You are viewing a plain text version of this content. The canonical link for it is here.
Posted to c-dev@xerces.apache.org by Vincent Ulitzsch <vi...@gmail.com> on 2019/10/29 13:57:44 UTC
Integration into oss-fuzz
Dear all,
We were wondering if an integration to oss-fuzz[1] would be interesting
for xerces-c?
This would allow parts of xerces' codebase to be continuously fuzzed, which
would probably result in the detection of security bugs early on in the
development process.
If you are interested, we would be happy to help with writing the fuzzers.
Cheers,
Vincent
[1] https://github.com/google/oss-fuzz
PS: I wrote this email before, but I am afraid it bounced because I was not subscribed to the mailing at the time. Just in case it indeed bounced,
I am sending this email again.
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org
Re: Integration into oss-fuzz
Posted by Vincent Ulitzsch <vi...@gmail.com>.
Dear Xerces-C Development team, especially Scott,
Bhargava (in CC) and I are working on a fuzzer for xerces-c. The goal of
this project is to integrate xerces-c into oss-fuzz, for it to be
continuously fuzzed. A test harness
we set up already found a way reachable failing assertion in the
xerces-c xml parsing code. Find attached a patch that fixes that assertion.
The assertion fails when parsing a malformed xml-file, we attached a
crashing testcase. We would suggest fixing this assertion, since it
opens up the possibility
for Denial of Service attacks via malformed xml files.
We used the code below to parse file and fuzz xerces-c, where Data
contains the contents of the xml-file
and Size is the length of the file content. The parser fails with the
following assertion:
xercesc/internal/XMLReader.cpp:651: bool
xercesc_3_2::XMLReader::getName(xercesc_3_2::XMLBuffer &, const bool):
Assertion `fCharIndex+1 < fCharsAvail' failed.
We would also like to ask you for feedback on our fuzzing harness (code
below). The basic idea is that we want to stress-test xerces-c by
passing different "Data" strings.
Once you are happy with the fuzzing harness, we would send a PR your way
and work for the integration into OSS-Fuzz.
Cheers and thank you,
Bhargava and Vincent
SAXParser::ValSchemes valScheme = SAXParser::Val_Auto;
bool doNamespaces = false;
bool doSchema = false;
bool schemaFullChecking = false;
SAXParser *parser = new SAXParser;
parser->setValidationScheme(valScheme);
parser->setDoNamespaces(doNamespaces);
parser->setDoSchema(doSchema);
parser->setHandleMultipleImports(true);
parser->setValidationSchemaFullChecking(schemaFullChecking);
static const char *gMemBufId = "prodInfo";
MemBufInputSource *memBufIS = new MemBufInputSource(
(const XMLByte *)Data, Size, gMemBufId, false);
parser->parse(*memBufIS);
delete parser;
delete memBufIS;
On 10/31/19 1:38 PM, Cantor, Scott wrote:
> On 10/29/19, 11:51 AM, "Vincent Ulitzsch" <vi...@gmail.com> wrote:
>
>> We were wondering if an integration to oss-fuzz[1] would be interesting
>> for xerces-c?
> It falls into the category of "don't ask questions you don't want the answers to". It will likely lead to the discovery of many vulnerabilities, some possibly difficult or impossible to fix based on the remaining knowledge of the code and the resources available.
>
>> This would allow parts of xerces' codebase to be continuously fuzzed, which
>> would probably result in the detection of security bugs early on in the
>> development process.
> There is no active development. There have been build process changes of late, but nothing else really of note.
>
>> If you are interested, we would be happy to help with writing the fuzzers.
> s/help/do the work, then I'm happy to see it happen, but I have no knowledge of, nor time to, work on such a thing.
>
> -- Scott
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
> For additional commands, e-mail: c-dev-help@xerces.apache.org
>
Re: Integration into oss-fuzz
Posted by "Cantor, Scott" <ca...@osu.edu>.
On 10/29/19, 11:51 AM, "Vincent Ulitzsch" <vi...@gmail.com> wrote:
> We were wondering if an integration to oss-fuzz[1] would be interesting
> for xerces-c?
It falls into the category of "don't ask questions you don't want the answers to". It will likely lead to the discovery of many vulnerabilities, some possibly difficult or impossible to fix based on the remaining knowledge of the code and the resources available.
> This would allow parts of xerces' codebase to be continuously fuzzed, which
> would probably result in the detection of security bugs early on in the
> development process.
There is no active development. There have been build process changes of late, but nothing else really of note.
> If you are interested, we would be happy to help with writing the fuzzers.
s/help/do the work, then I'm happy to see it happen, but I have no knowledge of, nor time to, work on such a thing.
-- Scott