https://reviews.llvm.org/rL285135 adds standalone main
Reproduce command should link with that one instead of full libfuzzer.

So that regression ranges for older testcases will work again.

http://www.grpc.io/

libmagic library is used on untrusted files and had a history of CVEs

source: https://github.com/file/file.git
home: http://www.darwinsys.com/file/
fuzzer:

magic_t magic_open(int flags);
const char * magic_buffer(magic_t cookie, const void *buffer, size_t length);
void magic_close(magic_t cookie);

build.sh for an out-of-free fuzzer does:

$CXX $CXXFLAGS /src/oss-fuzz/mylib/my_fuzzer.cc -o ...

https://github.com/google/oss-fuzz/blob/master/docs/new_library.md#testing-locally suggests to test locally with:

$ python scripts/helper.py build_fuzzers $LIB_NAME

This fails because my fuzzer is not committed to oss-fuzz yet:

clang-4.0: error: no such file or directory: '/src/oss-fuzz/mylib/my_fuzzer.cc'

To test I need to commit. To commit I need to test.

Created a fuzzer following https://github.com/google/oss-fuzz/blob/master/docs/new_library.md
#18
Docs claim that options and dictionary will be picked up. This does not happen:

$ sudo python scripts/helper.py run_fuzzer $LIB_NAME curl_fuzzer
Running: docker run -i -v /usr/local/google/home/dvyukov/src/oss-fuzz/build/out:/out -t ossfuzz/libfuzzer-runner /out/curl/curl_fuzzer
INFO: Seed: 2376061953
INFO: Loaded 0 modules (0 guards): 
INFO: -max_len is not provided, using 64

--depth 1 --shallow-submodules

https://twitter.com/scarybeasts/status/800838966878478336

https://twitter.com/hanno/status/801001207678599169

https://twitter.com/hanno/status/801020713788473344

@mikea The git entries in the Jenkinsfiles are no longer used right? We should remove them if that's the case.

(I'm looking at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=72)

The fields there are too ClusterFuzz specific. They should be:

Target: libchewing
Fuzzer: chewing_fuzzer
Sanitizer: asan

See curl/fuzzer.cc in https://github.com/google/oss-fuzz/pull/18/files

I would like to create a bunch of fuzzers for curl: http, http2, ftp, imap, ftp, pop3, etc. They could share build.sh, Dockerfile, Jenkins, and most of the fuzzer code. Though, they may need different dictionaries. Currently I need to throw in a dozen of top level directories with lots of copy-pasted code. It would be nice if I could create a dozen of fuzzers in the same dir sharing most of the code.

Code for cluster is in infra/jenkins-cluster

Jenkins can build our images using the cluster definition.

We can not run those images with mounted directories. It is not possible to know exact physical location to send to docker daemon from within the container. Further investigation is needed

Otherwise all abort() and assert() failures of different projects will be grouped into single one.

https://github.com/google/libfuzzer-bot/tree/master/dockerfiles/libarchive

https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md

Dockerfile location should come from target.yaml file (#89)

MSan finds lots of interesting bugs, but setting it up is tricky: all dependencies of the target have to be built with msan.

Let me use this issue as a laundry list for small improvements.

• Change the scripts and the docs to use /work/libFuzzer.a instead of /work/libfuzzer/*.o. Not that it will have any different result, but this is the way we document it in libFuzzer docs.
• Document what to do with non-git (svn, hg, etc)
• Can we use shorter (2-line) copyright headers?
• Why do we have -
  LDFLAGS=-Wl,-whole-archive /usr/local/lib/libc++.a /usr/local/lib/libc++abi.a -Wl,-no-whole-archive?
  It breaks the build for me on pcre2 because LDFLAGS are applied to the command that generates .a files. (maybe, a but in pcre2 build system?)
• docs/new_library.md#checking-in-to-oss-fuzz-repository requires an example, of links to documentation or both. We shouldn't assume the the user is familiar with git workflow
• $ sudo python scripts/helper.py run_fuzzer $LIB_NAME name_of_a_fuzzer in new_library.md.
  I don't think you need sudo

Let's try to support AFL in Q1'17, same way we already to it in Chrome.

build fuzzers with Undefined Behavior Sanitizer

signed-integer-overflow,shift,vptr are good starting configuration.

Should be a different upload binary.

Example: https://clusterfuzz-external.appspot.com/v2/testcase-detail/6470551652532224

Error: failed to open /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzers/libFuzzer/empty/libjpeg-turbo_libjpeg_turbo_fuzzer/afl-testcases. Please use -r if you want to include samples from directories.

We should make recursive search as default as corpuses can have their own subdirectory structure. Thoughts ?

subj..
For example, https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9
would have title "freetype2: Heap-buffer-overflow in cid_parser_new".

I've read the main page and "New Library Guide", but I am still puzzled as to what is the overall workflow and why/when do I want to use it (as an owner of an OSS project).

