[Development] Submitting Qt to oss-fuzz

Peter Hartmann peter-qt at hartmann.tk
Tue Sep 4 11:17:09 CEST 2018


Hello,

Sounds like a good initiative; I was asking about the same thing 2 years
ago ([1]) but then somehow didn't follow up on this.

Back then I also wrote some simple fuzzing test cases ([2]) that found
some crashes and memory corruptions ([3]); I would be happy to
contribute them if they are deemed useful.

Regards,

Peter


[1] http://lists.qt-project.org/pipermail/development/2016-December/028016.html
[2] https://github.com/peter-ha/qt-fuzzing
[3] https://www.peter.hartmann.tk/single-post/2016/11/29/Fuzzing-Qt-with-libFuzzer


On 31.08.2018 11:24, Robert Löhning wrote:
> Hi everybody,
>
> yes I did. So far I have been working on getting Qt into a better
> shape for fuzzing at all, resulting in [1].
>
> This prepares a Qt build for being fuzz tested with clang's libFuzzer,
> the tool that Google also uses in oss-fuzz. The fuzzer I used for
> testing my setup already found a crash.
>
> What I have so far:
> - fuzzing Qt with libFuzzer locally, using [1]
> - AFAICS collected all the needed "OK"s to enter Qt [2]
>
> What I don't have so far:
> - create the pull request for [2], wanted to do this now-ish
> - Everything that comes after registering the project like:
>   - setting up build/run on Google's servers
>   - finding out what kind of dashboard I'll get there
>
> I would appreciate it if I could use the scripts you posted, Albert, or
> if we could work on this together.
>
> Cheers,
> Robert
>
> [1] https://codereview.qt-project.org/236937/
> [2] https://github.com/google/oss-fuzz/compare/master...rlohning:master
>
> Am 30.08.2018 um 21:27 schrieb Lars Knoll:
>> Hi Albert,
>>
>> Nice! Robert has been working on exactly the same thing lately. I
>> think it would be good if you guys coordinated the effort :)
>>
>> It would be ideal, if we could somehow get those mails forwarded to
>> the security mailing list. I wonder whether we could do that with a
>> special mail account that forwards to the security mailing list.
>>
>> Cheers,
>> Lars
>>
>>> On 30 Aug 2018, at 20:42, Albert Astals Cid via Development
>>> <development at qt-project.org> wrote:
>>>
>>> oss-fuzz is an online fuzzing service run by Google.
>>>
>>> They test the code base daily and run fuzzing over it, maintaining
>>> a list of open and closed bugs.
>>>
>>> As an example, you can see one of the poppler issues I fixed at
>>>     https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382
>>>
>>> Everything is done automatically by a bot, except my "This is fixed
>>> by" comment, but that's just there for historical reasons, it's not
>>> really needed.
>>>
>>> Found bugs are sent to a list of trusted addresses and kept private
>>> for 90 days; if they are not fixed by then, they become public.
>>>
>>> Fixed bugs become public 30 days after being fixed.
>>>
>>> I have made a qimage fuzzer that uses libpng test files as seed corpus.
>>>
>>> You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz
>>>
>>> Adding support for Qt is "relatively simple" see
>>> https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f
>>>
>>>
>>> I made a local test run of the undefined sanitizer and it found
>>> https://paste.kde.org/prkox41mx
>>> in a few seconds, so "it works".
>>>
>>> If you want to test it locally you can do
>>>     python infra/helper.py build_fuzzers --sanitizer undefined qt
>>>     python infra/helper.py run_fuzzer qt qimage_fuzzer
>>> for the undefined sanitizer and
>>>     python infra/helper.py build_fuzzers --sanitizer address qt
>>>     python infra/helper.py run_fuzzer qt qimage_fuzzer
>>>
>>> Unfortunately I have not been able to compile with the memory
>>> sanitizer enabled yet.
>>>
>>> The most important thing before submitting this upstream is changing
>>> the list of trusted addresses the private bugs get sent to.
>>>
>>> To have something written I've used my email address, but I guess at
>>> least I should add eirik.aavitsland at qt.io (listed as QImage
>>> maintainer) there too? Anyone else?
>>>
>>> I am not sure how the email address thing works, but I think they
>>> need to be "google account" activated, whatever that means, so we
>>> can't use security at qt-project.org. On poppler I'm using my
>>> @gmail.com address and not my @kde.org address since it was just
>>> easier.
>>>
>>> Comments?
>>>
>>> Cheers,
>>>   Albert
>>>
>>> -- 
>>> Albert Astals Cid | albert.astals.cid at kdab.com | Software Engineer
>>> Klarälvdalens Datakonsult AB, a KDAB Group company
>>> Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
>>> KDAB - The Qt, C++ and OpenGL Experts
>>>
>>> _______________________________________________
>>> Development mailing list
>>> Development at qt-project.org
>>> http://lists.qt-project.org/mailman/listinfo/development
>>
>


-- 
Peter Hartmann // Titurelstrasse 2 // 89125 Munich // Germany
peter at hartmann.tk
www.peter.hartmann.tk
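For reference, this is the shape of a libFuzzer target for QImage of the kind Albert's qimage fuzzer and the helper.py commands quoted above build and run. It is an added example, not code from any of the linked repositories; it assumes Qt's QtGui module is available and that the target is compiled with clang's -fsanitize=fuzzer together with -fsanitize=address or -fsanitize=undefined.

```cpp
// Added example: a libFuzzer target that hands arbitrary bytes to QImage's
// format sniffing and decoders. Not the code from the repositories linked
// in the thread; it only illustrates what such a fuzz target looks like.
#include <QtGui/QImage>
#include <cstddef>
#include <cstdint>

// Decode one input and exercise a few post-decode paths. Kept separate
// from the libFuzzer entry point so a standalone driver can reuse it.
// Returns true if some Qt image plugin accepted the bytes as an image.
static bool decodeOnce(const uint8_t *data, size_t size)
{
    // fromData() lets Qt detect the format from the bytes themselves, so
    // the fuzzer reaches every built-in image plugin, not only PNG, even
    // when the seed corpus (e.g. libpng test files) is all PNG.
    QImage image = QImage::fromData(data, static_cast<int>(size));
    if (image.isNull())
        return false;

    // Touch the decoded pixels via a conversion and a scale so that lazy
    // conversion and scaling code is covered by the sanitizers as well.
    image = image.convertToFormat(QImage::Format_ARGB32);
    const QImage scaled = image.scaled(8, 8, Qt::IgnoreAspectRatio,
                                       Qt::SmoothTransformation);
    return !scaled.isNull();
}

// libFuzzer entry point. The return value is ignored; crashes and
// sanitizer reports are the signal oss-fuzz collects and files as bugs.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    decodeOnce(data, size);
    return 0;
}

#ifdef QIMAGE_FUZZER_STANDALONE
// Standalone driver to replay a single crash file without libFuzzer:
// build without -fsanitize=fuzzer and with -DQIMAGE_FUZZER_STANDALONE
// (the macro name is an assumption of this example).
#include <QtCore/QFile>
int main(int argc, char **argv)
{
    if (argc < 2)
        return 2;
    QFile f(argv[1]);
    if (!f.open(QIODevice::ReadOnly))
        return 2;
    const QByteArray bytes = f.readAll();
    const bool ok = decodeOnce(
        reinterpret_cast<const uint8_t *>(bytes.constData()), bytes.size());
    return ok ? 0 : 1;
}
#endif
```

Under oss-fuzz the project's build.sh compiles this against the instrumented Qt build and copies the resulting binary, plus a zipped seed corpus, into $OUT so that helper.py's build_fuzzers and run_fuzzer pick it up.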
