https://github.com/google/oss-fuzz/pull/3285
Thanks for getting us in, @Jonathan Foote!
Very cool :slight_smile:
Thanks to you @Nick Fitzgerald ! I will respond to your latest comment and get the integration PR submitted today.
I am excited. Hopefully this becomes a bellwether for future Rust projects as well.
Also how about that face-melting Wasm fuzzing demo from Jonathan Metzman. Really cool.
IIUC if we go the -Z sanitizer=fuzzer
route we would not be linking the oss-fuzz supplied libfuzzer library. Rust targets would be using the version vendored into libfuzzer-sys, rather than the version supplied by the clang
that is installed in the oss-fuzz build environment. If the oss-fuzz team is alright that we my not need to use $LIB_FUZZING_ENGINE
or $LIB_FUZZING_ENGINE_DEPRECATED
at all for Rust targets, so this effort would not block removal of the latter.
I will comment on the PR thread
Yeah I wasn't sure if the goal was to use the clang-provided libfuzzer where they can make sure it is built with the correct flags (something like this was mentioned in one of the issues) or if it was wanting a One True Way to support everything.
It is a good question. I don't know the answer.
Looks like this is the point at which they decided to put linker directives in LIB_FUZZING_ENGINE
(rather than just a path to the library): https://github.com/google/oss-fuzz/pull/2312#issuecomment-482274830
I am so excited that I made this the subject of my annual tweet
Looks like the preference might be to simply use the libfuzzer library that is vendored into libfuzzer-sys after all. I will give give kcc and max a day or so to respond before I potentially update the branch (including adding -O
) and make the PR.
@Nick Fitzgerald Are you seeing the crash reports from oss-fuzz? I have not dug into them yet myself. No rush at all, just want to confirm you are getting the reports.
I haven’t received any emails. FYI, not super available this week because of Mozilla all hands.
That is not good. Now that you mention it I haven't seen messages to "security@bytecodealliance.org" either. The project.yaml (https://github.com/google/oss-fuzz/blob/master/projects/wasmtime/project.yaml) looks OK to me.
The body of the email indicates the proper addresses were CC'd
Status: New Owner: ---- CC: fitz...@gmail.com, secur...@bytecodealliance.com, jonathan...@gmail.com Labels: Restrict-View-Commit ClusterFuzz Reproducible Engine-libfuzzer OS-Linux Proj-wasmtime Reported-2020-01-29 Type: Bug
https://oss-fuzz.com/testcase-detail/5199399699611648 is an example link. No rush at all -- but could you try accessing that (authenticating with fitzgen@gmail.com
) when you get a chance?
-- I hope the all hands goes well for you :stop::point_up::point_down::point_left::point_right::raised_hands:
https://github.com/google/oss-fuzz/blob/master/projects/wasmtime/project.yaml#L4 bytecodealliance.com
. D'oh. That explains why we didn't get a message to security@bytecodealliance.org.
PR for correction: https://github.com/google/oss-fuzz/pull/3307
I got the crash reports via the security@bytecodealliance.org list after that PR was merged
Last updated: Dec 23 2024 at 13:07 UTC