[ovs-dev] [ovs-security] RFC: Adding OvS to fuzzer test suite
Kostya Serebryany
kcc at google.com
Thu Aug 31 21:34:57 UTC 2017
With this fuzz target on v2.3.2 fuzzing finds CVE-2016-2074 in just a few
seconds starting from an empty corpus:
mkdir C; ./openvswitch-2.3.2-libfuzzer C -jobs=20
==34306==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcfbfddce8 at pc 0x00000050e2b8 bp 0x7ffcfbfdd990 sp 0x7ffcfbfdd988
READ of size 4 at 0x7ffcfbfddce8 thread T0
    #0 0x50e2b7 in flow_union_with_miniflow lib/flow.h:607:31
    #1 0x50e2b7 in miniflow_expand lib/flow.c:1727
    #2 0x50e2b7 in flow_extract lib/flow.c:356
    #3 0x50df1a in LLVMFuzzerTestOneInput
Address 0x7ffcfbfddce8 is located in stack of thread T0 at offset 328 in frame
    #0 0x50dddf in LLVMFuzzerTestOneInput
  This frame has 2 object(s):
    [32, 88) 'packet' (line 46)
    [128, 328) 'flow' (line 48) <== Memory access at offset 328 overflows this variable
On Thu, Aug 31, 2017 at 2:18 PM, Kostya Serebryany <kcc at google.com> wrote:
> For the version Bhargava is testing I guess this reads as
> #include <stddef.h>
> #include <stdint.h>
> #include "ofpbuf.h"   /* lib/ofpbuf.h in OVS 2.3.x */
> #include "flow.h"     /* lib/flow.h */
>
> int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
> {
>     struct ofpbuf packet;
>     /* Wrap the fuzzer's buffer in place: no copy, no file I/O. */
>     ofpbuf_use_const(&packet, data, size);
>
>     struct flow flow;
>
>     /* 2.3.x signature takes a metadata pointer; it is left NULL here. */
>     flow_extract(&packet, NULL, &flow);
>
>     return 0;
> }
>
> Looks great, and runs fast.
>
>
> On Thu, Aug 31, 2017 at 2:05 PM, Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de> wrote:
>
>> Hi,
>>
>> > I didn't look at the actual code before, but now that I have, I don't
>> > understand at all why it was doing file I/O just to write a packet to
>> > disk and then read it back.
>>
>> Sorry, this was due to my ignorance. I was not aware of something like
>> dp_packet_use_const(). This should speed things up. I am working on it.
>>
>> >
>> > Here is a more natural way to do this:
>> >
>> > #include <stddef.h>
>> > #include <stdint.h>
>> > #include "dp-packet.h"   /* lib/dp-packet.h */
>> > #include "flow.h"        /* lib/flow.h */
>> >
>> > int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
>> > {
>> >     struct dp_packet packet;
>> >     /* Point the packet at the fuzzer's buffer instead of writing it to disk. */
>> >     dp_packet_use_const(&packet, data, size);
>> >
>> >     struct flow flow;
>> >     flow_extract(&packet, &flow);
>> >
>> >     return 0;
>> > }
>> >
>>
>> --
>> Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
>> Security in Telecommunications
>> TU Berlin / Telekom Innovation Laboratories
>> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
>> phone: +49 30 8353 58235
>> Keybase: https://keybase.io/bshastry
>>
>
>
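Once twenty workers start dropping crash artifacts, the reports need grouping by root cause before anyone reads them one at a time. The following is an added Python example, not part of this thread or of Open vSwitch, that derives a crash signature from the first stack of an ASan report like the one above (error kind plus the top three function@file:line frames, column numbers stripped, harness frame and below ignored) and buckets reports by it; the sample reports are constructed from the output in the message.

```python
import re
from collections import defaultdict

# ASan header, e.g. "==34306==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x...".
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)")
# Symbolized frame, e.g. "#0 0x50e2b7 in flow_union_with_miniflow lib/flow.h:607:31"; location optional.
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+)(?: (?P<loc>\S+))?")

def crash_signature(report, depth=3, stop_at="LLVMFuzzerTestOneInput"):
    """'kind|func@file:line|...' from the first stack of an ASan report, or None if the
    text is not one. Columns are dropped so a shifted column does not split one bug into
    several buckets; the harness frame and everything below it carry nothing about the bug."""
    kind, frames = None, []
    for line in report.splitlines():
        m = ERROR_RE.search(line)
        if m and kind is None:
            kind = m.group("kind")
            continue
        if kind is None:
            continue                      # still before the ERROR line
        f = FRAME_RE.match(line)
        if f is None:
            if frames and not line.lstrip().startswith("#"):
                break                     # first stack is over ("Address ... is located ...")
            continue                      # preamble line ("READ of size ...") or unsymbolized frame
        if f.group("func") == stop_at or len(frames) == depth:
            break
        file_line = ":".join((f.group("loc") or "?").split(":")[:2])
        frames.append(f"{f.group('func')}@{file_line}")
    return None if kind is None else "|".join([kind] + frames)

def bucket_reports(reports):
    """Map signature -> list of artifact names; non-ASan output lands in 'unparsed'."""
    buckets = defaultdict(list)
    for name, text in reports.items():
        buckets[crash_signature(text) or "unparsed"].append(name)
    return dict(buckets)

# Constructed samples: the report from the message above (trimmed), the same bug from
# another worker (other pid and column), and a libFuzzer timeout, which is not ASan output.
REPORT_A = """==34306==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcfbfddce8
READ of size 4 at 0x7ffcfbfddce8 thread T0
    #0 0x50e2b7 in flow_union_with_miniflow lib/flow.h:607:31
    #1 0x50e2b7 in miniflow_expand lib/flow.c:1727
    #2 0x50e2b7 in flow_extract lib/flow.c:356
    #3 0x50df1a in LLVMFuzzerTestOneInput
Address 0x7ffcfbfddce8 is located in stack of thread T0 at offset 328 in frame
"""
REPORT_B = REPORT_A.replace("34306", "34411").replace("607:31", "607:12")
TIMEOUT = "==34500== ERROR: libFuzzer: timeout after 1200 seconds\n"
```

Running `bucket_reports` over the crash-* files a `-jobs=20` run leaves behind collapses duplicates of the same overflow into one bucket and keeps timeouts apart for separate investigation.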