OSS Fuzzing #578
-
@ennamarie19 According to the new projects' page, this is required for access:
Would it be alright with you if you manage our access or is there a way that we can create Pull Requests to add ourselves?
-
Your access to those links should start working in the next several days. It took a while for me to be let in as well. I believe that the 90 day timeframe is an OSS-Fuzz policy. I do not think that can be changed to immediately disclose reports. Feel free to check into this once you get access though!

On Nov 8, 2023, at 4:41 AM, Nicco Kunzmann ***@***.***> wrote:
@ennamarie19 This is an email that I received:
Labels: Restrict-View-Commit ClusterFuzz Stability-LibFuzzer Reproducible Engine-libfuzzer OS-Linux Proj-icalendar Reported-2023-11-07
Type: Bug
New issue 63959 by ClusterFuzz-External: icalendar:ical_fuzzer: Uncaught exception in init
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63959
Detailed Report: https://oss-fuzz.com/testcase?key=6484029419159552
Project: icalendar
Fuzzing Engine: libFuzzer
Fuzz Target: ical_fuzzer
Job Type: libfuzzer_ubsan_icalendar
Platform Id: linux
Crash Type: Uncaught exception
Crash Address:
Crash State:
init
from_ical
Sanitizer: undefined (UBSAN)
Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_ubsan_icalendar&range=202311060615:202311070621
Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=6484029419159552
Issue filed automatically.
See https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.
When you fix this bug, please
mention the fix revision(s).
state whether the bug was a short-lived regression or an old bug in any stable releases.
add any other useful information.
This information can help downstream consumers.
If you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.
--
You received this message because:
You were specifically CC'd on the issue
When I access the links: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63959 and https://oss-fuzz.com/testcase?key=6484029419159552, I get an Access Denied.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.
I think that since this is a public project and the reports (12 already) might create lots of new little issues for people to solve, it might be good to make them public instantly. We do not have a security policy when it comes to potentially exploitable code but I also think that we might not have such an issue in the normal case. From my perspective, the normal case should be easy access to the information and an easy way to start fixing the issues.
So the question is: Can you add me somehow to these projects so I can change settings or is it possible to instantly disclose the reports? Then, I can have a look at them and create new small issues to solve.
-
@ennamarie19, I would value adding some information for maintainers about the OSS Fuzzing here: https://icalendar.readthedocs.io/en/latest/maintenance.html#new-releases
-
@ennamarie19 has added fuzzing to our automated tests (GitHub Actions) on Pull Requests (#562).
Some background on OSS FUZZ:
The first PR seemed quite promising when it comes to detecting edge case errors: #577