Bug 320928 (Closed)
Opened 19 years ago
Closed 16 years ago
Crashes found using automated mangleme testing.
Categories
(Core :: Security, defect)
RESOLVED
DUPLICATE
of bug 264944
People
(Reporter: bc, Assigned: dveditz)
References
(Blocks 1 open bug)
Details
(Keywords: meta, Whiteboard: [sg:nse] meta)
Attachments
(4 files)
This bug is marked security sensitive and separate from bug 264944 until the issues involved have been resolved.
Comment 1 • 19 years ago • Reporter (bc)
This is the original version of mangleme I started with.
Comment 2 • 19 years ago • Reporter (bc)
This is the modified version of mangleme I use in automated testing. It replaces the platform-dependent random numbers with a simple version which is not platform dependent, and adds a new program, mangle-scan.cgi.c, which is used to look for crashes in sequences of 256 input parameters.
In the automated testing, the driving scripts pick a random initial parameter value of the form 0xXXXX0000 and call mangle-scan.cgi?parm. If mangle-scan.cgi does not find a crash in the next 0x100 parameters, the driving script calls mangle-scan.cgi with the parameter increased by 0x100. If a crash/timeout is found, then the driving script calls remangle.cgi for each parameter value in the range, looking for the particular value which crashed or timed out.
The entire run consists of searching for all crashes/timeouts for parameters 0xXXXX0000 - 0xXXXXFFFF.
The driving scripts and other infrastructure are kept on the qa machines at mofo.
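The sweep described in comment 2, as an added illustration that is not part of this bug, its attachments, or the mangleme package: a Python model of the driving script, with the browser under test replaced by a constructed lookup table of parameters that "crash" or "time out". The function names mangle_scan and remangle mirror the two CGI scripts the comment names; the block size of 0x100, the 0xXXXX0000 to 0xXXXXFFFF range and the two-phase scan-then-reproduce structure come from the comment, everything else (the fake browser, the report format) is an assumption made here.

```python
import random
from typing import Callable, Dict, List, Optional

BLOCK = 0x100      # mangle-scan.cgi examines a run of 256 consecutive parameters
RANGE = 0x10000    # one full run covers parameters 0xXXXX0000 - 0xXXXXFFFF

# Outcome of rendering one test case: "crash", "timeout", or None (rendered fine).
Outcome = Optional[str]


def make_fake_browser(crashes, timeouts) -> Callable[[int], Outcome]:
    """Constructed stand-in for launching the build under test on one test case.
    A real run renders remangle.cgi?param in the browser; here the outcome is a
    table lookup so the driver logic can be exercised offline."""
    crashes, timeouts = set(crashes), set(timeouts)

    def render(param: int) -> Outcome:
        if param in crashes:
            return "crash"
        if param in timeouts:
            return "timeout"
        return None

    return render


def mangle_scan(render: Callable[[int], Outcome], start: int) -> bool:
    """Role of mangle-scan.cgi?start: report whether any of the next 0x100
    parameters crashes or times out, without saying which one."""
    return any(render(p) is not None for p in range(start, start + BLOCK))


def remangle(render: Callable[[int], Outcome], param: int) -> Outcome:
    """Role of remangle.cgi?param: reproduce one specific test case."""
    return render(param)


def pick_initial_parameter(seed: int) -> int:
    """Random start value of the form 0xXXXX0000, as in comment 2 (seeded here
    so the example is deterministic)."""
    return random.Random(seed).randrange(0, 0x10000) << 16


def run_driver(render: Callable[[int], Outcome], prefix: int) -> Dict[int, str]:
    """The driving script from comment 2: sweep 0xXXXX0000 - 0xXXXXFFFF in
    blocks of 0x100 and, only when mangle-scan reports a crash/timeout in a
    block, fall back to remangle.cgi for each value in that block to pin down
    the exact parameter that misbehaved."""
    base = prefix << 16
    found: Dict[int, str] = {}
    for start in range(base, base + RANGE, BLOCK):
        if not mangle_scan(render, start):
            continue                       # clean block: skip ahead by 0x100
        for param in range(start, start + BLOCK):
            outcome = remangle(render, param)
            if outcome is not None:
                found[param] = outcome
    return found


def report_lines(found: Dict[int, str]) -> List[str]:
    """One line per reproducible case. Comment 4 shows new findings as
    'mangleme: 0xXXXXXXXX...'; the outcome suffix appended here is assumed."""
    return [f"mangleme: 0x{param:08X} ({outcome})"
            for param, outcome in sorted(found.items())]


if __name__ == "__main__":
    # Constructed fault table: two crashes and one timeout inside prefix 0x1234.
    browser = make_fake_browser(crashes=[0x12340042, 0x1234A1FF],
                                timeouts=[0x12340043])
    for line in report_lines(run_driver(browser, 0x1234)):
        print(line)
```

Because mangle-scan only answers "something in this block failed", the driver pays the per-parameter reproduction cost on at most the few blocks that actually contain a failure, while still visiting every value in the 0x10000 range; the same two-phase shape is what lets the comment 4 logs list the exact remangle.cgi parameter for each reproducible case.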
Comment 3 • 19 years ago • Reporter (bc)
Comment 4 • 19 years ago • Reporter (bc)
Crashes or timeouts found in this run appear as
mangleme: 0xXXXXXXXX...
while older crashes which were reproducible in this run appear as
mangleme: http://..../remangle.cgi?0xXXXXXXXX
The end of each line identifies the machine, the date the test run began and the build which was tested. For example,
prunessh/2005-12-17-02-34-33-firefox-1.5-build-dbg-1.8_2005121411.log
was run on prune (a Windows machine), on Dec 17, using a 1.8 debug build built on 2005-12-14-11.
You can reproduce each test case by running remangle.cgi from the modified mangleme package with the appropriate parameter.
I was at a conference talk about fuzz testing, and the author raised a complaint against mangleme in the original version: that it does not test all HTML tags and does not use all possible attributes. See http://ilja.netric.org/files/fuzzers/htmler.py for a more complete list.
Even the HTML4 list does not include our own special tags that are listed at http://landfill.mozilla.org/mxr-test/seamonkey/source/content/html/content/src/nsHTMLAtomList.h
canvas comes to mind.
Comment 6 • 16 years ago
bc, does this metabug still need to be private and separate from bug 264944?
Comment 7 • 16 years ago • Reporter (bc)
No.
Group: core-security
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE