[llvm-dev] how to auto-report LLVM bugs found by fuzzing?

Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Tue Oct 10 18:09:03 PDT 2017


Or maybe we want to change the subjects indeed...
Filed https://github.com/google/oss-fuzz/issues/883 for discussion.

On Tue, Oct 10, 2017 at 12:54 PM, Kostya Serebryany <kcc at google.com> wrote:

>
>
> On Tue, Oct 10, 2017 at 12:48 PM, Richard Smith <richard at metafoo.co.uk>
> wrote:
>
>> Is it possible to put different tags in the subject line for the LLVM /
>> Clang / clang-format fuzz targets, so that mail filters can identify the
>> ones of interest?
>>
>
> In subject -- probably not easy (at least not desirable -- some target
> names are pretty long).
> Can you filter by the message contents? ("Fuzz target binary: clang-fuzzer")
>
>
>>
>> On 8 September 2017 at 13:01, Kostya Serebryany via llvm-dev <
>> llvm-dev at lists.llvm.org> wrote:
>>
>>>
>>>
>>> On Wed, Aug 30, 2017 at 4:54 PM, Kostya Serebryany <kcc at google.com>
>>> wrote:
>>>
>>>> Bugs found by oss-fuzz in llvm are now public:
>>>> https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm
>>>> (and the new ones will be public too).
>>>> I've also added llvm-bugs at lists.llvm.org to the list of e-mail
>>>> recipients:
>>>> https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml
>>>>
>>>
>>> .. and now mailing to llvm-bugs actually works:
>>> http://lists.llvm.org/pipermail/llvm-bugs/2017-September/058151.html
>>> http://lists.llvm.org/pipermail/llvm-bugs/2017-September/058152.html
>>>
>>>
>>>
>>>>
>>>> On Tue, Aug 29, 2017 at 4:27 PM, Justin Bogner <mail at justinbogner.com>
>>>> wrote:
>>>>
>>>>> Kostya Serebryany <kcc at google.com> writes:
>>>>> > On Tue, Aug 29, 2017 at 4:13 PM, Justin Bogner <mail at justinbogner.com>
>>>>> > wrote:
>>>>> >
>>>>> >> Kostya Serebryany <kcc at google.com> writes:
>>>>> >> > Hi,
>>>>> >> >
>>>>> >> > We have several llvm fuzz targets running on OSS-Fuzz, a continuous
>>>>> >> > automated fuzzing service:
>>>>> >> > https://github.com/google/oss-fuzz
>>>>> >> > https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf
>>>>> >> >
>>>>> >> > It has reported a few bugs in cxa_demangler, clang, and dwarfdump already,
>>>>> >> > and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,
>>>>> >> > clang-format-fuzzer, ...)
>>>>> >> >
>>>>> >> > A question to everyone: how do we report these bugs properly?
>>>>> >> > OSS-Fuzz files bugs automatically into a separate bug tracker, it cannot
>>>>> >> > file bugs to bugzilla.
>>>>> >> > By default, the bug reports are private for security reasons, and only
>>>>> >> > those CC-ed explicitly can see them.
>>>>> >> >
>>>>> >> > Should we make the bug reports public by default?
>>>>> >> > We can set things differently for the llvm project (llvm, clang, etc)
>>>>> >> > and libcxxabi (demangler):
>>>>> >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm
>>>>> >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi
>>>>> >>
>>>>> >> At least some of these should probably just be public by default. Things
>>>>> >> like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security
>>>>> >> bugs, so I wouldn't expect them to find stuff that falls under the
>>>>> >> responsible disclosure umbrella.
>>>>> >>
>>>>> >
>>>>> > So, how about making all LLVM bugs public by default and leaving
>>>>> > cxa_demangler bugs private?
>>>>> > (I can't make it finer-grained, see below)
>>>>>
>>>>> This sounds good to me.
>>>>>
>>>>> >>
>>>>> >> This should be thought about on a case by case basis, of course.
>>>>> >>
>>>>> >> > Should we automatically CC the bugs to any of the llvm mailing lists
>>>>> >> > (e.g. llvm-dev)?
>>>>> >>
>>>>> >> Perhaps we could CC them to llvm-bugs? That's the same list that new
>>>>> >> bugzilla bugs are announced to.
>>>>> >>
>>>>> >
>>>>> > Ah, good idea.
>>>>> > Unless someone objects I'll add llvm-bugs to the spam^W list :)
>>>>> >
>>>>> >>
>>>>> >> > If a bug is CC-ed to a list, everyone will see the bug report summary in
>>>>> >> > e-mail,
>>>>> >> > but if the bug remains private the reproducer for the bug will remain
>>>>> >> > private.
>>>>> >> >
>>>>> >> > Who wants to be CC-ed explicitly?
>>>>> >> > (please add yourself to
>>>>> >> > https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml)
>>>>> >>
>>>>> >> Can this be set up to CC per-fuzz-target or so? I'm sure some people are
>>>>> >> interested in, say, clang, but not necessarily cxa_demangler, or
>>>>> >> vice-versa.
>>>>> >>
>>>>> >
>>>>> > Sadly, no.
>>>>> >
>>>>> > We can distinguish llvm_cxxabi (cxa_demangler) from everything else because
>>>>> > these are currently two independent projects on oss-fuzz.
>>>>> > Making it finer-grained would require setting up separate oss-fuzz projects
>>>>> > which is harder to maintain and would not be welcome on oss-fuzz side.
>>>>> > The automatic e-mails announce the fuzz target's name, so filters will be
>>>>> > easy to set up.
>>>>>
>>>>> Fair enough.
>>>>>
>>>>
>>>>
>>>
>>> _______________________________________________
>>> LLVM Developers mailing list
>>> llvm-dev at lists.llvm.org
>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>>>
>>>
>>
>
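The thread settles on filtering the automatic OSS-Fuzz mails by body content rather than by subject, keyed on the "Fuzz target binary:" line. The script below is an added illustration of such a filter; it is not code from the thread or from the OSS-Fuzz project. It assumes only that the report body carries "Fuzz target binary: <name>" as the thread states; the other field names, the sample messages, the placeholder report URL, and the owner routing table are constructed for the example. Lines quoted with ">" in a reply are deliberately ignored so that a quoted copy of a report cannot re-route the reply.

```python
"""Route OSS-Fuzz bug-report e-mails by the fuzz target named in the body."""
import re
from typing import Dict, Optional

# Matches one plain-text "Key: value" line at the start of a line. Quoted lines
# ("> Key: value") do not match, so quoted reports inside replies are skipped.
_FIELD_RE = re.compile(
    r"^(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<value>.+?)\s*$", re.MULTILINE
)

# Hypothetical routing table: fuzz-target name prefix -> owner label.
# The longest matching prefix wins, so "clang-format-fuzzer" is not "clang".
ROUTES: Dict[str, str] = {
    "clang-format": "clang-format",
    "clang": "clang",
    "llvm-isel": "llvm-codegen",
    "llvm-dwarfdump": "llvm-debuginfo",
    "cxa_demangler": "libcxxabi",
}

# Constructed sample report body; the URL is a placeholder, not a real key.
SAMPLE_REPORT = """\
Detailed report: https://oss-fuzz.example/testcase?key=PLACEHOLDER
Project: llvm
Fuzz target binary: clang-fuzzer
Job Type: libfuzzer_asan_llvm
Crash Type: Stack-overflow
"""

# Constructed reply that quotes a report; it must not be routed as a report.
SAMPLE_REPLY = """\
Looks like a duplicate of the earlier clang-format crash.

> Project: llvm
> Fuzz target binary: clang-format-fuzzer
"""


def parse_report(body: str) -> Dict[str, str]:
    """Collect unquoted 'Key: value' lines; the first occurrence of a key wins."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(body):
        key = m.group("key").strip().lower()
        fields.setdefault(key, m.group("value"))
    return fields


def fuzz_target(body: str) -> Optional[str]:
    """Return the fuzz target name announced in the body, or None if absent."""
    return parse_report(body).get("fuzz target binary")


def route(body: str, routes: Dict[str, str] = ROUTES) -> str:
    """Map a message to an owner label by longest matching target prefix.

    Messages with no target line, and targets not in the table, go to
    'triage' so that a filter never silently drops a report.
    """
    target = fuzz_target(body)
    if target is None:
        return "triage"
    best = max((p for p in routes if target.startswith(p)), key=len, default=None)
    return routes[best] if best is not None else "triage"


if __name__ == "__main__":
    for name, body in (("report", SAMPLE_REPORT), ("reply", SAMPLE_REPLY)):
        print(f"{name}: target={fuzz_target(body)!r} -> {route(body)}")
```

A real mail filter would feed the message body from stdin or an MDA hook into `route()` and act on the label; the example keeps the decision logic separate from delivery so it can be tested on stored messages.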