Hi everybody,
yes I did. So far I have been working on getting Qt into a better shape
for fuzzing at all, resulting in [1].
This prepares a Qt build for being fuzz tested with clang's libFuzzer,
the tool that Google also uses in oss-fuzz. The fuzzer I used for
testing my setup already found a crash.
What I have so far:
- fuzzing Qt with libFuzzer locally, using [1]
- AFAICS collected all the needed "OK"s to enter Qt [2]
What I don't have so far:
- create the pull request for [2], wanted to do this now-ish
- Everything that comes after registering the project like:
- setting up build/run on Google's servers
- finding out what kind of dashboard I'll get there
I would appreciate if I might use the scripts you posted, Albert, or if
we could work on this together.
Cheers,
Robert
[1] https://codereview.qt-project.org/236937/
[2] https://github.com/google/oss-fuzz/compare/master...rlohning:master
Am 30.08.2018 um 21:27 schrieb Lars Knoll:
Hi Albert,
Nice! Robert has been working on exactly the same thing lately. I think it
would be good if you guys coordinated the effort :)
It would be ideal, if we could somehow get those mails forwarded to the
security mailing list. I wonder whether we could do that with a special mail
account that forwards to the security mailing list.
Cheers,
Lars
On 30 Aug 2018, at 20:42, Albert Astals Cid via Development
<[email protected]> wrote:
oss-fuzz is an online fuzzing service run by Google.
They test daily the code base and run fuzzying over it, maintaining a list of
open and closed bugs.
As example you can see one of the poppler issues i fixed at
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382
Everything is done automatically by a bot, except my "This is fixed by"
comment, but that's just there for historical reasons, it's not really needed.
Found bugs are sent to a list of trusted address and kept private for 90 days,
then if not fixed then they become public.
Fixed bugs become public 30 days after being fixed.
I have made a qimage fuzzer that uses libpng test files as seed corpus.
You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz
Adding support for Qt is "relatively simple" see
https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f
I made a local test run of the undefined sanitizer and it found
https://paste.kde.org/prkox41mx
in a few seconds, so "it works"
If you want to test it locally you can do
python infra/helper.py build_fuzzers --sanitizer undefined qt
python infra/helper.py run_fuzzer qt qimage_fuzzer
for the undefined sanitizer and
python infra/helper.py build_fuzzers --sanitizer address qt
python infra/helper.py run_fuzzer qt qimage_fuzzer
Unfortunately I have not been able to compile with the memory sanitizer enabled
yet.
The most important thing before submitting this upstream is changing the list
of trusted addresses the private bugs get sent to.
To have something written i've used my email address but i guess at least i
should add [email protected] (listed as QImage maintainer) there too?
Anyone else?
I am not sure how the email address thing works, but i think they need to be "google
account" activated, whatever that means, so we can't use [email protected]. On
poppler i'm using my @gmail.com address and not my @kde.org address since it was just
easier.
Comments?
Cheers,
Albert
--
Albert Astals Cid | [email protected] | Software Engineer
Klarälvdalens Datakonsult AB, a KDAB Group company
Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
KDAB - The Qt, C++ and OpenGL Experts
_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
