Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531)

[Alexander Cherepanov <cherepan () mccme ru>]

On 2014-11-07 18:58, Robert Święcki wrote:
> 2014-11-07 11:08 GMT+01:00 Yury Gribov <y.gribov () samsung com>:
> > On 11/07/2014 07:43 AM, Alexander Cherepanov wrote:
> > > Longer version: I started with the most simple approach I could get
> > > results with and improved it only a little bit so far. There was just no
> > > need for improvements -- until recently I was getting more crashes than
> > > I can analyze (i.e. run through valgrind:-).
> >
> >
> > This looks rather impressive.  Have you considered automatically detecting
> > duplicates by e.g. analyzing stacktraces?
>
> Feel free to take a look at honggfuzz - https://code.google.com/p/honggfuzz/
>
> It provides a crude version of unification on the basis of offending
> program counter (as well as simple disassembly of the offending
> instruction).

Is it really interesting? For objdump many crashes are in quite generic 
functions like bfd_getl16 and PC will not differentiate between them. 
Using full stacktrace is probably too much but using only PC seems to be 
too coarse.

> It also disables address randomization to get repeatable
> crashes. Example output (from testing strings-multiarch):

BTW is there a publicly available corpus of binaries from various 
architectures?

> http://alt.swiecki.net/.t/strings-multiarch.txt
>
> Usage:
> honggfuzz -f in/ -r 0.1 -q -- /usr/bin/strings ___FILE___

--
Alexander Cherepanov