[llvm-dev] how to auto-report LLVM bugs found by fuzzing?
Justin Bogner via llvm-dev
llvm-dev at lists.llvm.org
Tue Aug 29 16:27:53 PDT 2017
Kostya Serebryany <kcc at google.com> writes:
> On Tue, Aug 29, 2017 at 4:13 PM, Justin Bogner <mail at justinbogner.com>
> wrote:
>
>> Kostya Serebryany <kcc at google.com> writes:
>> > Hi,
>> >
>> > We have several llvm fuzz targets running on OSS-Fuzz, a continuous
>> > automated fuzzing service:
>> > https://github.com/google/oss-fuzz
>> > https://www.usenix.org/sites/default/files/conference/protected-files/
>> usenixsecurity17_slides_serebryany.pdf
>> >
>> > It has reported a few bugs in cxa_demangler, clang, and dwarfdump
>> already,
>> > and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,
>> > clang-format-fuzzer, ...)
>> >
>> > A question to everyone: how do we report these bugs properly?
>> > OSS-Fuzz files bugs automatically into a separate bug tracker, it can not
>> > file bugs to bugzilla.
>> > By default, the bug reports are private for security reasons, and only
>> > those CC-ed explicitly can see them.
>> >
>> > Should we make the bug reports public by default?
>> > We can set things differently for the llvm project (llvm, clang, etc)
>> and
>> > libcxxabi (demangler):
>> > https://github.com/google/oss-fuzz/tree/master/projects/llvm
>> > https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi
>>
>> At least some of these should probably just be public by default. Things
>> like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security
>> bugs, so I wouldn't expect them to find stuff that falls under the
>> responsible disclosure umbrella.
>>
>
> So, how about making all LLVM bugs public by default and leaving
> cxa_demangler bugs private?
> (I can't make it finer-grained, see below)
This sounds good to me.
>>
>> This should be thought about on a case by case basis, of course.
>>
>> > Should we automatically CC the bugs to any of the llvm maliing lists
>> (e.g.
>> > llvm-dev)?
>>
>> Perhaps we could CC them to llvm-bugs? That's the same list that new
>> bugzilla bugs are announced to.
>>
>
> Ah, good idea.
> Unless someone objects I'll add llvm-bugs to the spam^W list :)
>
>>
>> > If a bug is CC-ed to a list, everyone will see the bug report summary in
>> > e-mail,
>> > but if the bug remains private the reproducer for the bug will remain
>> > private.
>> >
>> > Who wants to be CC-ed explicitly?
>> > (please add yourself to
>> > https://github.com/google/oss-fuzz/blob/master/projects/
>> llvm/project.yaml)
>>
>> Can this be set up to CC per-fuzz-target or so? I'm sure some people are
>> interested in, say, clang, but not necessarily cxa_demangler, or
>> vice-versa.
>>
>
> Sadly, no.
>
> We can distinguish llvm_cxxabi (cxa_demangler) from everything else because
> these are currently two independent projects on oss-fuzz.
> Making it finer-grained would require setting up separate oss-fuzz projects
> which is harder to maintain and would not be welcome on oss-fuzz side.
> The automatic e-mails announce the fuzz target's name, so filters will be
> easy to set up.
Fair enough.
More information about the llvm-dev
mailing list