Rooba
/
oss-fuzz
mirror of https://github.com/google/oss-fuzz.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity
oss-fuzz/docs/reproducing.md

3.1 KiB
Raw Blame History

Reproducing oss-fuzz issues

You've been CC'ed on an oss-fuzz issue, now what? Before attempting a fix you should be able to reliably reproduce an issue.

The process is much simpler if you have Docker installed (how?, why?), but is entirely possible to do without.

Bug tracker reports

Bug reports in our bug tracker have the format:

Detailed report: <link to ClusterFuzz report>

Target: target
Fuzzer: libFuzzer_target_fuzzer
Fuzzer binary: fuzzer
Job Type: libFuzzer_asan_libchewing

Crash Type: Heap-use-after-free
Crash Address: 0x1337
Crash State
  Frame1
  Frame2
  Frame3

Regressed: <Regression range link>

Minimized Testcase (size): <Testcase download link>

Click the testcase download link to download the testcase (you may need to login, using the same Google account that you've been CC'ed with). The "Detailed report" link provides the full stack trace, as well as some additional details that may be useful.

For the following instructions, $target is the text after Target: in the report, and $fuzzer is the text after Fuzzer binary: . $testcase_file is the path to the testcase you just downloaded.

Note that for older reports, Fuzzer binary: and Target: may not exist. In this case, please extract this information from the Fuzzer: field. This is usually in the format libFuzzer_$target_$fuzzer.

Docker

If you have docker installed, follow these steps:

  • Reproduce from nightly sources:

    • 



docker run --rm -v $testcase_file:/testcase -t ossfuzz/$target reproduce $fuzzer



It builds the fuzzer from nightly sources (in the image) and runs it with testcase input.
E.g. for libxml2 it will be:

   
docker run --rm -ti -v ~/Downloads/testcase:/testcase ossfuzz/libxml2 reproduce libxml2_xml_read_memory_fuzzer
   


    

  • 

    Reproduce from local sources:
    
  
    • 



docker run --rm  -v $target_checkout_dir:/src/$target 

-v $reproducer_file:/testcase -t ossfuzz/$target reproduce $fuzzer



This is essentially the previous command that additonally mounts local sources into the running container.


    

  • Fix the issue. Use the previous command to verify you fixed the issue locally.
Use gdb if needed.
    • 

  • Submit the fix. ClusterFuzz will automatically pick up the changes, recheck the testcase
and will close the issue.
    • 



Manual


Manual process is fully documented on main libFuzzer page.
To manully reproduce the issue you have to:



ClusterFuzz will automatically pick up the changes, recheck the testcase and will close the issue.