oss-fuzz/docs/advanced-topics/reproducing.md

161 lines
5.9 KiB
Markdown
Raw Normal View History

2019-08-07 14:37:16 +00:00
---
layout: default
title: Reproducing
parent: Advanced topics
nav_order: 5
2019-08-22 18:33:39 +00:00
permalink: /advanced-topics/reproducing/
2019-08-07 14:37:16 +00:00
---
# Reproducing OSS-Fuzz issues
{: .no_toc}
2019-08-07 14:37:16 +00:00
You've been CCed on an OSS-Fuzz issue
([examples](https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=Type%3ABug%2CBug-Security)).
Now what? Before attempting to fix the bug, you should be able to reliably
2019-08-07 14:37:16 +00:00
reproduce it.
- TOC
{:toc}
---
## Fuzz target bugs
Every issue has a [reproducer file]({{ site.baseurl
}}/reference/glossary/#reproducer) (also know as a "testcase" file) attached.
Download it. This file contains the bytes that were fed to the [fuzz
target](https://llvm.org/docs/LibFuzzer.html#fuzz-target).
**Note:** If the issue is not public, you will need to login using a
2019-08-07 14:37:16 +00:00
[Google account](https://support.google.com/accounts/answer/176347?hl=en)
([why?]({{ site.baseurl
}}/faq/#why-do-you-require-a-google-account-for-authentication)) that the bug
report CCs.
2019-08-07 14:37:16 +00:00
If you have already
[integrated]({{ site.baseurl }}/advanced-topics/ideal-integration/)
the fuzz target with your build and test system, all you have to do is run this command:
2019-08-07 14:37:16 +00:00
```bash
$ ./fuzz_target_binary <testcase_path>
```
For timeout bugs, add the `-timeout=65` argument. For OOM bugs, add the
2020-01-08 03:50:44 +00:00
`-rss_limit_mb=2560` argument. Read more on [how timeouts and OOMs are
handled]({{ site.baseurl }}/faq/#how-do-you-handle-timeouts-and-ooms).
2019-08-07 14:37:16 +00:00
Depending on the nature of the bug, the fuzz target binary needs to be built
with the appropriate [sanitizer](https://github.com/google/sanitizers)
(for example, if it's a buffer overflow, build with
2019-08-07 14:37:16 +00:00
[AddressSanitizer](http://clang.llvm.org/docs/AddressSanitizer.html)).
If you're not sure how to build the fuzzer using the project's build system,
you can also use Docker commands to replicate the exact build steps used by
OSS-Fuzz, then feed the reproducer input to the fuzz target ([how?]({{
site.baseurl }}/getting-started/new-project-guide/#prerequisites), [why?]({{
site.baseurl }}/faq/#why-do-you-use-docker)).
2019-08-07 14:37:16 +00:00
## Building using Docker
### Cloning OSS-Fuzz
To use the following `infra/helper.py` commands, you need a checkout of OSS-Fuzz:
```bash
$ git clone --depth=1 https://github.com/google/oss-fuzz.git
$ cd oss-fuzz
```
2019-08-07 14:37:16 +00:00
### Pull the latest Docker images
Docker images get regularly updated with a newer version of build tools, build
configurations, scripts, and other changes. In some cases, a particular issue
can be reproduced only with a fresh image being used. Pull the latest images
by running the following command:
2019-08-07 14:37:16 +00:00
```bash
$ python infra/helper.py pull_images
```
### Build the image and the fuzzers
Run the following commands:
2019-08-07 14:37:16 +00:00
```bash
$ python infra/helper.py build_image $PROJECT_NAME
2019-08-19 23:14:15 +00:00
$ python infra/helper.py build_fuzzers --sanitizer <address/memory/undefined> \
--architecture <x86_64/i386> $PROJECT_NAME
2019-08-07 14:37:16 +00:00
```
The `sanitizer` used in the report is the value in the
**Sanitizer** column. It's one of the following:
2020-06-20 15:31:59 +00:00
* **address** for AddressSanitizer.
* **memory** for MemorySanitizer.
* **undefined** for UndefinedBehaviorSanitizer.
**Notes**:
* The `architecture` argument is only necessary if you want to specify
`i386` configuration.
* Some bugs (specially ones related to pointer and integer overflows) are reproducible only in 32 bit mode or only in 64 bit mode.
If you can't reproduce a particular bug building for x86_64, try building for i386.
2019-08-19 21:07:33 +00:00
2019-08-07 14:37:16 +00:00
## Reproducing bugs
After you build an image and a fuzzer, you can reproduce a bug by running the following command:
2019-08-07 14:37:16 +00:00
```bash
$ python infra/helper.py reproduce $PROJECT_NAME <fuzz_target_name> <testcase_path>
```
For example, to build the [libxml2](https://github.com/google/oss-fuzz/tree/master/projects/libxml2)
project with UndefinedBehaviorSanitizer (`undefined`) instrumentation and
2019-08-07 14:37:16 +00:00
reproduce a crash testcase for a fuzzer named `libxml2_xml_read_memory_fuzzer`,
you would run:
2019-08-07 14:37:16 +00:00
```bash
$ python infra/helper.py build_image libxml2
$ python infra/helper.py build_fuzzers --sanitizer undefined libxml2
$ python infra/helper.py reproduce libxml2 libxml2_xml_read_memory_fuzzer ~/Downloads/testcase
```
## Reproduce using local source checkout
You can also mount local sources into the running container by using these commands:
2019-08-07 14:37:16 +00:00
```bash
2019-08-15 22:07:23 +00:00
$ python infra/helper.py build_fuzzers \
--sanitizer <address/memory/undefined> $PROJECT_NAME <source_path>
2019-08-07 14:37:16 +00:00
$ python infra/helper.py reproduce $PROJECT_NAME <fuzz_target_name> <testcase_path>
```
Once you reproduce the bug, you can do the following:
2019-08-07 14:37:16 +00:00
- **Fix issue:** Write a patch to fix the issue in your local checkout, then
2019-08-07 14:37:16 +00:00
use the previous command to verify the fix (i.e. no crash occurred).
