Subject: Re: [RFC PATCH] iw: add clang-based fuzzer for scan IEs
From: Markus Theil
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org
Date: Thu, 13 Feb 2020 22:42:43 +0100
Message-ID: <508d7975-bbfe-3a95-e967-660491a79b0f@tu-ilmenau.de>
In-Reply-To: <03361a0c6f35db6aac6eab650d35e8ade0541d21.camel@sipsolutions.net>

On 2/13/20 9:19 PM, Johannes Berg wrote:
> FWIW, I applied most of your patches, though some I squashed since you
> just introduced the bugs in a previous non-applied patch ... :)

;)

> Regarding the fuzzing ... how long did you run this?

The first bugs were found nearly instantly, the last ones after several
minutes (<= 20).

> I adjusted this to afl-clang-fast (afl++, not the original) and it's not
> finding much easily...
>
> I guess making it realloc each element into a separate buffer so that
> it's checking out-of-bounds for each element separately will help
> somewhat, let's see...
>
> johannes
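
The per-element isolation idea from the quoted text (each element copied into its own buffer so that out-of-bounds accesses are checked per element), as an added example that is not part of this thread or of the iw patch. It assumes the usual ID/length/payload layout of scan IEs and a sanitizer build; `handle_element`, `walk_ies_isolated` and `sample_ies` are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: SSID "test", two supported rates, then an element
 * whose length byte (5) claims more payload than the single byte left. */
static const uint8_t sample_ies[] = {
	0x00, 0x04, 't', 'e', 's', 't',
	0x01, 0x02, 0x82, 0x84,
	0x03, 0x05, 0x01,
};

/* Hypothetical stand-in for a per-element printer (not iw code). */
static unsigned handle_element(uint8_t id, const uint8_t *data, size_t len)
{
	unsigned sum = id;
	for (size_t i = 0; i < len; i++)
		sum += data[i];
	return sum;
}

/* Walk ID/length/payload elements, giving the handler each payload in its
 * own exact-size heap buffer so a sanitizer redzone starts right after the
 * last payload byte. Returns elements handled; stops at a truncated one. */
int walk_ies_isolated(const uint8_t *ie, size_t ielen)
{
	int count = 0;
	while (ielen >= 2 && ielen - 2 >= ie[1]) {
		uint8_t id = ie[0];
		size_t len = ie[1];
		uint8_t *copy = malloc(len);
		if (!copy && len)
			return -1;	/* allocation failure */
		if (len)
			memcpy(copy, ie + 2, len);
		(void)handle_element(id, copy, len);
		free(copy);
		ie += 2 + len;
		ielen -= 2 + len;
		count++;
	}
	return count;
}

/* libFuzzer entry point (build with -fsanitize=fuzzer,address). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	walk_ies_isolated(data, size);
	return 0;
}
```

Without the copy, a handler that reads one byte past a short element still lands inside the fuzzer's input buffer and goes unreported; with it, the same read hits the redzone of that element's own allocation.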