[Development] Submitting Qt to oss-fuzz

Robert Loehning Robert.Loehning at qt.io
Mon Jan 21 18:36:06 CET 2019


Hi everybody,

The Qt project is now registered in oss-fuzz's list of projects:
https://github.com/google/oss-fuzz/tree/master/projects

What I have so far:
- fuzzing Qt with libFuzzer locally
- registered Qt project for oss-fuzz

What I don't have so far:
- setting up build/run on Google's servers
- finding out what kind of dashboard I'll get there

I'll send updates as soon as I know more...

Cheers,
Robert

-- 
   Robert Löhning, Software Engineer - The Qt Company GmbH
   The Qt Company GmbH, Rudower Chaussee 13, D-12489 Berlin
   Managing Directors: Mika Pälsi, Juha Varelius, Mika Harjuaho
   Registered office: Berlin,
   Court of registration: Amtsgericht Charlottenburg, HRB 144331 B


On 31.08.2018 at 11:24, Robert Löhning wrote:
> Hi everybody,
> 
> Yes, I did. So far I have been working on getting Qt into a better shape 
> for fuzzing at all, resulting in [1].
> 
> This prepares a Qt build for being fuzz tested with clang's libFuzzer, 
> the tool that Google also uses in oss-fuzz. The fuzzer I used for 
> testing my setup already found a crash.
> 
> What I have so far:
> - fuzzing Qt with libFuzzer locally, using [1]
> - AFAICS collected all the needed "OK"s to enter Qt [2]
> 
> What I don't have so far:
> - create the pull request for [2], wanted to do this now-ish
> - Everything that comes after registering the project like:
>    - setting up build/run on Google's servers
>    - finding out what kind of dashboard I'll get there
> 
> I would appreciate it if I could use the scripts you posted, Albert, or if 
> we could work on this together.
> 
> Cheers,
> Robert
> 
> [1] https://codereview.qt-project.org/236937/
> [2] https://github.com/google/oss-fuzz/compare/master...rlohning:master
> 
> On 30.08.2018 at 21:27, Lars Knoll wrote:
>> Hi Albert,
>>
>> Nice! Robert has been working on exactly the same thing lately. I 
>> think it would be good if you guys coordinated the effort :)
>>
>> It would be ideal, if we could somehow get those mails forwarded to 
>> the security mailing list. I wonder whether we could do that with a 
>> special mail account that forwards to the security mailing list.
>>
>> Cheers,
>> Lars
>>
>>> On 30 Aug 2018, at 20:42, Albert Astals Cid via Development 
>>> <development at qt-project.org> wrote:
>>>
>>> oss-fuzz is an online fuzzing service run by Google.
>>>
>>> They test the code base daily and run fuzzing over it, maintaining a 
>>> list of open and closed bugs.
>>>
>>> As an example, you can see one of the poppler issues I fixed at
>>>     https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382
>>>
>>> Everything is done automatically by a bot, except my "This is fixed 
>>> by" comment, but that's just there for historical reasons; it's not 
>>> really needed.
>>>
>>> Found bugs are sent to a list of trusted addresses and kept private for 
>>> 90 days; then, if not fixed, they become public.
>>>
>>> Fixed bugs become public 30 days after being fixed.
>>>
>>> I have made a qimage fuzzer that uses libpng test files as seed corpus.
>>>
>>> You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz
>>>
>>> Adding support for Qt is "relatively simple" see
>>> https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f 
>>>
>>>
>>> I made a local test run of the undefined sanitizer and it found
>>> https://paste.kde.org/prkox41mx
>>> in a few seconds, so "it works"
>>>
>>> If you want to test it locally you can do
>>>     python infra/helper.py build_fuzzers --sanitizer undefined qt
>>>     python infra/helper.py run_fuzzer qt qimage_fuzzer
>>> for the undefined sanitizer and
>>>     python infra/helper.py build_fuzzers --sanitizer address qt
>>>     python infra/helper.py run_fuzzer qt qimage_fuzzer
>>>
>>> Unfortunately I have not been able to compile with the memory 
>>> sanitizer enabled yet.
>>>
>>> The most important thing before submitting this upstream is changing 
>>> the list of trusted addresses the private bugs get sent to.
>>>
>>> To have something written I've used my email address, but I guess at 
>>> least I should add eirik.aavitsland at qt.io (listed as QImage 
>>> maintainer) there too? Anyone else?
>>>
>>> I am not sure how the email address thing works, but I think they 
>>> need to be "google account" activated, whatever that means, so we 
>>> can't use security at qt-project.org. On poppler I'm using my @gmail.com 
>>> address and not my @kde.org address since it was just easier.
>>>
>>> Comments?
>>>
>>> Cheers,
>>>   Albert
>>>
>>> -- 
>>> Albert Astals Cid | albert.astals.cid at kdab.com | Software Engineer
>>> Klarälvdalens Datakonsult AB, a KDAB Group company
>>> Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
>>> KDAB - The Qt, C++ and OpenGL Experts
>>>
>>> _______________________________________________
>>> Development mailing list
>>> Development at qt-project.org
>>> http://lists.qt-project.org/mailman/listinfo/development
>>
> 
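The "list of trusted addresses" Albert refers to lives in the project's `project.yaml` in the oss-fuzz repository; the sketch below is an added illustration of that file, not the actual Qt submission. The `homepage`, `main_repo` and contact values are placeholders (the `primary_contact` and `auto_ccs` keys receive the private bug reports during the 90-day embargo described above, so they should be maintainer addresses, not a generic list alias).

```yaml
# projects/qt/project.yaml (illustrative, not the real Qt entry)
homepage: "https://www.qt.io"            # assumed value
main_repo: "https://code.qt.io/qt/qtbase.git"   # assumed value
language: c++

# Who receives private crash reports before the 90-day disclosure deadline.
# Google-account-enabled addresses of individual maintainers; a mailing list
# alias such as security@... would not work here, as noted in the thread.
primary_contact: "fuzzing-maintainer@example.invalid"   # placeholder
auto_ccs:
  - "qimage-maintainer@example.invalid"               # placeholder

# Sanitizers the bots build with; the thread mentions address and
# undefined working locally, with memory not yet compiling.
sanitizers:
  - address
  - undefined
  # - memory   # enable once the MSan build of Qt is fixed

fuzzing_engines:
  - libfuzzer
```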



More information about the Development mailing list