libFuzzer integration + bug report #1035
Attached is the crash for the mg_parse_http fuzzer + a screenshot of the backtrace. I think this should also be given a CVE for a memory corruption vulnerability. I'll be happy to contribute more fuzzers after this bug is fixed so it won't fail the other fuzzers. Also, I'll be happy to contribute an integration to Fuzzit (I'm the CEO of the company), which will enable continuous fuzzing for the project for free as it's an open-source project. You can also read about the systemd case study here. To reproduce, run:

```sh
cd fuzz
make
./fuzz/mg_parse_http/mg_parse_http
```

Cheers,

Not sure who is the right person to review the PR, but CCing @cpq as you merged a CVE bugfix lately.

@alashkin maybe you can look at this? Not sure who is the right person.

Hi. I saw this posted on Reddit and am in no way affiliated with the project, but it looks like you've accidentally committed the 2.7MB fuzzing binary, which likely isn't meant to be in the repo. I had a brief go at running the fuzzer myself and it looks like the crash is the result of an incorrect assumption on the behaviour of

This patch fixes the issue by checking that the first character of the status code isn't a space, and hence fixes the crash, as it can no longer be given a string of 4 spaces which it would read off of: I also beefed up the fuzzer locally to test the other paths and nothing else was flagged up. Feel free to use it if you'd like:

Also, I notice the undefined behaviour sanitizer isn't enabled in the root Makefile? Nothing was flagged up when it was enabled, but integer overflow is a very common issue and that sanitizer is ideal for detecting it.

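The check described in the comment above, as an added example (not the PR's patch and not Mongoose's mg_parse_http): a bounded status-line parser that rejects a status code beginning with a space, paired with a libFuzzer entry point in the style of the fuzz/mg_parse_http harness. The struct layout, skip() and parse_status_line() are assumed names; the real parser's internals are not shown on this page.

```c
/* Added illustrative code, not Mongoose's mg_parse_http; struct, skip() and
 * parse_status_line() are assumed names. Build: clang -fsanitize=fuzzer,address,undefined */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct status_line {
    const char *proto; size_t proto_len;   /* e.g. "HTTP/1.1" */
    int code;                              /* e.g. 200 */
    const char *msg;   size_t msg_len;     /* e.g. "OK" */
};

/* Token before the first 'delim' in [s, end), then step over one delimiter.
 * Every read is bounded by 'end', never by a NUL terminator. */
static const char *skip(const char *s, const char *end, char delim,
                        const char **tok, size_t *tok_len) {
    *tok = s;
    while (s < end && *s != delim) s++;
    *tok_len = (size_t)(s - *tok);
    return s < end ? s + 1 : s;
}

/* Parse "PROTO SP NNN SP reason". Returns 1 on success, 0 on malformed input,
 * and never reads outside [s, s + n). */
int parse_status_line(const char *s, size_t n, struct status_line *out) {
    const char *end = s + n;
    memset(out, 0, sizeof(*out));
    s = skip(s, end, ' ', &out->proto, &out->proto_len);
    if (out->proto_len == 0) return 0;
    /* The fix discussed above: require "NNN " (4 bytes, byte 3 a space) AND
     * refuse a code whose first byte is a space, so a run of spaces is no
     * longer accepted as a status code and parsed past. */
    if ((size_t)(end - s) < 4 || s[0] == ' ' || s[3] != ' ') return 0;
    for (int i = 0; i < 3; i++) {           /* stricter: all three digits */
        if (s[i] < '0' || s[i] > '9') return 0;
        out->code = out->code * 10 + (s[i] - '0');
    }
    s += 4; out->msg = s;
    while (s < end && *s != '\r' && *s != '\n') s++;
    out->msg_len = (size_t)(s - out->msg);
    return 1;
}

/* libFuzzer entry point: every generated input lands here and ASan/UBSan
 * turn any out-of-bounds read into a reported crash with a backtrace. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct status_line sl;
    parse_status_line((const char *)data, size, &sl);
    return 0;
}
```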
Thank you, gents.

This commit places the basics for libFuzzer integration with one fuzzer which fuzzes the mg_parse_http function. The fuzzer is located at fuzz/mg_parse_http. To add more fuzzers, please add them to the ./fuzz directory. Also, a memory corruption bug was found using this fuzzer, which might lead to additional bugs after the fix is pushed.

@cpq Signed the CLA. Also, would you be interested if we also contributed an integration to Fuzzit so the fuzzers will run continuously? (like in systemd or Apache Arrow) @bobsayshilol Thanks! Is there a way to reach out to you privately? I wanted to discuss an idea with you. You can ping me at yp@fuzzit.dev and I'll reply there.

@cpq note that there aren't any commits attributed to me in this PR, so I don't need to sign the CLA, so this should be ready to be looked at/merged. @yevgenypats I'll drop you an email.

@yevgenypats @bobsayshilol thank you so much, gents. Closing this.

@cpq You're welcome. I wanted to follow up and see if you guys are interested in integrating the fuzzers with our (Fuzzit) Continuous Fuzzing as a Service platform. My biased opinion :) is that it is crucial for the stability and security of native code applications. Feel free to ping me at yp@fuzzit.dev.

This was assigned CVE-2019-13503.

@nluedtke shall the CVE mention Mongoose 6.14 and prior?

It does not, nor do I know who reported it. Just referencing it for tracking purposes. I'll mention it on the Red Hat bug.

Ah, thanks for the clarification @nluedtke, appreciated.

@cpq can you clarify? The fixing commits don't show they are part of a 6.15 release. At the time this was reported, 6.15 was the current version I think?

@attritionorg you're correct, we pushed to the dev branch but did not make a release.

@cpq do you have an idea of a new release date which includes this fix? Thanks!

Just tagged 6.16

@cpq thanks for the tag!
