[llvm-dev] how to auto-report LLVM bugs found by fuzzing?
Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Wed Aug 30 16:54:45 PDT 2017
Bugs found by oss-fuzz in llvm are now public: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm (and the new ones will be public too). I've also added llvm-bugs at lists.llvm.org to the list of e-mail recipients: https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml
On Tue, Aug 29, 2017 at 4:27 PM, Justin Bogner <mail at justinbogner.com> wrote:
Kostya Serebryany <kcc at google.com> writes:
> On Tue, Aug 29, 2017 at 4:13 PM, Justin Bogner <mail at justinbogner.com> wrote:
>
>> Kostya Serebryany <kcc at google.com> writes:
>> > Hi,
>> >
>> > We have several llvm fuzz targets running on OSS-Fuzz, a continuous
>> > automated fuzzing service:
>> > https://github.com/google/oss-fuzz
>> > https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17slidesserebryany.pdf
>> >
>> > It has reported a few bugs in cxademangler, clang, and dwarfdump already,
>> > and we expect to add more fuzz targets to it soon (llvm-isel-fuzzer,
>> > clang-format-fuzzer, ...)
>> >
>> > A question to everyone: how do we report these bugs properly?
>> > OSS-Fuzz files bugs automatically into a separate bug tracker, it can not
>> > file bugs to bugzilla.
>> > By default, the bug reports are private for security reasons, and only
>> > those CC-ed explicitly can see them.
>> >
>> > Should we make the bug reports public by default?
>> > We can set things differently for the llvm project (llvm, clang, etc) and
>> > libcxxabi (demangler):
>> > https://github.com/google/oss-fuzz/tree/master/projects/llvm
>> > https://github.com/google/oss-fuzz/tree/master/projects/llvmlibcxxabi
>>
>> At least some of these should probably just be public by default. Things
>> like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security
>> bugs, so I wouldn't expect them to find stuff that falls under the
>> responsible disclosure umbrella.
>>
>
> So, how about making all LLVM bugs public by default and leaving
> cxademangler bugs private?
> (I can't make it finer-grained, see below)

This sounds good to me.

>>
>> This should be thought about on a case by case basis, of course.
>>
>> > Should we automatically CC the bugs to any of the llvm mailing lists (e.g.
>> > llvm-dev)?
>>
>> Perhaps we could CC them to llvm-bugs? That's the same list that new
>> bugzilla bugs are announced to.
>>
>
> Ah, good idea.
> Unless someone objects I'll add llvm-bugs to the spam^W list :)
>
>>
>> > If a bug is CC-ed to a list, everyone will see the bug report summary in
>> > e-mail,
>> > but if the bug remains private the reproducer for the bug will remain
>> > private.
>> >
>> > Who wants to be CC-ed explicitly?
>> > (please add yourself to
>> > https://github.com/google/oss-fuzz/blob/master/projects/llvm/project.yaml)
>>
>> Can this be set up to CC per-fuzz-target or so? I'm sure some people are
>> interested in, say, clang, but not necessarily cxademangler, or
>> vice-versa.
>>
>
> Sadly, no.
>
> We can distinguish llvmcxxabi (cxademangler) from everything else because
> these are currently two independent projects on oss-fuzz.
> Making it finer-grained would require setting up separate oss-fuzz projects
> which is harder to maintain and would not be welcome on oss-fuzz side.
> The automatic e-mails announce the fuzz target's name, so filters will be
> easy to set up.

Fair enough.