[Use gdb]({{ site.baseurl }}/advanced-topics/debugging/#debugging-fuzzers-with-gdb)
if needed.
- **Submit fix:** Submit the fix in the project's repository. ClusterFuzz will
automatically pick up the changes, recheck the testcase, and close the
2019-08-07 14:37:16 +00:00
issue (in &lt; 1 day).
- **Improve fuzzing support:** Consider
[improving your integration with OSS-Fuzz]({{ site.baseurl }}/advanced-topics/ideal-integration/).
2019-08-07 14:37:16 +00:00
## Reproducing build failures
2019-08-07 14:37:16 +00:00
Our infrastructure runs some sanity tests to make sure that your build was
correctly configured, even if it succeeded. To reproduce these locally, run these commands:
2019-08-07 14:37:16 +00:00
```bash
$ python infra/helper.py build_image $PROJECT_NAME
2019-08-15 22:07:23 +00:00
$ python infra/helper.py build_fuzzers --sanitizer <address/memory/undefined> \
Centipede integration (#8046) * Add Centipede as a fuzzer * Specify dictionary param of Centipede * Update docs * Mark Centipede as experimental * More accurate description * Remove garbage * Simplify code * Move mkdir to dockerfile * Add the weak.c trick * Install deps with Centipede's script & uninstall new deps * Fix doc * Reuse libweak_sancov_stubs.so * Reorganise flags * format * Consistent file type * Reuse the weak references defined in Centipede * Replace the shared library of weak symbols with a static one * Correct the place to call mkdir * Allow 2G of SHM for Centipede * Create dirs in run_fuzzer * Keep Centipede up-to-date * Avoid duplicating Centipede's binary * The params of Centipede and their explanations * The engine info of centipede * Save the target binary (with san) in a subdir of the project * Set the target (with san) dir in check_build * Create the target (with san) first to avoid side-effects * Fic clone * Fix format * Add periods * Fix comments * Fix dirs * Fix parameters * Adding Centipede as a fuzzing engine for Scarecrow * Add CI support * Represent sanitizer with a variable * Remove the unnecessary definition of FUZZER_OUT * Reorganise binary directories * format * A minor note * Present issues with dirs that alread exist * Use os.path.join to join path * Make a function to get the out/ in check build * Reusing existing flags in .bazel * Avoid hardcoding sanitizer, set rss_limit_mb=4096, leave address_space_limit_mb disabled * Better ways to add bazel build options * A better way to add bazel flags * Remove redundant --bazelrc * Better Cohesion * Avoid code duplication * Simplify code * Exit on crash
2022-09-06 02:34:58 +00:00
--engine <libfuzzer/afl/honggfuzz/centipede> --architecture <x86_64/i386> $PROJECT_NAME
2019-08-15 22:07:23 +00:00
$ python infra/helper.py check_build --sanitizer <address/memory/undefined> \
Centipede integration (#8046) * Add Centipede as a fuzzer * Specify dictionary param of Centipede * Update docs * Mark Centipede as experimental * More accurate description * Remove garbage * Simplify code * Move mkdir to dockerfile * Add the weak.c trick * Install deps with Centipede's script & uninstall new deps * Fix doc * Reuse libweak_sancov_stubs.so * Reorganise flags * format * Consistent file type * Reuse the weak references defined in Centipede * Replace the shared library of weak symbols with a static one * Correct the place to call mkdir * Allow 2G of SHM for Centipede * Create dirs in run_fuzzer * Keep Centipede up-to-date * Avoid duplicating Centipede's binary * The params of Centipede and their explanations * The engine info of centipede * Save the target binary (with san) in a subdir of the project * Set the target (with san) dir in check_build * Create the target (with san) first to avoid side-effects * Fic clone * Fix format * Add periods * Fix comments * Fix dirs * Fix parameters * Adding Centipede as a fuzzing engine for Scarecrow * Add CI support * Represent sanitizer with a variable * Remove the unnecessary definition of FUZZER_OUT * Reorganise binary directories * format * A minor note * Present issues with dirs that alread exist * Use os.path.join to join path * Make a function to get the out/ in check build * Reusing existing flags in .bazel * Avoid hardcoding sanitizer, set rss_limit_mb=4096, leave address_space_limit_mb disabled * Better ways to add bazel build options * A better way to add bazel flags * Remove redundant --bazelrc * Better Cohesion * Avoid code duplication * Simplify code * Exit on crash
2022-09-06 02:34:58 +00:00
--engine <libfuzzer/afl/honggfuzz/centipede> --architecture <x86_64/i386> $PROJECT_NAME \
2019-08-19 23:14:15 +00:00
<fuzz_target_name>
2019-08-07 14:37:16 +00:00
```
**Note:** Unless you have a reason to think the build is an `i386` build, the build
2019-08-19 23:14:15 +00:00
is probably an `x86_64` build and the `architecture` argument can be omitted.
2019-08-19 21:07:33 +00:00
If you need to reproduce a `coverage` build failure, follow the
2019-08-07 14:37:16 +00:00
[Code Coverage page]({{ site.baseurl }}/advanced-topics/code-coverage) to build
2020-01-08 03:50:44 +00:00
your project and generate a code coverage report.