[llvm-dev] how to auto-report LLVM bugs found by fuzzing?

Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Tue Oct 10 12:54:39 PDT 2017


On Tue, Oct 10, 2017 at 12:48 PM, Richard Smith <richard at metafoo.co.uk>
wrote:

> Is it possible to put different tags in the subject line for the LLVM /
> Clang / clang-format fuzz targets, so that mail filters can identify the
> ones of interest?
>

In subject -- probably not easy (at least not desirable -- some target
names are pretty long).
Can you filter by the message contents? ("Fuzz target binary: clang-fuzzer")


>
> On 8 September 2017 at 13:01, Kostya Serebryany via llvm-dev <
> llvm-dev at lists.llvm.org> wrote:
>
>>
>>
>> On Wed, Aug 30, 2017 at 4:54 PM, Kostya Serebryany <kcc at google.com>
>> wrote:
>>
>>> Bugs found by oss-fuzz in llvm are now public:
>>> https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm
>>> (and the new ones will be public too).
>>> I've also added llvm-bugs at lists.llvm.org to the list of e-mail
>>> recipients:
>>> https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml
>>>
>>
>> .. and now mailing to llvm-bugs actually works:
>> http://lists.llvm.org/pipermail/llvm-bugs/2017-September/058151.html
>> http://lists.llvm.org/pipermail/llvm-bugs/2017-September/058152.html
>>
>>
>>
>>>
>>> On Tue, Aug 29, 2017 at 4:27 PM, Justin Bogner <mail at justinbogner.com>
>>> wrote:
>>>
>>>> Kostya Serebryany <kcc at google.com> writes:
>>>> > On Tue, Aug 29, 2017 at 4:13 PM, Justin Bogner <mail at justinbogner.com>
>>>> > wrote:
>>>> >
>>>> >> Kostya Serebryany <kcc at google.com> writes:
>>>> >> > Hi,
>>>> >> >
>>>> >> > We have several llvm fuzz targets running on OSS-Fuzz, a continuous
>>>> >> > automated fuzzing service:
>>>> >> > https://github.com/google/oss-fuzz
>>>> >> > https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf
>>>> >> >
>>>> >> > It has reported a few bugs in cxa_demangler, clang, and dwarfdump already,
>>>> >> > and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,
>>>> >> > clang-format-fuzzer, ...)
>>>> >> >
>>>> >> > A question to everyone: how do we report these bugs properly?
>>>> >> > OSS-Fuzz files bugs automatically into a separate bug tracker; it cannot
>>>> >> > file bugs to bugzilla.
>>>> >> > By default, the bug reports are private for security reasons, and only
>>>> >> > those CC-ed explicitly can see them.
>>>> >> >
>>>> >> > Should we make the bug reports public by default?
>>>> >> > We can set things differently for the llvm project (llvm, clang, etc) and
>>>> >> > libcxxabi (demangler):
>>>> >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm
>>>> >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi
>>>> >>
>>>> >> At least some of these should probably just be public by default. Things
>>>> >> like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security
>>>> >> bugs, so I wouldn't expect them to find stuff that falls under the
>>>> >> responsible disclosure umbrella.
>>>> >>
>>>> >
>>>> > So, how about making all LLVM bugs public by default and leaving
>>>> > cxa_demangler bugs private?
>>>> > (I can't make it finer-grained, see below)
>>>>
>>>> This sounds good to me.
>>>>
>>>> >>
>>>> >> This should be thought about on a case by case basis, of course.
>>>> >>
>>>> >> > Should we automatically CC the bugs to any of the llvm mailing lists
>>>> >> > (e.g. llvm-dev)?
>>>> >>
>>>> >> Perhaps we could CC them to llvm-bugs? That's the same list that new
>>>> >> bugzilla bugs are announced to.
>>>> >>
>>>> >
>>>> > Ah, good idea.
>>>> > Unless someone objects I'll add llvm-bugs to the spam^W list :)
>>>> >
>>>> >>
>>>> >> > If a bug is CC-ed to a list, everyone will see the bug report summary in
>>>> >> > e-mail, but if the bug remains private the reproducer for the bug will
>>>> >> > remain private.
>>>> >> >
>>>> >> > Who wants to be CC-ed explicitly?
>>>> >> > (please add yourself to
>>>> >> > https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml)
>>>> >>
>>>> >> Can this be set up to CC per-fuzz-target or so? I'm sure some people are
>>>> >> interested in, say, clang, but not necessarily cxa_demangler, or
>>>> >> vice-versa.
>>>> >>
>>>> >
>>>> > Sadly, no.
>>>> >
>>>> > We can distinguish llvm_cxxabi (cxa_demangler) from everything else because
>>>> > these are currently two independent projects on oss-fuzz.
>>>> > Making it finer-grained would require setting up separate oss-fuzz projects,
>>>> > which is harder to maintain and would not be welcome on the oss-fuzz side.
>>>> > The automatic e-mails announce the fuzz target's name, so filters will be
>>>> > easy to set up.
>>>>
>>>> Fair enough.
>>>>
>>>
>>>
>>
>>
>>
>
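The content-based filter suggested above (match the "Fuzz target binary:" line rather than the subject), written out as an added example that is not part of the thread or of OSS-Fuzz itself. The sample report e-mails below are constructed, and the routing table mapping fuzz-target names to mailbox labels is hypothetical; only the "Fuzz target binary: clang-fuzzer" line format comes from the thread.

```python
"""Route OSS-Fuzz report e-mails by the fuzz target named in the body.

Added example (not from the llvm-dev thread or the OSS-Fuzz project). The
thread notes that the automatic e-mails carry a line such as
"Fuzz target binary: clang-fuzzer", so a filter can sort reports by target
even though the subject line does not name it. Sample messages are constructed.
"""
import email
import re
from email.message import Message
from typing import Optional

# The only line format taken from the thread; everything else is an assumption.
FUZZ_TARGET_RE = re.compile(r"^Fuzz target binary:\s*(\S+)\s*$", re.MULTILINE)

# Hypothetical routing table: exact fuzz-target name -> mailbox label.
ROUTES = {
    "clang-fuzzer": "clang",
    "clang-format-fuzzer": "clang-format",
    "llvm-isel-fuzzer": "llvm",
}
UNROUTED = "other-fuzz-target"   # target named, but not in ROUTES
UNFILTERED = "unfiltered"        # no "Fuzz target binary:" line at all


def _plain_text(msg: Message) -> str:
    """Return the first text/plain part of a message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            charset = part.get_content_charset() or "utf-8"
            return payload.decode(charset, errors="replace")
    return ""


def fuzz_target_of(raw_message: str) -> Optional[str]:
    """Extract the fuzz target name from an RFC 822 message, or None."""
    msg = email.message_from_string(raw_message)
    match = FUZZ_TARGET_RE.search(_plain_text(msg))
    return match.group(1) if match else None


def route(raw_message: str) -> str:
    """Map a report e-mail to a mailbox label using the target in its body."""
    target = fuzz_target_of(raw_message)
    if target is None:
        return UNFILTERED
    return ROUTES.get(target, UNROUTED)


# Constructed sample reports (headers and bodies are not real OSS-Fuzz mail).
SAMPLE_CLANG = (
    "From: oss-fuzz-bot@example.invalid\n"
    "Subject: Issue PLACEHOLDER in oss-fuzz: llvm: ASSERT: example\n"
    "\n"
    "Project: llvm\n"
    "Fuzz target binary: clang-fuzzer\n"
    "Crash type: ASSERT\n"
)
SAMPLE_DWARFDUMP = SAMPLE_CLANG.replace("clang-fuzzer", "llvm-dwarfdump-fuzzer")
SAMPLE_NO_TARGET = (
    "From: someone@example.invalid\n"
    "Subject: unrelated llvm-bugs traffic\n"
    "\n"
    "This message has no fuzz target line.\n"
)

if __name__ == "__main__":
    for name, sample in [("clang", SAMPLE_CLANG),
                         ("dwarfdump", SAMPLE_DWARFDUMP),
                         ("no-target", SAMPLE_NO_TARGET)]:
        print(f"{name}: target={fuzz_target_of(sample)} route={route(sample)}")
```

A mail client's filter rule would do the same job with a body-contains condition; the script form makes the matching rule explicit and lets it be unit-tested against saved reports before being wired into procmail or a server-side sieve.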