fuzzing dtc with AFL

fuzzing dtc with AFL

[Anton Blanchard]

[-- Attachment #1: Type: text/plain, Size: 560 bytes --]

Hi David,

I wanted something to test AFL with, and since dtc is simple, self
contained and checked out on my laptop, I attacked it. It found a
number of interesting testcases:

A divide by zero issue:

# ./dtc test1.dts 
Floating point exception

An issue parsing octals:

# ./dtc test2.dts 
dtc: dtc-lexer.l:156: yylex: Assertion `!(*e) || !e[strspn(e, "UL")]'
failed.
Aborted

An issue with null escape characters:

# ./dtc test3.dts 
dtc: util.c:155: get_escape_char: Assertion `c' failed.
Aborted

and a SEGV:

# ./dtc test4.dts 
Segmentation fault

Anton

[-- Attachment #2: test1.dts --]
[-- Type: audio/vnd.dts, Size: 31 bytes --]

[-- Attachment #3: test2.dts --]
[-- Type: audio/vnd.dts, Size: 29 bytes --]

[-- Attachment #4: test3.dts --]
[-- Type: audio/vnd.dts, Size: 36 bytes --]

[-- Attachment #5: test4.dts --]
[-- Type: audio/vnd.dts, Size: 8 bytes --]

Re: fuzzing dtc with AFL

[David Gibson]

[-- Attachment #1: Type: text/plain, Size: 979 bytes --]

On Sun, Jan 03, 2016 at 02:32:47AM +1100, Anton Blanchard wrote:
> Hi David,
> 
> I wanted something to test AFL with, and since dtc is simple, self

What's AFL?

> contained and checked out on my laptop, I attacked it. It found a
> number of interesting testcases:
> 
> A divide by zero issue:
> 
> # ./dtc test1.dts 
> Floating point exception
> 
> An issue parsing octals:
> 
> # ./dtc test2.dts 
> dtc: dtc-lexer.l:156: yylex: Assertion `!(*e) || !e[strspn(e, "UL")]'
> failed.
> Aborted
> 
> An issue with null escape characters:
> 
> # ./dtc test3.dts 
> dtc: util.c:155: get_escape_char: Assertion `c' failed.
> Aborted
> 
> and a SEGV:
> 
> # ./dtc test4.dts 
> Segmentation fault

Nice catches all.  I'll try to debug these in detail soon.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: fuzzing dtc with AFL

[David Gibson]

[-- Attachment #1: Type: text/plain, Size: 1192 bytes --]

On Sun, Jan 03, 2016 at 08:28:48PM +1100, David Gibson wrote:
> On Sun, Jan 03, 2016 at 02:32:47AM +1100, Anton Blanchard wrote:
> > Hi David,
> > 
> > I wanted something to test AFL with, and since dtc is simple, self
> 
> What's AFL?
> 
> > contained and checked out on my laptop, I attacked it. It found a
> > number of interesting testcases:
> > 
> > A divide by zero issue:
> > 
> > # ./dtc test1.dts 
> > Floating point exception
> > 
> > An issue parsing octals:
> > 
> > # ./dtc test2.dts 
> > dtc: dtc-lexer.l:156: yylex: Assertion `!(*e) || !e[strspn(e, "UL")]'
> > failed.
> > Aborted
> > 
> > An issue with null escape characters:
> > 
> > # ./dtc test3.dts 
> > dtc: util.c:155: get_escape_char: Assertion `c' failed.
> > Aborted
> > 
> > and a SEGV:
> > 
> > # ./dtc test4.dts 
> > Segmentation fault
> 
> Nice catches all.  I'll try to debug these in detail soon.

I've now commited fixes (and test cases) for all of these to the
master tree.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: fuzzing dtc with AFL

[Anton Blanchard]

Hi David,

> What's AFL?

http://lcamtuf.coredump.cx/afl/

> Nice catches all.  I'll try to debug these in detail soon.

Thanks!

Anton

Re: fuzzing dtc with AFL

[Anton Blanchard]

> I've now commited fixes (and test cases) for all of these to the
> master tree.

Thanks David! It's looking much better, but the fuzzer did trip on
another divide by zero, this time a modulo:

/dts-v1/;

/ {
        x = <(0%0)>
};

Anton

Re: fuzzing dtc with AFL

[David Gibson]

[-- Attachment #1: Type: text/plain, Size: 621 bytes --]

On Tue, Jan 05, 2016 at 10:16:30PM +1100, Anton Blanchard wrote:
> 
> > I've now commited fixes (and test cases) for all of these to the
> > master tree.
> 
> Thanks David! It's looking much better, but the fuzzer did trip on
> another divide by zero, this time a modulo:
> 
> /dts-v1/;
> 
> / {
>         x = <(0%0)>
> };

Oops, really should have thought of that case at the same time.  Oh
well, fixed now.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]