Long time no blog.
For a while I’ve been working on a system call fuzzing tool. A really long time ago, Kurt Garloff wrote one (I later added some improvements to it) that just blasted random crap into every register and invoked random syscalls. After it triggered some really stupid bugs, which got fixed pretty quickly, it rarely found anything again. Sometimes when a new syscall was added, someone would miss a check and it would trigger a new bug, but for the most part every call just -EINVAL’d immediately.
So I started exploring the idea of writing a tool that, instead of passing random junk, passes semi-sensible data. If the first thing a syscall does is check that a value is less than 3, then passing rand() % 3 gets us further into the function than passing rand() unmasked would. There are a bunch of other things that can be done too. If a syscall expects a file descriptor, pass one. If it expects the address of a structure, pass it realistic-looking addresses (kernel addresses, userspace addresses, ‘weird’-looking addresses).
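To make the idea concrete, here is a small harness of my own (an added example, not code from the tool this post describes) that drives one syscall through a per-argument descriptor: each argument is tagged as a bounded range, a file descriptor, or an address, and the generator shapes it accordingly instead of handing the kernel raw rand() output. The descriptor layout, the enum and the helper names are my own; the target here is mprotect(2) on Linux, with the address pool restricted to a private mmap’d region so that a successful call cannot remap the harness’s own heap or libc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Per-argument shaping rules. The enum, the descriptor layout and the helper
 * names are my own for this illustration, not the fuzzer's. */
enum argtype { ARG_RANDOM, ARG_RANGE, ARG_FD, ARG_ADDRESS };

struct syscall_desc {
    long nr;
    int nargs;
    enum argtype type[6];
    unsigned long range_max[6]; /* ARG_RANGE: value is 0 .. max-1, max > 0 */
};

#define USER_REGION (4 * 4096UL)

/* A few real descriptors, so ARG_FD never hands the kernel a closed fd. */
static int fd_pool[3], fd_pool_len;

static unsigned long gen_fd(void) {
    int fd, p[2];
    if (fd_pool_len == 0) {
        if ((fd = open("/dev/null", O_RDWR)) >= 0) fd_pool[fd_pool_len++] = fd;
        if (pipe(p) == 0) { fd_pool[fd_pool_len++] = p[0]; fd_pool[fd_pool_len++] = p[1]; }
    }
    return (unsigned long)fd_pool[rand() % fd_pool_len];
}

/* A private anonymous region nothing else uses: a successful mprotect on it
 * cannot pull the heap or libc out from under the fuzzer itself. */
static unsigned long user_region(void) {
    static void *base;
    if (!base)
        base = mmap(NULL, USER_REGION, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return (unsigned long)base;
}

/* Realistic-looking pointers: start of the region, an unaligned offset into
 * it, a kernel-looking address at the top of the address space, and NULL. */
static unsigned long gen_address(void) {
    switch (rand() % 4) {
    case 0:  return user_region();
    case 1:  return user_region() + 1 + (unsigned long)rand() % 4095;
    case 2:  return ~0UL & ~0xfffUL;
    default: return 0;
    }
}

/* The core idea: shape each argument the way the syscall is going to check it. */
void fill_args(const struct syscall_desc *d, unsigned long a[6]) {
    for (int i = 0; i < 6; i++) {
        if (i >= d->nargs) { a[i] = 0; continue; }
        switch (d->type[i]) {
        case ARG_RANGE:   a[i] = (unsigned long)rand() % d->range_max[i]; break;
        case ARG_FD:      a[i] = gen_fd(); break;
        case ARG_ADDRESS: a[i] = gen_address(); break;
        default:          a[i] = ((unsigned long)rand() << 16) ^ (unsigned long)rand();
        }
    }
}

/* Invoke the call; returns errno, or 0 if the kernel accepted the arguments. */
int run_one(const struct syscall_desc *d, const unsigned long a[6]) {
    return syscall(d->nr, a[0], a[1], a[2], a[3], a[4], a[5]) == -1 ? errno : 0;
}

/* Fuzz one syscall for `rounds` calls. Returns how many calls got past the
 * entry checks (anything but -EINVAL), or -1 if the shaping ever produced an
 * argument set that violated its own descriptor. */
int fuzz_rounds(const struct syscall_desc *d, int rounds) {
    unsigned long a[6];
    int past = 0;
    while (rounds-- > 0) {
        fill_args(d, a);
        for (int i = 0; i < d->nargs; i++) {  /* the generator must respect its descriptor */
            if (d->type[i] == ARG_RANGE && a[i] >= d->range_max[i]) return -1;
            if (d->type[i] == ARG_FD && fcntl((int)a[i], F_GETFD) == -1) return -1;
        }
        if (run_one(d, a) != EINVAL) past++;
    }
    return past;
}

/* mprotect(addr, len, prot): addr from the address pool, len kept inside the
 * private region so a successful call touches only our own pages, prot any
 * combination of PROT_READ|PROT_WRITE|PROT_EXEC (bits 0..2). */
const struct syscall_desc mprotect_desc = {
    SYS_mprotect, 3, { ARG_ADDRESS, ARG_RANGE, ARG_RANGE }, { 0, USER_REGION, 8 },
};

int main(void) {
    srand(1);
    int past = fuzz_rounds(&mprotect_desc, 200);
    printf("mprotect: %d of 200 calls got past the -EINVAL entry checks\n", past);
    return past < 0;
}
```

The descriptor is where the knowledge lives: with an unmasked rand() for prot, almost every call dies on the `prot & ~(PROT_READ|PROT_WRITE|PROT_EXEC|...)` check at the top of the function; with range_max 8 every call carries a legal protection mask and the kernel has to walk the VMAs. The same trick applies to any argument that is validated early (flags, enums, small counts), and the fd pool and address pool are what let calls that take a descriptor or a pointer get past the first `-EBADF` or `-EFAULT`. What this harness cannot do on its own is find something like the perf-plus-mprotect oops mentioned below: that needs the rest of the system in the state that triggers it, which is what running the fuzzer under a real workload gives you.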
The new tool just found its first real bug: if perf is running and mprotect is being fuzzed, we get an oops. Oops indeed.
I suspect it’ll find some more bugs over time as I add more twists on ‘random’ data. I already have a bunch of ideas that I want to implement (some are listed in the TODO). Seeing a bunch of people at the kernel summit / plumbers conf last week gave me a whole bunch more ideas too.