[llvm-dev] how to auto-report LLVM bugs found by fuzzing?

Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Tue Aug 29 15:32:57 PDT 2017


Hi,

We have several llvm fuzz targets running on OSS-Fuzz, a continuous
automated fuzzing service:
https://github.com/google/oss-fuzz
https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf

It has reported a few bugs in cxa_demangler, clang, and dwarfdump already,
and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,
clang-format-fuzzer, ...)

A question to everyone: how do we report these bugs properly?
OSS-Fuzz files bugs automatically into a separate bug tracker, it can not
file bugs to bugzilla.
By default, the bug reports are private for security reasons, and only
those CC-ed explicitly can see them.

Should we make the bug reports public by default?
We can set things differently for the llvm project (llvm, clang, etc)  and
libcxxabi (demangler):
https://github.com/google/oss-fuzz/tree/master/projects/llvm
https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi

Should we automatically CC the bugs to any of the llvm maliing lists (e.g.
llvm-dev)?
If a bug is CC-ed to a list, everyone will see the bug report summary in
e-mail,
but if the bug remains private the reproducer for the bug will remain
private.

Who wants to be CC-ed explicitly?
(please add yourself to
https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml)

Examples of bug reports follow.

Thanks!

--kcc


dwarfdump:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3216&q=label%3AProj-llvm%20dwarfdump-fuzzer&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary

Crash Type: ASSERT
Crash Address:
Crash State:
  result <= UINT32_MAX
  llvm::object::WasmObjectFile::parseStartSection
  llvm::object::WasmObjectFile::parseSection

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000009a
Crash State:
  llvm::object::WasmObjectFile::parseCustomSection
  llvm::object::WasmObjectFile::parseSection
  llvm::object::WasmObjectFile::WasmObjectFile

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x604000000776
Crash State:
  llvm::StringMapImpl::LookupBucketFor
  std::pair<llvm::StringMapIterator<unsigned int>, bool>
llvm::StringMap<unsigned
  llvm::DWARFContext::create

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60300000011c
Crash State:
  llvm::identify_magic
  llvm::object::ObjectFile::createObjectFile
  _start

clang-fuzzer:
https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm+clang-fuzzer&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids
Crash Type: Stack-buffer-overflow READ 1
Crash Address: 0x7f79e7b71760
Crash State:
  clang::Lexer::SkipLineComment
  clang::Lexer::LexTokenInternal
  clang::Lexer::Lex

Crash Type: Direct-leak
Crash Address:
Crash State:
  clang::Parser::ParseParameterDeclarationClause
  clang::Parser::ParseFunctionDeclarator
  clang::Parser::ParseDirectDeclarator


Crash Type: Stack-overflow
Crash Address: 0x7ffc78d69f48
Crash State:
  clang::StmtVisitorBase<clang::make_const_ptr, IntExprEvaluator,
bool>::Visit
  Evaluate
  IntExprEvaluator::VisitBinaryOperator

Crash Type: ASSERT
Crash Address:
Crash State:
  !Prev.isAmbiguous() && "Cannot have an ambiguity in previous-declaration
lookup"
  DiagnoseInvalidRedeclaration
  clang::Sema::ActOnFunctionDeclarator


cxa_demangler:

https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm_libcxxabi&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids


Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x619000000078
Crash State:
  __cxxabiv1::parse_encoding
  __cxxabiv1::demangle
  __cxa_demangle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20170829/26654c21/attachment.html>


More information about the llvm-dev mailing list