[Development] Submitting Qt to oss-fuzz

Albert Astals Cid albert.astals.cid at kdab.com
Fri Aug 31 11:53:52 CEST 2018


On Friday, 31 August 2018, at 11:24:58 CEST, Robert Löhning wrote:
> Hi everybody,
> 
> yes I did. So far I have been working on getting Qt into a better shape
> for fuzzing at all, resulting in [1].
> 
> This prepares a Qt build for being fuzz tested with clang's libFuzzer,
> the tool that Google also uses in oss-fuzz. The fuzzer I used for
> testing my setup already found a crash.
> 
> What I have so far:
> - fuzzing Qt with libFuzzer locally, using [1]
> - AFAICS collected all the needed "OK"s to enter Qt [2]
> 
> What I don't have so far:
> - create the pull request for [2], wanted to do this now-ish
> - Everything that comes after registering the project like:
>    - setting up build/run on Google's servers
>    - finding out what kind of dashboard I'll get there
> 
> I would appreciate if I might use the scripts you posted, Albert, or if
> we could work on this together.

Feel free to merge my github branch into your github branch :)

Cheers,
  Albert

> 
> Cheers,
> Robert
> 
> [1] https://codereview.qt-project.org/236937/
> [2] https://github.com/google/oss-fuzz/compare/master...rlohning:master
> 
> On 30.08.2018 at 21:27, Lars Knoll wrote:
> > Hi Albert,
> > 
> > Nice! Robert has been working on exactly the same thing lately. I think it
> > would be good if you guys coordinated the effort :)
> > 
> > It would be ideal, if we could somehow get those mails forwarded to the
> > security mailing list. I wonder whether we could do that with a special
> > mail account that forwards to the security mailing list.
> > 
> > Cheers,
> > Lars
> > 
> >> On 30 Aug 2018, at 20:42, Albert Astals Cid via Development
> >> <development at qt-project.org> wrote:
> >> 
> >> oss-fuzz is an online fuzzing service run by Google.
> >> 
> >> They test the code base daily and run fuzzing over it, maintaining a
> >> list of open and closed bugs.
> >> 
> >> As an example, you can see one of the poppler issues I fixed at
> >> 
> >>     https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382
> >> 
> >> Everything is done automatically by a bot, except my "This is fixed by"
> >> comment, but that's just there for historical reasons, it's not really
> >> needed.
> >> 
> >> Found bugs are sent to a list of trusted addresses and kept private for 90
> >> days; if not fixed by then, they become public.
> >> 
> >> Fixed bugs become public 30 days after being fixed.
> >> 
> >> I have made a qimage fuzzer that uses libpng test files as seed corpus.
> >> 
> >> You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz
> >> 
> >> Adding support for Qt is "relatively simple" see
> >> https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f
> >> 
> >> I made a local test run of the undefined sanitizer and it found
> >> https://paste.kde.org/prkox41mx
> >> in a few seconds, so "it works"
> >> 
> >> If you want to test it locally you can do
> >> 
> >>     python infra/helper.py build_fuzzers --sanitizer undefined qt
> >>     python infra/helper.py run_fuzzer qt qimage_fuzzer
> >> 
> >> for the undefined sanitizer and
> >> 
> >>     python infra/helper.py build_fuzzers --sanitizer address qt
> >>     python infra/helper.py run_fuzzer qt qimage_fuzzer
> >> 
> >> Unfortunately I have not been able to compile with the memory sanitizer
> >> enabled yet.
> >> 
> >> The most important thing before submitting this upstream is changing the
> >> list of trusted addresses the private bugs get sent to.
> >> 
> >> To have something written, I've used my email address, but I guess at least
> >> I should add eirik.aavitsland at qt.io (listed as QImage maintainer) there
> >> too? Anyone else?
> >> 
> >> I am not sure how the email address thing works, but I think they need to
> >> be "google account" activated, whatever that means, so we can't use
> >> security at qt-project.org. On poppler I'm using my @gmail.com address and
> >> not my @kde.org address since it was just easier.
> >> 
> >> Comments?
> >> 
> >> Cheers,
> >> 
> >>   Albert
> >> 
> >> _______________________________________________
> >> Development mailing list
> >> Development at qt-project.org
> >> http://lists.qt-project.org/mailman/listinfo/development


-- 
Albert Astals Cid | albert.astals.cid at kdab.com | Software Engineer
Klarälvdalens Datakonsult AB, a KDAB Group company
Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
KDAB - The Qt, C++ and OpenGL Experts
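
The seed corpus step described in the thread (a qimage fuzzer seeded with libpng test files), as an added example that is not code from Qt, from oss-fuzz, or from either of the GitHub branches linked above. It assumes the oss-fuzz conventions that a build script leaves a file named <fuzzer>_seed_corpus.zip next to the fuzzer binary in $OUT and that corpus entries are named by the SHA-1 of their content as libFuzzer does; the fuzzer name qimage_fuzzer is taken from the thread, and the sample PNG seeds are constructed inline so the script runs offline.

```python
"""Build a libFuzzer seed corpus zip for an oss-fuzz target.

Added example, not code from Qt or from the oss-fuzz branches in the thread.
Assumed conventions: oss-fuzz picks up $OUT/<fuzzer>_seed_corpus.zip as the
fuzzer's initial inputs, and entries are named by SHA-1 of their content,
matching how libFuzzer names files in its own corpus directory.
"""
import hashlib
import io
import os
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def is_png(data: bytes) -> bool:
    """Cheap format filter: the corpus in the thread is libpng test files."""
    return data.startswith(PNG_SIGNATURE)


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """PNG chunk layout: 4-byte length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(r: int, g: int, b: int) -> bytes:
    """Constructed sample seed: a valid 1x1, 8-bit RGB PNG with one pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # w, h, depth, RGB, ...
    scanline = bytes([0, r, g, b])                       # filter byte 0 + pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def seed_corpus_filename(fuzzer_name: str) -> str:
    """Name oss-fuzz expects next to the fuzzer binary in $OUT (assumed convention)."""
    return f"{fuzzer_name}_seed_corpus.zip"


def collect_seeds(directory: str):
    """Read every regular file under directory; filtering happens in build_seed_corpus."""
    seeds = []
    for root, _, files in os.walk(directory):
        for name in sorted(files):
            with open(os.path.join(root, name), "rb") as fh:
                seeds.append(fh.read())
    return seeds


def build_seed_corpus(seeds, accept=is_png, max_size: int = 1 << 20) -> bytes:
    """Return the corpus zip as bytes.

    Seeds that fail accept() or exceed max_size are dropped (huge seeds slow
    the fuzzer down without adding coverage), and byte-identical seeds collapse
    to a single entry because they hash to the same name.
    """
    unique = {}
    for data in seeds:
        if accept(data) and len(data) <= max_size:
            unique.setdefault(hashlib.sha1(data).hexdigest(), data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for digest in sorted(unique):
            zf.writestr(digest, unique[digest])
    return buf.getvalue()


def corpus_entries(blob: bytes):
    """Sorted entry names of a corpus zip, for inspection."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return sorted(zf.namelist())


def read_entry(blob: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def write_seed_corpus(seeds, fuzzer_name: str, out_dir: str) -> str:
    """Write $OUT/<fuzzer>_seed_corpus.zip and return its path."""
    path = os.path.join(out_dir, seed_corpus_filename(fuzzer_name))
    with open(path, "wb") as fh:
        fh.write(build_seed_corpus(seeds))
    return path


if __name__ == "__main__":
    # Constructed seeds: two identical red pixels, one green, one non-PNG.
    sample = [make_png(255, 0, 0), make_png(255, 0, 0),
              make_png(0, 255, 0), b"GIF89a junk"]
    print(write_seed_corpus(sample, "qimage_fuzzer", os.environ.get("OUT", ".")))
```

In an oss-fuzz build.sh the call would be collect_seeds() over the checked-out libpng test directory followed by write_seed_corpus() into $OUT; the accept filter is there so that stray non-image files in a test tree do not end up as seeds, and can be swapped for a broader check when the target reads more than PNG.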
