
Potential new projects to integrate with OSS-Fuzz

Open kcc opened this issue 8 years ago • 62 comments

Let's use this issue to maintain a list of projects that we want to see on oss-fuzz. Volunteers welcome!

  • [x] binutils, e.g. cplus_demangle (seen fuzzable bugs in the past)
  • [x] more fuzz targets from LLVM, we currently have only llvm_libcxxabi
  • [ ] libstdc++ regex (e.g. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79539)
  • [x] libexif
  • [x] PCRE (we have PCRE2, but not PCRE)
  • [x] python (https://bugs.python.org/issue29505)
  • [x] gstreamer (https://lwn.net/Articles/708196/ and also https://github.com/google/oss-fuzz/issues/93)
  • [x] mysql
  • [x] http://www.gfwx.org/
  • [x] http://www.libtiff.org/
  • [x] https://sourceforge.net/projects/giflib/
  • [x] https://github.com/jrmuizel/qcms/
  • [x] imagemagick @dlemstra (https://github.com/google/oss-fuzz/issues/430)
  • [x] ~~graphviz @emdenrg (https://github.com/google/oss-fuzz/issues/182)~~ (upstream not interested)
  • [x] gstreamer @bilboed (https://github.com/google/oss-fuzz/issues/93)
  • [ ] vim/neovim @dpelle (https://github.com/google/oss-fuzz/issues/96)
  • [ ] s2n @raycoll, @alexw91, @colmmacc (https://github.com/google/oss-fuzz/issues/238)
  • [ ] libelf, libdwarf (https://github.com/google/oss-fuzz/issues/64) (add to this list instead of creating a new comment)
  • [ ] more/better fuzzing for ICU https://github.com/google/oss-fuzz/tree/master/projects/icu
  • [x] apache httpd
  • [x] https://xerces.apache.org/xerces-c/
  • [x] https://github.com/google/piex
  • [x] libidn2
  • [x] libzip
  • [x] dovecot
  • [x] Node.js
  • [ ] tcpdump
  • [ ] bluez
  • [x] cairo
  • [ ] coreboot
  • [x] dbus
  • [ ] dhcpcd
  • [ ] dtc (device tree compiler)
  • [ ] laptop-mode-tools
  • [ ] libcamera
  • [ ] libevdev
  • [ ] libiio
  • [ ] libpciaccess
  • [ ] modemmanager
  • [ ] xf86-input-synaptics
  • [x] vlc
  • [x] php-src
  • [x] bind9
  • [ ] projects from Cloud Native Computing Foundation(https://www.cncf.io/projects/)

kcc avatar Feb 17 '17 23:02 kcc

Some potential others:

  • gzip
  • bzip2
  • xz
  • lzma
  • p7zip
  • unzip
  • libzip
  • libarchive (I think there are plenty of others like this.)
  • tar
  • cpio
  • ar
  • rpm
  • dpkg
  • elfutils
  • ntp
  • gimp
  • inkscape
  • cups
  • ghostscript
  • postfix
  • dovecot
  • libidn
  • poppler
  • clamav
  • flac
  • mutt
  • vim
  • libpcap
  • privoxy
  • samba

kroeckx avatar Mar 05 '17 23:03 kroeckx

Added GStreamer : https://github.com/google/oss-fuzz/pull/905

bilboed avatar Oct 19 '17 11:10 bilboed

  • VLC: https://github.com/videolan/vlc, https://www.videolan.org/security/

Dor1s avatar Dec 20 '17 20:12 Dor1s

from Dor1s,

There are few new fuzz targets in Chromium, need to add those (ideally, upstream all the targets); https://cs.chromium.org/chromium/src/third_party/zlib/contrib/tests/fuzzers/

inferno-chromium avatar Feb 10 '18 05:02 inferno-chromium

Some suggestions:

  • Wayland (specifically, its display protocol handling from clients)
  • gdk-pixbuf (image loaders)
  • tracker-miners (extracts data from a variety of file types)

pwithnall avatar Sep 01 '18 12:09 pwithnall

Hello,

I was wondering if adding the solidity compiler, the official "smart contract" compiler implementation, to oss-fuzz makes sense. See ethereum/solidity#5278

Thank you.

Edit: The fact that the solidity team finds memory leaks low priority (see ethereum/solidity#4517) is a bit discouraging from a continuous fuzzing point of view. Also, the current harness is pretty slow (about 200 execs/s on an [email protected]).

bshastry avatar Oct 19 '18 20:10 bshastry

@bshastry, yes, most likely we would accept a PR for https://github.com/ethereum/solidity.

Dor1s avatar Oct 19 '18 20:10 Dor1s

> @bshastry, yes, most likely we would accept a PR for https://github.com/ethereum/solidity.

Thank you, I will initiate a PR once ethereum/solidity#5278 has been approved and merged into upstream solidity.

