DragonFly BSD
DragonFly kernel List (threaded) for 2006-09
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: Playing with fuzzers

From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 15 Sep 2006 20:30:29 -0700 (PDT)

:Op vrijdag 15 september 2006 12:17, schreef Emiel Kollof:
:> Hi,
:> Ilja van Sprundel (some of you might know him) was playing around with a
:> trivial syscall fuzzer in DragonFly 1.6-RELEASE and found a few bugs.
:> One is a free(NULL) in sendmsg, and a panic in malloc that's triggered by
:> vfork -> fork1 -> fdcopy -> malloc.
:He also has some backraces that were caused by the fuzzer here:
:Those are vmware screendumps.

    Very interesting.  

    The sys_osendmsg() bug is due to iovec_free() being called improperly.
    Three different system calls use the same erronous sequence.  I'll
    get those fixed shortly.

    sys_pathconf() is clearly dying to a bogus path, but not knowing the
    path I don't know why.  I'll try to reproduce it.

    I think the panic in the sys_ogetkerninfo() is due to a '0' value for
    the length field being fed into vm_map_wire() along with an unmapped
    address.  The 0 length prevents useracc() from returning an error,
    then vm_map_wire() blows up.  I'll fix that one shortly.


[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]