[Development] Submitting Qt to oss-fuzz

Lars Knoll lars.knoll at qt.io
Thu Aug 30 21:27:42 CEST 2018


Hi Albert,

Nice! Robert has been working on exactly the same thing lately. I think it would be good if you guys coordinated the effort :)

It would be ideal if we could somehow get those mails forwarded to the security mailing list. I wonder whether we could do that with a special mail account that forwards to the security mailing list.

Cheers,
Lars

> On 30 Aug 2018, at 20:42, Albert Astals Cid via Development <development at qt-project.org> wrote:
> 
> oss-fuzz is an online fuzzing service run by Google.
> 
> They test the code base daily and run fuzzing over it, maintaining a list of open and closed bugs.
> 
> As an example you can see one of the poppler issues I fixed at
>    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382
> 
> Everything is done automatically by a bot, except my "This is fixed by" comment, but that's just there for historical reasons, it's not really needed.
> 
> Found bugs are sent to a list of trusted addresses and kept private for 90 days; if not fixed by then, they become public.
> 
> Fixed bugs become public 30 days after being fixed.
> 
> I have made a qimage fuzzer that uses libpng test files as seed corpus.
> 
> You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz
> 
> Adding support for Qt is "relatively simple" see 
> https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f
> 
> I made a local test run of the undefined sanitizer and it found 
> https://paste.kde.org/prkox41mx
> in a few seconds, so "it works"
> 
> If you want to test it locally you can do
>    python infra/helper.py build_fuzzers --sanitizer undefined qt
>    python infra/helper.py run_fuzzer qt qimage_fuzzer
> for the undefined sanitizer and
>    python infra/helper.py build_fuzzers --sanitizer address qt
>    python infra/helper.py run_fuzzer qt qimage_fuzzer
> 
> Unfortunately I have not been able to compile with the memory sanitizer enabled yet.
> 
> The most important thing before submitting this upstream is changing the list of trusted addresses the private bugs get sent to.
> 
> To have something written I've used my email address, but I guess at least I should add eirik.aavitsland at qt.io (listed as QImage maintainer) there too? Anyone else?
> 
> I am not sure how the email address thing works, but I think they need to be "google account" activated, whatever that means, so we can't use security at qt-project.org. On poppler I'm using my @gmail.com address and not my @kde.org address since it was just easier.
> 
> Comments?
> 
> Cheers,
>  Albert
> 
> -- 
> Albert Astals Cid | albert.astals.cid at kdab.com | Software Engineer
> Klarälvdalens Datakonsult AB, a KDAB Group company
> Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
> KDAB - The Qt, C++ and OpenGL Experts
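As an added example (not Albert's qimage_fuzzer and not code from the Qt project or from oss-fuzz), this is the shape of the libFuzzer entry point that oss-fuzz's `build_fuzzers` compiles and `run_fuzzer` executes with the sanitizer chosen at build time. Because Qt is not linked here, a small defensive PNG chunk walker stands in for `QImage::loadFromData`; the `LIBFUZZER_BUILD` macro, the `countPngChunks` and `makeMinimalPng` helpers and the sample bytes are assumptions for this example. The standalone `main` mirrors how an oss-fuzz testcase file is replayed through the harness to confirm a fix.

```cpp
// Added example: libFuzzer-style harness with a stand-in decoder (no Qt here).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Stand-in for the decoder under test (in Albert's harness this is the
// QImage load call). Walks PNG chunks and returns the number of chunks up to
// and including IEND, or -1 if the input is truncated or malformed.
int countPngChunks(const uint8_t *data, size_t size) {
    static const uint8_t kSig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    if (size < 8 || memcmp(data, kSig, 8) != 0) return -1;
    size_t pos = 8;
    int chunks = 0;
    // Each chunk is length(4) + type(4) + data(length) + crc(4).
    while (pos + 12 <= size) {
        uint32_t len = (uint32_t)data[pos] << 24 | (uint32_t)data[pos + 1] << 16 |
                       (uint32_t)data[pos + 2] << 8 | (uint32_t)data[pos + 3];
        const uint8_t *type = data + pos + 4;
        // PNG caps the length at 2^31-1; the second test is written as a
        // subtraction so the comparison cannot wrap on a huge length field.
        if (len > 0x7fffffffu || len > size - pos - 12) return -1;
        ++chunks;
        bool end = memcmp(type, "IEND", 4) == 0;
        pos += 12 + len;
        if (end) return chunks;
    }
    return -1;  // ran out of bytes before IEND
}

// The entry point oss-fuzz calls once per generated input. A crash or a
// sanitizer report inside this call is what shows up as a bug report; the
// return value must be 0 (other values are reserved by libFuzzer).
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    countPngChunks(data, size);
    return 0;
}

// Constructed sample standing in for one seed-corpus file: signature, an IHDR
// chunk with 13 data bytes, then IEND. CRC fields are left as zeros.
std::vector<uint8_t> makeMinimalPng() {
    std::vector<uint8_t> png = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
                                0, 0, 0, 13, 'I', 'H', 'D', 'R'};
    png.insert(png.end(), 13, 0);          // IHDR payload
    png.insert(png.end(), 4, 0);           // IHDR crc
    const uint8_t iend[] = {0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0};
    png.insert(png.end(), iend, iend + sizeof(iend));
    return png;
}

// Define LIBFUZZER_BUILD when linking with -fsanitize=fuzzer, which supplies
// its own main. Without it, this main replays one testcase file through the
// harness, which is how a reported crash is reproduced locally.
#ifndef LIBFUZZER_BUILD
int main(int argc, char **argv) {
    if (argc < 2) {
        std::vector<uint8_t> png = makeMinimalPng();
        std::printf("chunks in built-in sample: %d\n",
                    countPngChunks(png.data(), png.size()));
        return 0;
    }
    FILE *f = std::fopen(argv[1], "rb");
    if (!f) return 1;
    std::vector<uint8_t> buf;
    uint8_t tmp[4096];
    size_t n;
    while ((n = std::fread(tmp, 1, sizeof(tmp), f)) > 0) buf.insert(buf.end(), tmp, tmp + n);
    std::fclose(f);
    return LLVMFuzzerTestOneInput(buf.data(), buf.size());
}
#endif
```

Build it the oss-fuzz way with `clang++ -DLIBFUZZER_BUILD -fsanitize=fuzzer,undefined` (or `,address`) and point it at a directory of seed files; build it without the macro to replay a single testcase. The truncation and oversized-length paths are the cases a harness must survive without crashing, since the fuzzer will hit them within seconds.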