| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 01 Dec 2015 11:30:01 +0100 From: Daniel Borkmann <daniel@...earbox.net> To: Dmitry Vyukov <dvyukov@...gle.com>, Alexei Starovoitov <alexei.starovoitov@...il.com> CC: David Miller <davem@...emloft.net>, Alexei Starovoitov <ast@...nel.org>, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Eric Dumazet <edumazet@...gle.com>, Sasha Levin <sasha.levin@...cle.com>, syzkaller <syzkaller@...glegroups.com>, netdev <netdev@...r.kernel.org> Subject: Re: [PATCH net] bpf, array: fix heap out-of-bounds access when updating elements On 12/01/2015 10:38 AM, Dmitry Vyukov wrote: > On Mon, Nov 30, 2015 at 7:29 PM, Alexei Starovoitov > <alexei.starovoitov@...il.com> wrote: ... >> Dmitry, thanks a lot for applying syzkaller to bpf. The issues >> got cought much sooner than they would have been discovered otherwise. >> Looks like the fuzzing has limited dependency chains described >> in sys/sys.txt. Can they be improved into doing something like: >> single call to map_create followed by many calls to update to >> stress oom ? I did it manually so far without kasan. > > Hi Alexei, > > Please elaborate. > sys.txt describes signatures of syscalls. Based on that syzkaller > generates programs that can contain a map_create call followed by > multiple map update calls. Though, it won't generate millions of > update calls on a single map, because it directly conflicts with the > idea of coverage guided fuzzing. For OOMs I guess you want to try > kmalloc fault injection. Wrt dependency chains, I believe what is meant is that there are some options that could only be covered by the fuzzer after having succeeded a couple of dependencies first. Perhaps not directly related to BPF, but f.e. some things can only be reached after having a session established, like the transfer of fds via SCM_RIGHTS, options that are being fuzzed while having a tcp/udp/sctp/ netlink/etc session established and such. Perhaps in BPF case, f.e. updating of a program array, which itself would require some semi-autogenerated program to get loaded first. (The latter is already a different beast by itself wrt testing the verifier, though.) Cheers, Daniel -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists