OSS-Fuzz - continuous fuzzing for open source software.

OSS-Fuzz: Continuous Fuzzing for Open Source Software

Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of Chrome components, and we now want to share that service with the open source community.

In cooperation with the Core Infrastructure Initiative and the OpenSSF, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.

We support the libFuzzer, AFL++, and Honggfuzz fuzzing engines in combination with Sanitizers, as well as ClusterFuzz, a distributed fuzzer execution environment and reporting tool.

Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other languages supported by LLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds.

Overview

OSS-Fuzz process diagram

Documentation

Read our detailed documentation to learn how to use OSS-Fuzz.

Trophies

As of January 2022, OSS-Fuzz has found over 36,000 bugs in 550 open source projects.

Blog posts

Comments
  • firefox micro-targets

    I'd like to know what Googlers (and Mozillians) think of this.

    There are currently two Firefox projects here: qcms and spidermonkey. Both build stand-alone and are also useful separate from Firefox. Firefox core does however have many more potential targets. I'll give a simple example: the FTP LIST parser. Please take a look.

    For such targets Firefox has a native fuzzing interface, which is integrated into its normal build system, and produces a binary that can be run with the normal libFuzzer flags. (ASAN-only currently.) Quite similar to how spidermonkey seems to be integrated here right now.

    Is this still within the scope of oss-fuzz?

    opened by pdknsk 93
  • Integrate afl++ with OSS-Fuzz, deprecate vanilla afl.

    @jonathanmetzman @lszekeres @inferno-chromium

    The following are variations on how you can run afl++ effectively.

    1. building afl++
    git clone https://github.com/AFLplusplus/AFLplusplus afl++
    cd afl++
    git checkout stable
    make all
    make -C llvm_mode
    make -C examples/aflpp_driver
    

    The last entry builds the libafl driver (see https://github.com/google/fuzzbench/blob/master/fuzzers/aflplusplus/builder.Dockerfile)

    2. building targets: Just use afl-clang-fast. afl-clang-lto is a full step better (faster, auto dictionary) and has a high impact on build time. Plain, or better with two useful options:
    AFL_LLVM_CMPLOG=1     <= cmplog/redqueen, highly effective, not compatible with afl spinoffs
    AFL_LLVM_LAF_ALL=1     <= highly improved laf-intel (floats, non-literal string support, etc.), compatible with afl spinoffs
    

    Note that binary compatibility with afl and spin-offs is limited, as afl++ supports variable map sizes - meaning afl-fuzz and the target choose the correct size and have non-colliding coverage. For some targets the map will be 15k entries, and these are no problem. For a few large targets it can be > 64k and then these binaries cannot be used with others.

    Note that for cmplog you are faster if you compile one version with cmplog and one without. The cmplog version is passed with the -c parameter to afl-fuzz. However, if you do not care to lose a bit of speed, then you can use just a cmplog-compiled one for both.

    3. running targets: The normal havoc mode is improved over afl and better than MOpt, and if it has a cycle without finds then it additionally activates MOpt. So your choices are:
      -L 0   <- MOpt only
      -L -1 <- start with mixed mode
      nothing  <- mixed mode is turned on after a cycle without finds
      AFL_EXPAND_HAVOC_NOW=1  <- don't wait for a cycle without finds to enable advanced havoc mode
    

    And then you can select a schedule. We have 9 schedules and the best are: seek, rare, explore (the default) (-p schedule).

    As you are fuzzing with an existing and growing corpus, I highly recommend using cmplog and laf-intel, AFL_EXPAND_HAVOC_NOW and -p rare or -p seek. These options are the more effective ones for finding new paths.

    If you have further questions - just put them here.

    opened by vanhauser-thc 70
  • -fsanitize=fuzzer is not handling exceptions correctly

    The only case I've verified where this happens is jsonnet. However, it looks like the same issue occurs with freeimage (load_from_memory_fuzzer), libsass (data_context_fuzzer), and opencv (imdecode_fuzzer)

    To reproduce, download my patch and run these commands:

    git apply jsonnet.txt
    python infra/helper.py build_fuzzers jsonnet
    python infra/helper.py check_build jsonnet
    ...
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==36==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f236d5b6d10 bp 0x00000090605b sp 0x7ffd7f950d68 T0)
    ==36==The signal is caused by a READ memory access.
    ==36==Hint: address points to the zero page.
    SCARINESS: 10 (null-deref)
    ERROR: 100% of fuzz targets seem to be broken. See the list above for a detailed information.
    Check build failed
    

    This is a stacktrace that I captured slightly before the crash occurs.

    #0  __asan_handle_no_return () at /src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:598
    #1  0x00000000005f7084 in (anonymous namespace)::Parser::parseTerminalBracketsOrUnary (this=0x6110000000c0) at /src/jsonnet/core/parser.cpp:591
    #2  0x00000000005e5321 in (anonymous namespace)::Parser::parse (this=0x7fffffffcec0, max_precedence=<optimized out>) at /src/jsonnet/core/parser.cpp:898
    #3  0x00000000005e49f8 in jsonnet_parse (alloc=<optimized out>, tokens=...) at /src/jsonnet/core/parser.cpp:1093
    #4  0x00000000005caed7 in jsonnet_evaluate_snippet_aux (vm=<optimized out>, filename=<optimized out>, snippet=<optimized out>, error=<optimized out>, kind=<optimized out>) at /src/jsonnet/core/libjsonnet.cpp:492
    #5  0x00000000005ca76d in jsonnet_evaluate_snippet (vm=0x60f000000040, filename=0x89c900 <.str> "", snippet=0x7fffffffdaa1 "", error=0x7fffffffd9c0) at /src/jsonnet/core/libjsonnet.cpp:667
    #6  0x00000000005bbcce in ConvertJsonnetToJson(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) () at convert_jsonnet_fuzzer.cc:24
    #7  0x00000000005bc011 in LLVMFuzzerTestOneInput () at convert_jsonnet_fuzzer.cc:40
    #8  0x00000000004c2f35 in ExecuteCallback () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:529
    #9  0x00000000004c4e54 in ReadAndExecuteSeedCorpora () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:729
    #10 0x00000000004c5426 in Loop () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:779
    #11 0x00000000004b437b in FuzzerDriver () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:776
    #12 0x00000000004de3d3 in main () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19
    

    The crash does not occur when -lFuzzingEngine is used instead of -fsanitize=fuzzer.

    The source line (parser.cpp:591) causing the crash contains: throw StaticError(tok.location, "unexpected end of file.");

    I think this crash has something to do with exceptions.

    opened by jonathanmetzman 47
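Added example, not code from OSS-Fuzz or from jsonnet: a fuzz target around a small hypothetical parser that, like the jsonnet parser at parser.cpp:591 in the trace above, throws its own error type on unexpected end of input. An exception that escapes LLVMFuzzerTestOneInput reaches std::terminate, which the engine reports as a crash, so the harness catches the library's error type at the boundary and returns 0, while letting any other exception type propagate. ParseError, ParseBrackets, RejectsInput, RunTarget and the sample inputs are constructed for the example; the guard macro FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is the one the build logs on this page show OSS-Fuzz passing to the compiler, and it keeps the stand-alone main out of a libFuzzer link, where libFuzzer supplies main.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <string_view>

// Hypothetical stand-in for the library under test (not jsonnet). Like
// jsonnet's StaticError, it is thrown on malformed input.
struct ParseError : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Counts balanced '[' ... ']' groups. Throws ParseError on a stray ']' or when
// the input ends inside an open group ("unexpected end of file").
int ParseBrackets(std::string_view input) {
  int depth = 0;
  int groups = 0;
  for (size_t i = 0; i < input.size(); ++i) {
    if (input[i] == '[') {
      ++depth;
    } else if (input[i] == ']') {
      if (depth == 0) throw ParseError("unexpected ']' at offset " + std::to_string(i));
      if (--depth == 0) ++groups;
    }
  }
  if (depth != 0) throw ParseError("unexpected end of file.");
  return groups;
}

// True if the parser rejects the input with its own error type.
bool RejectsInput(std::string_view input) {
  try {
    (void)ParseBrackets(input);
    return false;
  } catch (const ParseError&) {
    return true;
  }
}

// The fuzz target. An exception escaping this function ends in std::terminate,
// which the engine reports as a crash, so the library's expected rejection is
// caught here and the input is reported as "not a bug" by returning 0. Any other
// exception type (a logic_error from a real bug, std::bad_alloc) still escapes.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::string_view input(reinterpret_cast<const char*>(data), size);
  try {
    (void)ParseBrackets(input);
  } catch (const ParseError&) {
    // Expected for malformed input; nothing to report.
  }
  return 0;
}

// Convenience wrapper so a string can be fed to the target directly.
int RunTarget(std::string_view input) {
  return LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(input.data()),
                                input.size());
}

// Stand-alone driver. OSS-Fuzz defines this macro for every fuzzing build, and
// in those builds the engine (libFuzzer, the AFL driver) supplies main instead.
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
int main() {
  const char* samples[] = {"[[]][]", "[[", "]["};  // constructed inputs
  for (const char* s : samples) {
    std::printf("%-8s rejected=%d target_rc=%d\n", s, RejectsInput(s), RunTarget(s));
  }
  return 0;
}
#endif
```

Catch only the library's documented error type, never `catch (...)`: a blanket catch would also swallow the exceptions that signal real bugs, and the target would keep returning 0 on inputs the fuzzer should be reporting.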
  • How do I test different code branches using CIFuzz?

    I have integrated CIFuzz with my project (libjpeg-turbo), but I cannot figure out how to make it test the actual code that is being passed to GitHub Actions. Because of https://github.com/google/oss-fuzz/blob/9f236c1c9c5929cf152f39312796d72acead175c/projects/libjpeg-turbo/Dockerfile#L19 the main branch of libjpeg-turbo is always built and tested. This can be confirmed in the GitHub Actions log files.

    This log file is from fuzzing the dev branch, which should be v2.1.80, but CIFuzz is testing v2.1.4 from the main branch instead: https://github.com/libjpeg-turbo/libjpeg-turbo/runs/5518437997

    This log file is from fuzzing the 2.0.x branch, which should be v2.0.7, but CIFuzz is testing v2.1.4 from the main branch instead: https://github.com/libjpeg-turbo/libjpeg-turbo/runs/5728485608

    opened by dcommander 42
  • Rust coverage report (for Suricata)

    cc @inferno-chromium and @Dor1s Fixes #4637

    This will work when https://github.com/rust-lang/rust/pull/79365 gets merged into rust nightly compiler and gets shipped into oss-fuzz docker images (or if you recompile rustc)

    This is a draft PR. The right one will not use a custom patch for Suricata, but wait until https://github.com/OISF/suricata/pull/5595 is merged

    Last, there is a question about the demangler. As some projects may have both C++ and Rust, I think that the demangler should be a custom one, basically doing rustfilt | c++filt -n. Do you have thoughts on that?

    opened by catenacyber 40
  • Missing asan_blacklist.txt when building via Bazel

    We have the following error in the fuzz build: https://oss-fuzz-build-logs.storage.googleapis.com/index.html#oak

    Step #4: ERROR: /builder/home/.cache/bazel/_bazel_root/872aac72dffae06b4e2a5b0308508d03/external/com_google_absl/absl/base/BUILD.bazel:171:1: undeclared inclusion(s) in rule '@com_google_absl//absl/base:base':
    Step #4: this rule is missing dependency declarations for the following files included by 'external/com_google_absl/absl/base/internal/unscaledcycleclock.cc':
    Step #4:   '/usr/local/lib/clang/10.0.0/share/asan_blacklist.txt'
    

    And each time we run fuzzing, the library that causes the problem randomly changes.

    I have found a flag, that causes this behavior:

    $ bazel build --cxxopt=-fsanitize=address //oak/server:wasm_node
    INFO: Analyzed target //oak/server:wasm_node (0 packages loaded, 0 targets configured).
    INFO: Found 1 target...
    ERROR: /root/.cache/bazel/_bazel_root/872aac72dffae06b4e2a5b0308508d03/external/com_google_absl/absl/numeric/BUILD.bazel:27:1: undeclared inclusion(s) in rule '@com_google_absl//absl/numeric:int128':
    this rule is missing dependency declarations for the following files included by 'external/com_google_absl/absl/numeric/int128.cc':
      '/usr/local/lib/clang/10.0.0/share/asan_blacklist.txt'
    Target //oak/server:wasm_node failed to build
    

    I get this error even after bazel clean --expunge.

    It seems that the address sanitizer implicitly adds a dependency on /usr/local/lib/clang/10.0.0/share/asan_blacklist.txt in every compiled file (even external ones). And Bazel could not compile targets because all dependencies should be explicitly included in BUILD files.

    Another project that has the same issue is gRPC: https://oss-fuzz-build-logs.storage.googleapis.com/index.html#grpc cc @tiziano88 @yang-g @Dor1s

    More information on the issue: https://github.com/project-oak/oak/issues/349

    opened by ipetr0v 40
  • Seed corpus not being used for `aspell` project

    My project aspell does not seem to be using the seed corpus. About two days ago I expanded the seed corpus to improve coverage and yet coverage has not changed.

    The files are currently not named based on the sha1 checksum. Is this a requirement? The manual strongly hints at this when it says:

    The name of each file in the corpus is the sha1 checksum (which you can get using the sha1sum or shasum command) of its contents.

    bug 
    opened by kevina 40
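Added example, not code from OSS-Fuzz or from aspell: the content-addressed naming the quoted documentation describes, carried through on a constructed set of seed files. SHA-1 is implemented inline (FIPS 180-4) so the block runs stand-alone and gives the same digest `sha1sum` prints; SeedFile, CorpusName, BuildSeedCorpus and the sample seeds are constructed for the example. Naming by content also shows why two byte-identical seeds collapse into one corpus entry.

```cpp
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

namespace {
uint32_t Rotl(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }
}  // namespace

// SHA-1 (FIPS 180-4) of an arbitrary byte string, as 40 lowercase hex digits:
// the value `sha1sum` prints for a file with these contents.
std::string Sha1Hex(std::string_view msg) {
  uint32_t h[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};

  // Padding: 0x80, zeros to 56 mod 64, then the message length in bits, big-endian.
  std::vector<uint8_t> buf(msg.begin(), msg.end());
  const uint64_t bit_len = static_cast<uint64_t>(msg.size()) * 8;
  buf.push_back(0x80);
  while (buf.size() % 64 != 56) buf.push_back(0x00);
  for (int i = 7; i >= 0; --i) buf.push_back(static_cast<uint8_t>(bit_len >> (8 * i)));

  for (size_t off = 0; off < buf.size(); off += 64) {
    uint32_t w[80];
    for (int t = 0; t < 16; ++t) {
      w[t] = (uint32_t{buf[off + 4 * t]} << 24) | (uint32_t{buf[off + 4 * t + 1]} << 16) |
             (uint32_t{buf[off + 4 * t + 2]} << 8) | uint32_t{buf[off + 4 * t + 3]};
    }
    for (int t = 16; t < 80; ++t) w[t] = Rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1);

    uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (int t = 0; t < 80; ++t) {
      uint32_t f, k;
      if (t < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999u; }
      else if (t < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1u; }
      else if (t < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDCu; }
      else             { f = b ^ c ^ d;                   k = 0xCA62C1D6u; }
      const uint32_t temp = Rotl(a, 5) + f + e + k + w[t];
      e = d; d = c; c = Rotl(b, 30); b = a; a = temp;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
  }

  char out[41];
  std::snprintf(out, sizeof out, "%08x%08x%08x%08x%08x", static_cast<unsigned>(h[0]),
                static_cast<unsigned>(h[1]), static_cast<unsigned>(h[2]),
                static_cast<unsigned>(h[3]), static_cast<unsigned>(h[4]));
  return out;
}

// One seed as it sits in a project's corpus directory (constructed for the example).
struct SeedFile {
  std::string original_name;
  std::string contents;
};

// The content-addressed name the OSS-Fuzz docs describe: the SHA-1 of the bytes.
std::string CorpusName(const SeedFile& f) { return Sha1Hex(f.contents); }

// Renames every seed to its SHA-1 and drops byte-identical duplicates (two files
// with the same contents get the same name). Returns (sha1 name, contents)
// pairs ready to be written into <target>_seed_corpus.zip.
std::vector<std::pair<std::string, std::string>> BuildSeedCorpus(
    const std::vector<SeedFile>& seeds) {
  std::vector<std::pair<std::string, std::string>> out;
  std::set<std::string> seen;
  for (const SeedFile& s : seeds) {
    std::string name = CorpusName(s);
    if (seen.insert(name).second) out.emplace_back(name, s.contents);
  }
  return out;
}

int main() {
  const std::vector<SeedFile> seeds = {  // constructed sample seeds
      {"words-1.txt", "abc"}, {"words-1-copy.txt", "abc"}, {"empty.txt", ""}};
  for (const auto& [name, contents] : BuildSeedCorpus(seeds)) {
    std::printf("%s  (%zu bytes)\n", name.c_str(), contents.size());
  }
  return 0;
}
```

In a real project the same renaming is one shell loop over `sha1sum`; the point of the worked version is that the expected file name is a pure function of the file's bytes, so it can be checked before the zip is uploaded.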
  • Tracking of projects that fail to run coverage job

    • [x] bad_example Failed to get list of targets from "https://storage.googleapis.com/clusterfuzz-builds/bad_example/targets.list.address". as the target is not being run on CF
    • [x] chakra The same root cause: Failed to get list of targets from "https://storage.googleapis.com/clusterfuzz-builds/chakra/targets.list.address".
    • [x] dlplibs the disk is full, cannot unpack the corpus:
    I  Step #4: /corpus/mswksfuzzer/5baeffd6604290d2cbea9a2112181f6c7b91ea0c:  write error (disk full?).  Continue? (y/n/^C)  
    I  Step #4: warning:  /corpus/mswksfuzzer/5baeffd6604290d2cbea9a2112181f6c7b91ea0c is probably truncated 
    I  Step #4: checkdir:  cannot create extraction directory: /corpus/mswrdfuzzer 
    I  Step #4:            No space left on device 
    I  Step #4: checkdir:  cannot create extraction directory: /corpus/multiplanfuzzer 
    I  Step #4:            No space left on device 
    
    • [x] example download_corpus failed, target is disabled on CF
    • [x] firefox the disk is full, cannot finish compilation
    I  Step #2: + find media/webrtc/trunk/webrtc/test/fuzzers/corpora/stun-corpus -type f -exec zip -qju /workspace/out/profile/StunParser_seed_corpus.zip '{}' ';' 
    I  Step #2: + cp media/webrtc/trunk/webrtc/test/fuzzers/corpora/stun.tokens /workspace/out/profile/StunParser.dict 
    I  Step #2: cp: error writing '/workspace/out/profile/work/obj-fuzz/_tests/testing/mochitest/chrome/toolkit/mozapps/update/tests/data/updater': No space left on device 
    I  Step #2: cp: cannot create directory '/workspace/out/profile/work/obj-fuzz/_tests/testing/mochitest/chrome/toolkit/components': No space left on device 
    
    • [x] fuzzing-puzzles The project is disabled: Failed to get list of targets from "https://storage.googleapis.com/clusterfuzz-builds/fuzzing-puzzles/targets.list.address".
    • [x] glib Compilation failure. Weird, as I've added -ldl flag. Looks like the project does linking using clang, not clang++:
    I  Step #2: [773/955] Linking target gio/gsettings. 
    I  Step #2: FAILED: gio/gsettings  
    I  Step #2: clang  -o gio/gsettings 'gio/[email protected]@[email protected]/gsettings-tool.c.o' -Wl,--no-undefined -Wl,--as-needed -O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fprofile-instr-generate -fcoverage-mapping -pthread -Wl,-ldl -Wno-unused-command-line-argument -Wl,--start-group gio/libgio-2.0.a gio/xdgmime/libxdgmime.a gio/inotify/libinotify.a glib/libglib-2.0.a glib/libcharset/libcharset.a glib/pcre/libpcre.a gobject/libgobject-2.0.a subprojects/libffi/src/libffi.a subprojects/zlib-1.2.11/libz.a gmodule/libgmodule-2.0.a -lresolv -Wl,--end-group   
    I  Step #2: gmodule/libgmodule-2.0.a(gmodule.c.o): In function `_g_module_self': 
    I  Step #2: /work/meson/../../src/glib/gmodule/gmodule-dl.c:125: undefined reference to `dlopen' 
    I  Step #2: gmodule/libgmodule-2.0.a(gmodule.c.o): In function `_g_module_open': 
    I  Step #2: /work/meson/../../src/glib/gmodule/gmodule-dl.c:98: undefined reference to `dlopen' 
    I  Step #2: gmodule/libgmodule-2.0.a(gmodule.c.o): In function `_g_module_close': 
    I  Step #2: /work/meson/../../src/glib/gmodule/gmodule-dl.c:150: undefined reference to `dlclose' 
    I  Step #2: gmodule/libgmodule-2.0.a(gmodule.c.o): In function `_g_module_symbol': 
    I  Step #2: /work/meson/../../src/glib/gmodule/gmodule-dl.c:163: undefined reference to `dlsym' 
    I  Step #2: gmodule/libgmodule-2.0.a(gmodule.c.o): In function `fetch_dlerror': 
    I  Step #2: /work/meson/../../src/glib/gmodule/gmodule-dl.c:80: undefined reference to `dlerror' 
    I  Step #2: clang-7: error: linker command failed with exit code 1 (use -v to see invocation) 
    
    • [x] jsc The project is disabled: Failed to get list of targets from "https://storage.googleapis.com/clusterfuzz-builds/jsc/targets.list.address".
    • [x] libchewing The target doesn't have corpus backups as it's disabled: https://github.com/google/oss-fuzz/blob/master/projects/libchewing/project.yaml#L2
    • [x] libprotobuf-mutator Compilation failure without a reasonable error message:
    I  Step #2: [208/209] Building CXX object CMakeFiles/protoc.dir/src/libprotobuf-mutator/build/external.protobuf/src/external.protobuf/src/google/protobuf/compiler/main.cc.o 
    I  Step #2: [209/209] Linking CXX executable protoc 
    I  Step #2: ninja: build stopped: subcommand failed. 
    I  Finished Step #2 
    I  ERROR 
    I  ERROR: build step 2 "gcr.io/oss-fuzz/libprotobuf-mutator" failed: exit status 1 
    

    Regular build has the same problem though: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10003

    • [x] libpsl Compilation failure:
    I  Step #2:   CCLD     psl 
    I  Step #2: /usr/bin/ld: /src/deps/lib/libicuuc.a(putil.ao): undefined reference to symbol '[email protected]@GLIBC_2.2.5' 
    I  Step #2: //lib/x86_64-linux-gnu/libm.so.6: error adding symbols: DSO missing from command line 
    I  Step #2: clang-7: error: linker command failed with exit code 1 (use -v to see invocation) 
    I  Step #2: make[2]: *** [psl] Error 1 
    I  Step #2: Makefile:468: recipe for target 'psl' failed 
    
    • [x] libssh Compilation failure, the same as the regular build has.
    I  Step #2: CMake Error at cmake/Modules/CheckCCompilerFlagSSP.cmake:19 (include_guard): 
    I  Step #2:   Unknown CMake command "include_guard". 
    I  Step #2: Call Stack (most recent call first): 
    I  Step #2:   CompilerChecks.cmake:2 (include) 
    I  Step #2:   CMakeLists.txt:31 (include) 
    I  Step #2:  
    I  Step #2:  
    I  Step #2: -- Configuring incomplete, errors occurred! 
    I  Step #2: See also "/src/libssh/build/CMakeFiles/CMakeOutput.log". 
    
    • [x] mercurial Corpus download failed, probably because of https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9694: xdiff_fuzzer seems to be crazy slow, so corpus pruning has never finished since early July
    • [x] nss No fuzz targets (weird): Failed to get list of targets from "https://storage.googleapis.com/clusterfuzz-builds/nss/targets.list.address".
    • [x] openvswitch Build failure:
    I  Step #2: + clang++ -O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fprofile-instr-generate -fcoverage-mapping -pthread -Wl,-ldl -Wno-unused-command-line-argument -stdlib=libc++ /workspace/out/profile/flow_extract_target.o ./lib/.libs/libopenvswitch.a -lz -lssl -lcrypto -latomic -lFuzzingEngine -o /workspace/out/profile/flow_extract_fuzzer 
    I  Step #2: ./lib/.libs/libopenvswitch.a(async-append-aio.o): In function `async_append_write': 
    I  Step #2: /src/openvswitch/lib/async-append-aio.c:144: undefined reference to `aio_write' 
    I  Step #2: ./lib/.libs/libopenvswitch.a(async-append-aio.o): In function `async_append_wait': 
    I  Step #2: /src/openvswitch/lib/async-append-aio.c:99: undefined reference to `aio_error' 
    I  Step #2: /src/openvswitch/lib/async-append-aio.c:106: undefined reference to `aio_suspend' 
    I  Step #2: /src/openvswitch/lib/async-append-aio.c:108: undefined reference to `aio_return' 
    I  Step #2: clang-7: error: linker command failed with exit code 1 (use -v to see invocation) 
    
    
    • [x] postgis Corpus download failed. Missing corpus backup for postgis_wkb_import_fuzzer.
    • [x] proj4 Build failure (messing up with atexit which is used for dumping coverage):
    I  Step #2: clang-7: error: linker command failed with exit code 1 (use -v to see invocation) 
    I  Step #2: /usr/bin/ld: .libs/basic_test: hidden symbol `atexit' in /usr/lib/x86_64-linux-gnu/libc_nonshared.a(atexit.oS) is referenced by DSO 
    I  Step #2: /usr/bin/ld: final link failed: Bad value 
    I  Step #2: make[2]: *** [proj_errno_string_test] Error 1 
    I  Step #2: Makefile:424: recipe for target 'proj_errno_string_test' failed 
    I  Step #2: clang-7: error: linker command failed with exit code 1 (use -v to see invocation) 
    I  Step #2: make[2]: *** [basic_test] Error 1 
    I  Step #2: Makefile:416: recipe for target 'basic_test' failed 
    I  Step #2: Makefile:369: recipe for target 'all-recursive' failed 
    I  Step #2: make[1]: *** [all-recursive] Error 1 
    I  Step #2: make: *** [all-recursive] Error 1 
    I  Step #2: Makefile:448: recipe for target 'all-recursive' failed 
    
    
    • [x] spidermonkey No fuzz targets, WAI: Failed to get list of targets from "https://storage.googleapis.com/clusterfuzz-builds/spidermonkey/targets.list.address".
    • [x] strongswan Build failure. Not sure what's going on, but adding -lm will likely solve the problem:
    I  Step #2: rm -f libFuzzerLocal.a 
    I  Step #2: ar cru libFuzzerLocal.a libFuzzerLocal.o ../src/libstrongswan/libstrongswan.la 
    I  Step #2: ar: `u' modifier ignored since `D' is the default (see `U') 
    I  Step #2: ranlib libFuzzerLocal.a 
    I  Step #2: /usr/lib/libFuzzingEngine.a(FuzzerLoop.o): In function `ceil': 
    I  Step #2: /usr/local/bin/../include/c++/v1/math.h:834: undefined reference to `ceilf' 
    I  Step #2: /usr/local/bin/../include/c++/v1/math.h:834: undefined reference to `ceilf' 
    
    opened by Dor1s 40
  • Initial checkin of CPython fuzz tests.

    This depends on changes that haven't landed in CPython yet. You can test it by replacing the git clone with:

    RUN git clone -b fix-issue-29505 --depth 1 https://github.com/ssbr/cpython.git cpython
    

    The corresponding pull request to CPython is here: https://github.com/python/cpython/pull/2878

    Those are the first fuzz tests I've ever written, and maybe are too trivial or something. Will get to better fuzz tests soon.

    Extra notes: Google bug: b/37562550 (and there are others for other bits of CPython) Python bug: https://bugs.python.org/issue29505

    opened by ssbr 38
  • Fix libFuzzer minimization command line parsing, should be able to process special chars like (

    I downloaded a reproducer testcase from https://oss-fuzz.com/download?testcase_id=5146387221315584 (related to https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22547) and noticed that it was much larger than it should have been so by manually running the fuzz target with -minimize_crash=1 I managed to reduce the size from 4333 bytes to just 128 bytes.

    It seems the testcase wasn't minimized because "LibFuzzer minimization failed" (which is strange in the sense that the bug was found with honggfuzz as far as I can see):

    [2020-05-26 12:58:23 UTC] oss-fuzz-linux-zone3-host-swn3-6: Fuzz task : Fuzzer honggfuzz_systemd_fuzz-netdev-parser generated testcase crashed in 4736 seconds (r202005260645).
    [2020-05-26 13:21:10 UTC] oss-fuzz-linux-zone1-host-v84z-8: Minimize task started.
    [2020-05-26 13:21:46 UTC] oss-fuzz-linux-zone1-host-v84z-8: Minimize task errored out: LibFuzzer minimization failed.
    [2020-05-26 13:23:39 UTC] oss-fuzz-linux-zone1-host-v84z-8: Regression task started.
    
    bug priority 
    opened by evverx 36
  • Use bundled libFuzzer runtime from clang instead of building it locally

    @kcc points out that building locally is causing performance issues since we aren't using the correct build flags.

    I've experimented with linking fuzz targets against the bundled runtime instead of the locally built one. I'm hoping to transparently do this so that $LIB_FUZZING_ENGINE is the bundled runtime instead of a locally built one without needing any changes in projects' build processes.

    However, @Dor1s and I found that we need to use -lc++abi when linking directly against the bundled libFuzzer. Is this expected? Is there a way to force everyone linking against libFuzzer to also link against c++abi (maybe the libcxxabi.a and libclang_rt.fuzzer-x86_64.a libraries can be combined)? Adding -lc++abi to CXXFLAGS/CFLAGS sort of works, but causes a lot of compiler warnings when the flags are used just for compilation and not linking.

    cc @morehouse

    opened by jonathanmetzman 32
  • Github workflow hanging in clusterfuzz?

    I started seeing consistent repeated GH fuzzing workflow timeouts on https://github.com/PJK/libcbor caused by google/oss-fuzz/infra/cifuzz/actions/[email protected] overrunning fuzz-seconds, starting around September 23rd 2022.

    Looking at the log, it seems that clusterfuzz is stuck waiting on input (??)

    [...]
    /github/workspace/build-out/cbor_load_fuzzer -timeout=25 -rss_limit_mb=2560 -len_control=0 -seed=1337 -artifact_prefix=/tmp/tmpv98trfvl/ -max_total_time=14400 -print_final_stats=1 /github/workspace/cifuzz-corpus/cbor_load_fuzzer >fuzz-1.log 2>&1
    Traceback (most recent call last):
      File "/opt/oss-fuzz/infra/cifuzz/run_fuzzers_entrypoint.py", line 96, in <module>
        sys.exit(main())
      File "/opt/oss-fuzz/infra/cifuzz/run_fuzzers_entrypoint.py", line 92, in main
        return run_fuzzers_entrypoint()
      File "/opt/oss-fuzz/infra/cifuzz/run_fuzzers_entrypoint.py", line 62, in run_fuzzers_entrypoint
        result = run_fuzzers.run_fuzzers(config)
      File "/opt/oss-fuzz/infra/cifuzz/run_fuzzers.py", line 302, in run_fuzzers
        if not fuzz_target_runner.run_fuzz_targets():
      File "/opt/oss-fuzz/infra/cifuzz/run_fuzzers.py", line 130, in run_fuzz_targets
        result = self.run_fuzz_target(target)
      File "/opt/oss-fuzz/infra/cifuzz/run_fuzzers.py", line 245, in run_fuzz_target
        return fuzz_target_obj.fuzz()
      File "/opt/oss-fuzz/infra/cifuzz/fuzz_target.py", line 188, in fuzz
        result = engine_impl.fuzz(self.target_path, options, artifacts_dir,
      File "/usr/local/lib/python3.8/dist-packages/clusterfuzz/_internal/bot/fuzzers/libFuzzer/engine.py", line 266, in fuzz
        fuzz_result = runner.fuzz(
      File "/usr/local/lib/python3.8/dist-packages/clusterfuzz/_internal/bot/fuzzers/libfuzzer.py", line 411, in fuzz
        return LibFuzzerCommon.fuzz(self, corpus_directories, fuzz_timeout,
      File "/usr/local/lib/python3.8/dist-packages/clusterfuzz/_internal/bot/fuzzers/libfuzzer.py", line 228, in fuzz
        return self.run_and_wait(
      File "/usr/local/lib/python3.8/dist-packages/clusterfuzz/_internal/system/new_process.py", line 406, in run_and_wait
        result = ProcessRunner.run_and_wait(self, *args, **kwargs)
      File "/usr/local/lib/python3.8/dist-packages/clusterfuzz/_internal/system/new_process.py", line 390, in run_and_wait
        result = wait_process(
      File "/usr/local/lib/python3.8/dist-packages/clusterfuzz/_internal/system/new_process.py", line 97, in wait_process
        output = process.communicate(input_data)[0]
      File "/usr/local/lib/python3.8/dist-packages/clusterfuzz/_internal/system/new_process.py", line 164, in communicate
        line = self._popen.stdout.readline()
    KeyboardInterrupt
    Error: The operation was canceled.
    
    • Workflow config: https://github.com/PJK/libcbor/blob/e87d5714e69214f187db225f23985aea51c52d28/.github/workflows/fuzz.yml
    • Sample failed run: https://github.com/PJK/libcbor/actions/runs/3120941813/jobs/5061912055
    • Logs attached: logs_314.zip
    opened by PJK 1
  • build(deps): bump protobuf from 3.20.1 to 3.20.2 in /infra/cifuzz

    Bumps protobuf from 3.20.1 to 3.20.2.

    dependencies python 
    opened by dependabot[bot] 0
  • build(deps): bump protobuf from 3.20.1 to 3.20.2 in /infra/build/functions

    Bumps protobuf from 3.20.1 to 3.20.2.

    dependencies python
    opened by dependabot[bot] 0
  • [lldpd] initial integration

    [lldpd] initial integration

    Hello @vincentbernat, can you check this PR?

    oss-fuzz team. Application usage in routers:

    • Unifi,
    • Cambium Networks,
    • oVirt,
    • OpenWrt,
    • Poly,
    • MikroTik,
    • Cumulus,
    • ASUS

    It is possibly used in other places as well.

    Signed-off-by: 0x34d [email protected]

    opened by 0x34d 1
  • Cloning from sourceware.org fails in freetype2 project

    Cloning from sourceware.org fails in freetype2 project

    We get failed build reports for freetype2. The build logs contain the following parts, which we believe are the reason for the error.

    Step #3 - "compile-afl-address-x86_64": + git submodule update --init --depth 1 /src/freetype2-testing/external/bzip2
    Step #3 - "compile-afl-address-x86_64": Submodule 'external/bzip2' (git://sourceware.org/git/bzip2.git) registered for path '../../../external/bzip2'
    Step #3 - "compile-afl-address-x86_64": Cloning into '/src/freetype2-testing/external/bzip2'...
    Step #3 - "compile-afl-address-x86_64": remote: Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
    Step #3 - "compile-afl-address-x86_64": error: Server does not allow request for unadvertised object 8ca1faa31f396d94ab927b257f3a05236c84e330
    Step #3 - "compile-afl-address-x86_64": Fetched in submodule path '../../../external/bzip2', but it did not contain 8ca1faa31f396d94ab927b257f3a05236c84e330. Direct fetching of that commit failed.

    However, this is not reproducible locally. The sourceware.org bzip2 checkout succeeds here.

    OSS-Fuzz reference bug reporting the build failure: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51442#c4

    The bug contains additional info on failed attempts at reproducing this.

    opened by drott 1
Owner
Google
Google ❤️ Open Source
The Rumor is pure, nasty growling bass fuzz pedal, with bold out-front presence, and cutting articulation.

Rumor.lv2 The Rumor is pure, nasty growling bass fuzz pedal, with bold out-front presence, and cutting articulation. Features Nasty FUZZ simulation. D

Hermann 12 Feb 28, 2022
Continuous-Time Spline Visual-Inertial Odometry

Continuous-Time Spline Visual-Inertial Odometry Related Publications Direct Sparse Odometry, J. Engel, V. Koltun, D. Cremers, In IEEE Transactions on

Minnesota Interactive Robotics and Vision Laboratory 55 Sep 6, 2022
Continuous Time LiDAR odometry

CT-ICP: Elastic SLAM for LiDAR sensors This repository implements the SLAM CT-ICP (see our article), a lightweight, precise and versatile pure LiDAR o

null 315 Sep 21, 2022
Syncspirit is a continuous file synchronization program, which synchronizes files between devices.

syncspirit sites: github, abf syncspirit is a continuous file synchronization program, which synchronizes files between devices. It is built using C++

Ivan Baidakou 15 Aug 10, 2022
CollabFuzz: A Framework for Collaborative Fuzzing

Collaborative Fuzzing Design In this cooperative framework, the fuzzers collaborate using a centralized scheduler.

VUSec 60 Sep 6, 2022
The artifact associated with our ISSTA 2021 paper "Seed Selection for Successful Fuzzing"

Seed Selection for Successful Fuzzing The artifact associated with our ISSTA 2021 paper "Seed Selection for Successful Fuzzing". While our primary art

HexHive 31 Aug 22, 2022
USENIX 2021 - Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types

Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types Nyx is a fast full-VM snapshot fuzzer for type-2 hypervisors. It's built upon kAFL

Chair for Systems Security 158 Aug 29, 2022
Owfuzz: a WiFi protocol fuzzing tool

owfuzz owfuzz: a WiFi protocol fuzzing tool using openwifi. Openwifi is an open-source WiFi protocol stack based on SDR that is fully compatible with

Alipay 140 Aug 25, 2022
BSOD: Binary-only Scalable fuzzing Of device Drivers

bsod-kernel-fuzzing This repository contains the implementations described in "BSOD: Binary-only Scalable fuzzing Of device Drivers". The paper and th

Fabian Toepfer 131 Aug 5, 2022
StochFuzz - Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

StochFuzz: A New Solution for Binary-only Fuzzing StochFuzz is a (probabilistically) sound and cost-effective fuzzing technique for stripped binaries.

Zhuo Zhang 162 Aug 24, 2022
TAFuzzer: Effective and Efficient Targeted Fuzzing framework for Smart Contract Vulnerability Detection (CCS2022a Under Review).

TAFuzzer An effective and efficient targeted fuzzing framework for smart contract vulnerability detection. Requirements TAFuzzer is supported on Linux

null 2 Feb 7, 2022
ModuLiDAR is an all-in-one open-source software for autonomous UGVs and industrial robots.

ModuLiDAR is an all-in-one open-source software for autonomous UGVs and industrial robots. The target industries ModuLiDAR is working on are the farming, mining, warehouse, and construction industries.

null 18 Jun 22, 2022
SDR++ is a cross-platform and open source SDR software with the aim of being bloat free and simple to use.

SDR++ is a cross-platform and open source SDR software with the aim of being bloat free and simple to use.

AlexandreRouma 2k Sep 23, 2022
OpenFOAM is a free, open source computational fluid dynamics (CFD) software package

acousticStreamingFoam About OpenFOAM OpenFOAM is a free, open source computational fluid dynamics (CFD) software package released by the OpenFOAM Foun

Bruno 1 Nov 2, 2021
Open-source KVM software

Barrier Eliminate the barrier between your machines. Find releases for windows and macOS here. Your distro probably already has barrier packaged for i

null 602 Sep 22, 2022
C++ Open Source Software Template

cpp-oss-template cpp-oss-template is a simple template for C++ language-based projects. Support CI Appveyor Travis CI Azure Pipelines Support Tool Code

Chris Ohk 12 Jun 21, 2022
OpenToonz - An open-source full-featured 2D animation creation software

OpenToonz Japanese What is OpenToonz? OpenToonz is a 2D animation software published by DWANGO. It is based on Toonz Studio Ghibli Version, originally deve

OpenToonz 3.6k Sep 17, 2022
Open source software for autonomous drones.

Prometheus - Open-source autonomous drone project [English Readme] Prometheus is one of the wisest gods in Greek mythology; we hope this project brings boundless wisdom and light to drone research and development. Project Overview Prometheus is an open-source autonomous drone software platform that provides a complete solution for intelligent and autonomous drone flight. This project is based on PX4

Amov Lab 1.5k Sep 21, 2022
Open source hardware design and software for OpenPodcar.

OpenPodcar Open Source Hardware Design and Software for OpenPodcar. OpenPodcar_obstacle_avoidance_INB_Atrium.mov Table of Contents I. General Info II.

null 10 Jul 8, 2022