Tracking issue for fuzzing #27

Closed
2 tasks
m4b opened this issue Jul 3, 2017 · 7 comments

Comments

m4b (Owner) commented Jul 3, 2017

Many overflow issues should disappear once upgraded to latest scroll

  • With seed 4, I get another overflow at src/strtab.rs:37. (To reproduce, be sure to delete fuzz/corpus.)
  • Seed 10 gives index out of bounds at src/elf/mod.rs:205. (Corrupt sh_link.)

/cc @sanxiyn

sanxiyn (Contributor) commented Jul 4, 2017

Seed 41 gives index out of bounds at src/elf/dyn.rs:402. (DT_NEEDED.)

I systematically ran 1 million runs for each seed from 1 to 100.

  • 56 successes
  • 34 failures
    • 23 in strtab
    • 7 in sh_link
    • 4 in DT_NEEDED
  • 9 out-of-memory
  • 1 AddressSanitizer failure

At this point, it is probably necessary to fix the above 3 issues before finding others.
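As an added illustration of the two crash classes tallied above (an arithmetic overflow in string-table handling, and an index out of bounds from a corrupt sh_link), here is a minimal string-table lookup written for this page, not goblin's own code: the naive form that a fuzzer breaks immediately beside a hardened form that returns `None`. The `SectionHeader` struct, `SAMPLE_FILE` bytes and both function names are hypothetical.

```rust
use std::convert::TryFrom;
use std::panic;

/// Minimal section-header view (hypothetical; not goblin's own struct).
pub struct SectionHeader {
    pub sh_link: u32,   // index of the section holding this section's strings
    pub sh_offset: u64, // file offset of the section contents
    pub sh_size: u64,   // size of the contents in bytes
}

/// Constructed sample: a tiny string table, not taken from any real binary.
pub const SAMPLE_FILE: &[u8] = b"\0.text\0.data\0";

/// Naive lookup, the shape of code a fuzzer breaks in seconds:
/// `shdrs[...]` panics on a corrupt sh_link and `sh_offset + sh_size`
/// overflows on hostile headers (panic in debug, silent wrap in release).
pub fn name_naive(file: &[u8], shdrs: &[SectionHeader], symtab: &SectionHeader, off: u64) -> String {
    let strtab = &shdrs[symtab.sh_link as usize];
    let start = strtab.sh_offset as usize;
    let end = (strtab.sh_offset + strtab.sh_size) as usize;
    let s = &file[start..end][off as usize..];
    let nul = s.iter().position(|&b| b == 0).unwrap_or(s.len());
    String::from_utf8_lossy(&s[..nul]).into_owned()
}

/// Hardened lookup: every index and sum is checked, so corrupt input
/// yields `None` for the caller to report instead of a panic.
pub fn name_checked(file: &[u8], shdrs: &[SectionHeader], symtab: &SectionHeader, off: u64) -> Option<String> {
    let strtab = shdrs.get(symtab.sh_link as usize)?; // corrupt sh_link
    let start = usize::try_from(strtab.sh_offset).ok()?;
    let size = usize::try_from(strtab.sh_size).ok()?;
    let end = start.checked_add(size)?;                // offset arithmetic overflow
    let table = file.get(start..end)?;                 // section runs past end of file
    let s = table.get(usize::try_from(off).ok()?..)?;  // string offset past the table
    let nul = s.iter().position(|&b| b == 0).unwrap_or(s.len());
    Some(String::from_utf8_lossy(&s[..nul]).into_owned())
}

fn main() {
    let shdrs = [SectionHeader { sh_link: 0, sh_offset: 0, sh_size: SAMPLE_FILE.len() as u64 }];
    let symtab = SectionHeader { sh_link: 0, sh_offset: 0, sh_size: 0 };
    let corrupt = SectionHeader { sh_link: 7, sh_offset: 0, sh_size: 0 };
    println!("{:?}", name_checked(SAMPLE_FILE, &shdrs, &symtab, 7));  // Some(".data")
    println!("{:?}", name_checked(SAMPLE_FILE, &shdrs, &corrupt, 7)); // None
    // The naive version panics on the same corrupt header.
    println!("{}", panic::catch_unwind(|| name_naive(SAMPLE_FILE, &shdrs, &corrupt, 7)).is_err());
}
```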

m4b (Owner, Author) commented Jul 6, 2017

This is really great, thanks for doing this! :) 👍

Unfortunately, these fixes are blocked until the latest version of scroll lands. In the meantime, it's good to note them here; eager to see what else is in store once the scroll update lands :)

m4b (Owner, Author) commented Jul 30, 2017

Ok, the scroll port/branch is now on master, so you can fuzz/report bugs from there!

@m4b m4b mentioned this issue Jul 30, 2017
m4b added a commit that referenced this issue Jul 30, 2017
sanxiyn (Contributor) commented Aug 1, 2017

I re-ran fuzzing on 9f405aa, and the result is:

  • 65 successes
  • 11 out-of-memory
  • 19 strtab (seed 2)
  • 5 sh_link (seed 64)

DT_NEEDED seems fixed.

To reproduce with seed X, run `rm -rf fuzz/{artifacts,corpus}; RUST_BACKTRACE=1 cargo fuzz run parse -- -seed=X`.

sanxiyn (Contributor) commented Aug 2, 2017

With #34 merged, 71 successes, 20 out-of-memory, 9 sh_link (seed 1). Hm, I hoped to discover some new issues, but no dice. Maybe I should try something new.

sanxiyn (Contributor) commented Aug 3, 2017

With #35 merged, I am happy to report that goblin withstood 100 million fuzzing runs, 1 million runs each for seed 1~100.

Please close this issue. I will open a new one when I discover more issues by fuzzing differently. The first thing to try is adding a corpus, instead of starting from zero.

m4b (Owner, Author) commented Aug 4, 2017

👍 thanks for all your investigations, this was epic! :D

m4b closed this as completed Aug 4, 2017