finding ancient bugs with trinity.

I’ve continued development on my system call fuzzer over the last few months.
One of the biggest changes was introducing multiple processes and sharing fds between them.
This started turning up all kinds of interesting bugs, including, recently, a bug in the mbind code that caused a use-after-free which silently corrupted memory.
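
As an added illustration (not Trinity’s own code), here is a minimal skeleton of the “many processes, shared objects” style described above: the parent creates one shared mapping and one fd, then forks workers that all change the mempolicy of that same mapping with mbind() while also reading the shared fd. It is Linux-only and calls mbind through syscall(2) so that libnuma is not required; the worker count, iteration count and the policy modes used are assumptions of this example, not values taken from the post. Individual syscall failures (for example EPERM under a seccomp profile, or EINVAL for a node that is not online) are counted rather than treated as fatal, because what a fuzzer like this is probing is the kernel’s handling of concurrent policy changes on one shared VMA, not whether every call succeeds.

```c
/* Added illustration, not Trinity's code: N forked workers hammering one
 * shared mapping and one shared fd with mbind()/pread(). Linux-only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* mempolicy mode numbers as defined in <linux/mempolicy.h> */
enum { MPOL_DEFAULT_ = 0, MPOL_PREFERRED_ = 1, MPOL_BIND_ = 2, MPOL_INTERLEAVE_ = 3 };

static long do_mbind(void *addr, size_t len, int mode,
                     const unsigned long *nodemask, unsigned long maxnode,
                     unsigned flags)
{
    /* raw syscall so the example does not need libnuma's <numaif.h> */
    return syscall(SYS_mbind, addr, len, mode, nodemask, maxnode, flags);
}

/* One worker: apply a pseudo-random sequence of mempolicies to the region
 * every sibling is also modifying, interleaved with reads of the shared fd
 * and writes that fault the pages in. Returns the number of failed calls;
 * failures are expected and are not a crash of the worker itself. */
static int worker(void *region, size_t len, int shared_fd, int iters, unsigned seed)
{
    unsigned long node0 = 1UL;          /* nodemask with only node 0 set */
    int failures = 0;
    char buf[64];

    for (int i = 0; i < iters; i++) {
        int mode = rand_r(&seed) % 4;   /* assumed: pick one of the four modes */
        const unsigned long *mask = (mode == MPOL_DEFAULT_) ? NULL : &node0;
        unsigned long maxnode = (mode == MPOL_DEFAULT_) ? 0 : 2;

        if (do_mbind(region, len, mode, mask, maxnode, 0) != 0)
            failures++;
        if (pread(shared_fd, buf, sizeof buf, 0) < 0)   /* touch the shared fd */
            failures++;
        memset(region, i & 0xff, len);  /* fault pages in under the new policy */
    }
    return failures;
}

/* Fork `nworkers` children over one shared region and fd; return how many
 * of them exited cleanly (a worker killed by a kernel bug would not). */
int run_workers(int nworkers, int iters)
{
    size_t len = 4096 * 4;
    void *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                        MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    int fd = open("/dev/zero", O_RDONLY);
    if (region == MAP_FAILED || fd < 0)
        return -1;

    int clean = 0;
    for (int w = 0; w < nworkers; w++) {
        pid_t pid = fork();
        if (pid == 0) {
            int f = worker(region, len, fd, iters, (unsigned)getpid());
            _exit(f >= 0 ? 0 : 1);      /* clean exit even if some calls failed */
        }
    }
    for (int w = 0; w < nworkers; w++) {
        int status;
        if (wait(&status) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0)
            clean++;
    }
    close(fd);
    munmap(region, len);
    return clean;
}

int main(void)
{
    int n = run_workers(8, 200);
    printf("%d/8 workers finished cleanly\n", n);
    return n == 8 ? 0 : 1;
}
```

The shared mapping is what makes this different from running eight independent fuzzers: every mbind() call replaces a policy object that the other seven processes may be using at that instant, which is exactly the kind of reference-counting path a single-process fuzzer never exercises.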

This led Kosaki Motohiro to audit the mempolicy code, where it looks like he’s found a bunch of long-lived bugs:

Oh, oh my god.. Who could have imagined alloc_pages_vma() was broken!? It is one of the central pieces of Linux memory management code! This bug was introduced by commit 52cd3b0740 (mempolicy: rework mempolicy Reference Counting) in 2008. I.e. it has been living for 4 years!

Four years ago, Trinity was in its infancy (it was then called ‘scrashme’) and lacked the features it has today, so it never managed to get deep enough into these syscalls to cause any damage. Additionally, without multiple processes sharing policies, these bugs wouldn’t have shown up at all.