Playing with fuzzers

Matthew Dillon dillon at apollo.backplane.com
Fri Sep 15 20:52:39 PDT 2006


:Op vrijdag 15 september 2006 12:17, schreef Emiel Kollof:
:> Hi,
:>
:> Ilja van Sprundel (some of you might know him) was playing around with a
:> trivial syscall fuzzer in DragonFly 1.6-RELEASE and found a few bugs.
:>
:> One is a free(NULL) in sendmsg, and a panic in malloc that's triggered by
:> vfork -> fork1 -> fdcopy -> malloc.
:
:He also has some backtraces that were caused by the fuzzer here:
:
:ilja.netric.org/files/dfbsd.bmp
:ilja.netric.org/files/dfbsd.2bmp
:ilja.netric.org/files/dfbsd3.bmp
:ilja.netric.org/files/dfbsd4.bmp
:
:Those are vmware screendumps.
:
:Cheers,
:Emiel

    Very interesting.  

    The sys_osendmsg() bug is due to iovec_free() being called improperly.
    Three different system calls use the same erroneous sequence.  I'll
    get those fixed shortly.

    sys_pathconf() is clearly dying to a bogus path, but not knowing the
    path I don't know why.  I'll try to reproduce it.

    I think the panic in the sys_ogetkerninfo() is due to a '0' value for
    the length field being fed into vm_map_wire() along with an unmapped
    address.  The 0 length prevents useracc() from returning an error,
    then vm_map_wire() blows up.  I'll fix that one shortly.

					-Matt
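A toy model of the zero-length path described above, added here as an example and not code from DragonFly or from this thread; page_is_mapped(), useracc_model(), vm_map_wire_model() and the short-circuit fix are assumed simplifications, not the kernel's real functions or the committed fix:

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE 4096u

/* Constructed address-space oracle: only the first 16 pages are mapped. */
static bool page_is_mapped(uintptr_t addr) {
    return addr < 16 * PAGE_SIZE;
}

/* Stand-in for useracc(): walks the range page by page and reports whether
 * every page is accessible.  With len == 0 the loop body never runs, so an
 * unmapped address is reported as accessible.  That is the flaw in question. */
static bool useracc_model(uintptr_t addr, size_t len) {
    uintptr_t end = addr + len;
    for (uintptr_t p = addr & ~(uintptr_t)(PAGE_SIZE - 1); p < end; p += PAGE_SIZE) {
        if (!page_is_mapped(p))
            return false;
    }
    return true;
}

/* Stand-in for vm_map_wire(): assumes the caller validated the range and
 * treats an unmapped start page as an invariant violation.  The kernel would
 * panic here; this model returns -1 instead so the behaviour can be tested. */
static int vm_map_wire_model(uintptr_t addr, size_t len) {
    (void)len;
    return page_is_mapped(addr) ? 0 : -1;
}

/* Original sequence: the zero-length check passes and the wire call blows up.
 * Returns 0 on success, EFAULT on a rejected range, -1 where a panic would occur. */
int wire_user_buffer_before(uintptr_t addr, size_t len) {
    if (!useracc_model(addr, len))
        return EFAULT;
    return vm_map_wire_model(addr, len);
}

/* Hardened sequence (assumed fix): a zero-length request has nothing to wire,
 * so it never reaches vm_map_wire() regardless of the address supplied. */
int wire_user_buffer_after(uintptr_t addr, size_t len) {
    if (len == 0)
        return 0;
    if (!useracc_model(addr, len))
        return EFAULT;
    return vm_map_wire_model(addr, len);
}
```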