Hi everybody, the Qt project is now registered in oss-fuzz's list of projects: https://github.com/google/oss-fuzz/tree/master/projects
What I have so far:
- fuzzing Qt with libFuzzer locally
- registered Qt project for oss-fuzz

What I don't have so far:
- setting up build/run on Google's servers
- finding out what kind of dashboard I'll get there

I'll send updates as soon as I know more...

Cheers,
Robert

--
Robert Löhning, Software Engineer - The Qt Company GmbH
The Qt Company GmbH, Rudower Chaussee 13, D-12489 Berlin
Managing directors: Mika Pälsi, Juha Varelius, Mika Harjuaho
Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 144331 B

On 31.08.2018 at 11:24, Robert Löhning wrote:
> Hi everybody,
>
> yes I did. So far I have been working on getting Qt into a better shape
> for fuzzing at all, resulting in [1].
>
> This prepares a Qt build for being fuzz tested with clang's libFuzzer,
> the tool that Google also uses in oss-fuzz. The fuzzer I used for
> testing my setup already found a crash.
>
> What I have so far:
> - fuzzing Qt with libFuzzer locally, using [1]
> - AFAICS collected all the needed "OK"s to enter Qt [2]
>
> What I don't have so far:
> - create the pull request for [2], wanted to do this now-ish
> - Everything that comes after registering the project, like:
>   - setting up build/run on Google's servers
>   - finding out what kind of dashboard I'll get there
>
> I would appreciate if I might use the scripts you posted, Albert, or if
> we could work on this together.
>
> Cheers,
> Robert
>
> [1] https://codereview.qt-project.org/236937/
> [2] https://github.com/google/oss-fuzz/compare/master...rlohning:master
>
> On 30.08.2018 at 21:27, Lars Knoll wrote:
>> Hi Albert,
>>
>> Nice! Robert has been working on exactly the same thing lately. I
>> think it would be good if you guys coordinated the effort :)
>>
>> It would be ideal if we could somehow get those mails forwarded to
>> the security mailing list. I wonder whether we could do that with a
>> special mail account that forwards to the security mailing list.
>>
>> Cheers,
>> Lars
>>
>>> On 30 Aug 2018, at 20:42, Albert Astals Cid via Development
>>> <development@qt-project.org> wrote:
>>>
>>> oss-fuzz is an online fuzzing service run by Google.
>>>
>>> They test the code base daily and run fuzzing over it, maintaining a
>>> list of open and closed bugs.
>>>
>>> As an example you can see one of the poppler issues I fixed at
>>> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382
>>>
>>> Everything is done automatically by a bot, except my "This is fixed
>>> by" comment, but that's just there for historical reasons, it's not
>>> really needed.
>>>
>>> Found bugs are sent to a list of trusted addresses and kept private for
>>> 90 days; if not fixed by then, they become public.
>>>
>>> Fixed bugs become public 30 days after being fixed.
>>>
>>> I have made a qimage fuzzer that uses libpng test files as seed corpus.
>>>
>>> You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz
>>>
>>> Adding support for Qt is "relatively simple", see
>>> https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f
>>>
>>> I made a local test run of the undefined sanitizer and it found
>>> https://paste.kde.org/prkox41mx
>>> in a few seconds, so "it works"
>>>
>>> If you want to test it locally you can do
>>>   python infra/helper.py build_fuzzers --sanitizer undefined qt
>>>   python infra/helper.py run_fuzzer qt qimage_fuzzer
>>> for the undefined sanitizer and
>>>   python infra/helper.py build_fuzzers --sanitizer address qt
>>>   python infra/helper.py run_fuzzer qt qimage_fuzzer
>>>
>>> Unfortunately I have not been able to compile with the memory
>>> sanitizer enabled yet.
>>>
>>> The most important thing before submitting this upstream is changing
>>> the list of trusted addresses the private bugs get sent to.
>>>
>>> To have something written I've used my email address, but I guess at
>>> least I should add eirik.aavitsl...@qt.io (listed as QImage
>>> maintainer) there too? Anyone else?
>>>
>>> I am not sure how the email address thing works, but I think they
>>> need to be "google account" activated, whatever that means, so we
>>> can't use secur...@qt-project.org. On poppler I'm using my @gmail.com
>>> address and not my @kde.org address since it was just easier.
>>>
>>> Comments?
>>>
>>> Cheers,
>>> Albert
>>>
>>> --
>>> Albert Astals Cid | albert.astals....@kdab.com | Software Engineer
>>> Klarälvdalens Datakonsult AB, a KDAB Group company
>>> Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
>>> KDAB - The Qt, C++ and OpenGL Experts
>>>
>>> _______________________________________________
>>> Development mailing list
>>> Development@qt-project.org
>>> http://lists.qt-project.org/mailman/listinfo/development
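The open question in the thread is where the "trusted addresses" that receive private oss-fuzz reports live: they are the `primary_contact` and `auto_ccs` entries of the project's `project.yaml`. The fragment below is an added illustration of that file's shape, not Albert's or Robert's actual entry; the homepage and e-mail addresses are placeholders, and the sanitizer list follows the thread (memory sanitizer left out because that build did not compile yet).

```yaml
# Illustrative projects/qt/project.yaml for oss-fuzz (example, not the real entry)
homepage: "https://example.org/qt-placeholder"   # placeholder: the project's real homepage

# Every address listed here receives the private bug reports while they are
# under embargo, so it must be an address actually linked to a Google account
# (the thread's "google account activated" requirement). Placeholders below.
primary_contact: "qt-fuzzing-owner@example.org"
auto_ccs:
  - "qimage-maintainer@example.org"
  - "second-reviewer@example.org"

# Sanitizer builds oss-fuzz will schedule; 'memory' is intentionally absent
# because the thread reports the MSan build does not compile yet.
sanitizers:
  - address
  - undefined

fuzzing_engines:
  - libfuzzer
```

The 90-day embargo on unfixed bugs and the 30-day delay after a fix are platform-wide oss-fuzz disclosure policy, not something this file sets.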