intel/kernel-fuzzer-for-xen-project

Handling 0 length inputs (and/or improve IPC)

v-p-b opened this issue · 2 comments

v-p-b commented

inject_input() reports failure when input length is 0:

https://github.com/intel/kernel-fuzzer-for-xen-project/blob/master/src/main.c#L25

As a result, afl_report() is not called, and AFL assumes that calibration failed (well, it kind of did), terminating the setup.

IMO a 0 length input can be valid, so inject_input() could just exit early with success. I'm not familiar enough with the code yet to decide if failed input injections should terminate the fuzzing process or the harness should just report back to AFL like nothing happened, but this part may need some improvement too.

Injecting an input of 0 length is effectively doing no fuzzing at all. So for calibration it might be OK, since at that stage AFL is just trying to get a feel for how long things take normally so it can guess when things hang. But otherwise it's definitely a condition that's worth stopping on because it might mean the user just supplied a bad seed and there is no point in spinning for a while before the user notices that nothing is happening.
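To make the failure path concrete, here is an added C model of the harness flow discussed above (example code written for this page, not from the kernel-fuzzer-for-xen-project sources). `inject_input_strict`, `inject_input_lenient`, `afl_report_stub`, `run_iteration` and `GUEST_BUF_SIZE` are hypothetical stand-ins; it shows why a rejected empty input means no report ever reaches AFL, and how the proposed early-success return changes that.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define GUEST_BUF_SIZE 64                       /* assumed target buffer size */
static unsigned char guest_buf[GUEST_BUF_SIZE]; /* stands in for guest memory */

/* Behaviour described in the issue: a 0-length input is treated as a failure. */
static bool inject_input_strict(const unsigned char *in, size_t len) {
    if (len == 0 || len > GUEST_BUF_SIZE) return false;
    memcpy(guest_buf, in, len);
    return true;
}

/* Proposed behaviour: a 0-length input is a valid no-op injection. */
static bool inject_input_lenient(const unsigned char *in, size_t len) {
    if (len > GUEST_BUF_SIZE) return false;
    if (len == 0) return true;      /* nothing to copy, but the run still counts */
    memcpy(guest_buf, in, len);
    return true;
}

/* Hypothetical report hook; the real harness calls afl_report() here. */
static int reports_sent = 0;
static void afl_report_stub(void) { reports_sent++; }

/* One iteration: inject, run, report. A failed injection returns before the
 * report, which is what makes AFL conclude that calibration failed. */
static bool run_iteration(bool (*inject)(const unsigned char *, size_t),
                          const unsigned char *in, size_t len) {
    if (!inject(in, len)) return false;   /* no report reaches AFL */
    afl_report_stub();                    /* target ran; tell AFL about it */
    return true;
}

/* How many reports AFL sees after a single empty-input run under each policy. */
static int reports_after_empty_input(bool lenient) {
    reports_sent = 0;
    run_iteration(lenient ? inject_input_lenient : inject_input_strict,
                  (const unsigned char *)"", 0);
    return reports_sent;
}

/* Oversized inputs are still rejected under both policies. */
static bool oversized_input_rejected(void) {
    static const unsigned char big[GUEST_BUF_SIZE + 1] = {0};
    return !inject_input_strict(big, sizeof big) &&
           !inject_input_lenient(big, sizeof big);
}
```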

v-p-b commented

OK. Since this was practically a side-effect of #7 I'm closing the ticket for now.