Chromium Code Reviews

Unified Diff: third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff

Issue 2075883002: Add American Fuzzy Lop (afl) to third_party/afl/ (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix nits Created 4 years, 6 months ago
Index: third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff
diff --git a/third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff b/third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff
new file mode 100644
index 0000000000000000000000000000000000000000..3fa05bf814c38ecdaa962ec521fa45b1a9f668b9
--- /dev/null
+++ b/third_party/afl/src/experimental/bash_shellshock/shellshock-fuzz.diff
@@ -0,0 +1,59 @@
+This patch shows a very simple way to find post-Shellshock bugs in bash, as
+discussed here:
+
+ http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
+
+In essence, it shows a way to fuzz environmental variables. Instructions:
+
+1) Download bash 4.3, apply this patch, compile with:
+
+ CC=/path/to/afl-gcc ./configure
+ make clean all
+
+ Note that the harness puts the fuzzed output in $TEST_VARIABLE. With
+ Florian's Shellshock patch (bash43-028), this is no longer passed down
+ to the parser.
+
+2) Create and cd to an empty directory, put the compiled bash binary in
+ there, and run these commands:
+
+ mkdir in_dir
+ echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt
+
+3) Run the fuzzer with:
+
+ /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c :
+
+ The -d parameter is advisable only if the tested shell is fairly slow
+ or if you are in a hurry; will cover more ground faster, but
+ less systematically.
+
+4) Watch for crashes in out_dir/crashes/. Also watch for any new files
+ created in cwd if you're interested in non-crash RCEs (files will be
+ created whenever the shell executes "foo>bar" or something like
+ that). You can correlate their creation date with new entries in
+ out_dir/queue/.
+
+ You can also modify the bash binary to directly check for more subtle
+ fault conditions, or use the synthesized entries in out_dir/queue/
+ as a seed for other, possibly slower or more involved testing regimes.
+
+ Expect several hours to get decent coverage.
+
+--- bash-4.3/shell.c.orig 2014-01-14 14:04:32.000000000 +0100
++++ bash-4.3/shell.c 2015-04-30 05:56:46.000000000 +0200
+@@ -371,6 +371,14 @@
+ env = environ;
+ #endif /* __OPENNT */
+
++ {
++
++ static char val[1024 * 16];
++ read(0, val, sizeof(val) - 1);
++ setenv("TEST_VARIABLE", val, 1);
++
++ }
++
+ USE_VAR(argc);
+ USE_VAR(argv);
+ USE_VAR(env);
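Review bot: the harness line `read(0, val, sizeof(val) - 1)` in the embedded shell.c hunk discards the return value of read(); this is safe only because `val` is static (zero-initialised) and the read is capped one byte short of the buffer, which guarantees the string handed to `setenv("TEST_VARIABLE", val, 1)` is NUL-terminated. That reasoning is not obvious to someone who later raises the buffer size or makes `val` automatic, so a one-line comment stating the invariant would help. Separately, the instructions in step 1 note that with bash43-028 the fuzzed $TEST_VARIABLE no longer reaches the parser, which means the harness as written is only meaningful against bash 4.3 at a patch level below 028; stating the intended target patch level explicitly next to the "apply this patch" step would avoid confusion. Minor wording in step 3: "will cover more ground faster" is missing its subject ("it will cover more ground faster, but less systematically").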
