
Re: [PATCH v3 02/16] fuzz: Add general virtual-device fuzzer


From: Alexander Bulekov
Subject: Re: [PATCH v3 02/16] fuzz: Add general virtual-device fuzzer
Date: Sun, 11 Oct 2020 11:35:22 -0400

On 201008 0903, Paolo Bonzini wrote:
> On 21/09/20 16:34, Alexander Bulekov wrote:
> >> Can you fuzz writing "FUZZ" in memory? Like:
> >> OP_WRITE(0x100000, "UsingLibFUZZerString")?
> > No.. Hopefully that's not a huge problem.
> > 
> 
> Instead of always looking for a separator, can you:
> 
> 1) skip over it if you find it naturally at the end of a command (that
> is, "FUZZ" is like a comment command)
> 
> 2) actively search for it only if you stumble upon an unrecognized command?
> 

What is the end goal? Is it to be able to use the "FUZZ" bytes to fuzz
devices?
My concern is that we want to keep the "stability" added by the FUZZ
separators (i.e. removing a single byte shouldn't completely change the
sequence of operations).

> In that case, if you have
> 
>   AbcFUZZD0x100000UsingLibFUZZerFUZZ
> 
> The first and third instances would be ignored, while the second would
> be part of the input.  On the other hand if you have
> 
>   bcFUZZD0x100000UsingLibFUZZerFUZZ
> 
> "b" is an invalid command and therefore you'd skip directly to "D".

There aren't any invalid opcodes, since we interpret the opcode modulo
the size of the opcode table. We only have invalid/skipped commands when
there isn't enough data after the opcode to figure out what we should do.

> 
> Paolo
> 

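The three parsing rules the reply describes (split on the "FUZZ" separator, take the opcode modulo the table size so every opcode byte is valid, skip a command whose arguments are too short) modelled as a small Python interpreter. This is an added example, not QEMU's generic_fuzzer code: the two-entry op table and the argument layouts are hypothetical stand-ins for the real, larger table, and the sample input is constructed. It also shows why writing a payload that itself contains "FUZZ" is not possible, and why deleting one byte only disturbs the command it lands in.

```python
import struct

SEPARATOR = b"FUZZ"   # the separator discussed in the thread


def op_read(args):
    """Hypothetical read op: <u32 addr><u32 size>."""
    if len(args) < 8:
        return None                  # not enough data: command is skipped
    addr, size = struct.unpack("<II", args[:8])
    return ("read", addr, size)


def op_write(args):
    """Hypothetical write op: <u32 addr><payload ...>."""
    if len(args) < 4:
        return None                  # not enough data: command is skipped
    addr = struct.unpack("<I", args[:4])[0]
    return ("write", addr, args[4:])


OPS = [op_read, op_write]            # toy table; the real one is larger


def parse_commands(data):
    """Split on the separator and dispatch each chunk by opcode modulo len(OPS)."""
    ops = []
    for cmd in data.split(SEPARATOR):
        if not cmd:
            continue
        handler = OPS[cmd[0] % len(OPS)]   # any opcode byte maps to a valid op
        result = handler(cmd[1:])
        if result is not None:
            ops.append(result)
    return ops


def drop_byte(data, index):
    """A typical single-byte deletion mutation, used to check stability."""
    return data[:index] + data[index + 1:]


# Constructed sample: a write whose payload contains "FUZZ", followed by a read.
# The payload is cut at the embedded separator; the leftover "er" chunk becomes
# a write op with too few argument bytes and is skipped.
SAMPLE = (b"\x01" + struct.pack("<I", 0x100000) + b"UsingLibFUZZer"
          + SEPARATOR + b"\x00" + struct.pack("<II", 0x1000, 4))

if __name__ == "__main__":
    print(parse_commands(SAMPLE))
    print(parse_commands(drop_byte(SAMPLE, 2)))   # the read op survives intact
```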