I've got that I need to do lots of steps and then somebody will run something on some ClusterFuzz.
Who will receive bug reports? Is it me? Or only that somebody? If it's me, then how will I receive them? Is there some kind of dashboard? Can I integrate it with my bug tracker (e.g. github issues or Mantis)? Can I subscribe the project mailing list? Should I subscribe the mailing list straight away? Or start with just me? What is ClusterFuzz? How do bug reports look like? Is it like "your project has a bug" (which would not be too useful)?

All these questions need to be answered on the main page.
I am not sure ClusterFuzz should be mentioned here at all. It is irrelevant for users. And can change in future.
On the other hand, the very first sentence of main page talks about "coverage-guided" and "in-process". That's not the most important piece of information for end users. They probably don't even know what it is. And that can change in future as well (i.e. implementation detail).

• explain that the corpus is stored in GCS
• explain that google-account should be added to the corpus owners
  • can we do it automatically?
• explain how to install gsutil
• explain how to download files.

This looks interesting, but it's not clear to me from the documentation where you can use it. From the looks of the examples, it seems to be only for native libraries, written in C/C++? Is that correct? Would it be possible to add some information about where it is intended to be used to the README?

Replace COV_FLAGS with -fsanitize-coverage=trace-pc-guard.

Easy test:

docker run -ti -e COV_FLAGS="-fsanitize-coverage=trace-pc-guard" ossfuzz/expat test

https://github.com/google/libfuzzer-bot/tree/master/dockerfiles/lcms2

oss-fuzz is going to bring a bunch of new folks to the ClusterFuzz UI. Immediately on looking at a crash I had a handful of questions:

• What does the "REDO" button do?
• Do I need to create an issue for each crash I see?
• How do I go about getting an non-reproducible hang from Fixed: NO to some other state?

Leak detection is disabled because it always gives a false positive.

To reproduce:

docker run -ti -e ASAN_OPTIONS=detect_leaks=1 ossfuzz/expat run expat_parse_fuzzer -runs=100

This will generate lots of leaks like:

Indirect leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x50d000 in operator new(unsigned long) /src/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:82
    #1 0x53fd89 in std::__1::__allocate(unsigned long) /usr/local/bin/../include/c++/v1/new:171:10
    #2 0x53fd89 in std::__1::allocator<unsigned char>::allocate(unsigned long, void const*) /usr/local/bin/../include/c++/v1/memory:1771
    #3 0x53fd89 in std::__1::allocator_traits<std::__1::allocator<unsigned char> >::allocate(std::__1::allocator<unsigned char>&, unsigned long) /usr/local/bin/../include/c++/v1/memory:1526
    #4 0x53fd89 in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::allocate(unsigned long) /usr/local/bin/../include/c++/v1/vector:923
    #5 0x53f2a4 in _ZNSt3__16vectorIhNS_9allocatorIhEEE6assignIPhEENS_9enable_ifIXaasr21__is_forward_iteratorIT_EE5valuesr16is_constructibleIhNS_15iterator_traitsIS7_E9referenceEEE5valueEvE4typeES7_S7_ /usr/local/bin/../include/c++/v1/vector:1403:9
    #6 0x52d096 in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::operator=(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) /usr/local/bin/../include/c++/v1/vector:1348:9
    #7 0x52d096 in fuzzer::InputCorpus::AddToCorpus(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long, bool) /src/libfuzzer/FuzzerCorpus.h:71
    #8 0x583213 in fuzzer::Fuzzer::ShuffleAndMinimize(std::__1::vector<std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >, std::__1::allocator<std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > > >*) /src/libfuzzer/FuzzerLoop.cpp:427:14
    #9 0x52059f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:519:5
    #10 0x5aac38 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #11 0x7f9b61f2982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

go-fuzz is a fuzzer for Go:
https://github.com/dvyukov/go-fuzz

Since oss-fuzz aimed at supporting multiple fuzzers, go-fuzz support should be possible and would be useful.

go-fuzz contains 70 fuzzers for Go std lib and other popular packages but there is no story for continous running:
https://github.com/dvyukov/go-fuzz/tree/master/examples

Linking everything static is a huge pain in the ass.
Case in point.

My dependencies are fontconfig, harfbuzz, fribidi and freetype. In static link I have to list all indirect deps, too, so the list grows a bit: graphite, glib, pcre, z, png, expat. Note that this is internal detail of third party libraries, and may change when the base system is updated.

I also need to install all the -dev packages.

Also, fribidi and graphite packages don't include static libraries. I need to build them from source. More autocrap.

There goes my day, and I have not yet run my 5-line fuzzer once.

The solution is to include shared libraries with the fuzzer. Just put them in the same directory and use RPATH or LD_LIBRARY_PATH. The list of shared libraries can be generated automatically with recursive readelf/ldd walk. Can we support that?

https://github.com/google/libfuzzer-bot/tree/master/dockerfiles/openssl

$FUZZER_LDFLAGS is needed because of clang driver bug: https://llvm.org/bugs/show_bug.cgi?id=30919

Remove the variable once upstream bug is fixed.

