DragonFly kernel List (threaded) for 2006-09
Re: Playing with fuzzers
:On Friday 15 September 2006 12:17, Emiel Kollof wrote:
:> Hi,
:>
:> Ilja van Sprundel (some of you might know him) was playing around with a
:> trivial syscall fuzzer in DragonFly 1.6-RELEASE and found a few bugs.
:>
:> One is a free(NULL) in sendmsg, and a panic in malloc that's triggered by
:> vfork -> fork1 -> fdcopy -> malloc.
:
:He also has some backtraces that were caused by the fuzzer here:
:
:ilja.netric.org/files/dfbsd.bmp
:ilja.netric.org/files/dfbsd.2bmp
:ilja.netric.org/files/dfbsd3.bmp
:ilja.netric.org/files/dfbsd4.bmp
:
:Those are vmware screendumps.
:
:Cheers,
:Emiel
Very interesting.
The sys_osendmsg() bug is due to iovec_free() being called improperly.
Three different system calls use the same erroneous sequence. I'll
get those fixed shortly.
sys_pathconf() is clearly dying to a bogus path, but not knowing the
path I don't know why. I'll try to reproduce it.
I think the panic in the sys_ogetkerninfo() is due to a '0' value for
the length field being fed into vm_map_wire() along with an unmapped
address. The 0 length prevents useracc() from returning an error,
then vm_map_wire() blows up. I'll fix that one shortly.
-Matt
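As an added illustration of the sys_ogetkerninfo() failure mode Matt describes (this is not DragonFly code and not from either poster): a user-space C model in which a range-access check accepts an empty range, so the wire step is reached with an unmapped start address, beside the ordering that rejects a zero length first. The page layout, addresses, function names and result codes are all constructed for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#define PAGE_SIZE 4096UL
#define PAGE_BASE(a) ((a) & ~(PAGE_SIZE - 1))

/* Constructed sample: the only mapped range in this toy address space. */
static const uintptr_t mapped_start = 0x10000;
static const uintptr_t mapped_end   = 0x20000;   /* exclusive */

enum wire_result { WIRE_OK, WIRE_EFAULT, WIRE_EINVAL, WIRE_PANIC };

static bool page_mapped(uintptr_t addr) {
    return addr >= mapped_start && addr < mapped_end;
}

/* Stand-in for useracc(): checks every page in [addr, addr + len).
 * With len == 0 the loop body never runs, so an unmapped addr passes. */
static bool toy_useracc(uintptr_t addr, size_t len) {
    for (uintptr_t p = PAGE_BASE(addr); p < addr + len; p += PAGE_SIZE)
        if (!page_mapped(p)) return false;
    return true;
}

/* Stand-in for vm_map_wire(): always touches the first page of the range,
 * which is where an unmapped start address would fault. Returns false
 * instead of panicking so the model can be exercised safely. */
static bool toy_wire(uintptr_t addr, size_t len) {
    (void)len;
    return page_mapped(PAGE_BASE(addr));
}

/* Ordering from the report: the access check alone is trusted. */
enum wire_result wire_user_range_buggy(uintptr_t addr, size_t len) {
    if (!toy_useracc(addr, len)) return WIRE_EFAULT;
    return toy_wire(addr, len) ? WIRE_OK : WIRE_PANIC;
}

/* Hardened ordering: an empty range is rejected before memory is touched. */
enum wire_result wire_user_range_fixed(uintptr_t addr, size_t len) {
    if (len == 0) return WIRE_EINVAL;
    if (!toy_useracc(addr, len)) return WIRE_EFAULT;
    return toy_wire(addr, len) ? WIRE_OK : WIRE_PANIC;
}
```

Calling either function with a constructed unmapped address such as 0xdead0000 and a length of 0 shows the difference: the first reaches the wire step, the second returns WIRE_EINVAL.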