* fuzzing dtc with AFL
From: Anton Blanchard @ 2016-01-02 15:32 UTC
To: David Gibson; +Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA

Hi David,

I wanted something to test AFL with, and since dtc is simple, self
contained and checked out on my laptop, I attacked it. It found a
number of interesting testcases:

A divide by zero issue:

# ./dtc test1.dts
Floating point exception

An issue parsing octals:

# ./dtc test2.dts
dtc: dtc-lexer.l:156: yylex: Assertion `!(*e) || !e[strspn(e, "UL")]' failed.
Aborted

An issue with null escape characters:

# ./dtc test3.dts
dtc: util.c:155: get_escape_char: Assertion `c' failed.
Aborted

and a SEGV:

# ./dtc test4.dts
Segmentation fault

Anton

[-- Attachment #2: test1.dts --]
[-- Type: audio/vnd.dts, Size: 31 bytes --]

[-- Attachment #3: test2.dts --]
[-- Type: audio/vnd.dts, Size: 29 bytes --]

[-- Attachment #4: test3.dts --]
[-- Type: audio/vnd.dts, Size: 36 bytes --]

[-- Attachment #5: test4.dts --]
[-- Type: audio/vnd.dts, Size: 8 bytes --]
* Re: fuzzing dtc with AFL
From: David Gibson @ 2016-01-03 9:28 UTC
To: Anton Blanchard; +Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA

On Sun, Jan 03, 2016 at 02:32:47AM +1100, Anton Blanchard wrote:
> Hi David,
>
> I wanted something to test AFL with, and since dtc is simple, self

What's AFL?

> contained and checked out on my laptop, I attacked it. It found a
> number of interesting testcases:
>
> A divide by zero issue:
>
> # ./dtc test1.dts
> Floating point exception
>
> An issue parsing octals:
>
> # ./dtc test2.dts
> dtc: dtc-lexer.l:156: yylex: Assertion `!(*e) || !e[strspn(e, "UL")]'
> failed.
> Aborted
>
> An issue with null escape characters:
>
> # ./dtc test3.dts
> dtc: util.c:155: get_escape_char: Assertion `c' failed.
> Aborted
>
> and a SEGV:
>
> # ./dtc test4.dts
> Segmentation fault

Nice catches all. I'll try to debug these in detail soon.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you. NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
* Re: fuzzing dtc with AFL
From: David Gibson @ 2016-01-04 11:58 UTC
To: Anton Blanchard; +Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA

On Sun, Jan 03, 2016 at 08:28:48PM +1100, David Gibson wrote:
> On Sun, Jan 03, 2016 at 02:32:47AM +1100, Anton Blanchard wrote:
> > Hi David,
> >
> > I wanted something to test AFL with, and since dtc is simple, self
>
> What's AFL?
>
> > contained and checked out on my laptop, I attacked it. It found a
> > number of interesting testcases:
> >
> > A divide by zero issue:
> >
> > # ./dtc test1.dts
> > Floating point exception
> >
> > An issue parsing octals:
> >
> > # ./dtc test2.dts
> > dtc: dtc-lexer.l:156: yylex: Assertion `!(*e) || !e[strspn(e, "UL")]'
> > failed.
> > Aborted
> >
> > An issue with null escape characters:
> >
> > # ./dtc test3.dts
> > dtc: util.c:155: get_escape_char: Assertion `c' failed.
> > Aborted
> >
> > and a SEGV:
> >
> > # ./dtc test4.dts
> > Segmentation fault
>
> Nice catches all. I'll try to debug these in detail soon.

I've now committed fixes (and test cases) for all of these to the
master tree.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you. NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
* Re: fuzzing dtc with AFL
From: Anton Blanchard @ 2016-01-05 11:16 UTC
To: David Gibson; +Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA

> I've now committed fixes (and test cases) for all of these to the
> master tree.

Thanks David! It's looking much better, but the fuzzer did trip on
another divide by zero, this time a modulo:

/dts-v1/;

/ {
	x = <(0%0)>
};

Anton
* Re: fuzzing dtc with AFL
From: David Gibson @ 2016-01-12 8:29 UTC
To: Anton Blanchard; +Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA

On Tue, Jan 05, 2016 at 10:16:30PM +1100, Anton Blanchard wrote:
>
> > I've now committed fixes (and test cases) for all of these to the
> > master tree.
>
> Thanks David! It's looking much better, but the fuzzer did trip on
> another divide by zero, this time a modulo:
>
> /dts-v1/;
>
> / {
> 	x = <(0%0)>
> };

Oops, really should have thought of that case at the same time. Oh
well, fixed now.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you. NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
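The divide-by-zero and modulo-by-zero testcases in this sub-thread, and the octal-literal assertion from the first message, share one root cause: an expression evaluator that trusts its input to be well-formed, so a malformed literal reaches an assert and a zero divisor reaches a hardware trap (SIGFPE, reported by the shell as "Floating point exception"). The following is an added example, not dtc's own code and not the fix David committed: a small C evaluator that reports both conditions as ordinary errors. It assumes unsigned 64-bit operands and a minimal "LITERAL op LITERAL" syntax with no whitespace; the function and status names are invented for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not dtc's code).  Two pieces of a .dts-style expression
 * evaluator that the fuzzer in this thread hit:
 *   1. an integer-literal parser that reports trailing junk (e.g. "09",
 *      which strtoull(..., 0) reads as octal "0" followed by "9") as an
 *      error instead of tripping an assert;
 *   2. a binary-operator evaluator that refuses x/0 and x%0 instead of
 *      letting the CPU raise SIGFPE.
 * Operands are assumed to be unsigned 64-bit. */

enum eval_status {
    EVAL_OK = 0,
    EVAL_BAD_LITERAL,   /* not a number, or junk after the number/suffix */
    EVAL_DIV_BY_ZERO,   /* right operand of / or % is zero */
    EVAL_BAD_OP         /* operator missing or not handled */
};

/* Parse a C-style literal (decimal, 0x hex, or leading-0 octal) with an
 * optional U/L suffix mix such as "10UL".  A leading sign or whitespace
 * (which strtoull would silently accept) and anything after the suffix
 * are errors.  *out is 0 on failure. */
enum eval_status parse_int_literal(const char *s, uint64_t *out)
{
    char *end;
    *out = 0;
    if (!isdigit((unsigned char)s[0]))
        return EVAL_BAD_LITERAL;          /* rejects "", "-1", " 7" */
    errno = 0;
    unsigned long long v = strtoull(s, &end, 0);
    if (end == s || errno == ERANGE)
        return EVAL_BAD_LITERAL;          /* no digits, or overflow */
    if (end[strspn(end, "UL")] != '\0')
        return EVAL_BAD_LITERAL;          /* e.g. "09", "0x", "12UX" */
    *out = (uint64_t)v;
    return EVAL_OK;
}

/* Evaluate "lhs op rhs".  *out is 0 unless EVAL_OK is returned. */
enum eval_status eval_binop(uint64_t lhs, char op, uint64_t rhs, uint64_t *out)
{
    *out = 0;
    switch (op) {
    case '+': *out = lhs + rhs; return EVAL_OK;   /* unsigned wrap is defined */
    case '-': *out = lhs - rhs; return EVAL_OK;
    case '*': *out = lhs * rhs; return EVAL_OK;
    case '/':
    case '%':
        /* The two cases the fuzzer found: x/0 and x%0 both trap on x86.
         * (With signed operands INT64_MIN / -1 traps as well.) */
        if (rhs == 0)
            return EVAL_DIV_BY_ZERO;
        *out = (op == '/') ? lhs / rhs : lhs % rhs;
        return EVAL_OK;
    default:
        return EVAL_BAD_OP;
    }
}

/* Evaluate the minimal "LIT op LIT" form of the testcase in this thread,
 * e.g. "0%0", printing a diagnostic instead of crashing. */
enum eval_status eval_expr(const char *expr, uint64_t *out)
{
    char lhs_buf[32];
    uint64_t lhs, rhs;
    size_t n = strcspn(expr, "+-*/%");    /* position of the operator */
    *out = 0;
    if (n == 0 || n >= sizeof lhs_buf || expr[n] == '\0')
        return EVAL_BAD_OP;               /* no operator, or literal too long */
    memcpy(lhs_buf, expr, n);
    lhs_buf[n] = '\0';
    if (parse_int_literal(lhs_buf, &lhs) != EVAL_OK ||
        parse_int_literal(expr + n + 1, &rhs) != EVAL_OK) {
        fprintf(stderr, "error: bad integer literal in \"%s\"\n", expr);
        return EVAL_BAD_LITERAL;
    }
    enum eval_status st = eval_binop(lhs, expr[n], rhs, out);
    if (st == EVAL_DIV_BY_ZERO)
        fprintf(stderr, "error: division by zero in \"%s\"\n", expr);
    return st;
}

int main(void)
{
    /* Constructed inputs: the thread's "0%0", plus octal, hex and suffix cases. */
    const char *cases[] = { "0%0", "7/0", "010%3", "10UL*2", "09/1", "0x10/4" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t v;
        enum eval_status st = eval_expr(cases[i], &v);
        printf("%-8s -> status %d, value %llu\n", cases[i], (int)st,
               (unsigned long long)v);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; every case, including `0%0`, prints a status instead of dying with SIGFPE or SIGABRT. Returning an error rather than asserting is also what makes a program a good AFL target: the fuzzer then reports only genuine crashes, not inputs the parser merely rejected.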
* Re: fuzzing dtc with AFL
From: Anton Blanchard @ 2016-01-04 12:04 UTC
To: David Gibson; +Cc: devicetree-compiler-u79uwXL29TY76Z2rM5mHXA

Hi David,

> What's AFL?

http://lcamtuf.coredump.cx/afl/

> Nice catches all. I'll try to debug these in detail soon.

Thanks!

Anton