Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: fuzz crash minimizer should try deleting, rewriting input bytes #48129

Closed
rsc opened this issue Sep 2, 2021 · 4 comments
Closed

cmd/go: fuzz crash minimizer should try deleting, rewriting input bytes #48129

rsc opened this issue Sep 2, 2021 · 4 comments
Labels
FrozenDueToAge fuzz Issues related to native fuzzing support NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.18

Comments

@rsc
Copy link
Contributor

rsc commented Sep 2, 2021

The fuzzer found a crash in a package I'm working on:

go test fuzz v1
string("--\xd6M\x8b<!---->")

I can manually minimize this input further by just doing a trial deletion of each byte, keeping each deletion only if it preserves the crash (not the exact panic message, because slice bounds are changing while remaining invalid, but the fact of a crash). This reduces the input to:

string("M\x8b<!---->")

Then I can change each input byte to an A, one at a time, keeping the crashes. This simplifies to:

string("AA<!---->")

which appears to be the simplest possible (and more readable) form of this crasher.

What I did, the crash minimizer should be able to do. It will result in more ASCII-only crashes. I would suggest for the input byte rewriting to have a priority list ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ trying letters, digit, space, and finally punctuation for each byte, stopping at the first one that preserves the crash. The letters could be thinned out and the punctuation elided if this is too much. Even ABCXYZabcxyz012789 would be fine.

/cc @jayconrod @katiehockman
@rsc rsc added NeedsFix The path to resolution is known, but the work has not been done. release-blocker labels Sep 2, 2021
@rsc rsc added this to the Go1.18 milestone Sep 2, 2021
@rsc
Copy link
Contributor Author

rsc commented Sep 2, 2021

Another good possibility for simplifcation would be seeing if setting x[i] = x[i-1] preserves the crash. The minimizer did a good job cutting "&#XabD02caD0cabD;6206b&#Xca0cabD06b&#XD00cabD06\n" down to "&#XaD0cabD;", but then it could have tried that rule and ended at "&#Xaaaaaaa;".

@jayconrod jayconrod added the fuzz Issues related to native fuzzing support label Sep 9, 2021
@katiehockman
Copy link
Contributor

I'm going to remove the release-blocker label for this one. @rsc LMK if you disagree strongly.

This sounds like an improvement to the minimizer, rather than a bug. Although I definitely agree this is an improvement worth doing, I am trying to trim down the release-blocking work as much as possible and limit it only to features that are essential for the UX and for bugs.
(fwiw we may very well still get to this before 1.18)

@ALTree ALTree mentioned this issue Sep 28, 2021
Closed
@gopherbot
Copy link

Change https://golang.org/cl/352614 mentions this issue: internal/fuzz: minimize str to be human readable

@ameowlia
Copy link
Contributor

ameowlia commented Sep 28, 2021
edited

Hi all,

I submitted an algorithm for this where the minimizer tries to replace every character with a "0". If that doesn't work, then it tries to replace each letter with "a", each symbol with "$", and each punctuation with ".".

@rsc - I would like to run this against the same test you were referencing above. Do you mind sharing the test code you were using if you still have it?

Thanks!

@golang golang locked and limited conversation to collaborators Nov 2, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge fuzz Issues related to native fuzzing support NeedsFix The path to resolution is known, but the work has not been done.
Projects
Go Security
Status: No status
Milestone
Go1.18
Development

No branches or pull requests
5 participants
@rsc @jayconrod @ameowlia @gopherbot @katiehockman