OSDev.org

Posted: **Sun Jun 27, 2021 12:30 pm**

So I just fuzzed serde via postcard (serde itself can't serialize or deserialize anything). My code was as follows:

#![no_main]
use libfuzzer_sys::fuzz_target;
use postcard::from_bytes;
use serde::{Deserialize, Serialize};

#[repr(C)]
#[derive(
    Clone, Copy, Debug, Default, Eq, PartialEq, Ord, PartialOrd, Hash, Serialize, Deserialize,
)]
struct ReadRequest {
    pub fd: u64,
    pub buf_addr: u64,
    pub size: usize,
}

fuzz_target!(|data: &[u8]| {
    match from_bytes::<ReadRequest>(data) {
        Ok(mut req) => {
            req.fd = 0;
            req.buf_addr = 0;
            req.size = 0;
        }
        Err(_) => {}
    }
});

It didn't crash at all during my fuzzing. I didn't run it for long -- it got up to about #134 million -- but my fuzzing might've not been exhaustive/adequate enough. (I know that humans are naturally unpredictable so fuzzing isn't a complete guarantee, but as far as I know its as close as you can get.)

Posted: **Mon Jun 28, 2021 11:50 am**

That doesn't fuzz against concurrent modification though (which you cannot really represent in Rust because it'd involve data races / two mut refs to the same array).

Posted: **Mon Jun 28, 2021 2:30 pm**

Korona wrote:That doesn't fuzz against concurrent modification though (which you cannot really represent in Rust because it'd involve data races / two mut refs to the same array).

This can be fuzzed via static mut. The problem is simulating the threads. The input isn't static; its a macro (fuzz_target!), though perhaps fuzz_mutator! may help. I've submitted a forum on rust-users asking how to do that.

OSDev.org

Question about a design of syscalls for microkernels

Re: Question about a design of syscalls for microkernels

Re: Question about a design of syscalls for microkernels

Re: Question about a design of syscalls for microkernels