[GSoC 2021] Project idea: Using fuzz testing to fuzz test Kodi
#1
Hello

I am Gourav Singh Bajeli, an undergraduate from Amrita University, India.
I am interested in fuzzing Kodi. I am a member of team bi0s and mainly deal with Reverse Engineering and Fuzzing. I have experience fuzzing binaries with libFuzzer and AFL. I would like to know the outcomes of this project and the requirements needed.

Looking forward to hearing back.

Gourav
#2
Hey, nice to have you

I'm not 100 percent sure what to fuzz and how much value there really is; most video/photo files hopefully go straight to ffmpeg, which should be fuzzed already. It might still show problems when we do more/something wrong, so there might still be value. Maybe even in fuzzing XML configs?
By the nature of Kodi, there are quite some files that get read.

Best possible outcome, in my book, would be a reproducible fuzzing pipeline that could also be run scheduled on a server.
#3
(2021-03-12, 02:41)Razze Wrote: Hey, nice to have you

I'm not 100 percent sure what to fuzz and how much value there really is; most video/photo files hopefully go straight to ffmpeg, which should be fuzzed already. It might still show problems when we do more/something wrong, so there might still be value. Maybe even in fuzzing XML configs?
By the nature of Kodi, there are quite some files that get read.

Best possible outcome, in my book, would be a reproducible fuzzing pipeline that could also be run scheduled on a server.
Hey @Razze,
The above idea works: we can set up the fuzzer on a server that clones the project daily, performs the fuzz test and sends a report to a mailing list. Also, have there been any previous attempts at fuzz testing Kodi? If yes, can you share the details, as it would help to understand the source code?
#4
(2021-03-30, 20:38)Gourav Singh Bajeli Wrote:
(2021-03-12, 02:41)Razze Wrote: Hey, nice to have you

I'm not 100 percent sure what to fuzz and how much value there really is; most video/photo files hopefully go straight to ffmpeg, which should be fuzzed already. It might still show problems when we do more/something wrong, so there might still be value. Maybe even in fuzzing XML configs?
By the nature of Kodi, there are quite some files that get read.

Best possible outcome, in my book, would be a reproducible fuzzing pipeline that could also be run scheduled on a server.
Hey @Razze,
The above idea works: we can set up the fuzzer on a server that clones the project daily, performs the fuzz test and sends a report to a mailing list. Also, have there been any previous attempts at fuzz testing Kodi? If yes, can you share the details, as it would help to understand the source code?

I'm not aware of such attempts
#5
Hey @Razze

I have submitted a draft proposal through the GSoC website. I have attached a link to the draft. Open to feedback and suggestions.
Draft proposal: https://docs.google.com/document/d/1FMpQvdzVm5M_IYVhpj3VQUgidy8aX83JB3RXmipD_70/edit?usp=sharing

Thanks