<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 29, 2017 at 4:13 PM, Justin Bogner <span dir="ltr"><<a href="mailto:mail@justinbogner.com" target="_blank">mail@justinbogner.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">Kostya Serebryany <<a href="mailto:kcc@google.com">kcc@google.com</a>> writes:<br>
> Hi,<br>
><br>
> We have several llvm fuzz targets running on OSS-Fuzz, a continuous<br>
> automated fuzzing service:<br>
> <a href="https://github.com/google/oss-fuzz" rel="noreferrer" target="_blank">https://github.com/google/oss-fuzz</a><br>
> <a href="https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf" rel="noreferrer" target="_blank">https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf</a><br>
><br>
> It has reported a few bugs in cxa_demangler, clang, and dwarfdump already,<br>
> and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,<br>
> clang-format-fuzzer, ...)<br>
><br>
> A question to everyone: how do we report these bugs properly?<br>
> OSS-Fuzz files bugs automatically into a separate bug tracker, it can not<br>
> file bugs to bugzilla.<br>
> By default, the bug reports are private for security reasons, and only<br>
> those CC-ed explicitly can see them.<br>
><br>
> Should we make the bug reports public by default?<br>
> We can set things differently for the llvm project (llvm, clang, etc) and<br>
> libcxxabi (demangler):<br>
> <a href="https://github.com/google/oss-fuzz/tree/master/projects/llvm" rel="noreferrer" target="_blank">https://github.com/google/oss-fuzz/tree/master/projects/llvm</a><br>
> <a href="https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi" rel="noreferrer" target="_blank">https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi</a><br>
<br>
</span>At least some of these should probably just be public by default. Things<br>
like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security<br>
bugs, so I wouldn't expect them to find stuff that falls under the<br>
responsible disclosure umbrella.<br></blockquote><div><br></div><div>So, how about making all LLVM bugs public by default and leaving cxa_demangler bugs private?</div><div>(I can't make it finer-grained, see below)</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
This should be thought about on a case by case basis, of course.<br>
<span class="gmail-"><br>
> Should we automatically CC the bugs to any of the llvm mailing lists (e.g.<br>
> llvm-dev)?<br>
<br>
</span>Perhaps we could CC them to llvm-bugs? That's the same list that new<br>
bugzilla bugs are announced to.<br></blockquote><div><br></div><div>Ah, good idea. </div><div>Unless someone objects I'll add llvm-bugs to the spam^W list :) </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span class="gmail-"><br>
> If a bug is CC-ed to a list, everyone will see the bug report summary in<br>
> e-mail,<br>
> but if the bug remains private the reproducer for the bug will remain<br>
> private.<br>
><br>
> Who wants to be CC-ed explicitly?<br>
> (please add yourself to<br>
> <a href="https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml" rel="noreferrer" target="_blank">https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml</a>)<br>
<br>
</span>Can this be set up to CC per-fuzz-target or so? I'm sure some people are<br>
interested in, say, clang, but not necessarily cxa_demangler, or<br>
vice-versa.<br></blockquote><div><br></div><div>Sadly, no. </div><div><br></div><div>We can distinguish llvm_cxxabi (cxa_demangler) from everything else because these are currently two independent projects on oss-fuzz. </div><div>Making it finer-grained would require setting up separate oss-fuzz projects which is harder to maintain and would not be welcome on oss-fuzz side. </div><div>The automatic e-mails announce the fuzz target's name, so filters will be easy to set up. </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
> Examples of bug reports follow.<br>
><br>
> Thanks!<br>
><br>
> --kcc<br>
><br>
><br>
> dwarfdump:<br>
><br>
> <a href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3216&q=label%3AProj-llvm%20dwarfdump-fuzzer&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary" rel="noreferrer" target="_blank">https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3216&q=label%3AProj-llvm%20dwarfdump-fuzzer&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary</a><br>
><br>
> Crash Type: ASSERT<br>
> Crash Address:<br>
> Crash State:<br>
> result <= UINT32_MAX<br>
> llvm::object::WasmObjectFile::parseStartSection<br>
> llvm::object::WasmObjectFile::parseSection<br>
><br>
> Crash Type: Heap-buffer-overflow READ 1<br>
> Crash Address: 0x60200000009a<br>
> Crash State:<br>
> llvm::object::WasmObjectFile::parseCustomSection<br>
> llvm::object::WasmObjectFile::parseSection<br>
> llvm::object::WasmObjectFile::WasmObjectFile<br>
><br>
> Crash Type: Heap-buffer-overflow READ 1<br>
> Crash Address: 0x604000000776<br>
> Crash State:<br>
> llvm::StringMapImpl::LookupBucketFor<br>
> std::pair<llvm::StringMapIterator<unsigned int>, bool><br>
> llvm::StringMap<unsigned<br>
> llvm::DWARFContext::create<br>
><br>
> Crash Type: Heap-buffer-overflow READ 4<br>
> Crash Address: 0x60300000011c<br>
> Crash State:<br>
> llvm::identify_magic<br>
> llvm::object::ObjectFile::createObjectFile<br>
> _start<br>
><br>
> clang-fuzzer:<br>
> <a href="https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm+clang-fuzzer&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids" rel="noreferrer" target="_blank">https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm+clang-fuzzer&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids</a><br>
> Crash Type: Stack-buffer-overflow READ 1<br>
> Crash Address: 0x7f79e7b71760<br>
> Crash State:<br>
> clang::Lexer::SkipLineComment<br>
> clang::Lexer::LexTokenInternal<br>
> clang::Lexer::Lex<br>
><br>
> Crash Type: Direct-leak<br>
> Crash Address:<br>
> Crash State:<br>
> clang::Parser::ParseParameterDeclarationClause<br>
> clang::Parser::ParseFunctionDeclarator<br>
> clang::Parser::ParseDirectDeclarator<br>
><br>
><br>
> Crash Type: Stack-overflow<br>
> Crash Address: 0x7ffc78d69f48<br>
> Crash State:<br>
> clang::StmtVisitorBase<clang::make_const_ptr, IntExprEvaluator,<br>
> bool>::Visit<br>
> Evaluate<br>
> IntExprEvaluator::VisitBinaryOperator<br>
><br>
> Crash Type: ASSERT<br>
> Crash Address:<br>
> Crash State:<br>
> !Prev.isAmbiguous() && "Cannot have an ambiguity in previous-declaration<br>
> lookup"<br>
> DiagnoseInvalidRedeclaration<br>
> clang::Sema::ActOnFunctionDeclarator<br>
><br>
><br>
> cxa_demangler:<br>
><br>
> <a href="https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm_libcxxabi&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids" rel="noreferrer" target="_blank">https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=label%3AProj-llvm_libcxxabi&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids</a><br>
><br>
><br>
> Crash Type: Heap-buffer-overflow READ 8<br>
> Crash Address: 0x619000000078<br>
> Crash State:<br>
> __cxxabiv1::parse_encoding<br>
> __cxxabiv1::demangle<br>
> __cxa_demangle<br>
</div></div></blockquote></div><br></div></div>