<div dir="ltr">Bugs found by oss-fuzz in llvm are now public: <div><a href="https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm">https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm</a><div>(and the new ones will be public too). </div>I've also added <a href="mailto:llvm-bugs@lists.llvm.org">llvm-bugs@lists.llvm.org</a> to the list of e-mail recipients:<div><a href="https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml">https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml</a> </div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 29, 2017 at 4:27 PM, Justin Bogner <span dir="ltr"><<a href="mailto:mail@justinbogner.com" target="_blank">mail@justinbogner.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">Kostya Serebryany <<a href="mailto:kcc@google.com">kcc@google.com</a>> writes:<br>
> On Tue, Aug 29, 2017 at 4:13 PM, Justin Bogner <<a href="mailto:mail@justinbogner.com">mail@justinbogner.com</a>><br>
> wrote:<br>
><br>
>> Kostya Serebryany <<a href="mailto:kcc@google.com">kcc@google.com</a>> writes:<br>
>> > Hi,<br>
>> ><br>
>> > We have several llvm fuzz targets running on OSS-Fuzz, a continuous<br>
>> > automated fuzzing service:<br>
>> > <a href="https://github.com/google/oss-fuzz" rel="noreferrer" target="_blank">https://github.com/google/oss-fuzz</a><br>
>> > <a href="https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf" rel="noreferrer" target="_blank">https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf</a><br>
>> ><br>
>> > It has reported a few bugs in cxa_demangler, clang, and dwarfdump<br>
>> already,<br>
>> > and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,<br>
>> > clang-format-fuzzer, ...)<br>
>> ><br>
>> > A question to everyone: how do we report these bugs properly?<br>
>> > OSS-Fuzz files bugs automatically into a separate bug tracker, it can not<br>
>> > file bugs to bugzilla.<br>
>> > By default, the bug reports are private for security reasons, and only<br>
>> > those CC-ed explicitly can see them.<br>
>> ><br>
>> > Should we make the bug reports public by default?<br>
>> > We can set things differently for the llvm project (llvm, clang, etc)<br>
>> and<br>
>> > libcxxabi (demangler):<br>
>> > <a href="https://github.com/google/oss-fuzz/tree/master/projects/llvm" rel="noreferrer" target="_blank">https://github.com/google/oss-fuzz/tree/master/projects/llvm</a><br>
>> > <a href="https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi" rel="noreferrer" target="_blank">https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi</a><br>
>><br>
>> At least some of these should probably just be public by default. Things<br>
>> like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security<br>
>> bugs, so I wouldn't expect them to find stuff that falls under the<br>
>> responsible disclosure umbrella.<br>
>><br>
><br>
> So, how about making all LLVM bugs public by default and leaving<br>
> cxa_demangler bugs private?<br>
> (I can't make it finer-grained, see below)<br>
<br>
</div></div>This sounds good to me.<br>
<div><div class="h5"><br>
>><br>
>> This should be thought about on a case by case basis, of course.<br>
>><br>
>> > Should we automatically CC the bugs to any of the llvm mailing lists<br>
>> (e.g.<br>
>> > llvm-dev)?<br>
>><br>
>> Perhaps we could CC them to llvm-bugs? That's the same list that new<br>
>> bugzilla bugs are announced to.<br>
>><br>
><br>
> Ah, good idea.<br>
> Unless someone objects I'll add llvm-bugs to the spam^W list :)<br>
><br>
>><br>
>> > If a bug is CC-ed to a list, everyone will see the bug report summary in<br>
>> > e-mail,<br>
>> > but if the bug remains private the reproducer for the bug will remain<br>
>> > private.<br>
>> ><br>
>> > Who wants to be CC-ed explicitly?<br>
>> > (please add yourself to<br>
>> > <a href="https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml" rel="noreferrer" target="_blank">https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml</a>)<br>
>><br>
>> Can this be set up to CC per-fuzz-target or so? I'm sure some people are<br>
>> interested in, say, clang, but not necessarily cxa_demangler, or<br>
>> vice-versa.<br>
>><br>
><br>
> Sadly, no.<br>
><br>
> We can distinguish llvm_cxxabi (cxa_demangler) from everything else because<br>
> these are currently two independent projects on oss-fuzz.<br>
> Making it finer-grained would require setting up separate oss-fuzz projects<br>
> which is harder to maintain and would not be welcome on oss-fuzz side.<br>
> The automatic e-mails announce the fuzz target's name, so filters will be<br>
> easy to set up.<br>
<br>
</div></div>Fair enough.<br>
</blockquote></div><br></div>