Date:	Thu, 3 Dec 2015 18:21:14 +0100
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Daniel Borkmann <daniel@...earbox.net>
Cc:	Alexei Starovoitov <alexei.starovoitov@...il.com>,
	David Miller <davem@...emloft.net>,
	Alexei Starovoitov <ast@...nel.org>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Eric Dumazet <edumazet@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>,
	syzkaller <syzkaller@...glegroups.com>,
	netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net] bpf, array: fix heap out-of-bounds access when updating elements

On Tue, Dec 1, 2015 at 11:30 AM, Daniel Borkmann <daniel@...earbox.net> wrote:
> On 12/01/2015 10:38 AM, Dmitry Vyukov wrote:
>>
>> On Mon, Nov 30, 2015 at 7:29 PM, Alexei Starovoitov
>> <alexei.starovoitov@...il.com> wrote:
>
> ...
>>>
>>> Dmitry, thanks a lot for applying syzkaller to bpf. The issues
>>> got caught much sooner than they would have been discovered otherwise.
>>> Looks like the fuzzing has limited dependency chains described
>>> in sys/sys.txt. Can they be improved into doing something like:
>>> single call to map_create followed by many calls to update to
>>> stress oom ? I did it manually so far without kasan.
>>
>>
>> Hi Alexei,
>>
>> Please elaborate.
>> sys.txt describes signatures of syscalls. Based on that syzkaller
>> generates programs that can contain a map_create call followed by
>> multiple map update calls. Though, it won't generate millions of
>> update calls on a single map, because it directly conflicts with the
>> idea of coverage guided fuzzing. For OOMs I guess you want to try
>> kmalloc fault injection.
>
>
> Wrt dependency chains, I believe what is meant is that there are some
> options that could only be covered by the fuzzer after having succeeded
> a couple of dependencies first.
>
> Perhaps not directly related to BPF, but f.e. some things can only be
> reached after having a session established, like the transfer of fds via
> SCM_RIGHTS, options that are being fuzzed while having a tcp/udp/sctp/
> netlink/etc session established and such.
>
> Perhaps in BPF case, f.e. updating of a program array, which itself would
> require some semi-autogenerated program to get loaded first. (The latter
> is already a different beast by itself wrt testing the verifier, though.)


Well, that's the whole idea of syzkaller: to build longer sequences of
syscalls that use resources in sensible ways. In fact, you can see
that in the reproducer program syzkaller creates a map and then does
two update operations on it.
However, it does not work ideally at the moment. Descriptions of
syscalls can be improved, descriptions of syscalls can contain plain
bugs, lots of implicit syscalls are not described (e.g. ioctls, or
functionality available via opening of magical files), the algorithm of
program generation can be improved (currently syzkaller generates
random syscalls and then tries to reuse some resources across these
syscalls, but I am thinking about explicitly centering the process
around resources: here are the resources that we have, what can we do with
them?), and of course there are lots of heuristics and tuning
involved. Help is welcome.

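Added example, not part of the thread and not syzkaller's own source: a toy resource-centric program generator in Go (syzkaller's implementation language) showing the mechanism Dmitry describes above, random syscall choice with each resource argument resolved either by reusing an earlier call's result or by inserting the producer first. The Syscall and Call types, the sys.txt-style entries bpf$map_create, bpf$map_update and bpf$map_lookup, and the resource kind fd_bpf_map are constructed stand-ins, not syzkaller's real descriptions or API, and nothing here issues a real syscall. Chain builds the one-create-many-updates program Alexei ran by hand, which Generate does not produce on its own.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Syscall mirrors a sys.txt-style entry: resource kinds consumed as arguments
// and the kind produced. The entries below are constructed stand-ins for the
// bpf(2) map commands; nothing here issues a real syscall.
type Syscall struct {
	Name     string
	Consumes []string
	Produces string // "" when the call returns no resource
}

var descriptions = []Syscall{
	{Name: "bpf$map_create", Produces: "fd_bpf_map"},
	{Name: "bpf$map_update", Consumes: []string{"fd_bpf_map"}},
	{Name: "bpf$map_lookup", Consumes: []string{"fd_bpf_map"}},
}

// Call is one line of a program; Args holds the indices of earlier calls
// whose results are passed in, one per entry of Desc.Consumes.
type Call struct {
	Desc *Syscall
	Args []int
}

// find returns the first description satisfying pred, or nil.
func find(pred func(*Syscall) bool) *Syscall {
	for i := range descriptions {
		if pred(&descriptions[i]) {
			return &descriptions[i]
		}
	}
	return nil
}

// Generate draws calls at random but resolves each resource argument by reusing
// an earlier result or inserting a producer first, so map_create precedes map_update.
func Generate(r *rand.Rand, n int) ([]Call, error) {
	var prog []Call
	for len(prog) < n {
		desc := &descriptions[r.Intn(len(descriptions))]
		var args []int
		for _, kind := range desc.Consumes {
			var cands []int
			for i, c := range prog {
				if c.Desc.Produces == kind {
					cands = append(cands, i)
				}
			}
			if len(cands) > 0 {
				args = append(args, cands[r.Intn(len(cands))])
				continue
			}
			prod := find(func(s *Syscall) bool { return s.Produces == kind })
			if prod == nil {
				return nil, fmt.Errorf("no description produces %q", kind)
			}
			prog = append(prog, Call{Desc: prod})
			args = append(args, len(prog)-1)
		}
		prog = append(prog, Call{Desc: desc, Args: args})
	}
	return prog, nil
}

// Chain builds the hand-written shape from the thread: one producer followed by
// count consumers of its result, which coverage guidance would not emit by itself.
func Chain(p, c *Syscall, count int) []Call {
	prog := []Call{{Desc: p}}
	for i := 0; i < count; i++ {
		prog = append(prog, Call{Desc: c, Args: []int{0}})
	}
	return prog
}

// Validate checks that every argument comes from an earlier call of the right kind.
func Validate(prog []Call) error {
	for i, c := range prog {
		if len(c.Args) != len(c.Desc.Consumes) {
			return fmt.Errorf("call %d: %d args, want %d", i, len(c.Args), len(c.Desc.Consumes))
		}
		for j, idx := range c.Args {
			if idx < 0 || idx >= i || prog[idx].Desc.Produces != c.Desc.Consumes[j] {
				return fmt.Errorf("call %d: arg %d is not an earlier %s", i, j, c.Desc.Consumes[j])
			}
		}
	}
	return nil
}

func main() {
	prog, err := Generate(rand.New(rand.NewSource(1)), 8)
	fmt.Println(len(prog), "calls; generate error:", err, "validate error:", Validate(prog))
}
```

Validate is the check worth keeping around: it rejects a consumer whose argument does not come from an earlier producer of the right kind, which is exactly the dependency that a plain bug in a syscall description would break.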