fuzzing boost at OSS-Fuzz


fuzzing boost at OSS-Fuzz

Boost - Dev mailing list
Hi,

I would like to invite boost developers to use OSS-Fuzz, a continuous
automated fuzzing service.
https://github.com/google/oss-fuzz
https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

I've made the initial set up that fuzzes boost::regex and it found 8 bugs
there, see
https://svn.boost.org/trac10/ticket/12818#comment:7

3460 boost: Integer-overflow in boost::re_detail_NUMBER::basic_regex_parser...
3464 boost: Integer-overflow in boost::re_detail_NUMBER::perl_matcher...
3469 boost: ASSERT: jmp->type == syntax_element_jump
3471 boost: Stack-overflow in boost::re_detail_NUMBER::basic_regex_parser...
3472 boost: Stack-overflow in boost::re_detail_NUMBER::perl_matcher...
3478 boost: Stack-buffer-overflow in boost::re_detail_NUMBER::perl_matcher...
3479 boost: Null-dereference READ in boost::re_detail_NUMBER::basic_regex...

Vinnie Falco pointed me to Jens Weller's blog post about fuzzing beast:
https://www.meetingcpp.com/blog/items/fuzzing-beast.html .
Jens used libFuzzer, which is one of the two fuzzing engines used by
OSS-Fuzz.
Adding a boost library to OSS-Fuzz will look very similar to this blog
post.

For those of you who are at CppCon this week: we can discuss this face to
face.

--kcc

_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
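The post says that putting a Boost library on OSS-Fuzz looks much like Jens Weller's libFuzzer write-up. As an added illustration of what such a target looks like (this is not code from the post, from Boost, or from the OSS-Fuzz boost integration), here is a libFuzzer-shaped harness with the entry point OSS-Fuzz calls. To build stand-alone without Boost it exercises `std::regex` instead of `boost::regex`; that substitution, the pattern/subject split at the first NUL byte, the `kMaxInput` bound, and the helper names `split_input`, `exercise_regex` and `classify` are all assumptions of this example.

```cpp
// Added example, not from the mailing-list post or the Boost project.
// A libFuzzer/OSS-Fuzz style target. It assumes std::regex in place of
// boost::regex so it compiles without Boost; the input layout
// ("<pattern>\0<subject>") and all helper names are this example's own.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <iterator>
#include <regex>
#include <string>
#include <vector>

// Bound each input: the bugs listed in the thread include stack overflows
// on deeply nested patterns, and a cap keeps the fuzzer exploring the
// parser rather than burning time on enormous, slow inputs.
static const size_t kMaxInput = 512;

// Split the fuzzer's bytes at the first NUL: bytes before it are the regex
// pattern, bytes after it the subject to search. Returns false if the input
// is empty, too large, or has no separator (such inputs are just skipped).
bool split_input(const uint8_t* data, size_t size,
                 std::string& pattern, std::string& subject) {
  if (size == 0 || size > kMaxInput) return false;
  const uint8_t* sep = static_cast<const uint8_t*>(std::memchr(data, 0, size));
  if (sep == nullptr) return false;
  pattern.assign(reinterpret_cast<const char*>(data), sep - data);
  subject.assign(reinterpret_cast<const char*>(sep + 1),
                 (data + size) - (sep + 1));
  return true;
}

// Drive the library. A malformed pattern is expected behaviour and is
// swallowed; anything else (sanitizer reports, assertion failures, stack
// exhaustion) is exactly what the fuzzer exists to surface.
// Returns 1 on match, 0 on no match, -1 on a rejected pattern.
int exercise_regex(const std::string& pattern, const std::string& subject) {
  try {
    std::regex re(pattern, std::regex::ECMAScript);
    return std::regex_search(subject, re) ? 1 : 0;
  } catch (const std::regex_error&) {
    return -1;  // bad pattern syntax: an uninteresting input, not a bug
  }
}

// The entry point libFuzzer (and therefore OSS-Fuzz) calls for every input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::string pattern, subject;
  if (!split_input(data, size, pattern, subject)) return 0;
  exercise_regex(pattern, subject);
  return 0;  // libFuzzer requires 0; non-zero return values are reserved
}

// Route one byte string through the same split + exercise path and report
// the outcome: -2 rejected by split_input, -1 bad pattern, 0 no match, 1 match.
int classify(const char* bytes, size_t size) {
  std::string pattern, subject;
  if (!split_input(reinterpret_cast<const uint8_t*>(bytes), size,
                   pattern, subject)) {
    return -2;
  }
  return exercise_regex(pattern, subject);
}

// Replay driver so the same file also builds as an ordinary program
// (without -fsanitize=fuzzer): pass it the reproducer files a fuzzer wrote.
int main(int argc, char** argv) {
  for (int i = 1; i < argc; ++i) {
    std::ifstream in(argv[i], std::ios::binary);
    std::vector<uint8_t> bytes((std::istreambuf_iterator<char>(in)),
                               std::istreambuf_iterator<char>());
    LLVMFuzzerTestOneInput(bytes.data(), bytes.size());
    std::printf("%s: replayed without a crash\n", argv[i]);
  }
  return 0;
}
```

Under OSS-Fuzz this file would be compiled with the project's `$CXX $CXXFLAGS` and linked against `$LIB_FUZZING_ENGINE` instead of the replay `main`; the sanitizer builds then turn the integer overflows, stack overflows and null dereferences listed above into reports with the reproducer attached. Catching `regex_error` is the important design choice: without it every syntactically invalid pattern would abort the process and bury the real memory-safety findings.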

Re: fuzzing boost at OSS-Fuzz

Hi again,

Any interest in fuzzing parts of boost on OSS-Fuzz?

BTW, John Maddock is actively fixing boost::regex bugs found by fuzzing:
https://github.com/boostorg/regex/search?q=oss-fuzz&type=Commits
(Thanks John!)

--kcc


On Tue, Sep 26, 2017 at 8:51 PM, Kostya Serebryany <[hidden email]> wrote:

> Hi,
>
> I would like to invite boost developers to use OSS-Fuzz, a continuous
> automated fuzzing service.
> https://github.com/google/oss-fuzz
> https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html
>
> I've made the initial set up that fuzzes boost::regex and it found 8 bugs
> there, see
> https://svn.boost.org/trac10/ticket/12818#comment:7
>
> 3460 boost: Integer-overflow in boost::re_detail_NUMBER::basic_regex_parser...
> 3464 boost: Integer-overflow in boost::re_detail_NUMBER::perl_matcher...
> 3469 boost: ASSERT: jmp->type == syntax_element_jump
> 3471 boost: Stack-overflow in boost::re_detail_NUMBER::basic_regex_parser...
> 3472 boost: Stack-overflow in boost::re_detail_NUMBER::perl_matcher...
> 3478 boost: Stack-buffer-overflow in boost::re_detail_NUMBER::perl_matcher...
> 3479 boost: Null-dereference READ in boost::re_detail_NUMBER::basic_regex...
>
> Vinnie Falco pointed me to Jens Weller's blog post about fuzzing beast:
> https://www.meetingcpp.com/blog/items/fuzzing-beast.html .
> Jens used libFuzzer, which is one of the two fuzzing engines used by
> OSS-Fuzz.
> Adding a boost library to OSS-Fuzz will look very similar to this blog
> post.
>
> For those of you who are at CppCon this week: we can discuss this face to
> face.
>
> --kcc
>
