
Most Recent Change: Fri Aug 3 08:57:23 2001 UTC.
(Thanks to another Scott A. Maxwell (!) for the cool high-tech fighting-penguin logo.)
A well-known 1995 paper (available in PostScript or PDF format) showed that Linux and GNU utilities handled unexpected random input much better than commercial Unixes -- fewer crashes, fewer hangs. But I decided that the 6-9% failure rate reported in this paper still wasn't good enough: I want my GNU/Linux box to be bulletproof!
So I went through all the bugs the paper reported and fixed every one I could reproduce. I've sent all of my patches to the maintainers, so I'm sure official fixes will appear before long. In the meantime, you can retrieve the patches below. I intend to continue fuzz-testing GNU software and will provide patches as I uncover and fix more problems.
The status of these and other applications I've fuzz-tested are listed on the status page.
In the following table, ``Type'' is either ``C'' if the patch fixes a crash or ``H'' if it fixes a hang (loosely, an infinite loop), or ``B'' for both. Sorry for using preformatted text rather than an HTML table here -- it may not be pretty, but it's Lynx-friendly!
Program/Version  | Type   | README   | Patch   | Unpatched SRPM (from Red Hat)
-----------------+--------+----------+---------+-------------------------------
pbmclean 2.0.13  | C      | README   | Patch   | libgr-2.0.13-13
pbmtext 2.0.13   | C      | README   | Patch   | libgr-2.0.13-13
game 4.0pl77     | C      | README   | Patch   | gnuchess-4.0.pl77-5
cproto 4.4       | C      | README   | Patch   | cproto-4.4-7
cproto 4.4       | B      | README   | Patch   | cproto-4.4-7
bison 1.25       | C      | README   | Patch   | bison-1.25-4
bison 1.25       | C      | README   | Patch   | bison-1.25-4
bison 1.25       | B      | README   | Patch   | bison-1.25-4
asciitopgm 2.0.13| C      | README   | Patch   | libgr-2.0.13-4
gas 2.8.1        | C      | README   | Patch   | binutils-2.8.1.0.1-1
dc 1.04          | C      | README   | Patch   | bc-1.04
flex 2.5.4a      | C      | README   | Patch   | flex-2.5.4a
indent 1.9.1     | H      | README   | Patch   | indent-1.9.1
ul 2.7           | C      | README   | Patch   | util-linux-2.7
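The kind of driver that produces a table like this, given here as an added example and not the author's own testing aids (those are linked from the 1999 Jan 17 note below but are not reproduced on this page): it feeds a program random bytes on standard input and labels each run the way the Type column does, C when the process died from a signal, H when it was still running at the timeout (the loose "infinite loop" above), or OK when it exited on its own. The seed-based input generation, the function names and the target command lines in main() are constructed for the example; it assumes a POSIX system with fork/exec.

```c
/* Added example: a minimal stdin fuzz driver with crash/hang classification.
 * Not the testing aids from the page. POSIX only (fork, pipe, waitpid). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

typedef enum { FUZZ_OK = 0, FUZZ_CRASH = 'C', FUZZ_HANG = 'H', FUZZ_ERROR = -1 } fuzz_result;

/* Deterministic pseudo-random input: the seed alone replays a failing case,
 * which is what a bug report to the maintainer needs. */
void fill_random(unsigned char *buf, size_t len, unsigned seed) {
    srand(seed);
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
}

/* Run argv with `len` bytes on stdin; wait at most timeout_sec seconds. */
fuzz_result run_once(char *const argv[], const unsigned char *input, size_t len, int timeout_sec) {
    int fds[2];
    if (pipe(fds) != 0)
        return FUZZ_ERROR;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return FUZZ_ERROR; }
    if (pid == 0) {
        /* Child: stdin from the pipe, output discarded, no core files left behind. */
        struct rlimit nocore = { 0, 0 };
        setrlimit(RLIMIT_CORE, &nocore);
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) { dup2(devnull, STDOUT_FILENO); dup2(devnull, STDERR_FILENO); }
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[0]);
    /* The target may die before reading everything, so a write can hit EPIPE;
     * that is not a result we care about, so SIGPIPE must not kill us. */
    signal(SIGPIPE, SIG_IGN);
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fds[1], input + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; break; }
        off += (size_t)n;
    }
    close(fds[1]);

    /* Poll for exit; whatever is still alive at the deadline counts as a hang. */
    time_t deadline = time(NULL) + timeout_sec;
    int status = 0;
    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            break;
        if (r < 0 && errno != EINTR)
            return FUZZ_ERROR;
        if (time(NULL) >= deadline) {
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);   /* reap it so no zombie is left */
            return FUZZ_HANG;
        }
        struct timespec pause = { 0, 10 * 1000 * 1000 };   /* 10 ms */
        nanosleep(&pause, NULL);
    }
    return WIFSIGNALED(status) ? FUZZ_CRASH : FUZZ_OK;
}

/* Run `iterations` cases with seeds 0..iterations-1. On the first crash or
 * hang return its seed and set *result; return -1 with FUZZ_OK if the
 * target survived every case. */
long fuzz_campaign(char *const argv[], int iterations, size_t len, int timeout_sec, fuzz_result *result) {
    unsigned char *buf = malloc(len);
    if (buf == NULL) { *result = FUZZ_ERROR; return -1; }
    for (int i = 0; i < iterations; i++) {
        fill_random(buf, len, (unsigned)i);
        *result = run_once(argv, buf, len, timeout_sec);
        if (*result != FUZZ_OK) { free(buf); return i; }
    }
    free(buf);
    *result = FUZZ_OK;
    return -1;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    fuzz_result res;
    long seed = fuzz_campaign(argv + 1, 100, 4096, 5, &res);
    if (seed < 0) { puts(res == FUZZ_OK ? "survived 100 cases" : "could not run target"); return res == FUZZ_OK ? 0 : 2; }
    printf("%s at seed %ld\n", res == FUZZ_HANG ? "H (hang)" : "C (crash)", seed);
    return 1;
}
```

Run it as `./fuzz indent` or `./fuzz cproto` to put a program through 100 random inputs; a reported seed regenerates the exact input, so the failing case can go straight into a bug report. Programs that take their input from a file named on the command line need a variant that writes the buffer to a temporary file first.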
(Note (1999 Nov 27): Tested another three dozen or so applications; the results, as always, have been added to the status page. Two bugs were found -- one each in pbmtext and pbmclean. The patches are given above.)
(Note (1999 Oct 14): Now that my wrists and I have recovered somewhat from the book, I'm back to fuzz-testing. The status page is current, and is now being sporadically updated as testing progresses.)
(Note (1999 May 02): As I've just discovered, time flies when you're writing a Linux book. That's what I'm doing, and I'm sorry to say it's left me zero time for this project lately. Don't worry, though; the Bulletproof Penguin is not dead, it's just going to move very slowly for the next few months, 'til the book is done.)
(Note (1999 Jan 26): Tested another 32 applications -- no fuzz bugs found! Updated the status page to reflect the new results.)
(Note (1999 Jan 27): Added a patch for two bugs found in game, a utility that's part of gnuchess.)
(Note (1999 Jan 26): Tested another dozen applications or so -- no bugs in any of them! Wow, you guys are good. Updated the status page to reflect the new results.)
(Note (1999 Jan 21): Added cproto patches. There's one more bug I haven't fully fixed yet, so another cproto patch will show up eventually.)
(Note (1999 Jan 17): Sorry, my real life's been keeping me busy. I have some more patches almost ready to go. Meanwhile, I've made a gzipped tar file with my primitive testing aids available for download so that you too can join the fun!)
(Note (1998 Dec 08): Thanks to alert reader Ed Nather, I've learned that the malloc() bug described below has not been fixed; the following note has been updated accordingly.)
(Note (1998 Dec 04): A malloc() bug in glibc can cause fuzz bugs in applications; I discovered this in testing cpio. The problem is that malloc() returns a bogus pointer instead of NULL when given a request for an absurdly large chunk of memory. Applications can't tell the request failed (because they don't get NULL back), but the returned memory block is smaller than the requested size. The result is a SEGV. There is no apparent workaround or fix for this bug yet; it's listed as "suspended" in the GNATS database, meaning that nobody's actively working on it. So maybe I will, eventually. Meanwhile, I've provided a C program that will tell you whether your system has this bug; you may have the source or an Intel binary.)
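An added example of the check that note describes, not the checker program it links to (which is not reproduced on this page): it asks malloc() for an absurd amount of memory, the kind of request a garbage length field from fuzzed input produces, and reports which of the three possible behaviours it sees. The size comparison uses malloc_usable_size(), a glibc extension, so on another C library a non-NULL block is reported as OK without being measured; no byte of the returned block is ever written, so the probe itself cannot SEGV. The function names and the checked_alloc() wrapper are constructed for the example.

```c
/* Added example: probe for the "malloc() returns a short block instead of
 * NULL" behaviour described above, plus the application-side guard. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef __GLIBC__
#include <malloc.h>   /* malloc_usable_size(), glibc-specific */
#endif

typedef enum {
    PROBE_NULL_RETURNED = 0,  /* correct failure: the application can see it */
    PROBE_BLOCK_OK      = 1,  /* a block at least as large as requested */
    PROBE_SHORT_BLOCK   = 2   /* the bug: non-NULL, yet smaller than asked for */
} probe_result;

probe_result probe_malloc(size_t request) {
    void *p = malloc(request);
    if (p == NULL)
        return PROBE_NULL_RETURNED;
    probe_result r = PROBE_BLOCK_OK;
#ifdef __GLIBC__
    /* Measure the block without touching it; a short block is exactly what
     * would SEGV the application once it started filling the buffer. */
    if (malloc_usable_size(p) < request)
        r = PROBE_SHORT_BLOCK;
#endif
    free(p);
    return r;
}

/* The habit that keeps most fuzz input from reaching malloc() with an absurd
 * number in the first place: compute the size with an overflow check and
 * refuse before the allocator ever sees it. */
void *checked_alloc(size_t count, size_t elem_size) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        errno = EOVERFLOW;
        return NULL;
    }
    return malloc(count * elem_size);
}

/* Self-check helper: 1 if checked_alloc() hands back a block for this request. */
int checked_alloc_works(size_t count, size_t elem_size) {
    void *p = checked_alloc(count, elem_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void) {
    static const char *const verdict[] = {
        "NULL returned (correct)",
        "block at least as large as requested",
        "BUG: non-NULL block smaller than requested"
    };
    size_t absurd = (size_t)-1;   /* what a corrupted length field looks like */
    printf("malloc(%zu): %s\n", absurd, verdict[probe_malloc(absurd)]);
    printf("malloc(64): %s\n", verdict[probe_malloc(64)]);
    return 0;
}
```

On a current glibc the first line reports a NULL return, which is the behaviour the note says applications need; a library that prints the third verdict has the problem described above, and no NULL check in the application can catch it.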
(Note (1998 Nov 30): dc's maintainer told me that the above bug is fixed in dc 1.05.)
I haven't made patched SRPMs (or RPMs or .tgzs) available because my ISP is stingy with their disk space. But everything you need is still available from here; the following procedure outlines the steps (but beware that this is intended for relatively sophisticated users -- you have to understand what you're doing):
1. rpm -Uhv package.src.rpm.
2. Become root and cd to the source directory (/usr/src/redhat/SOURCES if you use Red Hat). Non-RPM-based distributions (Slackware) can extract the SRPM's information with rpm2cpio.
3. tar zxvf package.tar.gz.
4. for i in *.patch ; do patch <$i ; done.
5. configure --prefix=/usr/local.
s-max@pacbell.net