[Development] Submitting Qt to oss-fuzz

Robert Löhning robert.loehning at qt.io
Fri Aug 31 11:24:58 CEST 2018


Hi everybody,

yes I did. So far I have been working on getting Qt into a better shape 
for fuzzing at all, resulting in [1].

This prepares a Qt build for being fuzz tested with clang's libFuzzer, 
the tool that Google also uses in oss-fuzz. The fuzzer I used for 
testing my setup already found a crash.

What I have so far:
- fuzzing Qt with libFuzzer locally, using [1]
- AFAICS collected all the needed "OK"s to enter Qt [2]

What I don't have so far:
- create the pull request for [2], wanted to do this now-ish
- Everything that comes after registering the project like:
   - setting up build/run on Google's servers
   - finding out what kind of dashboard I'll get there

I would appreciate it if I could use the scripts you posted, Albert, or if 
we could work on this together.

Cheers,
Robert

[1] https://codereview.qt-project.org/236937/
[2] https://github.com/google/oss-fuzz/compare/master...rlohning:master

On 30.08.2018 at 21:27, Lars Knoll wrote:
> Hi Albert,
> 
> Nice! Robert has been working on exactly the same thing lately. I think it would be good if you guys coordinated the effort :)
> 
> It would be ideal if we could somehow get those mails forwarded to the security mailing list. I wonder whether we could do that with a special mail account that forwards to the security mailing list.
> 
> Cheers,
> Lars
> 
>> On 30 Aug 2018, at 20:42, Albert Astals Cid via Development <development at qt-project.org> wrote:
>>
>> oss-fuzz is an online fuzzing service run by Google.
>>
>> They test the code base daily and run fuzzing over it, maintaining a list of open and closed bugs.
>>
>> As an example, you can see one of the poppler issues I fixed at
>>     https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382
>>
>> Everything is done automatically by a bot, except my "This is fixed by" comment, but that's just there for historical reasons, it's not really needed.
>>
>> Found bugs are sent to a list of trusted addresses and kept private for 90 days; if they are not fixed by then, they become public.
>>
>> Fixed bugs become public 30 days after being fixed.
>>
>> I have made a qimage fuzzer that uses libpng test files as seed corpus.
>>
>> You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz
>>
>> Adding support for Qt is "relatively simple" see
>> https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f
>>
>> I made a local test run of the undefined sanitizer and it found
>> https://paste.kde.org/prkox41mx
>> in a few seconds, so "it works"
>>
>> If you want to test it locally you can do
>>     python infra/helper.py build_fuzzers --sanitizer undefined qt
>>     python infra/helper.py run_fuzzer qt qimage_fuzzer
>> for the undefined sanitizer and
>>     python infra/helper.py build_fuzzers --sanitizer address qt
>>     python infra/helper.py run_fuzzer qt qimage_fuzzer
>>
>> Unfortunately I have not been able to compile with the memory sanitizer enabled yet.
>>
>> The most important thing before submitting this upstream is changing the list of trusted addresses the private bugs get sent to.
>>
>> To have something written, I've used my email address, but I guess at least I should add eirik.aavitsland at qt.io (listed as QImage maintainer) there too? Anyone else?
>>
>> I am not sure how the email address thing works, but I think they need to be "google account" activated, whatever that means, so we can't use security at qt-project.org. On poppler I'm using my @gmail.com address and not my @kde.org address since it was just easier.
>>
>> Comments?
>>
>> Cheers,
>>   Albert
>>
>> -- 
>> Albert Astals Cid | albert.astals.cid at kdab.com | Software Engineer
>> Klarälvdalens Datakonsult AB, a KDAB Group company
>> Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
>> KDAB - The Qt, C++ and OpenGL Experts
>>
