi?bug_status=__all__&columnlist=resolution%2Cshort_desc%2Cbug_file_loc%2Cchangeddate&content=%22%5Boss-fuzz%5D%22&order=bug_file_loc Here are all open oss-fuzz issues: https://bugs.wireshark.org/bugzilla/buglist.cgi?resolution=---&content=%22oss-fuzz%22&columnlist=product%2Ccomponent%2Cbug_status%2Cresolution%2Cshort_desc%2Cbug_file_loc%2Cchangeddate -- Kind regards, Peter Wu https://lekensteyn.nl
- Prev by Date: Re: [Wireshark-dev] stable[32|64].xml
- Next by Date: Re: [Wireshark-dev] stable[32|64].xml
- Previous by thread: Re: [Wireshark-dev] stable[32|64].xml
- Next by thread: [Wireshark-dev] Python interface for dissectors
- Index(es):