[ovs-dev] [ovs-security] RFC: Adding OvS to fuzzer test suite

Kostya Serebryany kcc at google.com
Thu Aug 31 21:34:57 UTC 2017 

With this fuzz target on v2.3.2 fuzzing finds CVE-2016-2074 in just a few
seconds starting from an empty corpus:

mkdir  C; ./openvswitch-2.3.2-libfuzzer C -jobs=20

==34306==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffcfbfddce8 at pc 0x00000050e2b8 bp 0x7ffcfbfdd990 sp 0x7ffcfbfdd988
READ of size 4 at 0x7ffcfbfddce8 thread T0
    #0 0x50e2b7 in flow_union_with_miniflow lib/flow.h:607:31
    #1 0x50e2b7 in miniflow_expand lib/flow.c:1727
    #2 0x50e2b7 in flow_extract lib/flow.c:356
    #3 0x50df1a in LLVMFuzzerTestOneInput

Address 0x7ffcfbfddce8 is located in stack of thread T0 at offset 328 in
frame
    #0 0x50dddf in LLVMFuzzerTestOneInput

  This frame has 2 object(s):
    [32, 88) 'packet' (line 46)
    [128, 328) 'flow' (line 48) <== Memory access at offset 328 overflows
this variable


On Thu, Aug 31, 2017 at 2:18 PM, Kostya Serebryany <kcc at google.com> wrote:

> For the version Bhargava is testing I guess this reads as
> int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
> {
>   struct ofpbuf packet;
>   ofpbuf_use_const(&packet, data, size);
>
>   struct flow flow;
>
>   flow_extract(&packet, NULL, &flow);
>
>   return 0;
> }
>
> Looks great, and runs fast.
>
>
> On Thu, Aug 31, 2017 at 2:05 PM, Bhargava Shastry <bshastry at sec.t-labs.tu-
> berlin.de> wrote:
>
>> Hi,
>>
>> > I didn't look at the actual code before, but now that I have, I don't
>> > understand at all why it was doing file I/O just to write a packet to
>> > disk and then read it back.
>>
>> Sorry, this was due to my ignorance. I was not aware of something like
>> dp_packet_use_const(). This should speed things up. I am working on it.
>>
>> >
>> > Here is a more natural way to do this:
>> >
>> > int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
>> > {
>> >     struct dp_packet packet;
>> >     dp_packet_use_const(&packet, data, size);
>> >
>> >     struct flow flow;
>> >     flow_extract(&packet, &flow);
>> >
>> >     return 0;
>> > }
>> >
>>
>> --
>> Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
>> Security in Telecommunications
>> TU Berlin / Telekom Innovation Laboratories
>> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
>> phone: +49 30 8353 58235
>> Keybase: https://keybase.io/bshastry
>>
>
>

More information about the dev mailing list