I know I always can run docker command explicitly to build any fancy env I want. But I feel helper script should provide better support for common usage.

1. fuzzer developing.
   When developing fuzzer, I may need to modify build script, fuzzer code, and sometimes the library code. In the past, /src is shared, I can run editor outside the docker in one terminal while run build script in another terminal. The development cycle is fast.

   Now the /src is not shared. If I need to modify fuzzer code, I need to either install/setup my editor inside docker (inconvenient) or run full build_fuzzers script (slow).

   If I need to tweak the library code, although I can edit inside the docker, I need to think how to send the diff to outside of docker.

   I don't know what is the best solution. I feel it may be good idea to add --mount DIR option (which add -v $DIR:/mnt to docker command line) to the helper script. Then I can sync my work between inside and outside of docker.

2. debugging support
   I know this doc. It would be great that helper script supports it natively.

https://clusterfuzz-external.appspot.com/fuzzerstats?fuzzer_name=libFuzzer_chewing_fuzzer&job_type=all
chewing_fuzzer seems don't run with data files.

Could you please check the fuzzer and data files are at the same location when it run?
If it run with data files, "cov" should be more than 500 easily and find crashes quickly (much less than 5 minutes).

Example:

target: file
homepage: "http://www.darwinsys.com/file/"
primary_contact: "[email protected]"
cc_emails: 
 - "[email protected]"

How do chrome fuzzer determine the time limit? Could you help adjust the time limit of oss-fuzz's lcms_cms_transform_fuzzer similar to chrome's pdf_codec_icc_fuzzer ? I guess lcms_cms_transform_fuzzer exercise less paths than pdf_codec_icc_fuzzer because its time limit is much shorter.

I have a project I started that uses libFuzzer with CPython -- https://bitbucket.org/ebadf/fuzzpy

I'd love to integrate it with oss-fuzz, I think it would make a good contribution. But it generates the fuzz tests dynamically given test cases defined in Python source. What would be a good way to hook it into oss-fuzz's build system?

Note that as it exists currently it is a monorepo and I'd be willing to decompose it into constituent parts in order to work well with oss-fuzz.

https://github.com/google/oss-fuzz/blob/master/docs/new_library.md#dictionaries-and-custom-libfuzzer-options

Any top-level files in the library directory ending with the extension ".dict" or ".options" will be picked up by ClusterFuzz. Files ending with ".dict" are assumed to be libFuzzer compatible dictionaries, and .options files have the format:

[libfuzzer]
dict = dictionary_name.dict
max_len = 9001

If .dict files are picked up by ClusterFuzz and are assumed to be libFuzzer compatible dictionaries, why do they need to be specified in the config file? Are they picked up iff they are specified in the config? Will they be picked up if I don't specify them in the config?...

python script should specify current user id: docker run --user=<uid>:<gid>

see FFmpeg/FFmpeg@c06d923
This is a meta-target, meaning that from this single C file we can build several dozens fuzz targets
that consume different types of inputs.

RE2 repo has its own fuzz target, we should be using that one.
https://github.com/google/re2/blob/master/re2/fuzzing/re2_fuzzer.cc

Something like following could be useful:
scripts/helper.py get_coverage $LIB_NAME fuzzer

get_coverage:

1. run fuzzer for some time to build corpus
2. run with ASAN_OPTIONS=coverage=1
3. present some report to the user

CVE-2016-1248 : http://seclists.org/oss-sec/2016/q4/506

Looking at fuzzing logs for nss fuzzers, e.g. gs://nss-logs.clusterfuzz-external.appspot.com/libFuzzer_nss_asn1_algorithmid_fuzzer/libfuzzer_asan_nss/2016-11-03/19:13:46:418169.txt

#0	READ units: 1
#1	INITED cov: 5 bits: 5 corp: 1/1b exec/s: 0 rss: 16Mb
#262144	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 87381 rss: 32Mb
#524288	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 87381 rss: 32Mb
#1048576	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 80659 rss: 32Mb
#2097152	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 74898 rss: 32Mb
#4194304	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 74898 rss: 32Mb
#8388608	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 75573 rss: 32Mb
#16777216	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 74565 rss: 32Mb
#33554432	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 72160 rss: 32Mb
#67108864	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 71468 rss: 32Mb
#134217728	pulse  cov: 5 bits: 5 corp: 1/1b exec/s: 71468 rss: 32Mb
#210138166	DONE   cov: 5 bits: 5 corp: 1/1b exec/s: 71209 rss: 32Mb
Done 210138166 runs in 2951 second(s)
stat::number_of_executed_units: 210138166
stat::average_exec_per_sec:     71209
stat::new_units_added:          0
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              32

cov and bits seems to be stuck at 5. This appears to be the case for all other nss fuzzers.

It should be one image for building a library and another image for building a fuzzer.
When I change fuzzer, I don't want to rebuild the library itself.