[Pkg-libburnia-devel] Bug#774152: libisofs6: null pointer dereference

Jakub Wilk jwilk at debian.org
Tue Dec 30 23:34:07 UTC 2014

* Thomas Schmitt <scdbackup at gmx.net>, 2014-12-29, 18:38:
>Can you tell me your setup for xorriso ?

A program is worth a thousand words, so I wrote a script that sets 
(almost) everything up. It assumes that AFL is already installed (and 
the afl-* scripts are within $PATH), and that the current working directory 
is the root of the libisofs source.

I hope the script is sufficiently commented, but I recommend reading AFL 
documentation in addition to that: at least README and 

>Are there any known problems to avoid ?

Setting up AFL is a multi-step process, and there are a few ways things 
could break. Fortunately, afl-fuzz is designed to be goof-proof. :-) It 
usually warns you if something went wrong.

Jakub Wilk
#!/bin/sh
set -e
if [ ! -f demo/demo.c ] || [ ! -d libisofs ]; then
	echo 'This script must be run in the root directory of libisofs source.' >&2
	exit 1
fi
# 1) Enable hardening for afl-gcc.
# Hardening allows catching more memory bugs at the expense of a slight
# performance loss. It's a good trade-off IMO.
export AFL_HARDEN=1

# 2) Build the library and the demo program with AFL instrumentation:
./configure CC=afl-gcc
make
mkdir tmp

# 3) Create a (small) initial test case:
cat > tmp/limeric <<EOF
There was a young man from Japan
Whose limericks never would scan.
When asked why that was,
He replied "It's because
I always try to cram as many words into the last line as I possibly can."
EOF
mkdir -p afl-input
xorrisofs tmp > afl-input/input.iso
rm -rf tmp
# Unfortunately, the test case is kinda big.
# Test cases under 1K are ideal for AFL, but oh well,
# we'll keep our cool with this 360K monster. :-P

# 4) Find or write a program that will exercise the library.
# It is important that the target program is as fast as possible.
# For example, xorriso(1) overhead is far too big.
# Fortunately, the demo looks like a good candidate for the target program. :-)
# Let's just check that it actually works:

demo/demo -iso_read afl-input/input.iso

# 5) Start fuzzing:
afl-fuzz -d -i afl-input/ -o afl-output/ -- demo/demo -iso_read @@
# Here:
#  "-d" enables quick & dirty mode (which is rather necessary with our huge test case)
#  "-i" specifies input directory
#  "-o" specifies output directory for AFL findings
#  parameters after "--" is the command line that AFL will execute
#  "@@" is a placeholder for filename of mutated input
# And that's it! :-) The fuzzing process will continue until you press Ctrl-C.
# See the status_screen.txt file in the AFL documentation for information on
# how to interpret the displayed stats and monitor the health of the process.
# AFL will store input files that triggered a crash in afl-output/crashes/.

