New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
segfault with fuzzing in sds.c #5753
Comments
Hello @siscia, I don't know how the fuzzer works, but normally in such cases what you want is to instrument the fuzzer more and more in order to understand exactly what was the state that created the issue, so that you can try to reproduce it outside the fuzzer to validate the discover. |
Greetings redis developers and contributors, We’re reaching out because your project is an important part of the open source ecosystem, and we’d like to invite you to integrate with our fuzzing service, OSS-Fuzz. OSS-Fuzz is a free fuzzing infrastructure you can use to identify security vulnerabilities and stability bugs in your project. OSS-Fuzz will:
Many widely used open source projects like OpenSSL, FFmpeg, LibreOffice, and ImageMagick are fuzzing via OSS-Fuzz, which helps them find and remediate critical issues. Even though typical integrations can be done in < 100 LoC, we have a reward program in place which aims to recognize folks who are not just contributing to open source, but are also working hard to make it more secure. We want to stress that anyone who meets the eligibility criteria and integrates a project with OSS-Fuzz is eligible for a reward. To help you getting started, we can attach our internal fuzzer for your project that you are welcome to use directly, or to use it as a starting point. If you're not interested in integrating with OSS-Fuzz, it would be helpful for us to understand why—lack of interest, lack of time, or something else—so we can better support projects like yours in the future. If we’ve missed your question in our FAQ, feel free to reply or reach out to us at oss-fuzz-outreach@googlegroups.com. Thanks! Tommy |
Hi all,
finally I am working again to fuzz Redis and include it into the google OSS-fuzz project.
A first implementation look like the following: unstable...siscia:fuzzing#diff-0235f01a49d01b35e981a41f59a9d2d6R4006
(Still a quite big WIP).
With the core that looks like this, where
Data
is the fuzzing data of sizeSize
While the instrumentation and the fuzzing works and the code is actually tested and executed I found a very recurring error.
Whenever the input string contains "\n",
processInputBuffer
goes into segmentation fault.The backtrace looks like this:
Debugging deeper it looks like that the problem resize into
sdssplitargs
that does not produce valid output.I tried to work with GDB and even RR, but a memory location change in a way that I don't understand and it produce the wrong output.
The sdssplitargs seems to be like 9 years old code, so I believe that the problem is somewhere else, maybe in my own instrumentation.
Does anyone have any idea of how to dig deeper into this issue? Does the instrumentation look reasonable?
Cheers,
The text was updated successfully, but these errors were encountered: