haypo / fusil

Fusil the fuzzer is a Python library used to write fuzzing programs. It helps to start a process with a prepared environment, start a network client or server, and create mangled files. Fusil has many probes to detect a program crash: it watches the process exit code, process stdout/syslog for text patterns, session duration, CPU usage, etc.

Clone this repository (size: 1.6 MB) over HTTPS or SSH:
$ hg clone http://bitbucket.org/haypo/fusil/

fusil-python is the most active fuzzer. I'm using it on Python since April 2007 (3 years ago). I tried fusil-python on CPython 2.5, 2.6, 2.7 (alpha), 3.0, 3.1 and 3.2 (alpha), PyPy 1.1, 1.2 (alpha) with the JIT, and Unladen Swallow.

CPython bugs found by fusil-python (not fixed yet)

  1. 2010-01-11: audioop: check that length is a multiple of the size
    1. Module: audioop, cause: insufficient input validation, consequence: write to uninitialized memory
  2. 2010-01-10: _sqlite3: Block *all* operations on a closed Connection object
    1. Module: sqlite3, cause: operations on a closed connection, consequence: ?
  3. 2009-12-19: Fatal error on thread creation in low memory condition
    1. Module: thread, cause: insufficient error handling, consequence: quit python (fatal error)
  4. 2009-12-13: _lsprof (cProfile): Profiler.clear() keeps references to destroyed nodes
    1. Module: cProfile, cause: ?, consequence: read freed memory (may raise a segmentation fault)
  5. 2009-12-11: _sqlite3 doesn't catch PyDict_SetItem error
    1. Module: sqlite3, cause: missing error handling, consequence: ?

CPython bugs found by fusil-python (fixed)

