Closed Bug 320928 Opened 19 years ago Closed 16 years ago

Crashes found using automated mangleme testing.

Categories

(Core :: Security, defect)

x86
All
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 264944

People

(Reporter: bc, Assigned: dveditz)

References

(Blocks 1 open bug)

Details

(Keywords: meta, Whiteboard: [sg:nse] meta)

Attachments

(4 files)

This bug is marked security sensitive and separate from bug 264944 until the issues involved have been resolved.
This is the original version of mangleme I started with.
This is the modified version of mangleme I use in automated testing. It replaces the platform dependent random numbers with a simple version which is not platform dependent, adds a new program mangle-scan.cgi.c which is used to look for crashes in sequences of 256 input parameters. In the automated testing, the driving scripts pick a random initial parameter value of the form 0xXXXX0000 and calls mangle-scan.cgi?parm. If mangle-scan.cgi does not find a crash in the next 0x100 parameters, the driving script calls mangle-scan.cgi with the parameter increased by 0x100. If a crash/timeout is found, then the driving script calls remangle.cgi for each parameter value in the range looking for the particular value which crashed or timed out. The entire run consists of searching for all crashes/timeouts for parameters 0xXXXX0000 - 0xXXXXFFFF. The driving scripts and other infrastructure are kept on the qa machines at mofo.
Keywords: meta
Whiteboard: [sg:nse] meta
crashes or timeouts found in this run appear as mangleme: 0xXXXXXXXX... while older crashes which were reproducible in this run appear as mangleme: http://..../remangle.cgi?0xXXXXXXXX The end of each line identifies the machine, the date the test run began and the build which was tested. For example, prunessh/2005-12-17-02-34-33-firefox-1.5-build-dbg-1.8_2005121411.log was run on prune (a windows machine), on Dec 17, using a 1.8 debug build built on 2005-12-14-11. You can reproduce each test case by running remangle.cgi from the modified mangleme package with the appropriate parameter.
I was at conference talk about fuzz testing, the author raised a complaint against mangleme in the original version that it does not test all html tags and does not use all possible attributes. See http://ilja.netric.org/files/fuzzers/htmler.py for a more complete list. Even the html4 list does not include our own special tags that are listed at http://landfill.mozilla.org/mxr-test/seamonkey/source/content/html/content/src/nsHTMLAtomList.h canvas comes into mind
Depends on: 323026
bc, does this metabug still need to be private and separate from bug 264944?
No.
Group: core-security
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: