[llvm-dev] how to auto-report LLVM bugs found by fuzzing?

Wed Aug 30 16:54:45 PDT 2017

Bugs found by oss-fuzz in llvm are now public:
https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm
(and the new ones will be public too).
I've also added llvm-bugs at lists.llvm.org to the list of e-mail recipients:
https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml

On Tue, Aug 29, 2017 at 4:27 PM, Justin Bogner <mail at justinbogner.com>
wrote:

> Kostya Serebryany <kcc at google.com> writes:
> > On Tue, Aug 29, 2017 at 4:13 PM, Justin Bogner <mail at justinbogner.com>
> > wrote:
> >
> >> Kostya Serebryany <kcc at google.com> writes:
> >> > Hi,
> >> >
> >> > We have several llvm fuzz targets running on OSS-Fuzz, a continuous
> >> > automated fuzzing service:
> >> > https://github.com/google/oss-fuzz
> >> > https://www.usenix.org/sites/default/files/conference/
> protected-files/
> >> usenixsecurity17_slides_serebryany.pdf
> >> >
> >> > It has reported a few bugs in cxa_demangler, clang, and dwarfdump
> >> already,
> >> > and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,
> >> > clang-format-fuzzer, ...)
> >> >
> >> > A question to everyone: how do we report these bugs properly?
> >> > OSS-Fuzz files bugs automatically into a separate bug tracker, it can
> not
> >> > file bugs to bugzilla.
> >> > By default, the bug reports are private for security reasons, and only
> >> > those CC-ed explicitly can see them.
> >> >
> >> > Should we make the bug reports public by default?
> >> > We can set things differently for the llvm project (llvm, clang, etc)
> >> and
> >> > libcxxabi (demangler):
> >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm
> >> > https://github.com/google/oss-fuzz/tree/master/projects/
> llvm_libcxxabi
> >>
> >> At least some of these should probably just be public by default. Things
> >> like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security
> >> bugs, so I wouldn't expect them to find stuff that falls under the
> >> responsible disclosure umbrella.
> >>
> >
> > So, how about making all LLVM bugs public by default and leaving
> > cxa_demangler bugs private?
> > (I can't make it finer-grained, see below)
>
> This sounds good to me.
>
> >>
> >> This should be thought about on a case by case basis, of course.
> >>
> >> > Should we automatically CC the bugs to any of the llvm maliing lists
> >> (e.g.
> >> > llvm-dev)?
> >>
> >> Perhaps we could CC them to llvm-bugs? That's the same list that new
> >> bugzilla bugs are announced to.
> >>
> >
> > Ah, good idea.
> > Unless someone objects I'll add llvm-bugs to the spam^W list :)
> >
> >>
> >> > If a bug is CC-ed to a list, everyone will see the bug report summary
> in
> >> > e-mail,
> >> > but if the bug remains private the reproducer for the bug will remain
> >> > private.
> >> >
> >> > Who wants to be CC-ed explicitly?
> >> > (please add yourself to
> >> > https://github.com/google/oss-fuzz/blob/master/projects/
> >> llvm/project.yaml)
> >>
> >> Can this be set up to CC per-fuzz-target or so? I'm sure some people are
> >> interested in, say, clang, but not necessarily cxa_demangler, or
> >> vice-versa.
> >>
> >
> > Sadly, no.
> >
> > We can distinguish llvm_cxxabi (cxa_demangler) from everything else
> because
> > these are currently two independent projects on oss-fuzz.
> > Making it finer-grained would require setting up separate oss-fuzz
> projects
> > which is harder to maintain and would not be welcome on oss-fuzz side.
> > The automatic e-mails announce the fuzz target's name, so filters will be
> > easy to set up.
>
> Fair enough.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20170830/c9dafff0/attachment-0001.html>