lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACT4Y+Y+Ys_U=sY7nh-QCfB0QGxd=bj2JMhpTd=VjbGmBAqcJw@mail.gmail.com>
Date:	Thu, 3 Dec 2015 18:21:14 +0100
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Daniel Borkmann <daniel@...earbox.net>
Cc:	Alexei Starovoitov <alexei.starovoitov@...il.com>,
	David Miller <davem@...emloft.net>,
	Alexei Starovoitov <ast@...nel.org>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Eric Dumazet <edumazet@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>,
	syzkaller <syzkaller@...glegroups.com>,
	netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net] bpf, array: fix heap out-of-bounds access when
 updating elements

On Tue, Dec 1, 2015 at 11:30 AM, Daniel Borkmann <daniel@...earbox.net> wrote:
> On 12/01/2015 10:38 AM, Dmitry Vyukov wrote:
>>
>> On Mon, Nov 30, 2015 at 7:29 PM, Alexei Starovoitov
>> <alexei.starovoitov@...il.com> wrote:
>
> ...
>>>
>>> Dmitry, thanks a lot for applying syzkaller to bpf. The issues
>>> got cought much sooner than they would have been discovered otherwise.
>>> Looks like the fuzzing has limited dependency chains described
>>> in sys/sys.txt. Can they be improved into doing something like:
>>> single call to map_create followed by many calls to update to
>>> stress oom ? I did it manually so far without kasan.
>>
>>
>> Hi Alexei,
>>
>> Please elaborate.
>> sys.txt describes signatures of syscalls. Based on that syzkaller
>> generates programs that can contain a map_create call followed by
>> multiple map update calls. Though, it won't generate millions of
>> update calls on a single map, because it directly conflicts with the
>> idea of coverage guided fuzzing. For OOMs I guess you want to try
>> kmalloc fault injection.
>
>
> Wrt dependency chains, I believe what is meant is that there are some
> options that could only be covered by the fuzzer after having succeeded
> a couple of dependencies first.
>
> Perhaps not directly related to BPF, but f.e. some things can only be
> reached after having a session established, like the transfer of fds via
> SCM_RIGHTS, options that are being fuzzed while having a tcp/udp/sctp/
> netlink/etc session established and such.
>
> Perhaps in BPF case, f.e. updating of a program array, which itself would
> require some semi-autogenerated program to get loaded first. (The latter
> is already a different beast by itself wrt testing the verifier, though.)


Well, that's the whole idea of syzkaller to build longer sequences of
syscalls that use resources in sensible ways. In fact, you can see
that in the reproducer program syzkaller creates a map and then does
two update operations on it.
However, it does not work ideally at the moment. Description of
syscalls can be improved, description of syscalls can contain plain
bugs, lots of implicit syscalls are not described (e.g. ioctls, or
functionalities available via opening of magical files), algorithm of
program generation can be improved (currently syzkaller generates
random syscalls and then tries to reuse some resources across these
syscalls, but I am thinking about explicitly centering the process
around resources: here are resources that we have, what can we do with
them?), and of course there are lots of heuristics and tuning
involved. Help is welcome.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