Reproducing OSS-Fuzz issues
You've been CC'ed on an OSS-Fuzz issue (examples), now what? Before attempting to fix the bug you should be able to reliably reproduce it.
Every issue has a reproducer file attached. Download it. If the issue is not public, you will need to log in with the Google account that is CC'ed on the bug report. This file contains the bytes that were fed to the fuzz target.
If you have properly integrated the fuzz target with your build and test system, all you need to do is run
./fuzz_target_binary REPRODUCER_FILE
Depending on the nature of the bug, the fuzz target binary needs to be built with the matching sanitizer (e.g. with AddressSanitizer if the report is a buffer overflow); a binary built without it may run the reproducer without crashing.
TODO
Another option is to use the Docker commands (TODO: link) to replicate the exact build steps used by OSS-Fuzz and then feed the reproducer input to the target.
TODO: create a separate file with all docker commands
(how?, why?), but it is entirely possible to do without.
Click the testcase download link to download the testcase (you may need to log in, using the same Google account that you've been CC'ed with). The "Detailed report" link provides the full stack trace, as well as some additional details that may be useful.
For the following instructions, $target is the text after "Target:" in the report, and $fuzzer is the text after "Fuzzer binary:". $testcase_file is the path to the testcase you just downloaded.
Note that for older reports, "Fuzzer binary:" and "Target:" may not exist. In this case, please extract this information from the "Fuzzer:" field. This is usually in the format libFuzzer_$target_$fuzzer.
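The field extraction described above, as an added example (it is not part of the OSS-Fuzz docs or tooling): a small POSIX shell script that reads $target and $fuzzer from the text of a report, falls back to splitting the older libFuzzer_$target_$fuzzer form of the "Fuzzer:" field, and prints the docker reproduce command without running it. The two report snippets are constructed for the demonstration, and the fallback assumes the project name itself contains no underscore, so the first segment after libFuzzer_ is the target.

```shell
#!/bin/sh
# Added example, not OSS-Fuzz's own code: derive $target and $fuzzer from a
# ClusterFuzz report file and print the matching docker reproduce command.

# Print the value of a "Key: value" line from the report (first match only).
# $1 = field name without the colon, $2 = report file.
report_field() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# Print "target fuzzer" on one line. Newer reports carry "Target:" and
# "Fuzzer binary:"; older ones only "Fuzzer:" as libFuzzer_$target_$fuzzer.
# Returns 1 when neither form yields both values.
report_target_and_fuzzer() {
    target=$(report_field Target "$1")
    fuzzer=$(report_field "Fuzzer binary" "$1")
    if [ -z "$target" ] || [ -z "$fuzzer" ]; then
        legacy=$(report_field Fuzzer "$1")
        legacy=${legacy#libFuzzer_}
        # Assumption: the project name has no underscore, so the first
        # underscore-separated segment is the target and the rest is the fuzzer.
        target=${legacy%%_*}
        fuzzer=${legacy#*_}
        [ "$target" != "$legacy" ] || return 1   # no underscore: cannot split
    fi
    [ -n "$target" ] && [ -n "$fuzzer" ] || return 1
    printf '%s %s\n' "$target" "$fuzzer"
}

# Print the "reproduce from nightly sources" command for a report and testcase.
# $1 = report file, $2 = path to the downloaded testcase.
reproduce_command() {
    pair=$(report_target_and_fuzzer "$1") || return 1
    target=${pair%% *}
    fuzzer=${pair#* }
    printf 'docker run --rm -v %s:/testcase -t ossfuzz/%s reproduce %s\n' \
        "$2" "$target" "$fuzzer"
}

# Constructed sample reports (not real ClusterFuzz output) so the script runs offline.
NEW_REPORT=$(mktemp)
cat > "$NEW_REPORT" <<'EOF'
Detailed report: https://example.invalid/testcase-detail/0
Target: libxml2
Fuzzer binary: libxml2_xml_read_memory_fuzzer
EOF

OLD_REPORT=$(mktemp)
cat > "$OLD_REPORT" <<'EOF'
Detailed report: https://example.invalid/testcase-detail/1
Fuzzer: libFuzzer_libxml2_libxml2_xml_read_memory_fuzzer
EOF

# Both report styles resolve to the same command.
reproduce_command "$NEW_REPORT" "$HOME/Downloads/testcase"
reproduce_command "$OLD_REPORT" "$HOME/Downloads/testcase"
```

Pipe the printed line into sh once you have checked that the target and fuzzer names look right; for a project whose name does contain an underscore, read the "Fuzzer:" field by hand instead of trusting the split.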
Docker
If you have docker installed, follow these steps:
- Reproduce from nightly sources:
docker run --rm -v $testcase_file:/testcase -t ossfuzz/$target reproduce $fuzzer
This builds the fuzzer from nightly sources (in the image) and runs it on the testcase input. E.g. for libxml2 it will be:
docker run --rm -ti -v ~/Downloads/testcase:/testcase ossfuzz/libxml2 reproduce libxml2_xml_read_memory_fuzzer
- Reproduce from local sources:
docker run --rm -v $target_checkout_dir:/src/$target -v $testcase_file:/testcase -t ossfuzz/$target reproduce $fuzzer
This is essentially the previous command, additionally mounting your local sources into the running container so the fuzzer is built from them.
- Fix the issue. Use the previous command to verify that you fixed the issue locally. Use gdb if needed.
- Submit the fix. ClusterFuzz will automatically pick up the changes, recheck the testcase and close the issue.