This is the mail archive of the
mailing list for the binutils project.
Re: vulnerabilities in libbfd (CVE-2014-beats-me)
- From: Michal Zalewski <lcamtuf at coredump dot cx>
- To: Petr Machata <pmachata at redhat dot com>
- Cc: Pedro Alves <palves at redhat dot com>, Yury Gribov <y dot gribov at samsung dot com>, Nicholas Clifton <nickc at redhat dot com>, "Maciej W. Rozycki" <macro at linux-mips dot org>, bugtraq <bugtraq at securityfocus dot com>, binutils at sourceware dot org, Mark Wielaard <mjw at redhat dot com>
- Date: Thu, 30 Oct 2014 08:32:56 -0700
- Subject: Re: vulnerabilities in libbfd (CVE-2014-beats-me)
- Authentication-results: sourceware.org; auth=none
- References: <CALx_OUBq4iRGZNPLdCuqXmehVV=6vhXN3J16ytzM91cFqVSAoQ at mail dot gmail dot com> <alpine dot LFD dot 2 dot 11 dot 1410271451411 dot 3413 at eddie dot linux-mips dot org> <54521A7F dot 4050501 at redhat dot com> <5452389B dot 502 at samsung dot com> <54524C50 dot 8010606 at redhat dot com> <m261f1d1ja dot fsf at redhat dot com>
> Yep, quite a few. Melkor is nice in that it doesn't fuzz fully
> randomly, but when it tweaks a value, it also tweaks other dependent
> values, so simple sanity checking doesn't tend to catch those.
In general, it doesn't really cost much to run multiple fuzzers, so
it's probably good to try a bunch. Syntax-aware fuzzers have their
benefits (as you mention), but also drawbacks (they are constrained by
the assumptions made by whoever coded it up about the features the
fuzzed code actually supports, and the value of fuzzing various
fields). "Dumb" fuzzers are the opposite.
(Afl is actually somewhere in between - it uses compile-time
instrumentation to figure out what / how to fuzz - so it shares some
of the benefits and drawbacks of both).