Add fuzzer for OSS-Fuzz integration #169

Merged (2 commits) on Mar 15, 2023


DavidKorczynski
Contributor

Hello!

This PR adds a first fuzzer and the goal is to set up an integration of Numactl with OSS-Fuzz. OSS-Fuzz is a service run by Google for important open source projects that will continuously build and run fuzzers. There is a corresponding PR in the OSS-Fuzz repository (with the fuzzer included there too, but we can remove that if you're happy to accept this PR) here google/oss-fuzz#9877

The fuzzer will be built with a set of different sanitizers (ASAN, UBSAN, MSAN) and any bugs found will be reported to maintainers listed in the corresponding project.yaml on the OSS-Fuzz repo (in the linked PR there is project.yaml with my email in for now) -- if you'd be happy to integrate then please provide a set of emails for those that should receive bug reports.

Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: David Korczynski <david@adalogics.com>
@andikleen andikleen merged commit 693fee1 into numactl:master Mar 15, 2023
@andikleen
Contributor

Thanks! Although I'm not sure people really use the parser with untrusted input, but I suppose it cannot hurt.

I suppose should also cover numa_parse_cpustring(), that's another text parser.
And then there is a lot of parsing for the sysfs inputs, but I guess you consider that attack vector out of scope?

@DavidKorczynski
Contributor Author

Thanks @andikleen ! Can I attach your email from your github commits to the OSS-Fuzz maintainer list? That way you'll get notified in the event an issue is found.

We can try to fuzz the inputs where parsing is done on trusted input -- we can then decide if the bugs are worth fixing if they show up? i.e. am not against fuzzing for trusted input unless the fuzzing produces a lot of noise.

I'll try to come up with some more fuzzers for other parts of the code too!

@andikleen
Contributor

andikleen commented Mar 15, 2023 via email
