This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: is there a fuzzer for libc?
- From: Konstantin Serebryany <konstantin dot s dot serebryany at gmail dot com>
- To: Szabolcs Nagy <szabolcs dot nagy at arm dot com>
- Cc: Roland McGrath <roland at hack dot frob dot com>, Rich Felker <dalias at libc dot org>, Siddhesh Poyarekar <siddhesh dot poyarekar at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 20 Mar 2015 09:04:21 -0700
- Subject: Re: is there a fuzzer for libc?
- Authentication-results: sourceware.org; auth=none
- References: <CAGQ9bdwcMhLU_8-FJQFk9VUJAUWcpRzMeq1WuPrmRvxyXJ3K7w at mail dot gmail dot com> <20140602200155 dot GI507 at brightrain dot aerifal dot cx> <CAAHN_R1U1e9N7eBF70baVZ_pHCRgnSCfPW-544tYkJ0KfXCQdA at mail dot gmail dot com> <CAGQ9bdxQuAbCmVOzywWjiLZycuT=Dis=HV0RYxdg4MBO5PMuEQ at mail dot gmail dot com> <20140603183434 dot GK507 at brightrain dot aerifal dot cx> <CAGQ9bdwNm+OgzKikSD+yvf8BxavEO=UBkNM8quPYpXsh3qZTfw at mail dot gmail dot com> <20140619201021 dot CC7D12C3A00 at topped-with-meat dot com> <CAGQ9bdw-i_C55t3b9Mh+4m67GRuu6RfCmUDUPLwTezbAoW1UNg at mail dot gmail dot com> <CAGQ9bdyTYvuebAa4SUk0Gv7rYT7PyBkZKRKd-_W7pHcrPG6+-Q at mail dot gmail dot com> <550B09A9 dot 7060007 at arm dot com> <CAGQ9bdxE9C0yTA+1VAiLX6nFPgraNzLdKE7Cpk8BX5ZXOVBPZg at mail dot gmail dot com> <550C1A41 dot 8020107 at arm dot com>
On Fri, Mar 20, 2015 at 6:01 AM, Szabolcs Nagy <szabolcs.nagy@arm.com> wrote:
>
>
> On 19/03/15 18:25, Konstantin Serebryany wrote:
>> Step1:
>> If you can implement a function
>> void TestOneInput(const unsigned char *Data, size_t Size);
>> that uses one of the glibc APIs in an interesting way as in the examples above
>> I can run it with the fuzzer on the instrumented glibc.
>> You can run yourself too, but the build process is a bit too hairy today.
>> The requirement for TestOneInput is that it runs reasonably fast (e.g. < 1ms)
>> and does not crash on malformed inputs (unless there is a bug).
>> For non-trivial kinds of input I may also need an initial set of
>> inputs (test corpus),
>> but for regcomp/fnmatch/wordexp and similar the fuzzer is capable of
>> generating the corpus from scratch.
>>
>> Step2:
>> Finish Glibc+Clang (https://sourceware.org/glibc/wiki/GlibcMeetsClang)
>> and integrate the LLVM fuzzer
>> (http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup)
>> or any similar coverage-guided fuzzer with the glibc testing process.
>>
>
> it seems the coverage tool depends on asan
It can work w/o asan, but it requires clang.
Without asan the fuzzer will be able to distill the test corpus, but
it will not find memory bugs (except for simple ones like null deref).
>
> i could not yet get asan to work on my system
> so i can't try the fuzzer
If you have lots of assembly asan will not help because it does not
instrument asm.
Otherwise, if the code is platform independent, you can test the code on x86.
>
> fuzzing glibc is a useful project but i'm looking
> for a tool that helps catching regressions in musl
> libc when some complex parser code like fnmatch
> is updated.
>
> maybe i can automate cutting out the relevant
> code from the musl source tree and then run
> fuzzing on that without libc instrumentation..
Let me know if you need help with that.
> (but i was hoping for a nicer solution)
>
--kcc
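The kind of TestOneInput target described in the quoted Step 1 above, written out as an added example; it is not code from this thread, from glibc or from LLVM's Fuzzer. It keeps the 2015 `void TestOneInput(const unsigned char *Data, size_t Size)` name quoted in the thread (current libFuzzer expects `int LLVMFuzzerTestOneInput(const uint8_t *, size_t)` instead). The input layout (one flag byte, then `<pattern>\0<subject>`), the helper `split_input`, the per-API wrappers `FuzzRegex`/`FuzzFnmatch`, the result enum and the `MAX_LEN` cap are all conventions chosen for this example. The two points a target author most often gets wrong are handled explicitly: the fuzzer's buffer is not NUL-terminated, so the bytes are copied into terminated buffers before any string API sees them, and a regcomp error on a malformed pattern is an expected outcome to report, not a crash.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <regex.h>

/* Upper bound on pattern and subject length so one call stays well under
 * a millisecond even for pathological patterns (constructed value). */
#define MAX_LEN 256

/* What a target did with one input; returned so a harness can inspect it. */
enum target_result { T_SKIPPED = 0, T_INVALID, T_NOMATCH, T_MATCH };

/* Copy the raw fuzzer bytes into two NUL-terminated buffers: everything
 * before the first 0x00 is the pattern, everything after it is the subject.
 * The fuzzer's buffer is NOT NUL-terminated, so without this copy the
 * functions under test would read past the end of Data and the fuzzer would
 * report a bug in the target rather than in libc. Oversized inputs are
 * skipped instead of truncated so the fuzzer does not waste time on them. */
static int split_input(const unsigned char *Data, size_t Size,
                       char *pat, char *str)
{
    const unsigned char *nul = Size ? memchr(Data, 0, Size) : NULL;
    size_t plen = nul ? (size_t)(nul - Data) : Size;
    size_t slen = nul ? Size - plen - 1 : 0;
    if (plen > MAX_LEN || slen > MAX_LEN)
        return 0;
    if (plen)
        memcpy(pat, Data, plen);
    pat[plen] = '\0';
    if (slen)
        memcpy(str, nul + 1, slen);
    str[slen] = '\0';
    return 1;
}

/* Target for regcomp/regexec. Data[0] selects compile flags, the rest is
 * "<pattern>\0<subject>". A regcomp() failure on a malformed pattern is a
 * normal outcome (T_INVALID); only a crash inside libc is a finding. */
int FuzzRegex(const unsigned char *Data, size_t Size)
{
    char pat[MAX_LEN + 1], str[MAX_LEN + 1];
    regex_t re;
    int cflags = REG_NOSUB;

    if (Size < 1)
        return T_SKIPPED;
    if (Data[0] & 1) cflags |= REG_EXTENDED;
    if (Data[0] & 2) cflags |= REG_ICASE;
    if (Data[0] & 4) cflags |= REG_NEWLINE;
    if (!split_input(Data + 1, Size - 1, pat, str))
        return T_SKIPPED;

    if (regcomp(&re, pat, cflags) != 0)
        return T_INVALID;
    int m = regexec(&re, str, 0, NULL, 0);
    regfree(&re);   /* always release, or an ASan build reports the leak as a target bug */
    return m == 0 ? T_MATCH : T_NOMATCH;
}

/* Target for fnmatch, same input layout; Data[0] selects POSIX flags. */
int FuzzFnmatch(const unsigned char *Data, size_t Size)
{
    char pat[MAX_LEN + 1], str[MAX_LEN + 1];
    int flags = 0;

    if (Size < 1)
        return T_SKIPPED;
    if (Data[0] & 1) flags |= FNM_NOESCAPE;
    if (Data[0] & 2) flags |= FNM_PATHNAME;
    if (Data[0] & 4) flags |= FNM_PERIOD;
    if (!split_input(Data + 1, Size - 1, pat, str))
        return T_SKIPPED;

    int r = fnmatch(pat, str, flags);
    if (r == 0)
        return T_MATCH;
    return r == FNM_NOMATCH ? T_NOMATCH : T_INVALID;
}

/* The entry point the coverage-guided fuzzer calls once per generated input. */
void TestOneInput(const unsigned char *Data, size_t Size)
{
    (void)FuzzRegex(Data, Size);
    (void)FuzzFnmatch(Data, Size);
}

/* Stand-alone driver: replay one saved input (e.g. a crash reproducer)
 * without linking against the fuzzer library. */
int main(int argc, char **argv)
{
    unsigned char buf[2 * MAX_LEN + 2];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        perror(argv[1]);
        return 2;
    }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    printf("regex=%d fnmatch=%d\n", FuzzRegex(buf, n), FuzzFnmatch(buf, n));
    return 0;
}
```

Built against an ASan-instrumented libc and linked with a coverage-guided fuzzer, every return path above is "fine"; the only signal worth investigating is the fuzzer itself reporting a crash, a sanitizer error or a timeout inside regcomp/regexec/fnmatch. The first-byte flag selector is there so the fuzzer can reach the REG_EXTENDED, REG_ICASE and FNM_PATHNAME code paths without a separate target for each.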