Kostya Serebryany via llvm-dev
2017-Sep-08 20:01 UTC
[llvm-dev] how to auto-report LLVM bugs found by fuzzing?
On Wed, Aug 30, 2017 at 4:54 PM, Kostya Serebryany <kcc at google.com> wrote:
> Bugs found by oss-fuzz in llvm are now public:
> https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm
> (and the new ones will be public too).
> I've also added llvm-bugs at lists.llvm.org to the list of e-mail recipients:
> https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml
>

.. and now mailing to llvm-bugs actually works:
http://lists.llvm.org/pipermail/llvm-bugs/2017-September/058151.html
http://lists.llvm.org/pipermail/llvm-bugs/2017-September/058152.html

> On Tue, Aug 29, 2017 at 4:27 PM, Justin Bogner <mail at justinbogner.com> wrote:
>
>> Kostya Serebryany <kcc at google.com> writes:
>> > On Tue, Aug 29, 2017 at 4:13 PM, Justin Bogner <mail at justinbogner.com> wrote:
>> >
>> >> Kostya Serebryany <kcc at google.com> writes:
>> >> > Hi,
>> >> >
>> >> > We have several llvm fuzz targets running on OSS-Fuzz, a continuous
>> >> > automated fuzzing service:
>> >> > https://github.com/google/oss-fuzz
>> >> > https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf
>> >> >
>> >> > It has reported a few bugs in cxa_demangler, clang, and dwarfdump already,
>> >> > and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,
>> >> > clang-format-fuzzer, ...)
>> >> >
>> >> > A question to everyone: how do we report these bugs properly?
>> >> > OSS-Fuzz files bugs automatically into a separate bug tracker, it can not
>> >> > file bugs to bugzilla.
>> >> > By default, the bug reports are private for security reasons, and only
>> >> > those CC-ed explicitly can see them.
>> >> >
>> >> > Should we make the bug reports public by default?
>> >> > We can set things differently for the llvm project (llvm, clang, etc) and
>> >> > libcxxabi (demangler):
>> >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm
>> >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi
>> >>
>> >> At least some of these should probably just be public by default. Things
>> >> like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security
>> >> bugs, so I wouldn't expect them to find stuff that falls under the
>> >> responsible disclosure umbrella.
>> >>
>> >
>> > So, how about making all LLVM bugs public by default and leaving
>> > cxa_demangler bugs private?
>> > (I can't make it finer-grained, see below)
>>
>> This sounds good to me.
>>
>> >>
>> >> This should be thought about on a case by case basis, of course.
>> >>
>> >> > Should we automatically CC the bugs to any of the llvm mailing lists (e.g.
>> >> > llvm-dev)?
>> >>
>> >> Perhaps we could CC them to llvm-bugs? That's the same list that new
>> >> bugzilla bugs are announced to.
>> >>
>> >
>> > Ah, good idea.
>> > Unless someone objects I'll add llvm-bugs to the spam^W list :)
>> >
>> >>
>> >> > If a bug is CC-ed to a list, everyone will see the bug report summary in
>> >> > e-mail,
>> >> > but if the bug remains private the reproducer for the bug will remain
>> >> > private.
>> >> >
>> >> > Who wants to be CC-ed explicitly?
>> >> > (please add yourself to
>> >> > https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml)
>> >>
>> >> Can this be set up to CC per-fuzz-target or so? I'm sure some people are
>> >> interested in, say, clang, but not necessarily cxa_demangler, or
>> >> vice-versa.
>> >>
>> >
>> > Sadly, no.
>> >
>> > We can distinguish llvm_cxxabi (cxa_demangler) from everything else because
>> > these are currently two independent projects on oss-fuzz.
>> > Making it finer-grained would require setting up separate oss-fuzz projects
>> > which is harder to maintain and would not be welcome on oss-fuzz side.
>> > The automatic e-mails announce the fuzz target's name, so filters will be
>> > easy to set up.
>>
>> Fair enough.
>>
>
Kostya Serebryany via llvm-dev
2017-Oct-10 19:54 UTC
[llvm-dev] how to auto-report LLVM bugs found by fuzzing?
On Tue, Oct 10, 2017 at 12:48 PM, Richard Smith <richard at metafoo.co.uk> wrote:
> Is it possible to put different tags in the subject line for the LLVM /
> Clang / clang-format fuzz targets, so that mail filters can identify the
> ones of interest?
>

In subject -- probably not easy (at least not desirable -- some target names
are pretty long).
Can you filter by the message contents? ("Fuzz target binary: clang-fuzzer")

> On 8 September 2017 at 13:01, Kostya Serebryany via llvm-dev <llvm-dev at lists.llvm.org> wrote:
>
>> On Wed, Aug 30, 2017 at 4:54 PM, Kostya Serebryany <kcc at google.com> wrote:
>>
>>> Bugs found by oss-fuzz in llvm are now public:
>>> https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm
>>> (and the new ones will be public too).
>>> I've also added llvm-bugs at lists.llvm.org to the list of e-mail recipients:
>>> https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml
>>>
>>
>> .. and now mailing to llvm-bugs actually works:
>> http://lists.llvm.org/pipermail/llvm-bugs/2017-September/058151.html
>> http://lists.llvm.org/pipermail/llvm-bugs/2017-September/058152.html
>>
>>> On Tue, Aug 29, 2017 at 4:27 PM, Justin Bogner <mail at justinbogner.com> wrote:
>>>
>>>> Kostya Serebryany <kcc at google.com> writes:
>>>> > On Tue, Aug 29, 2017 at 4:13 PM, Justin Bogner <mail at justinbogner.com> wrote:
>>>> >
>>>> >> Kostya Serebryany <kcc at google.com> writes:
>>>> >> > Hi,
>>>> >> >
>>>> >> > We have several llvm fuzz targets running on OSS-Fuzz, a continuous
>>>> >> > automated fuzzing service:
>>>> >> > https://github.com/google/oss-fuzz
>>>> >> > https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_serebryany.pdf
>>>> >> >
>>>> >> > It has reported a few bugs in cxa_demangler, clang, and dwarfdump already,
>>>> >> > and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,
>>>> >> > clang-format-fuzzer, ...)
>>>> >> >
>>>> >> > A question to everyone: how do we report these bugs properly?
>>>> >> > OSS-Fuzz files bugs automatically into a separate bug tracker, it can not
>>>> >> > file bugs to bugzilla.
>>>> >> > By default, the bug reports are private for security reasons, and only
>>>> >> > those CC-ed explicitly can see them.
>>>> >> >
>>>> >> > Should we make the bug reports public by default?
>>>> >> > We can set things differently for the llvm project (llvm, clang, etc) and
>>>> >> > libcxxabi (demangler):
>>>> >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm
>>>> >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi
>>>> >>
>>>> >> At least some of these should probably just be public by default. Things
>>>> >> like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security
>>>> >> bugs, so I wouldn't expect them to find stuff that falls under the
>>>> >> responsible disclosure umbrella.
>>>> >>
>>>> >
>>>> > So, how about making all LLVM bugs public by default and leaving
>>>> > cxa_demangler bugs private?
>>>> > (I can't make it finer-grained, see below)
>>>>
>>>> This sounds good to me.
>>>>
>>>> >>
>>>> >> This should be thought about on a case by case basis, of course.
>>>> >>
>>>> >> > Should we automatically CC the bugs to any of the llvm mailing lists (e.g.
>>>> >> > llvm-dev)?
>>>> >>
>>>> >> Perhaps we could CC them to llvm-bugs? That's the same list that new
>>>> >> bugzilla bugs are announced to.
>>>> >>
>>>> >
>>>> > Ah, good idea.
>>>> > Unless someone objects I'll add llvm-bugs to the spam^W list :)
>>>> >
>>>> >>
>>>> >> > If a bug is CC-ed to a list, everyone will see the bug report summary in
>>>> >> > e-mail,
>>>> >> > but if the bug remains private the reproducer for the bug will remain
>>>> >> > private.
>>>> >> >
>>>> >> > Who wants to be CC-ed explicitly?
>>>> >> > (please add yourself to
>>>> >> > https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml)
>>>> >>
>>>> >> Can this be set up to CC per-fuzz-target or so? I'm sure some people are
>>>> >> interested in, say, clang, but not necessarily cxa_demangler, or
>>>> >> vice-versa.
>>>> >>
>>>> >
>>>> > Sadly, no.
>>>> >
>>>> > We can distinguish llvm_cxxabi (cxa_demangler) from everything else because
>>>> > these are currently two independent projects on oss-fuzz.
>>>> > Making it finer-grained would require setting up separate oss-fuzz projects
>>>> > which is harder to maintain and would not be welcome on oss-fuzz side.
>>>> > The automatic e-mails announce the fuzz target's name, so filters will be
>>>> > easy to set up.
>>>>
>>>> Fair enough.
>>>>
>>>
>>
>> _______________________________________________
>> LLVM Developers mailing list
>> llvm-dev at lists.llvm.org
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
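One way to act on the suggestion above (filter on the message body, not the subject), as an added example that is not part of the thread: a small Python filter that reads an OSS-Fuzz notification, pulls the fuzz target from the "Fuzz target binary:" line and maps it to a mailbox label, falling back to a catch-all when the line is missing. The sample mail, its header layout, the label names and the target-to-label table are constructed assumptions; only the "Fuzz target binary: clang-fuzzer" line and the target names come from the thread.

```python
import email
import re
from email.message import Message
from typing import Optional

# Constructed sample of an OSS-Fuzz notification mail. Assumption: the body
# carries a "Fuzz target binary: <name>" line as the thread suggests; the
# subject, addresses, issue number and other fields are invented here.
SAMPLE_MAIL = """\
From: fuzz-bot via llvm-bugs <llvm-bugs@example.invalid>
Subject: Issue 9999 in oss-fuzz: llvm: constructed example report
Content-Type: text/plain; charset=utf-8

Detailed report: https://oss-fuzz.example.invalid/issue/9999
Project: llvm
Fuzz target binary: clang-fuzzer
Job type: libfuzzer_asan_llvm
"""

# Assumed routing table: targets named in the thread -> who cares about them.
TARGET_TO_LABEL = {
    "clang-fuzzer": "clang",
    "clang-format-fuzzer": "clang-format",
    "llvm-isel-fuzzer": "llvm-backend",
    "cxa_demangler_fuzzer": "libcxxabi",
}
FALLBACK_LABEL = "oss-fuzz-other"

_TARGET_RE = re.compile(r"^Fuzz target binary:\s*(\S+)\s*$", re.MULTILINE)


def _plain_text(msg: Message) -> str:
    """Return the first text/plain part (or the whole body of a plain mail)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def fuzz_target_of(raw_mail: str) -> Optional[str]:
    """Extract the fuzz target named in the body, or None if the line is absent."""
    text = _plain_text(email.message_from_string(raw_mail))
    match = _TARGET_RE.search(text)
    return match.group(1) if match else None


def label_for(raw_mail: str) -> str:
    """Choose a mailbox label; unknown or missing targets go to the catch-all."""
    return TARGET_TO_LABEL.get(fuzz_target_of(raw_mail), FALLBACK_LABEL)
```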