Similar to #8972, reproducing seems to assume architecture and doesn't
allow specifying a target. This PR adds the `--architecture` flag to the
reproduce command, allowing reproduction in the target platform.
Tested by running `build_fuzzers` and then `reproduce` with defaults.
Now using `--architecture aarch64` works to reproduce.
The corpus URL generated for fuzztest fuzzers is invalid due to the use
of `@` and `.` characters in the fuzzer names.
The current URL created is e.g.
`gs://fuzztest-raksha-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/fuzztest-raksha_value_test@NumberTest.RoundTripNumberThroughDatalogString/`
whereas the correct URL is
`gs://fuzztest-raksha-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/fuzztest-raksha_value_test-NumberTest-RoundTripNumberThroughDatalogString/`.
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: David Korczynski <david@adalogics.com>
cc @oliverchang @Alan32Liu after #9100 and #8448
After compiling locally, I can see that
`./SystemSan ./target_dns -dict=vuln.dict`
crashes in a few seconds with
```
===BUG DETECTED: Arbitrary domain name resolution===
===Domain resolved: .f.z===
===DNS request type: 0, class: 256===
==315== ERROR: libFuzzer: deadly signal
#0 0x539131 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x457c48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x43c923 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
#3 0x7fa57940041f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
#4 0x7fa5793ff7db in send (/lib/x86_64-linux-gnu/libpthread.so.0+0x137db) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
#5 0x503ba4 in __interceptor_send /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:6802:17
#6 0x7fa578abf462 (/lib/x86_64-linux-gnu/libresolv.so.2+0xb462) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
#7 0x7fa578abbc43 in __res_context_query (/lib/x86_64-linux-gnu/libresolv.so.2+0x7c43) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
#8 0x7fa578abc8ed in __res_context_search (/lib/x86_64-linux-gnu/libresolv.so.2+0x88ed) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
#9 0x7fa578ad2cc1 (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2cc1) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
#10 0x7fa578ad2e8b in _nss_dns_gethostbyname3_r (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2e8b) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
#11 0x7fa578ad2f41 in _nss_dns_gethostbyname2_r (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2f41) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
#12 0x7fa5792fdc9d in gethostbyname2_r (/lib/x86_64-linux-gnu/libc.so.6+0x130c9d) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#13 0x7fa5792d179e (/lib/x86_64-linux-gnu/libc.so.6+0x10479e) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#14 0x7fa5792d2f58 in getaddrinfo (/lib/x86_64-linux-gnu/libc.so.6+0x105f58) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#15 0x4d93ac in getaddrinfo /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2667:13
#16 0x56c8d9 in LLVMFuzzerTestOneInput /out/SystemSan/target_dns.cpp:35:11
#17 0x43dec3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#18 0x43d6aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#19 0x43ed79 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#20 0x43fa45 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#21 0x42edaf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#22 0x458402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#23 0x7fa5791f1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#24 0x41f7ed in _start (/out/SystemSan/target_dns+0x41f7ed)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 CrossOver-ManualDict- DE: "f.z"-; base unit: ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4
0x66,0x2e,0x7a,
f.z
artifact_prefix='./'; Test unit written to ./crash-926813b2d6adde373f96a10594a5314951588384
Base64: Zi56
```
You can also try
```
echo -n f.z > toto
./SystemSan ./target_dns toto
```
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
Co-authored-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
Enable Fuzztest fuzzers for Tensorflow.
This depends on https://github.com/google/fuzztest/pull/79 and
eventually a PR on the tensorflow repo with the (to be refined) diff in
this PR.
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: David Korczynski <david@adalogics.com>
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
Some projects use `-Werror` to turn all warnings into errors.
This affects `Centipede` as we do not separate build and linking flags
as it expects, which leads to `unused-command-line-argument` warnings.
This PR disables turning that specific warning into errors and keeps the
rest the same.
`go-118-fuzz-build` is undergoing refactoring to fix some runtime issues
affecting Rekor and other projects. Currently none of Rekors fuzzers
run. This PR has been tested on all of Rekors fuzzers that will run with
this PR.
This PR modifies the infra OSS-Fuzz build script to adapt to the
upstream changes.
Cloning the `dev` branch of `go-118-fuzz-build` is a temporary solution
until it gets merged into `main` upstream.
Cloning go-118-fuzz-build in each build script is also a temporary
measure until `dev` gets merged into `main`.
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
- Pass coverage_url to both c/c++ and python report generation.
- Remove a double calling of introspector report generation.
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: David Korczynski <david@adalogics.com>
Cross referencing https://github.com/google/fuzztest/pull/69
Signed-off-by: David Korczynski <david@adalogics.com>
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
Currently if you make a coverage build for a particular architecture
(e.g. aarch64), running the coverage command doesn't work as it assumes
`x86_64`. This PR adds the `--architecture` flag present in other
commands for parity, allowing to run coverage reports built for the
matching architecture.
Tested by running `build_fuzzers` and then `coverage` works as expected
with defaults (x86_64).
Now `build_fuzzers` and then `coverage` also work when `--architecture
aarch64` is used.
This has a fix for coverage urls for per-fuzzer coverage reports:
https://github.com/ossf/fuzz-introspector/pull/605
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: David Korczynski <david@adalogics.com>
This is a follow-up to https://github.com/google/oss-fuzz/pull/8952
This bump is needed to have the Python projects work properly. Scan
should be done for all projects now, so have switched it on by default
in fuzz introspector.
Bump also contains
- Fix for util-linux where per-target coverage report links were broken.
- Reduced logging.
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: David Korczynski <david@adalogics.com>
Co-authored-by: Navidem <navid.emamdoost@gmail.com>
With the python projects enabled, we need to broaden the coverage file
names that should to be downloaded.
This PR changes `download_coverage_data_steps()` function to download
all the contents of `textcov_reports` dir from the coverage bucket.
Bumps fuzz introspector and updates the way python fuzzers are build for
introspector builds.
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: David Korczynski <david@adalogics.com>
Wrap wildcards in quotes as otherwise the script will autocomplete if
there is a e.g. .json file in the current directory. This causes the
wrong files to be moved, which means `all_cov.json` will not be moved to
the introspector folder and thus wrong (no) coverage data will be used.
This error happens in e.g. g-api-auth-library-python
Raphael Salas