OSS-Fuzz coverage improvement #3312
Comments
Thanks... while it's very welcome, I am not sure what to do with this or how to test it, from lws perspective (eg, ./Dockerfile is not something in upstream lws).

The .cpp files (fuzz harnesses) act as glue between your code and the fuzzing engine. They are not OSS-Fuzz specific as they are designed for LibFuzzer and are compatible with most fuzzing engines. Similarly, seed and dictionary files, used by fuzzing engines to generate test cases, are also independent from OSS-Fuzz. This is why OSS-Fuzz maintainers recommend keeping those files in the project's upstream repository. I assume they prefer to keep only OSS-Fuzz code and OSS-Fuzz specific project integration (the Dockerfile and build.sh script) on their side. You can test the fuzz targets locally by building them using the OSS-Fuzz Docker image:

```
$ cd /path/to/oss-fuzz
$ python infra/helper.py build_image libwebsockets
$ python infra/helper.py build_fuzzers --sanitizer address libwebsockets
```

Where /path/to/oss-fuzz is the cloned OSS-Fuzz repository (sanitizers "memory" and "undefined" are also available but won't work with your project as is).

```
$ python infra/helper.py run_fuzzer libwebsockets <fuzz_target>
```

Available fuzz targets are:

The last three are added in the PR. The output will include periodic statistics and status updates displayed on stdout. If the fuzzer detects a crash or hang, the input that triggered it will be saved at /path/to/oss-fuzz/build/out/libwebsockets/. For details, you can refer to the OSS-Fuzz documentation. Alternatively you can build and run the fuzz targets outside of OSS-Fuzz, see LibFuzzer documentation, for example. However if you do this there is no guarantee it will work properly within OSS-Fuzz. I hope this clears things up, let me know if not.
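A small wrapper around the helper.py flow described in the comment above, added here as an example and not part of this thread, libwebsockets or OSS-Fuzz; OSS_FUZZ_DIR, the function names and the sample target names are assumptions. It checks that the requested target binary actually exists in build/out/libwebsockets/ before running it (the mistyped target name discussed later in the thread looks like a failed build otherwise) and lists any crash, timeout, oom or leak artifacts the run left behind.

```shell
#!/bin/sh
# Added example; paths and names are assumptions, adjust OSS_FUZZ_DIR to your checkout.
OSS_FUZZ_DIR="${OSS_FUZZ_DIR:-$HOME/oss-fuzz}"
PROJECT=libwebsockets

# Print the fuzz target binaries in build/out/<project>: executables only,
# skipping seed corpora (.zip), dictionaries (.dict) and .options files.
lws_list_targets() {
    out_dir="$1"
    for f in "$out_dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        case "$f" in *.zip|*.dict|*.options|*.sh) continue ;; esac
        basename "$f"
    done
    return 0
}

# Succeed only if the named target exists; otherwise show what is available.
lws_check_target() {
    out_dir="$1"; target="$2"
    [ -x "$out_dir/$target" ] && return 0
    echo "no such fuzz target '$target'; available targets:" >&2
    lws_list_targets "$out_dir" >&2
    return 1
}

# Print the artifacts libFuzzer saves next to the targets when it finds a bug.
lws_list_artifacts() {
    out_dir="$1"
    for f in "$out_dir"/crash-* "$out_dir"/timeout-* "$out_dir"/oom-* "$out_dir"/leak-*; do
        [ -f "$f" ] && basename "$f"
    done
    return 0
}

# Build with ASan (the comment above notes memory/undefined do not work with
# lws as is), run one target, then report any artifacts.
lws_fuzz() {
    target="$1"; out_dir="$OSS_FUZZ_DIR/build/out/$PROJECT"
    cd "$OSS_FUZZ_DIR" || return 1
    python infra/helper.py build_image "$PROJECT" || return 1
    python infra/helper.py build_fuzzers --sanitizer address "$PROJECT" || return 1
    lws_check_target "$out_dir" "$target" || return 1
    python infra/helper.py run_fuzzer "$PROJECT" "$target"
    echo "artifacts in $out_dir:"; lws_list_artifacts "$out_dir"
}

# Usage: ./lws-fuzz.sh lws_upng_inflate_fuzzer
case "${1:-}" in "") ;; *) lws_fuzz "$1" ;; esac
```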
Thanks for the info. I spent some time trying to build libwebsockets inside this and fuzz it using the flow given here, but it blew chunks when trying to launch the fuzzer
I found some warnings during the build inside oss-fuzz, and pushed two patches on main that should clear them on the assumption that's blocking the fuzzer build. But I was unable to get the build to bring in the changes, I assume it is pinned somewhere to some earlier commit.
The build is not failing. You're having issues because I typed the name of the pre-existing fuzzer wrong... It's lws_upng_inflate_fuzzer, not lws_upng_fuzzer. Sorry about this. No commit is pinned - from the Dockerfile:

```
RUN git clone --depth 1 https://github.com/warmcat/libwebsockets.git
```

8210ccb appears to be empty. e0c312c is taking effect on my side. There is only one warning left, while there were multiple ones previously.

```
/src/libwebsockets//lib/secure-streams/private-lib-secure-streams.h:214:1: warning: empty union has size 0 in C, size 1 in C++ [-Wextern-c-compat]
  214 | union lws_ss_contemp {
      |
```

But that's not stopping the build anyway.
I submitted a PR a few weeks ago that significantly improves the fuzzing coverage of your project, with a focus on parsers. While it occasionally uses internal APIs due to the unconventional nature of this type of testing, I am reasonably confident in its stability as I ran the fuzz targets for an extended period at home and took the time to read the related source code.
Would you be able to review it when you have some time? You can find it here: google/oss-fuzz#12852