  1. 2010-01-14: fix output string length for binascii.b2a_uu() (commit)
    1. Module: binascii, cause: error in output buffer size computation, consequence: write to uninitialized memory
  2. 2009-12-08: crash in str.rfind() with an invalid start value (commit 1, commit 2, not written by me)
    1. Module: __builtin__ (str type), cause: insufficient input validation, consequence: read uninitialized memory
  3. 2009-12-08: cPickle: stack underflow in load_pop() (commit)
    1. Module: cPickle, cause: ?, consequence: read uninitialized memory
  4. 2009-09-24: _json crash on scanner/encoder initialization error (commit)
    1. Module: json, cause: insufficient error handling, consequence: ?
  5. 2009-07-22: bytearray.translate(): error in error handling (commit)
    1. Module: __builtin__ (bytearray type), cause: insufficient error handling, consequence: read uninitialized memory
  6. 2009-05-05: _json: _convertPyInt_AsSsize_t() never raises any error (commit)
    1. Module: json, cause: insufficient input validation, consequence: read uninitialized memory
  7. 2009-01-30: Invalid UTF-8 ("%s") length in PyUnicode_FromFormatV() (commit)
    1. Module: __builtin__ (unicode type), cause: ?, consequence: write into uninitialized memory
  8. 2008-09-30: fix security issue 2: imageop's poor validation of arguments could result in segfaults (commit)
    1. Module: imageop, cause: insufficient input validation, consequence: read and write from/into uninitialized memory
  9. 2008-09-26: Check PyInt_AsSsize_t/PyLong_AsSsize_t error (commit 1, commit 2)
    1. Module: struct and io (BytesIO and StringIO), cause: insufficient error handling, consequence: ?
  10. 2008-09-25: bytearray().count() (commit)
    1. Module: __builtin__ (bytearray type), cause: insufficient input validation, consequence: read uninitialized memory
  11. 2008-09-24: _hotshot: invalid error control in logreader() (commit)
    1. Module: hotshot, cause: invalid error handling, consequence: unexpected exception during garbage collection (fatal error)
  12. 2008-09-24: _lsprof: clear() should call flush_unmatched() (invalid, unable to reproduce the crash)
    1. Module: cProfile, cause: ?, consequence: ?
  13. 2008-09-16: errors on _bsddb creation and dealloc (commit)
    1. Module: bsddb, cause: uninitialized memory, consequence: read uninitialized memory
    2. Module: bsddb, cause: invalid error handling, consequence: unexpected exception during garbage collection (fatal error)
  14. 2008-09-16: _tkinter._flatten() doesn't check PySequence_Size() error code (commit)
    1. Module: Tkinter, cause: missing error handling, consequence: unexpected exception during garbage collection (fatal error)
  15. 2008-08-22: Add more checks to testcapi (commit 1, commit 2)
    1. Module: testcapi, cause: insufficient input validation, consequence: unexpected exception during garbage collection (fatal error)
  16. 2008-08-21: Remove module level functions in _tkinter that depend on TkappObject (commit for py3k, commit for trunk)
    1. Module: Tkinter, cause: ?, consequence: write into uninitialized memory
  17. 2008-08-21: invalid result value of _weakref.__init__() (commit)
    1. Module: weakref, cause: bug in error handler, consequence: unexpected exception during garbage collection (fatal error)
  18. 2008-08-21: use string_print() in gdb (commit). Not a bug, but it helps development.
  19. 2008-08-20: _json: fix raise_errmsg(), py_encode_basestring_ascii() and linecol() (commit 1, commit 2)
    1. Module: json, cause: missing error handling, consequence: read uninitialized memory
  20. 2008-08-20: possible deadlock in python IO implementation (fixed by the new io library)
    1. Module: io, cause: a profiling callback writing to stdout while a function is also writing to stdout, consequence: deadlock
  21. 2008-08-20: Invalid exception context (commit 1, commit 2)
  22. 2008-07-08: bugs in scanstring_str() and scanstring_unicode() of _json module (commit)
    1. Module: json, cause: insufficient input validation, consequence: read uninitialized memory
  23. 2008-07-08: _multiprocessing.Connection() doesn't check handle (commit)
    1. Module: multiprocessing, cause: insufficient input validation, consequence: write into uninitialized memory
  24. 2008-07-07: dlopen() error with no error message from dlerror() (commit)
    1. Module: dl and ctypes, cause: missing error handling, consequence: read uninitialized memory (NULL pointer)
  25. 2008-07-07: bugs in _sqlite module (commit)
    1. Module: sqlite3, cause: missing error handling, consequence: read uninitialized memory (NULL pointer)
  26. 2008-07-07: block operation on closed socket/pipe for multiprocessing (commit)
  27. 2008-07-07: missing lock release in BZ2File_iternext() (commit)
    1. Module: bz2, cause: invalid error handling, consequence: deadlock
  28. 2008-07-06: invalid check of _bsddb creation failure (commit)
    1. Module: bsddb, cause: invalid error handling, consequence: read uninitialized memory
  29. 2008-07-06: audioop.findmax() crashes with negative length (commit)
    1. Module: audioop, cause: insufficient input validation, consequence: read uninitialized memory
  30. 2008-07-06: Use Py_XDECREF() instead of Py_DECREF() in MultibyteCodec and MultibyteStreamReader (commit)
    1. Module: multibytecodec, cause: invalid error handling, consequence: read uninitialized memory (NULL pointer)
  31. 2008-07-06: invalid call to PyMem_Free() in fileio_init() (commit)
    1. Module: io (FileIO class), cause: invalid error handling, consequence: ?
  32. 2008-07-06: invalid ref count on locale.strcoll() error (commit)
    1. Module: locale, cause: invalid error handling, consequence: invalid reference count
  33. 2008-07-06: segfault on gettext(None) (commit)
    1. Module: locale, cause: insufficient input validation, consequence: read uninitialized memory (NULL pointer)
  34. 2008-07-06: DoS when lo is negative in bisect.insort_right() / _left() (commit)
    1. Module: bisect, cause: insufficient input validation, consequence: infinite loop (denial of service)
  35. 2007-04-10: Segfaults on memory error (commit)
    1. Module: __builtin__ (Exception, long and object types), cause: missing error handling, consequence: read uninitialized memory (NULL pointer)

PyPy and Unladen Swallow

PyPy and Unladen Swallow were also tested using Fusil:


This revision is from 2010-01-25 02:21