
Re: [Xen-devel] [PATCH v2] fuzz/x86_emulate: fix bounds for input size

On 02/23/2018 10:48 PM, Paul Semel wrote:
> The maximum size for the input size was set to INPUT_SIZE, which is actually
> the size of the data array inside the fuzz_corpus structure and so was not
> enabling the user (or AFL) to fill in the whole structure. Changing to
> sizeof(struct fuzz_corpus) corrects this problem.
> Signed-off-by: Paul Semel <semelpaul@xxxxxxxxx>

Hey Paul,

Thanks for the patch.  Looking a bit more at the code over the weekend,
I figured out what that BUILD_BUG_ON() is for -- in afl_harness.c, we
statically allocate a buffer of size INPUT_SIZE to hold the fuzz data.
The BUILD_BUG_ON() is to make sure that this buffer is always big enough
to hold the minimum input size.  And increasing the size accepted by
LLVMFuzzerTestOneInput() won't have any effect for anybody using
afl-harness, as the size passed in will never be larger than INPUT_SIZE.

Are you running afl-harness, or are you using fuzz-emul directly some
other way (e.g., through Google's fuzzing service)?
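The interplay described in the reply above, as an added illustration that is not code from the Xen tree or from either poster: a BUILD_BUG_ON-style compile-time check ties a statically allocated INPUT_SIZE buffer to the minimum input, while the size bound checked by the fuzzer entry point is a separate thing. The struct layout, field names, INPUT_SIZE value and the function names `fuzz_accept`, `harness_run` and `run_full_corpus` are constructed for this example and do not reflect the real fuzz_corpus or afl_harness.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a fuzz_corpus: a fixed-size state prefix
 * followed by the instruction-byte array. Field names and INPUT_SIZE
 * are constructed for this example, not taken from the real header. */
#define INPUT_SIZE 4096

struct fuzz_corpus {
    uint64_t regs[16];              /* hypothetical fixed-size state prefix */
    uint32_t options;
    unsigned char data[INPUT_SIZE]; /* the array that INPUT_SIZE actually sizes */
};

/* The smallest input that still fills the fixed prefix completely. */
#define MIN_INPUT_SIZE offsetof(struct fuzz_corpus, data)

/* Compile-time check modelled on BUILD_BUG_ON: fail the build if the
 * static harness buffer could ever be smaller than the minimum input. */
#define BUILD_BUG_ON(cond) _Static_assert(!(cond), "BUILD_BUG_ON: " #cond)

/* afl-harness style: one statically allocated buffer of INPUT_SIZE bytes. */
static unsigned char harness_buf[INPUT_SIZE];
BUILD_BUG_ON(INPUT_SIZE < MIN_INPUT_SIZE);

/* Stand-in for the size validation at the fuzzer entry point. Returns the
 * number of bytes accepted, or -1 if size is outside [MIN_INPUT_SIZE, max_size].
 * max_size is the bound the patch changes: INPUT_SIZE before,
 * sizeof(struct fuzz_corpus) after. */
int fuzz_accept(const uint8_t *data, size_t size, size_t max_size)
{
    struct fuzz_corpus c;

    if (size < MIN_INPUT_SIZE || size > max_size)
        return -1;
    if (size > sizeof(c))           /* never overrun the structure itself */
        return -1;

    memset(&c, 0, sizeof(c));
    memcpy(&c, data, size);         /* a partially filled data[] stays zeroed */
    return (int)size;
}

/* Stand-in for the afl-harness path: the input file is read into the static
 * buffer, so at most INPUT_SIZE bytes ever reach fuzz_accept(), whatever
 * max_size says. */
int harness_run(const uint8_t *file, size_t file_len, size_t max_size)
{
    size_t n = file_len < sizeof(harness_buf) ? file_len : sizeof(harness_buf);

    memcpy(harness_buf, file, n);
    return fuzz_accept(harness_buf, n, max_size);
}

/* Builds a constructed input the size of the whole structure (filled with
 * 0x90) and feeds it either directly or through the harness path. */
int run_full_corpus(size_t max_size, int via_harness)
{
    static uint8_t file[sizeof(struct fuzz_corpus)];

    memset(file, 0x90, sizeof(file));
    return via_harness ? harness_run(file, sizeof(file), max_size)
                       : fuzz_accept(file, sizeof(file), max_size);
}

int main(void)
{
    size_t whole = sizeof(struct fuzz_corpus);

    printf("direct,  old bound: %d\n", run_full_corpus(INPUT_SIZE, 0));
    printf("direct,  new bound: %d\n", run_full_corpus(whole, 0));
    printf("harness, old bound: %d\n", run_full_corpus(INPUT_SIZE, 1));
    printf("harness, new bound: %d\n", run_full_corpus(whole, 1));
    return 0;
}
```

Run directly, a whole-structure input is rejected under the old INPUT_SIZE bound and accepted under the sizeof(struct fuzz_corpus) bound, which is the defect the patch addresses. Through the harness path the result is INPUT_SIZE bytes under both bounds, because the static buffer truncates the file before the bound is ever consulted; the BUILD_BUG_ON only guarantees that this truncated input is never shorter than the minimum.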


Xen-devel mailing list
