SystemSan per-target config

[nikic]

For the PHP project, we have a number of fuzzers that essentially execute arbitrary code. For those fuzzers reading arbitrary files is expected, and even writing them is only a fuzzer quality problem (we do try to blacklist such functions just to limit corruption).

Is there some way to disable SystemSan or configure it to not report certain issues?

[oliverchang]

Yes, there will be a way to configure SystemSan.

Right now we are not filing bugs automatically for such issues until we have that mechanism in place.

[nikic]

Even if not issues are filed, they still abort fuzzing. The reason why I noticed this is that I looked at fuzzer statistics and noticed a very high percentage of startup crashes caused by this. It doesn't help that the error doesn't contain a backtrace, so it's hard to figure out where the FS access comes from, if you have hundreds of places that could perform one.

[oliverchang]

That's a very good point.

We currently only enable this in 10% of all of our runs, and will be adding capabilities very soon to configure the checks to enable per target.

Does 10% still sound too high in the meantime?

[nikic]

It turns out that the "arbitrary file open" was caused by an rpath being set, which resulted in attempts to load libraries like /ORIGIN/lib/glibcs..., which meant that all our fuzzers were crashing in 10% of runs. After dropping the (no longer used) rpath, the situation looks better, in that it only affects the "arbitrary code execution" fuzzers now, and the percentage is less than 10%. So I think this is okay in the meantime.

[catenacyber]

By the way, this false positive should be fixed by #8562 which just got merged