trailofbits / ruzzy

A coverage-guided fuzzer for pure Ruby code and Ruby C extensions
GNU Affero General Public License v3.0
80 stars 5 forks

Fuzzing candidates #2

Open mschwager opened 10 months ago

mschwager commented 10 months ago

EDIT: more:

mschwager commented 9 months ago

It looks like json, psych, and date are already fuzzed here: https://github.com/google/oss-fuzz/tree/master/projects/ruby.

zlib could be interesting, although that extension appears to be a direct copy of the ubiquitous Zlib C library, so it's probably already been fuzzed extensively.

woodruffw commented 9 months ago

nokogiri (especially the SAX parser) is also worth fuzzing, they have a long track record of NPEs and other memory violations: https://www.cvedetails.com/vulnerability-list/vendor_id-20514/product_id-59208/Nokogiri-Nokogiri.html

Edit: Fuzzed here: https://github.com/google/oss-fuzz/tree/master/projects/nokogiri

mschwager commented 9 months ago

> nokogiri (especially the SAX parser) is also worth fuzzing, they have a long track record of NPEs and other memory violations: https://www.cvedetails.com/vulnerability-list/vendor_id-20514/product_id-59208/Nokogiri-Nokogiri.html
>
> Edit: Fuzzed here: https://github.com/google/oss-fuzz/tree/master/projects/nokogiri

Good call, looks like they're only doing UBSAN though? https://github.com/google/oss-fuzz/blob/master/projects/nokogiri/project.yaml#L9-L10

woodruffw commented 9 months ago

Yeah, interesting choice 🤔

woodruffw commented 9 months ago

The ffi gem might also be worth fuzzing: https://github.com/ffi/ffi

mschwager commented 9 months ago

Here's a useful GH query for finding repositories with an extconf.rb file (indicates a Ruby C extension): https://github.com/search?q=lang%3Aruby+path%3Aextconf.rb+NOT+is%3Aarchived&type=code.

mschwager commented 3 months ago

Ruby C code that accepts Marshal'ed data:

Ruby RubyVM::InstructionSequence binary functionality:
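As an added illustration of the Marshal candidate above (example code written for this page, not from the ruzzy repository or the thread participants): a ruzzy-style harness around `Marshal.load` that swallows the exceptions Marshal raises on malformed input, so only unexpected exceptions and native crashes reach the fuzzing engine. The `Ruzzy.fuzz(test_one_input)` entry-point shape is assumed from ruzzy's README and is only invoked when the gem is loaded, so the file also runs on its own.

```ruby
# Added example: a ruzzy-style harness for Marshal.load (not ruzzy's own code).
# A real harness would start with `require 'ruzzy'`; omitted here so the
# target and seed corpus can be exercised without the gem installed.

# Exceptions Marshal.load raises on malformed input. These are the parser
# rejecting bad bytes, not bugs, so the harness must not report them.
EXPECTED_ERRORS = [ArgumentError, TypeError, EOFError].freeze

# Returns :loaded when the bytes deserialise and :rejected when Marshal
# raised one of the expected errors. Anything else (an unexpected Ruby
# exception or a crash in the C implementation) propagates to the engine.
def marshal_target(data)
  Marshal.load(data)
  :loaded
rescue *EXPECTED_ERRORS
  :rejected
end

# The callable handed to the fuzzing engine; 0 is the return value the
# engine expects for "input processed" (assumed from ruzzy's README).
TEST_ONE_INPUT = lambda do |data|
  marshal_target(data)
  0
end

# Constructed seed corpus: one valid Marshal blob, the same blob truncated
# mid-string, and a blob with an undefined type byte after the version.
SEEDS = {
  valid: Marshal.dump({ "k" => [1, 2.5, :sym, nil] }),
  truncated: Marshal.dump({ "k" => [1, 2.5, :sym, nil] })[0, 6],
  garbage: "\x04\x08\xff".b,
}.freeze

# Only hand the harness to the engine when running under ruzzy.
Ruzzy.fuzz(TEST_ONE_INPUT) if defined?(Ruzzy)
```

Run the file directly to confirm the seeds behave as expected, then run it under ruzzy to let the engine mutate the corpus.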