LWN: Comments on "Scrutinizing bugs found by syzbot"
https://lwn.net/Articles/872649/

This is a special feed containing comments posted to the individual LWN article titled "Scrutinizing bugs found by syzbot". Feed generated Tue, 21 Oct 2025 06:16:41 +0000.


Scrutinizing bugs found by syzbot
https://lwn.net/Articles/873094/
fryman, Fri, 15 Oct 2021 21:36:11 +0000

No specific questions, but just a thank you for this write-up and coverage. I read many articles and enjoy them, but this one is extremely timely and raises several flags for further slow consideration.


Setting out-of-bounds memory
https://lwn.net/Articles/872925/
epa, Thu, 14 Oct 2021 13:39:39 +0000

I think those sanitizers set canary values and check them, but I meant allowing user space to control what goes into the out-of-bounds memory. Then the fuzzer can experiment with different data to trigger a crash.


Setting out-of-bounds memory
https://lwn.net/Articles/872917/
Sesse, Thu, 14 Oct 2021 10:28:15 +0000

Isn't this exactly what ASan (and by extension, KASAN) is doing?


Scrutinizing bugs found by syzbot
https://lwn.net/Articles/872914/
kleptog, Thu, 14 Oct 2021 10:16:39 +0000

With this many bugs being found and fixed by a fuzzer, is actual progress being made? Are these kinds of bugs being fixed faster than they are being added?

Ideally you'd like each patch, before merging, to be subjected to targeted fuzzing in the area being modified. If that can be made efficient enough, it could maybe detect issues *before* they are merged.

But it's amazing that fuzzing has gotten this advanced. Good stuff!


Setting out-of-bounds memory
https://lwn.net/Articles/872912/
epa, Thu, 14 Oct 2021 08:08:57 +0000

To help fuzzing, the kernel could let you set out-of-bounds memory. It could oversize all allocations by 10% and then, subject to safety checks that the memory really is out of bounds, a system call lets you copy bytes into that extra space. Or you could specify a buffer which will be copied (or partly copied) into the extra 10% of all allocations made from then onwards. Or a buffer to be copied in when kernel memory is freed.

Obviously you'd never enable any of these features or system calls in a production system, but when fuzzing they could help the fuzzer to set up exploits. If it finds one that depends on setting out-of-bounds memory, then this is at least a "theoretical security hole" and could well be a real security hole, if an attacker more intelligent than a fuzzing program can find a way to set up the out-of-bounds memory without the helper system calls.