[Development] Submitting Qt to oss-fuzz

Robert Löhning robert.loehning at qt.io
Tue Sep 4 14:03:31 CEST 2018


Hi Peter,

I saw your post and it helped me get started. Thanks for that!

By the way: In step 1 you use
-fsanitize-coverage=edge
whereas I followed LLVM's example [1] and used
-fsanitize-coverage=trace-pc-guard

Unfortunately the documentation seems to be a bit scarce. Could you 
please tell me briefly about the advantages of either one?

I guess I should include "edge" in [2], shouldn't I? Instead of hacking 
the mkspec you could then just use
<src>/configure -sanitize address -coverage edge <further params>

Cheers,
Robert

[1] https://llvm.org/docs/LibFuzzer.html
[2] https://codereview.qt-project.org/236937/

On 04.09.2018 at 11:17, Peter Hartmann wrote:
> Hello,
> 
> sounds like a good initiative; I was asking about the same thing 2 years
> ago ([1]) but then somehow didn't follow up on this.
> 
> Back then I also wrote some simple fuzzing test cases ([2]) that found
> some crashes and memory corruptions ([3]); I would be happy to
> contribute them if they are deemed useful.
> 
> Regards,
> 
> Peter
> 
> 
> [1]
> http://lists.qt-project.org/pipermail/development/2016-December/028016.html
> [2] https://github.com/peter-ha/qt-fuzzing
> [3]
> https://www.peter.hartmann.tk/single-post/2016/11/29/Fuzzing-Qt-with-libFuzzer
> 
> 
> On 31.08.2018 11:24, Robert Löhning wrote:
>> Hi everybody,
>>
>> yes I did. So far I have been working on getting Qt into a better
>> shape for fuzzing at all, resulting in [1].
>>
>> This prepares a Qt build for being fuzz tested with clang's libFuzzer,
>> the tool that Google also uses in oss-fuzz. The fuzzer I used for
>> testing my setup already found a crash.
>>
>> What I have so far:
>> - fuzzing Qt with libFuzzer locally, using [1]
>> - AFAICS collected all the needed "OK"s to enter Qt [2]
>>
>> What I don't have so far:
>> - create the pull request for [2], wanted to do this now-ish
>> - Everything that comes after registering the project like:
>>    - setting up build/run on Google's servers
>>    - finding out what kind of dashboard I'll get there
>>
>> I would appreciate if I might use the scripts you posted, Albert, or
>> if we could work on this together.
>>
>> Cheers,
>> Robert
>>
>> [1] https://codereview.qt-project.org/236937/
>> [2] https://github.com/google/oss-fuzz/compare/master...rlohning:master
>>
>> On 30.08.2018 at 21:27, Lars Knoll wrote:
>>> Hi Albert,
>>>
>>> Nice! Robert has been working on exactly the same thing lately. I
>>> think it would be good if you guys coordinated the effort :)
>>>
>>> It would be ideal, if we could somehow get those mails forwarded to
>>> the security mailing list. I wonder whether we could do that with a
>>> special mail account that forwards to the security mailing list.
>>>
>>> Cheers,
>>> Lars
>>>
>>>> On 30 Aug 2018, at 20:42, Albert Astals Cid via Development
>>>> <development at qt-project.org> wrote:
>>>>
>>>> oss-fuzz is an online fuzzing service run by Google.
>>>>
>>>> They test the code base daily and run fuzzing over it, maintaining
>>>> a list of open and closed bugs.
>>>>
>>>> As an example you can see one of the poppler issues I fixed at
>>>>      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382
>>>>
>>>> Everything is done automatically by a bot, except my "This is fixed
>>>> by" comment, but that's just there for historical reasons; it's not
>>>> really needed.
>>>>
>>>> Found bugs are sent to a list of trusted addresses and kept private
>>>> for 90 days; if not fixed by then, they become public.
>>>>
>>>> Fixed bugs become public 30 days after being fixed.
>>>>
>>>> I have made a qimage fuzzer that uses libpng test files as seed corpus.
>>>>
>>>> You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz
>>>>
>>>> Adding support for Qt is "relatively simple" see
>>>> https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f
>>>>
>>>>
>>>> I made a local test run of the undefined sanitizer and it found
>>>> https://paste.kde.org/prkox41mx
>>>> in a few seconds, so "it works".
>>>>
>>>> If you want to test it locally you can do
>>>>      python infra/helper.py build_fuzzers --sanitizer undefined qt
>>>>      python infra/helper.py run_fuzzer qt qimage_fuzzer
>>>> for the undefined sanitizer and
>>>>      python infra/helper.py build_fuzzers --sanitizer address qt
>>>>      python infra/helper.py run_fuzzer qt qimage_fuzzer
>>>>
>>>> Unfortunately I have not been able to compile with the memory
>>>> sanitizer enabled yet.
>>>>
>>>> The most important thing before submitting this upstream is changing
>>>> the list of trusted addresses the private bugs get sent to.
>>>>
>>>> To have something written I've used my email address, but I guess at
>>>> least I should add eirik.aavitsland at qt.io (listed as QImage
>>>> maintainer) there too? Anyone else?
>>>>
>>>> I am not sure how the email address thing works, but I think they
>>>> need to be "google account" activated, whatever that means, so we
>>>> can't use security at qt-project.org. On poppler I'm using my
>>>> @gmail.com address and not my @kde.org address since it was just
>>>> easier.
>>>>
>>>> Comments?
>>>>
>>>> Cheers,
>>>>    Albert
>>>>
>>>> -- 
>>>> Albert Astals Cid | albert.astals.cid at kdab.com | Software Engineer
>>>> Klarälvdalens Datakonsult AB, a KDAB Group company
>>>> Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
>>>> KDAB - The Qt, C++ and OpenGL Experts
>>>>
>>>> _______________________________________________
>>>> Development mailing list
>>>> Development at qt-project.org
>>>> http://lists.qt-project.org/mailman/listinfo/development
>>>
>>
> 
> 
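As an added example (not code from this thread, nor from Albert's or Robert's repositories), here is a libFuzzer harness in the shape of the qimage_fuzzer Albert describes, meant to be built with the -fsanitize=fuzzer,address combination the thread discusses (-fsanitize=fuzzer enables libFuzzer's coverage instrumentation and links its main). Because Qt is not available here, the decoder under test is a hypothetical minimal PNG signature/IHDR parser (parsePngHeader, an assumption of this example) standing in for QImage::loadFromData(); makePngPrefix constructs a sample input playing the role of a libpng seed file. Every read in the parser is bounds-checked, because truncated inputs are exactly what a fuzzer tries first and a missing check there is the kind of crash the thread reports libFuzzer finding.

```cpp
// Added example: libFuzzer harness with a hypothetical PNG header parser
// standing in for QImage::loadFromData(). Not code from the thread.
//
// Build with libFuzzer + ASan, as discussed in the thread:
//   clang++ -g -O1 -fsanitize=fuzzer,address png_header_fuzzer.cpp -o png_header_fuzzer
// Then run it over a seed corpus directory (e.g. libpng test files):
//   ./png_header_fuzzer corpus_dir/
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iterator>
#include <vector>

// Result of parsing the PNG signature and the IHDR chunk.
struct PngHeader {
    bool ok = false;
    uint32_t width = 0;
    uint32_t height = 0;
    uint8_t bitDepth = 0;
    uint8_t colorType = 0;
};

// Read a big-endian 32-bit value; the caller guarantees 4 bytes are available.
static uint32_t be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Hypothetical decoder under test (stand-in for the Qt image loader).
// Every access is checked against `size` before it happens.
PngHeader parsePngHeader(const uint8_t *data, size_t size) {
    static const uint8_t kSignature[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    PngHeader h;
    // Signature (8) + IHDR length (4) + type (4) + IHDR body (13) + CRC (4).
    if (size < 8 + 4 + 4 + 13 + 4) return h;
    if (std::memcmp(data, kSignature, 8) != 0) return h;
    const uint8_t *chunk = data + 8;
    if (be32(chunk) != 13) return h;                   // IHDR body is always 13 bytes
    if (std::memcmp(chunk + 4, "IHDR", 4) != 0) return h;
    const uint8_t *body = chunk + 8;
    h.width = be32(body);
    h.height = be32(body + 4);
    h.bitDepth = body[8];
    h.colorType = body[9];
    // PNG forbids zero dimensions and caps each at 2^31-1.
    if (h.width == 0 || h.height == 0 || h.width > 0x7fffffffu || h.height > 0x7fffffffu) return h;
    h.ok = true;
    return h;
}

// libFuzzer entry point. It must return 0; crashes are reported by the
// sanitizers, not by the return value.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)parsePngHeader(data, size);
    return 0;
}

// Constructed 33-byte PNG prefix (signature + IHDR), usable as a seed input.
std::vector<uint8_t> makePngPrefix(uint32_t width, uint32_t height,
                                   uint8_t bitDepth, uint8_t colorType) {
    std::vector<uint8_t> v = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
                              0, 0, 0, 13, 'I', 'H', 'D', 'R'};
    auto push32 = [&v](uint32_t x) {
        v.push_back(x >> 24); v.push_back(x >> 16); v.push_back(x >> 8); v.push_back(x);
    };
    push32(width);
    push32(height);
    v.push_back(bitDepth);
    v.push_back(colorType);
    v.push_back(0); v.push_back(0); v.push_back(0);   // compression, filter, interlace
    push32(0);                                        // CRC placeholder, not checked here
    return v;
}

// Stand-alone replay when NOT linked with -fsanitize=fuzzer: feed each file
// named on the command line through the harness, as libFuzzer does for a corpus.
int main(int argc, char **argv) {
    for (int i = 1; i < argc; ++i) {
        std::ifstream f(argv[i], std::ios::binary);
        std::vector<uint8_t> bytes((std::istreambuf_iterator<char>(f)),
                                   std::istreambuf_iterator<char>());
        LLVMFuzzerTestOneInput(bytes.data(), bytes.size());
    }
    return 0;
}
```

In the real qimage harness the body of LLVMFuzzerTestOneInput would call into Qt instead of parsePngHeader; the rest of the file (the extern "C" entry point, the return-0 contract, the corpus replay) is the part that carries over unchanged, and it is the part oss-fuzz's build_fuzzers/run_fuzzer steps from the thread drive.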