[llvm-dev] how to auto-report LLVM bugs found by fuzzing?
Kostya Serebryany via llvm-dev
llvm-dev at lists.llvm.org
Tue Aug 29 15:32:57 PDT 2017
Hi,
We have several llvm fuzz targets running on OSS-Fuzz, a continuous
automated fuzzing service:
https://github.com/google/oss-fuzz
https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf
It has reported a few bugs in cxa_demangler, clang, and dwarfdump already,
and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,
clang-format-fuzzer, ...)
A question to everyone: how do we report these bugs properly?
OSS-Fuzz files bugs automatically into a separate bug tracker, it can not
file bugs to bugzilla.
By default, the bug reports are private for security reasons, and only
those CC-ed explicitly can see them.
Should we make the bug reports public by default?
We can set things differently for the llvm project (llvm, clang, etc) and
libcxxabi (demangler):
https://github.com/google/oss-fuzz/tree/master/projects/llvm
https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi
Should we automatically CC the bugs to any of the llvm mailing lists (e.g.
llvm-dev)?
If a bug is CC-ed to a list, everyone will see the bug report summary in
e-mail, but if the bug remains private the reproducer for the bug will remain
private.
Who wants to be CC-ed explicitly?
(please add yourself to
https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml)
Examples of bug reports follow.
Thanks!
--kcc
dwarfdump:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3216&q=label%3AProj-llvm%20dwarfdump-fuzzer&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary
Crash Type: ASSERT
Crash Address:
Crash State:
result <= UINT32_MAX
llvm::object::WasmObjectFile::parseStartSection
llvm::object::WasmObjectFile::parseSection
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000009a
Crash State:
llvm::object::WasmObjectFile::parseCustomSection
llvm::object::WasmObjectFile::parseSection
llvm::object::WasmObjectFile::WasmObjectFile
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x604000000776
Crash State:
llvm::StringMapImpl::LookupBucketFor
std::pair<llvm::StringMapIterator<unsigned int>, bool>
llvm::StringMap<unsigned
llvm::DWARFContext::create
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60300000011c
Crash State:
llvm::identify_magic
llvm::object::ObjectFile::createObjectFile
_start
clang-fuzzer:
https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm+clang-fuzzer&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids
Crash Type: Stack-buffer-overflow READ 1
Crash Address: 0x7f79e7b71760
Crash State:
clang::Lexer::SkipLineComment
clang::Lexer::LexTokenInternal
clang::Lexer::Lex
Crash Type: Direct-leak
Crash Address:
Crash State:
clang::Parser::ParseParameterDeclarationClause
clang::Parser::ParseFunctionDeclarator
clang::Parser::ParseDirectDeclarator
Crash Type: Stack-overflow
Crash Address: 0x7ffc78d69f48
Crash State:
clang::StmtVisitorBase<clang::make_const_ptr, IntExprEvaluator, bool>::Visit
Evaluate
IntExprEvaluator::VisitBinaryOperator
Crash Type: ASSERT
Crash Address:
Crash State:
!Prev.isAmbiguous() && "Cannot have an ambiguity in previous-declaration lookup"
DiagnoseInvalidRedeclaration
clang::Sema::ActOnFunctionDeclarator
cxa_demangler:
https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm_libcxxabi&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids
Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x619000000078
Crash State:
__cxxabiv1::parse_encoding
__cxxabiv1::demangle
__cxa_demangle
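The cxa_demangler reports above come from a libFuzzer target that hands fuzzer bytes to __cxa_demangle. As an added illustration (not part of the message above and not the llvm_libcxxabi project's own fuzz target), here is the shape of such a target together with a stand-alone replay main, so that a reproducer file downloaded from the tracker can be run through the same code path in a build without libFuzzer. It assumes only <cxxabi.h> from the compiler's C++ runtime; the size cap, the function names and the replay driver are choices made for this example.

```cpp
// Added example, not the project's fuzz target: a libFuzzer-style target for
// __cxa_demangle plus a replay main for OSS-Fuzz reproducer files.
// Assumes <cxxabi.h> from the compiler's C++ runtime (libstdc++ or libc++abi).
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cxxabi.h>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

// Upper bound on input size (assumed value). The demangler is recursive, so an
// unbounded input turns deep nesting into stack-overflow reports that hide the
// parser bugs the target is meant to find.
static const size_t kMaxInputSize = 4096;

// Core of the target. __cxa_demangle expects a NUL-terminated C string, but the
// fuzzer hands over raw bytes with no terminator, so the input is copied into a
// std::string first. Passing `data` directly would make the harness itself the
// source of a heap-buffer-overflow read, not the demangler.
// Returns the demangled name, or "" when the input is not a valid mangled name
// (status -2), is too large, or demangling fails for another reason.
std::string demangle_input(const uint8_t *data, size_t size) {
  if (size > kMaxInputSize) return "";
  std::string mangled(reinterpret_cast<const char *>(data), size);
  int status = 0;
  char *out = abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &status);
  if (status != 0 || out == nullptr) {
    std::free(out);  // free(nullptr) is a no-op
    return "";
  }
  std::string result(out);
  std::free(out);  // __cxa_demangle allocates the result with malloc
  return result;
}

// libFuzzer entry point. Built with -fsanitize=fuzzer,address, a crash here is
// reported with the same Crash Type / Crash State fields OSS-Fuzz shows.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  demangle_input(data, size);
  return 0;  // non-zero return values are reserved by libFuzzer
}

// Replay driver for builds without libFuzzer: every file named on the command
// line (for example a reproducer downloaded from the tracker) is fed to the
// target exactly as libFuzzer would feed it.
int main(int argc, char **argv) {
  for (int i = 1; i < argc; ++i) {
    std::ifstream in(argv[i], std::ios::binary);
    std::vector<uint8_t> bytes((std::istreambuf_iterator<char>(in)),
                               std::istreambuf_iterator<char>());
    LLVMFuzzerTestOneInput(bytes.data(), bytes.size());
    std::printf("%s: %zu bytes replayed\n", argv[i], bytes.size());
  }
  return 0;
}
```

With a sanitizer build (`-fsanitize=address` at minimum), replaying a reproducer through this main prints the same stack that appears under "Crash State" in the tracker, which is usually enough to triage a private report without having to re-run the fuzzer.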