Reporting crashes found by running a fuzzing campaign


Reporting crashes found by running a fuzzing campaign

Hiromasa Ito
Hi, all.

I have written a new test driver and run a fuzzing campaign on lwIP with American Fuzzy Lop (AFL).
As a result, I have found nine crashes caused by assertion failures, and they seem to be bugs.
I have already reported two of them, but still have seven crashes not reported.

https://savannah.nongnu.org/bugs/?51447
https://savannah.nongnu.org/bugs/?55706

Therefore, I have two questions for developers.

First, how should I report these unreported crashes?
Should I report them individually, like the ones above?
If needed, I can upload the test driver, crashed inputs, and the source codes of lwIP I used.

Second, can I write about these crashes in my academic paper?
I'm a master's student in computer science in Japan.
If any bugs cause these crashes, I'd like to write about them in my paper.
If it is inconvenient, please let me know.

Best regards,
Hiromasa

_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel

Re: Reporting crashes found by running a fuzzing campaign

goldsimon@gmx.de


"Hiromasa Ito" <[hidden email]> wrote:

> I have written a new test driver and run a fuzzing campaign on lwIP with American Fuzzy Lop (AFL).
> As a result, I have found nine crashes caused by assertion failures, and they seem to be bugs.
> I have already reported two of them, but still have seven crashes not reported.
>
> https://savannah.nongnu.org/bugs/?51447
> https://savannah.nongnu.org/bugs/?55706
>
> Therefore, I have two questions for developers.
>
> First, how should I report these unreported crashes?

As bug reports, like above.

> Should I report them individually, like the ones above?

That depends if they are real separate issues (report individually) or crashes
in the same area (combine in one bug).

> If needed, I can upload the test driver, crashed inputs, and the source codes of lwIP I used.

The crashed inputs are certainly needed!

The test driver would be interesting. You might have noticed we have an AFL
setup in test/fuzz and input files in test/fuzz/inputs. I'd be happy to
incorporate changes if appropriate.

>
> Second, can I write about these crashes in my academic paper?
> I'm a master's student in computer science in Japan.
> If any bugs cause these crashes, I'd like to write about them in my paper.
> If it is inconvenient, please let me know.

Yes, I don't see a problem writing about that.

Regards,
Simon


Re: Reporting crashes found by running a fuzzing campaign

Hiromasa Ito
Hi, Simon.

Thank you for your reply! :)

> As bug reports, like above.

OK. I will report all crashes I found as bug reports.

> The crashed inputs are certainly needed!
>
> The test driver would be interesting. You might have noticed we have an AFL
> setup in test/fuzz and input files in test/fuzz/inputs. I'd be happy to
> incorporate changes if appropriate.

OK. I think I should upload the whole fuzzing environment
(crashed inputs, my test driver, initial seeds, and lwIP I tested) for reproducibility.
Please give me some time to prepare for publication.

Best regards,
Hiromasa

On 2019/12/04 17:48, Simon Goldschmidt wrote:


--
vhertz


Re: Reporting crashes found by running a fuzzing campaign

goldsimon@gmx.de
On 04.12.2019 at 15:03, Hiromasa Ito wrote:

> Hi, Simon.
>
> Thank you for your reply! :)
>
>> As bug reports, like above.
>
> OK. I will report all crashes I found as bug reports.
>
>> The crashed inputs are certainly needed!
>>
>> The test driver would be interesting. You might have noticed we have an AFL
>> setup in test/fuzz and input files in test/fuzz/inputs. I'd be happy to
>> incorporate changes if appropriate.
>
> OK. I think I should upload the whole fuzzing environment
> (crashed inputs, my test driver, initial seeds, and lwIP I tested) for reproducibility.
> Please give me some time to prepare for publication.

A patch to test/fuzz and the inputs that directly crash would be best to
keep it simple enough for me to reproduce the issue.

Time on lwIP is scarce at the moment, so try to keep me from losing
track ;-)

Regards,
Simon


Re: Reporting crashes found by running a fuzzing campaign

Hiromasa Ito
Hi, Simon.

I made patches for lwip and lwip-contrib (both are for v2.1.0.RC1).
The lwip patch generates my test driver and modifies Makefile and lwipopts.h a little.
The lwip-contrib patch modifies UNIX-ported sys_arch.c to make sys_now() fuzzy.

To build my test driver, run this command at test/fuzz:
`make triple_fuzz D='-DFUZZED_TMR'`

After that, to reproduce crashes, run this command:
`./triple_fuzz <crashed_input_file>`

crashed_input.tar.gz contains nine crashed input files.
Each file reproduces a crash that fails at a different assertion.

Please check them out!

Best regards,
Hiromasa

On 2019/12/05 5:47, [hidden email] wrote:

> Am 04.12.2019 um 15:03 schrieb Hiromasa Ito:
>> Hi, Simon.
>>
>> Thank you for your reply! :)
>>
>>> As bug reports, like above.
>>
>> OK. I will report all crashes I found as bug reports.
>>
>>> The crashed inputs are certainly needed!
>>>
>>> The test driver would be interesting. You might have noticed we have and AFL
>>> setup in test/fuzz and input files in test/fuzz/inputs. I'd be happy to
>>> incorporate changes if appropriate.
>>
>> OK. I think I should upload the whole fuzzing environment
>> (crashed inputs, my test driver, initial seeds, and lwIP I tested) for reproducibility.
>> Please give me some time to prepare for publication.
>
> A patch to test/fuzz and the inputs that directly crash would be best to
> keep it simple enough for me to reproduce the issue.
>
> Time on lwIP is scarce at the moment, so try to keep me from losing
> track ;-)
>
> Regards,
> Simon
>
>>
>> Best regards,
>> Hiromasa
>>
>> On 2019/12/04 17:48, Simon Goldschmidt wrote:
>>>
>>>
>>> "Hiromasa Ito" <[hidden email]> wrote:
>>>> I have written a new test driver and ran a fuzzing campaign on lwIP with American Fuzzy Lop (AFL).
>>>> As a result, I have found nine crashes caused by assertion failures, and they seem to be bugs.
>>>> I have already reported two of them, but still have seven crashes not reported.
>>>>
>>>> https://savannah.nongnu.org/bugs/?51447
>>>> https://savannah.nongnu.org/bugs/?55706
>>>>
>>>> There for, I have two questions for developers.
>>>>
>>>> First, how should I report these unreported crashes?
>>>
>>> As bug reports, like above.
>>>
>>>> Should I report them individually, like the ones above?
>>>
>>> That depends if they are real separate issues (report individually) or crashes
>>> in the same area (combine in one bug).
>>>
>>>> If needed, I can upload the test driver, crashed inputs, and the source codes of lwIP I used.
>>>
>>> The crashed inputs are certainly needed!
>>>
>>> The test driver would be interesting. You might have noticed we have and AFL
>>> setup in test/fuzz and input files in test/fuzz/inputs. I'd be happy to
>>> incorporate changes if appropriate.
>>>
>>>>
>>>> Second, can I write about these crashes in my academic paper?
>>>> I'm a master's student in computer science in Japan.
>>>> If any bugs cause these crashes, I'd like to write about them in my paper.
>>>> If it is inconvenient, please let me know.
>>>
>>> Yes, I don't see a problem writing about that.
>>>
>>> Regards,
>>> Simon
>>>
>>>>
>>>> Best regards,
>>>> Hiromasa
>>>>
>>>> _______________________________________________
>>>> lwip-devel mailing list
>>>> [hidden email]
>>>> https://lists.nongnu.org/mailman/listinfo/lwip-devel
>>>>
>>>
>>> _______________________________________________
>>> lwip-devel mailing list
>>> [hidden email]
>>> https://lists.nongnu.org/mailman/listinfo/lwip-devel
>>>
>>
>> --
>> vhertz
>>
>> _______________________________________________
>> lwip-devel mailing list
>> [hidden email]
>> https://lists.nongnu.org/mailman/listinfo/lwip-devel
>>
>
>
> _______________________________________________
> lwip-devel mailing list
> [hidden email]
> https://lists.nongnu.org/mailman/listinfo/lwip-devel


Attachments: lwip.patch (20K), contrib.patch (1K), crashed_inputs.tar.gz (12K)
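Simon asks for crashes in the same area to be combined into one bug and real separate issues to be filed individually. The script below is an added example, not part of the thread or the attached patches, that sorts a directory of crash inputs into buckets by the assertion each one trips; it assumes the driver (such as the posted `triple_fuzz`) is built with lwIP's default `LWIP_PLATFORM_ASSERT` message format, and it ships with a constructed fake driver and sample inputs so it runs offline.

```shell
#!/bin/sh
# Group AFL crash inputs by the lwIP assertion they trip, so inputs hitting the
# same LWIP_ASSERT can be filed as one bug and distinct ones separately.
# Assumption: the driver (e.g. ./triple_fuzz from the posted patch) uses lwIP's
# default LWIP_PLATFORM_ASSERT, which prints
#   Assertion "<msg>" failed at line <N> in <file>
# and aborts. Inputs that no longer assert (e.g. after a fix) land in a
# "no-assertion" bucket so stale reproducers stand out.

triage_crashes() {
    driver=$1
    dir=$2
    tmp=$(mktemp)
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # first assertion line only; the driver's abort status does not matter
        msg=$("$driver" "$f" 2>&1 | grep -m 1 'Assertion' || echo 'no-assertion')
        printf '%s\t%s\n' "$msg" "$(basename "$f")" >>"$tmp"
    done
    # one line per distinct assertion: <count><TAB><assertion><TAB><input files>
    sort "$tmp" | awk -F'\t' '
        $1 != prev { if (NR > 1) print n "\t" prev "\t" files
                     prev = $1; files = $2; n = 1; next }
        { files = files " " $2; n++ }
        END { if (NR > 0) print n "\t" prev "\t" files }'
    rm -f "$tmp"
}

# Constructed stand-in so this runs offline: a fake driver (a shell function,
# not lwIP code) whose "assertion" depends on the input's first byte, plus
# four sample crash files. Replace with ./triple_fuzz and the real inputs.
fake_driver() {
    case $(cut -c1 "$1") in
        A) echo 'Assertion "example_assert_a" failed at line 1 in example_a.c'; return 134 ;;
        B) echo 'Assertion "example_assert_b" failed at line 2 in example_b.c'; return 134 ;;
        *) echo 'input processed without assertion'; return 0 ;;
    esac
}

make_demo_inputs() {
    d=$(mktemp -d)
    printf 'A-1\n' >"$d/id_000000"
    printf 'B-1\n' >"$d/id_000001"
    printf 'A-2\n' >"$d/id_000002"
    printf 'C-1\n' >"$d/id_000003"
    echo "$d"
}

triage_crashes fake_driver "$(make_demo_inputs)"
```

With the real driver, run `triage_crashes ./triple_fuzz path/to/crashed_inputs` from test/fuzz; each output line is one candidate bug report with its reproducer files.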