<div dir="ltr">Hi, <br><br>We have several llvm fuzz targets running on OSS-Fuzz, a continuous automated fuzzing service:<div><a href="https://github.com/google/oss-fuzz">https://github.com/google/oss-fuzz</a></div><div><a href="https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf">https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf</a><br></div><div><br>It has reported a few bugs in cxa_demangler, clang, and dwarfdump already, <br>and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer, clang-format-fuzzer, ...)<div><br></div><div>A question to everyone: how do we report these bugs properly?</div><div>OSS-Fuzz files bugs automatically into a separate bug tracker; it cannot file bugs to bugzilla. <br></div><div>By default, the bug reports are private for security reasons, and only those CC-ed explicitly can see them. </div><div><br></div><div>Should we make the bug reports public by default? </div>We can set things differently for the llvm project (llvm, clang, etc) and libcxxabi (demangler):<div><a href="https://github.com/google/oss-fuzz/tree/master/projects/llvm">https://github.com/google/oss-fuzz/tree/master/projects/llvm</a></div><div><a href="https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi">https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi</a></div><div><br></div><div>Should we automatically CC the bugs to any of the llvm mailing lists (e.g. llvm-dev)? <br></div><div>If a bug is CC-ed to a list, everyone will see the bug report summary in e-mail, </div><div>but if the bug remains private the reproducer for the bug will remain private. 
<br><div><br></div><div>Who wants to be CC-ed explicitly?</div><div>(please add yourself to <a href="https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml">https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml</a>)</div><div><br></div><div><div>Examples of bug reports follow. </div><div><br></div><div>Thanks! </div><div><br></div><div>--kcc</div><div><br></div><div><br><div>dwarfdump:<br><br><a href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3216&q=label%3AProj-llvm%20dwarfdump-fuzzer&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary">https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3216&q=label%3AProj-llvm%20dwarfdump-fuzzer&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary</a><br><br>Crash Type: ASSERT<br>Crash Address: <br>Crash State:<br>  result <= UINT32_MAX<br>  llvm::object::WasmObjectFile::parseStartSection<br>  llvm::object::WasmObjectFile::parseSection<br><br>Crash Type: Heap-buffer-overflow READ 1<br>Crash Address: 0x60200000009a<br>Crash State:<br>  llvm::object::WasmObjectFile::parseCustomSection<br>  llvm::object::WasmObjectFile::parseSection<br>  llvm::object::WasmObjectFile::WasmObjectFile<br><br>Crash Type: Heap-buffer-overflow READ 1<br>Crash Address: 0x604000000776<br>Crash State:<br>  llvm::StringMapImpl::LookupBucketFor<br>  std::pair<llvm::StringMapIterator<unsigned int>, bool> llvm::StringMap<unsigned <br>  llvm::DWARFContext::create<br><br>Crash Type: Heap-buffer-overflow READ 4<br>Crash Address: 0x60300000011c<br>Crash State:<br>  llvm::identify_magic<br>  llvm::object::ObjectFile::createObjectFile<br>  _start</div></div><div><br></div><div>clang-fuzzer:</div><div><a 
href="https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm+clang-fuzzer&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids">https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm+clang-fuzzer&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids</a><br></div>Crash Type: Stack-buffer-overflow READ 1<br>Crash Address: 0x7f79e7b71760<br>Crash State:<br>  clang::Lexer::SkipLineComment<br>  clang::Lexer::LexTokenInternal<br>  clang::Lexer::Lex<br><br>Crash Type: Direct-leak<br>Crash Address: <br>Crash State:<br>  clang::Parser::ParseParameterDeclarationClause<br>  clang::Parser::ParseFunctionDeclarator<br>  clang::Parser::ParseDirectDeclarator<br>  <br><br>Crash Type: Stack-overflow<br>Crash Address: 0x7ffc78d69f48<br>Crash State:<br>  clang::StmtVisitorBase<clang::make_const_ptr, IntExprEvaluator, bool>::Visit<br>  Evaluate<br>  IntExprEvaluator::VisitBinaryOperator<br><br>Crash Type: ASSERT<br>Crash Address: <br>Crash State:<br>  !Prev.isAmbiguous() && "Cannot have an ambiguity in previous-declaration lookup"<br>  DiagnoseInvalidRedeclaration<br>  clang::Sema::ActOnFunctionDeclarator<br><br><br>cxa_demangler:<br><br><a href="https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm_libcxxabi&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids">https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm_libcxxabi&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids</a><div><br></div><div><br>Crash Type: Heap-buffer-overflow READ 8<br>Crash Address: 0x619000000078<br>Crash State:<br>  __cxxabiv1::parse_encoding<br>  __cxxabiv1::demangle<br>  __cxa_demangle</div></div></div></div></div>
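The cxa_demangler crash above is a heap over-read inside the demangler. The following is an added illustration of how a libFuzzer target for `__cxa_demangle` is typically shaped so that AddressSanitizer catches exactly that class of bug; it is example code written for this page, not the fuzz target from the llvm or OSS-Fuzz repositories, and the helper names (`DemangleBytes`, `DemangleStatus`) are this example's own.

```cpp
#include <cxxabi.h>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <string>

// Copy the fuzzer input into an exactly-sized, heap-allocated, NUL-terminated
// buffer before demangling. Heap allocation is deliberate: under
// AddressSanitizer a read past the terminator (the pattern behind the
// parse_encoding heap-buffer-overflow reported above) is flagged at the
// exact byte instead of silently reading whatever memory follows.
// Hypothetical helper name, not from the original page.
static std::string DemangleBytes(const uint8_t *data, size_t size, int *status) {
  char *buf = static_cast<char *>(std::malloc(size + 1));
  if (!buf) {
    *status = -1;  // same convention __cxa_demangle uses for allocation failure
    return "";
  }
  std::memcpy(buf, data, size);
  buf[size] = '\0';

  // Let the demangler allocate its own output buffer (NULL buffer/length).
  char *out = abi::__cxa_demangle(buf, nullptr, nullptr, status);
  std::string result = out ? out : "";
  std::free(out);
  std::free(buf);
  return result;
}

// Wrapper for callers holding a string; returns the demangled name (empty on
// failure) and reports the __cxa_demangle status through *status.
std::string DemangleStatus(const std::string &mangled, int *status) {
  return DemangleBytes(reinterpret_cast<const uint8_t *>(mangled.data()),
                       mangled.size(), status);
}

// libFuzzer entry point: OSS-Fuzz invokes this once per generated input.
// Returning 0 always; the sanitizers, not the return value, report bugs.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  int status = 0;
  DemangleBytes(data, size, &status);
  return 0;
}
```

Built with `-fsanitize=fuzzer,address`, the target runs stand-alone under libFuzzer; without libFuzzer the helpers can still be called directly, as the checks below do.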