FuzzingLibc - glibc wiki
Fuzzing libc
This page is dedicated to fuzz-testing a libc implementation. Since libc is a collection of loosely connected interfaces, it is hard or impossible to fuzz libc as a whole. However, successful attempts have been made to fuzz parts of libc.
This page is incomplete, input is welcome!
Fuzzing regular expressions and wildcards
- Regfuzz creates random regular expressions that can be fed to e.g. regcomp().
- A very simple wildcard fuzzer found a buffer overflow in fnmatch(): 17062.
- In-process coverage-guided mutation fuzzing with LLVM's libFuzzer coupled with AddressSanitizer. Currently requires a hacky build with Clang.
Notes on fuzzing wordexp
As shown above, wordexp() is an interesting target for fuzzing (i.e. it has a few bugs that a fuzzer can discover). However, it is also a challenging target for several reasons:
- wordexp may read and set environment variables (!!!), so one call to wordexp is not enough to evaluate all possible states. For an in-process fuzzer this means that separate executions of wordexp are not isolated, and for an out-of-process fuzzer it means that some of the bugs are not detectable (see e.g. 18043#c19).
- wordexp runs external commands. Fuzzing has to be done with WRDE_NOCMD, or otherwise be very careful not to execute arbitrary commands.
- wordexp actually calls glob(), which reads the file system -- this may dramatically slow down the fuzzing.
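An added example (not code from this wiki page or from glibc itself) of a libFuzzer harness that follows the notes above: it passes WRDE_NOCMD so no command is ever executed, adds WRDE_UNDEF so unset variables are an error rather than environment-dependent, clears the environment and moves into an empty scratch directory (created with mkdtemp under a placeholder /tmp path, both assumptions) to limit the environment and glob() effects, and skips inputs with embedded NULs. The environment still persists across iterations, which is exactly the isolation problem described above.

```c
/* Added example: libFuzzer harness for glibc wordexp().
 * Build (assumes Clang with libFuzzer and ASan):
 *   clang -g -O1 -fsanitize=fuzzer,address wordexp_fuzz.c -o wordexp_fuzz */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <wordexp.h>

/* Expand one NUL-free input and return the wordexp() status code.
 * WRDE_NOCMD makes $(...) and `...` fail with WRDE_CMDSUB instead of
 * running /bin/sh; WRDE_UNDEF turns references to unset variables into
 * WRDE_BADVAL so results do not hinge on the inherited environment. */
int fuzz_wordexp_once(const uint8_t *data, size_t size)
{
    char *s = malloc(size + 1);
    if (s == NULL)
        return WRDE_NOSPACE;
    memcpy(s, data, size);
    s[size] = '\0';

    wordexp_t we;
    memset(&we, 0, sizeof we);
    int rc = wordexp(s, &we, WRDE_NOCMD | WRDE_UNDEF);
    if (rc == 0)
        wordfree(&we);   /* only valid after a successful expansion */
    free(s);
    return rc;
}

/* Runs once before fuzzing: start from a known environment and an empty
 * scratch directory so glob() has little to read and ${VAR=...} style
 * assignments do not mix host variables into later iterations. */
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
    (void)argc; (void)argv;
    char tmpl[] = "/tmp/wordexp-fuzz-XXXXXX";   /* placeholder path */
    clearenv();
    setenv("HOME", "/nonexistent", 1);
    if (mkdtemp(tmpl) != NULL)
        (void)chdir(tmpl);
    return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    /* wordexp() stops at the first NUL; skip inputs that would be truncated. */
    if (memchr(data, '\0', size) != NULL)
        return 0;
    (void)fuzz_wordexp_once(data, size);
    return 0;
}
```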