Crashes found using automated mangleme testing.

RESOLVED DUPLICATE of bug 264944

Status

()

defect
RESOLVED DUPLICATE of bug 264944
14 years ago
10 years ago

People

(Reporter: bc, Assigned: dveditz)

Tracking

(Blocks 1 bug, {meta})

Trunk
x86
All
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse] meta)

Attachments

(4 attachments)

This bug is marked security sensitive and separate from bug 264944 until the issues involved have been resolved.
This is the original version of mangleme I started with.
This is the modified version of mangleme I use in automated testing. It replaces the platform dependent random numbers with a simple version which is not platform dependent, adds a new program mangle-scan.cgi.c which is used to look for crashes in sequences of 256 input parameters.

In the automated testing, the driving scripts pick a random initial parameter value of the form 0xXXXX0000 and calls mangle-scan.cgi?parm. If mangle-scan.cgi does not find a crash in the next 0x100 parameters, the driving script calls mangle-scan.cgi with the parameter increased by 0x100. If a crash/timeout is found, then the driving script calls remangle.cgi for each parameter value in the range looking for the particular value which crashed or timed out.

The entire run consists of searching for all crashes/timeouts for parameters 0xXXXX0000 - 0xXXXXFFFF.

The driving scripts and other infrastructure are kept on the qa machines at mofo.
Keywords: meta
Whiteboard: [sg:nse] meta
crashes or timeouts found in this run appear as 

mangleme: 0xXXXXXXXX...

while older crashes which were reproducible in this run appear as 
mangleme: http://..../remangle.cgi?0xXXXXXXXX

The end of each line identifies the machine, the date the test run began and the build which was tested. For example, 

prunessh/2005-12-17-02-34-33-firefox-1.5-build-dbg-1.8_2005121411.log

was run on prune (a windows machine), on Dec 17, using a 1.8 debug build built on 2005-12-14-11. 

You can reproduce each test case by running remangle.cgi from the modified mangleme package with the appropriate parameter.
I was at conference talk about fuzz testing, the author raised a complaint against mangleme in the original version that it does not test all html tags and does not use all possible attributes. See http://ilja.netric.org/files/fuzzers/htmler.py for a more complete list.

Even the html4 list does not include our own special tags that are listed at http://landfill.mozilla.org/mxr-test/seamonkey/source/content/html/content/src/nsHTMLAtomList.h
canvas comes into mind


Depends on: 323026
bc, does this metabug still need to be private and separate from bug 264944?
No.
Group: core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: Zalewski
You need to log in before you can comment on or make changes to this bug.