Dave Jones has been fuzzing Linux system calls
lately, and has found a bug
in the interaction between perf and mprotect()
. He has plans for adding other fuzzing techniques and expects that this is just the first bug that will be found. "So I started exploring the idea of writing a tool that instead of passing random junk, actually passed semi sensible data. If the first thing a syscall does is check if a value is between 0 and 3, then passing rand() % 3 is going to get us further into the function than it would if we had just passed rand() unmasked. There are a bunch of other things that can be done too. If a syscall expects a file descriptor, pass one. If it expects an address of a structure, pass it realistic looking addresses (kernel addresses, userspace addresses, 'weird' looking addresses).
to post comments)