Fixes for a few fuzzer issues #11975
Conversation
This is almost the same as 0e636bf. I looked through the code, and I don't see any more instances of this pattern, so hopefully this will be the last one. https://oss-fuzz.com/issue/5660094128193536/13691.
@@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535
This isn't going to work when AFL is used as the fuzzing engine, so ClusterFuzz will keep opening the issues you're trying to avoid. They recommend checking inside the fuzz target whether the length passed to LLVMFuzzerTestOneInput makes sense.
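A minimal sketch of that recommendation, assuming a hypothetical `parse_config()` stand-in for the real parser and a `FUZZ_MAX_LEN` chosen to mirror the 65535 `max_len` from the options file (the two values have to be kept in sync by hand, as the PR notes):

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical limit mirroring the 65535 max_len in the [libfuzzer]
 * options file; keep the two in sync manually. */
#define FUZZ_MAX_LEN 65535

/* Counter used only by this standalone sketch, to show which inputs
 * actually reach the parser. */
static unsigned parsed_calls = 0;

/* Stand-in for the real (possibly quadratic) config parser. */
static void parse_config(const uint8_t *data, size_t size) {
        (void) data;
        (void) size;
        parsed_calls++;
}

/* Fuzz target that enforces the size limit internally, so the check
 * also holds when AFL, which ignores libFuzzer options files, drives
 * the target. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        if (size > FUZZ_MAX_LEN)
                return 0; /* skip oversized inputs instead of timing out */
        parse_config(data, size);
        return 0;
}
```

The early `return 0` is the whole trick: oversized inputs are silently rejected before they can trigger quadratic-parser timeouts, regardless of which fuzzing engine generated them.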
I doubt ClusterFuzz would have been able to find a couple of stack overflows if it hadn't tried to feed too much data to, for example,
We have a few cases of reported issues which are about a timeout when parsing the input within 25 s. In all cases, the input is a few hundred kB. We don't really care whether the config parsers are super efficient, so let's set a limit on the input size to avoid triggering such issues.

The parsers often contain quadratic algorithms. This is OK, because the number of elements is almost always very small in real use. Rewriting the code to use more complicated data structures to speed this up would not only complicate the code, but also pessimize behaviour for the overwhelmingly common case of small samples. Note that in all those cases, the input data is trusted: we care about memory correctness, and not so much about efficiency.

The size checks are done twice: using options for libFuzzer, and using an internal check for AFL. Those should be changed together. I didn't use a define, because there is no easy mechanism to share the define between the two files.
Updated to add internal checks on size.
So... generally, I think we should let the fuzzers use large inputs iff the input data is external and has no natural bound (e.g. from packet size).
I'm wondering where (This reminds me that
As far as I can tell,
@evverx sure, if you feel it's worth the trouble, please rewrite the fuzzer to do reads and writes in loops. Using an event loop, this probably won't even be too much code. I just didn't think it was worth the trouble, but I'd be happy to review a patch.
@keszybz I hope I'll get round to it, but in the meantime, what I'm trying to say is that it isn't clear to me why issues like that can't just be left open. It's not that we need to "close" as many issues as possible.
What's more interesting is that some fuzzers like
I added another commit to allow empty inputs.
which seems to explain why the fuzzers have always been skipped when
hmm, what's the state of this one? From my side this looks good. Do you, @evverx, have objections?
The last commit (to allow size==0) was causing problems. I backed it out now. I think this should be good to merge.
I'll return to the size==0 issue later.
@poettering it's not that I have any objections. It's just that I'm a little concerned that the fuzzers are slowly drifting to the point where they're starting to be less useful than they could be. It's not the first time issues that nobody is supposedly interested in have been swept under the rug by changing the fuzzers. If I recall correctly, the first one was about
Speaking of the coverage report (and how useful it is), judging by https://storage.googleapis.com/oss-fuzz-coverage/systemd/reports/20190315/linux/src/systemd/src/fuzz/fuzz-calendarspec.c.html#L17,
I'm not sure what you're trying to say. I'm quite sure that having fuzzers which regularly produce known-bogus results, and having somebody click through them and mark them as bogus, is not the solution. We had a similar situation with CI: it wasted a lot of human time, and it quickly leads to a situation where everybody ignores the results. Once again: the problem is that any place which does strv appends in the parsing stack is going to be "vulnerable" to timeouts if the sample size is large enough. If you have a better idea how to avoid this other than limiting the sample size, I'm all ears.
I'm not saying that limiting the sample size is necessarily a bad thing. It's just unclear to me why you decided to use
As far as I can tell, the situation is getting better. Fedora CI, which was never properly maintained, was turned off and doesn't bother anybody any more. CentOS CI is taken care of by @mrc0mmand, Semaphore was turned into something useful by @martinpitt recently, and Ubuntu CI, well, it's more or less fine as long as it isn't ignored and the maintainers are notified of any weirdness happening there. So I don't know why anybody would ignore the CI now.