fitzgen (he/him) (Jan 23 2020 at 18:59): fitzgen (he/him) (Jan 23 2020 at 18:59):https://github.com/google/oss-fuzz/pull/3285
Thanks for getting us in, @Jonathan Foote!
Katelyn Martin (Jan 23 2020 at 19:07):Very cool :slight_smile:
Jonathan Foote (Jan 23 2020 at 19:43):Thanks to you @Nick Fitzgerald ! I will respond to your latest comment and get the integration PR submitted today.
I am excited. Hopefully this becomes a bellwether for future Rust projects as well.
Jonathan Foote (Jan 23 2020 at 19:45):Also how about that face-melting Wasm fuzzing demo from Jonathan Metzman. Really cool.
Jonathan Foote (Jan 23 2020 at 20:06):IIUC if we go the -Z sanitizer=fuzzer route we would not be linking the oss-fuzz supplied libfuzzer library. Rust targets would be using the version vendored into libfuzzer-sys, rather than the version supplied by the clang that is installed in the oss-fuzz build environment. If the oss-fuzz team is alright that we my not need to use $LIB_FUZZING_ENGINE or $LIB_FUZZING_ENGINE_DEPRECATED at all for Rust targets, so this effort would not block removal of the latter.
Jonathan Foote (Jan 23 2020 at 20:07):I will comment on the PR thread
fitzgen (he/him) (Jan 23 2020 at 20:09):Yeah I wasn't sure if the goal was to use the clang-provided libfuzzer where they can make sure it is built with the correct flags (something like this was mentioned in one of the issues) or if it was wanting a One True Way to support everything.
Jonathan Foote (Jan 23 2020 at 20:10):It is a good question. I don't know the answer.
Jonathan Foote (Jan 23 2020 at 20:10):Looks like this is the point at which they decided to put linker directives in LIB_FUZZING_ENGINE (rather than just a path to the library): https://github.com/google/oss-fuzz/pull/2312#issuecomment-482274830
Jonathan Foote (Jan 23 2020 at 20:40):I am so excited that I made this the subject of my annual tweet
Jonathan Foote (Jan 23 2020 at 21:35):Looks like the preference might be to simply use the libfuzzer library that is vendored into libfuzzer-sys after all. I will give give kcc and max a day or so to respond before I potentially update the branch (including adding -O) and make the PR.
Jonathan Foote (Jan 29 2020 at 15:17):@Nick Fitzgerald Are you seeing the crash reports from oss-fuzz? I have not dug into them yet myself. No rush at all, just want to confirm you are getting the reports.
fitzgen (he/him) (Jan 29 2020 at 15:37):I haven’t received any emails. FYI, not super available this week because of Mozilla all hands.
Jonathan Foote (Jan 29 2020 at 16:42):That is not good. Now that you mention it I haven't seen messages to "security@bytecodealliance.org" either. The project.yaml (https://github.com/google/oss-fuzz/blob/master/projects/wasmtime/project.yaml) looks OK to me.
Jonathan Foote (Jan 29 2020 at 16:47):The body of the email indicates the proper addresses were CC'd
Status: New Owner: ---- CC: fitz...@gmail.com, secur...@bytecodealliance.com, jonathan...@gmail.com Labels: Restrict-View-Commit ClusterFuzz Reproducible Engine-libfuzzer OS-Linux Proj-wasmtime Reported-2020-01-29 Type: Bug
https://oss-fuzz.com/testcase-detail/5199399699611648 is an example link. No rush at all -- but could you try accessing that (authenticating with fitzgen@gmail.com) when you get a chance?
Jonathan Foote (Jan 29 2020 at 16:58):-- I hope the all hands goes well for you :stop::point_up::point_down::point_left::point_right::raised_hands:
Jonathan Foote (Jan 30 2020 at 02:36):https://github.com/google/oss-fuzz/blob/master/projects/wasmtime/project.yaml#L4 bytecodealliance.com. D'oh. That explains why we didn't get a message to security@bytecodealliance.org.
Jonathan Foote (Jan 30 2020 at 02:40):PR for correction: https://github.com/google/oss-fuzz/pull/3307
Jonathan Foote (Jan 30 2020 at 13:40):I got the crash reports via the security@bytecodealliance.org list after that PR was merged
Last updated: Nov 22 2024 at 16:03 UTC