Placeholder: Fuzzing with AFL
I set up AFL to run smatch against some of the validation files & it has found a few crashes so far. This is a placeholder to note that. What is the best way (vis-à-vis, your workflow) to report these crashes?
On Wed, May 27, 2020 at 03:11:31PM -0700, Derrick Lyndon Pallas wrote:
> I set up AFL to run smatch against some of the validation files & it has found a few crashes so far. This is a placeholder to note that. What is the best way (vis-à-vis, your workflow) to report these crashes?
Ah. Thanks.
You could email them to [email protected] or to me directly.
regards, dan carpenter
Thanks. All but two that I've seen so far are null dereferences in the parse tree when the input is invalid.
The other two are adding to an invalid function_symbol_list, so who knows.
It looks like most of the cases are where the right half of an expression is bad but the expression is still passed back up. I have the sources of the ones I could find fixed but there are still other cases where a bad parse input causes the tree to be invalid and a client function does not check for this condition.
On Thu, May 28, 2020 at 07:18:48PM -0700, Derrick Lyndon Pallas wrote:
> It looks like most of the cases are where the right half of an expression is bad but the expression is still passed back up. I have the sources of the ones I could find fixed but there are still other cases where a bad parse input causes the tree to be invalid and a client function does not check for this condition.
If you have sample code which causes the crash and do a valgrind ./smatch test.c, that normally gives a good stack trace, and it's easy enough to add a NULL check.
The unfortunate thing is that often the checks expect valid code so they all have the same bugs. :/
regards, dan carpenter
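The bug class described in this thread (a partially parsed expression handed back up the tree with a missing right operand, then dereferenced by a consumer written for valid input) and the NULL-check fix Dan suggests, as an added example. This is not smatch or sparse code; it is a toy left-associative expression parser with hypothetical names, written to make the failure mode and both fixes concrete. parse_expr() in non-strict mode reproduces the bug; strict mode stops the invalid subtree at the parser, and eval_checked() shows the consumer-side NULL check.

```c
/* Added example, not part of the smatch project. All names are hypothetical. */
#include <ctype.h>
#include <stdlib.h>

struct expr {
    char op;            /* '+' or '*' for a binary node, 0 for a number leaf */
    long value;         /* valid only for leaves */
    struct expr *left;
    struct expr *right; /* NULL when the right operand failed to parse */
};

static struct expr *new_expr(char op, long value,
                             struct expr *left, struct expr *right)
{
    struct expr *e = calloc(1, sizeof(*e));
    if (!e)
        abort();
    e->op = op;
    e->value = value;
    e->left = left;
    e->right = right;
    return e;
}

void free_expr(struct expr *e)
{
    if (!e)
        return;
    free_expr(e->left);
    free_expr(e->right);
    free(e);
}

/* Leaf: a run of digits. Returns NULL and consumes nothing otherwise. */
static struct expr *parse_number(const char **p)
{
    const char *s = *p;
    char *end;
    while (isspace((unsigned char)*s))
        s++;
    if (!isdigit((unsigned char)*s))
        return NULL;
    long v = strtol(s, &end, 10);
    *p = end;
    return new_expr(0, v, NULL, NULL);
}

/* Parses "number (op number)*" left to right, no precedence.
 * strict == 0 models the thread's bug: when the right operand is missing or
 * garbage the node is still returned with right == NULL, so every caller
 * inherits an invalid tree. strict == 1 frees the partial tree and returns
 * NULL instead, fixing the problem once at the source. */
struct expr *parse_expr(const char *src, int strict)
{
    const char *p = src;
    struct expr *lhs = parse_number(&p);
    if (!lhs)
        return NULL;
    for (;;) {
        while (isspace((unsigned char)*p))
            p++;
        char op = *p;
        if (op != '+' && op != '*')
            break;
        p++;
        struct expr *rhs = parse_number(&p);
        if (!rhs && strict) {
            free_expr(lhs);
            return NULL;
        }
        lhs = new_expr(op, 0, lhs, rhs); /* rhs may be NULL when !strict */
        if (!rhs)
            break;
    }
    return lhs;
}

/* Consumer written for valid trees: the kind of check that crashes under AFL,
 * because e->right is NULL for an input such as "1 +". */
long eval_unchecked(const struct expr *e)
{
    if (e->op == 0)
        return e->value;
    long l = eval_unchecked(e->left);
    long r = eval_unchecked(e->right);
    return e->op == '+' ? l + r : l * r;
}

/* Hardened consumer: the NULL check from the thread. Returns 0 and clears
 * *ok when a required child is missing instead of dereferencing NULL. */
long eval_checked(const struct expr *e, int *ok)
{
    if (!e) {
        *ok = 0;
        return 0;
    }
    if (e->op == 0)
        return e->value;
    long l = eval_checked(e->left, ok);
    long r = eval_checked(e->right, ok);
    if (!*ok)
        return 0;
    return e->op == '+' ? l + r : l * r;
}
```

The two fixes are not equivalent in maintenance cost: the consumer-side check has to be repeated in every function that walks the tree, which is exactly why Dan observes that checks written for valid code all share the same bug, whereas refusing to return the partial subtree from the parser fixes every consumer at once. A fuzzer case like "1 +" should be kept as a regression input for both paths.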