Reporting 1.2K crashes

To: debian-devel@lists.debian.org

Subject: Reporting 1.2K crashes

From: Alexandre Rebert <alexandre.rebert@gmail.com>

Date: Tue, 25 Jun 2013 01:28:10 -0400

Message-id: <[🔎] CAF1AS2itHonB5KTnqNnX5xat4Bh7ytr0dG2txX6BSKzboVSMzA@mail.gmail.com>

Hi, I am a security researcher at Carnegie Mellon University, and my team has found thousands of crashes in binaries downloaded from debian wheeze packages. After contacting owner@bugs.debian.org, Don Armstrong advised us to contact you before submitting ~1.2K bug reports to the Debian BTS using maintonly@bugs.debian.org (to avoid spamming debian-bugs-dist). We found the bugs using Mayhem [1], an automatic bug finding system that we've been developing in David Brumley's research lab for a couple of years. We recently ran Mayhem on almost all ELF binaries of Debian Wheezy (~23K binaries) [2], and it reported thousands of crashes. Our goal here is to make our bug reports as complete and accurate as possible. To minimize duplicates, we are reporting only one crash per binary, and at most 5 crashes per package. This amounts to ~1.2K crashes. Moreover, to ensure accuracy, we confirmed all the crashes by re-running them in a fresh unstable installation. Finally, we also filter out assertion failures for now, as they seemed less important. In short, every report is reproducible and actionable. You can download the list of affected packages, with their maintainers [3], generated with dd-list, as well as a sample bug report for gcov-4.6 [4]. The bug report contains: 1) the bug report that will be mailed to maintonly@bugs.debian.org (report.txt) 2) a testcase reproducing the crash in ./crash/ 3) information about the crash in ./crash_info/: a core dump (core), the output of the crash (crash_output.txt), the dmesg of the crash (dmesg.txt), as well as the exit status (exit_status.txt). This is a lot of bugs, and we want to make sure we're doing bug reports right, so that we don't make anyone angry by spamming the BTS with bad reports. Please let us know if the reports are good enough to proceed with the filing, or if any additional information should be included in the report. Thanks, The Mayhem Team Cylab, Carnegie Mellon Univeristy [1] http://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf [2] http://forallsecure.com/summaries [3] http://forallsecure.com/reports/dd-list.txt [4] http://forallsecure.com/reports/gcov-4.6-report.tar.bz2