[Python-Dev] Play with fuzzing (original) (raw)

Victor Stinner victor.stinner at haypocalc.com
Mon Jul 7 01:11:52 CEST 2008

Hi,

I wrote a fuzzing "framework" called Fusil and this week I wrote a fuzzer for Python. The idea is quite simple: for a module,

Example: --------------------- 8< ----------------------------------- print "Call 39/40: linuxaudiodev.open()" try: linuxaudiodev.open( # argument 1/2 u"\u62C0\uFBD7\uB46A\u55E0\uFB7B\uD392\u7CEE", # argument 2/2 52.682, ) except Exception, err: print >>stderr, "ERROR: %s" % err --------------------- 8< -----------------------------------

I tried it on CPython 2.5 and then on CPython trunk (future 2.6). I found some bugs, see last bug entries in Python bugtracker. Just an example:

http://bugs.python.org/issue3304 -> invalid call to PyMem_Free() in fileio_init()

Most bugs crash with a segmentation fault, abort or a denial of service.

If you would like to try my fuzzer, use: (1) svn co http://fusil.hachoir.org/svn/trunk fusil (2) cd fusil (3) ./run_fusil.sh -p projects/python.py --fast --remove ALL

The option --fast goes faster, --remove does remove session directory even if Python generated some files, and "ALL" test all modules.

FUSIL IS NOT SAFE! So run it under a different user using to avoid dangerous call to os.unlink().

The module list is hardcoded: it's the list of CPython modules written in C.

More informations about Fusil: http://fusil.hachoir.org/trac

-- Victor Stinner aka haypo http://www.haypocalc.com/blog/

More information about the Python-Dev mailing list