third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff - Issue 2075883002: Add American Fuzzy Lop (afl) to third_party/afl/

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff

Issue 2075883002: Add American Fuzzy Lop (afl) to third_party/afl/ (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Fix nits Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « third_party/afl/src/experimental/asan_cgroups/limit_memory.sh ('k') | third_party/afl/src/experimental/canvas_harness/canvas_harness.html » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 This patch shows a very simple way to find post-Shellshock bugs in bash, as

	2 discussed here:

	3

	4 http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

	5

	6 In essence, it shows a way to fuzz environmental variables. Instructions:

	7

	8 1) Download bash 4.3, apply this patch, compile with:

	9

	10 CC=/path/to/afl-gcc ./configure

	11 make clean all

	12

	13 Note that the harness puts the fuzzed output in $TEST_VARIABLE. With

	14 Florian's Shellshock patch (bash43-028), this is no longer passed down

	15 to the parser.

	16

	17 2) Create and cd to an empty directory, put the compiled bash binary in

	18 there, and run these commands:

	19

	20 mkdir in_dir

	21 echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt

	22

	23 3) Run the fuzzer with:

	24

	25 /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c :

	26

	27 The -d parameter is advisable only if the tested shell is fairly slow

	28 or if you are in a hurry; will cover more ground faster, but

	29 less systematically.

	30

	31 4) Watch for crashes in out_dir/crashes/. Also watch for any new files

	32 created in cwd if you're interested in non-crash RCEs (files will be

	33 created whenever the shell executes "foo>bar" or something like

	34 that). You can correlate their creation date with new entries in

	35 out_dir/queue/.

	36

	37 You can also modify the bash binary to directly check for more subtle

	38 fault conditions, or use the synthesized entries in out_dir/queue/

	39 as a seed for other, possibly slower or more involved testing regimes.

	40

	41 Expect several hours to get decent coverage.

	42

	43 --- bash-4.3/shell.c.orig 2014-01-14 14:04:32.000000000 +0100

	44 +++ bash-4.3/shell.c 2015-04-30 05:56:46.000000000 +0200

	45 @@ -371,6 +371,14 @@

	46 env = environ;

	47 #endif /* __OPENNT */

	48

	49 + {

	50 +

	51 + static char val[1024 * 16];

	52 + read(0, val, sizeof(val) - 1);

	53 + setenv("TEST_VARIABLE", val, 1);

	54 +

	55 + }

	56 +

	57 USE_VAR(argc);

	58 USE_VAR(argv);

	59 USE_VAR(env);

OLD	NEW