Edit: libFuzzer already found a compiler bug ethereum/solidity#5279 :-)

bshastry avatar Oct 19 '18 20:10 bshastry

Hello everyone,

Would you consider adding mruby to oss-fuzz? Hackerone features a bounty program for memory corruption bugs in the mruby compiler which goes to show that the software is used in security-critical scenarios. Moreover, reviewing past submissions, afl-fuzz has been routinely used to flag heap overflows which makes it an interesting oss-fuzz target.

bshastry avatar Dec 05 '18 14:12 bshastry

@bshastry, yes!

Dor1s avatar Dec 05 '18 15:12 Dor1s

> lzma

Would you still accept fuzzers for lzma? I recently started writing some for the LZMA SDK (https://www.7-zip.org/sdk.html) and would like to submit them here when they are ready.

fancycode avatar Mar 26 '19 17:03 fancycode

> Would you still accept fuzzers for lzma?

Yes, definitely.

Dor1s avatar Mar 26 '19 17:03 Dor1s

Dear all,

What are top 5 projects you would like integrated into ossfuzz by the end of this year? I'm looking for work in my spare time, perhaps others following this thread are as well :-)

Thank you.

bshastry avatar Jun 25 '19 19:06 bshastry

Dear all, would you be interested in adding https://sorbet.org/ to oss-fuzz? We already use fuzzing to find crashes in IDE before our users do, and we've found bugs through the entire typechecking pipeline via fuzzing before.

DarkDimius avatar Jun 27 '19 07:06 DarkDimius

@DarkDimius - please submit a simple PR similar to https://github.com/google/oss-fuzz/pull/2536#issue-290927443, citing who is using Sorbet ide.

inferno-chromium avatar Jun 27 '19 14:06 inferno-chromium

About elfutils (libelf, libdwarf, see #64): the clang compiler is currently not supported (you can google "clang elfutils" for some references). Is there a way to use another compiler with oss-fuzz?

catenacyber avatar Jul 17 '19 15:07 catenacyber

> Is there a way to use another compiler with oss-fuzz?

No, it will not be feasible for us to support another toolchain. Even for existing LLVM toolchain, OSS-Fuzz actually relies on Chromium's judgement w.r.t. which revision is stable to use. We typically don't update it ourselves, but in the worst case we're capable of making some changes, which is not the case for other toolchains.

Dor1s avatar Jul 17 '19 15:07 Dor1s

So, the prerequisite for integrating elfutils in oss-fuzz is to manage to build it with clang...

catenacyber avatar Jul 17 '19 18:07 catenacyber

VLC keeps receiving memory corruption bugs: https://hackerone.com/vlc_h1c/hacktivity

Dor1s avatar Jul 24 '19 01:07 Dor1s

First: @kcc, any chance your first post can be updated to remove projects that are now in OSS-Fuzz? This is a really useful list of potential projects for people to pick up.

Second: I've been trawling around for projects to add (I now have a lovely spreadsheet of projects and their functional areas), and I thought I'd list some here that might be useful in future.

  • https://github.com/nothings/stb/ : Audio, Image, Font parsing.
    • There does appear to be a PR for an stb_image fuzzer: https://github.com/nothings/stb/pull/737
    • https://github.com/SFML/SFML uses the stb_image file; SFML is a fairly prevalent game development engine.
  • https://pjsip.org: SIP (Internet Telephony)
    • PJSIP is a pretty well known SIP library, used in Asterisk.
    • I might take this on if I have the time, but the API is daunting 😅

cmeister2 avatar Aug 08 '19 08:08 cmeister2

> First: @kcc, any chance your first post can be updated to remove projects that are now in OSS-Fuzz?

Updated the first comment on behalf of Kostya :)

Dor1s avatar Aug 08 '19 13:08 Dor1s

Maybe Perl: https://hackerone.com/reports/424447

Dor1s avatar Sep 26 '19 13:09 Dor1s

Bitcoin Core would be great to have fuzzed as part of oss-fuzz :)

I contribute to Bitcoin Core and would be very glad to help any volunteer who wants to give it a try!

https://github.com/bitcoin/bitcoin/blob/master/doc/fuzzing.md is a good starting point.

practicalswift avatar Sep 26 '19 13:09 practicalswift

https://github.com/sctplab/usrsctp ?

Edit: Sorry, just realized this is upstream already

bshastry avatar Sep 27 '19 09:09 bshastry

libexpat has one fuzzer in this repo and two fuzzers in its upstream repo. Would you be interested in using the upstream version?

bshastry avatar Nov 17 '19 12:11 bshastry

@bshastry - definitely, we can switch to the upstream version, delete the current one in the oss-fuzz repo, and see if any of it needs to be upstreamed into either of those two fuzzers.

inferno-chromium avatar Nov 17 '19 18:11 inferno-chromium

@bshastry there is this related open PR https://github.com/libexpat/libexpat/pull/292

catenacyber avatar Nov 17 '19 21:11 catenacyber

> libexpat has one fuzzer in this repo

also note that that one fuzz target is compiled into six different binaries to fuzz different encoding formats

Dor1s avatar Nov 18 '19 17:11 Dor1s

@Dor1s upstream libexpat also does the same thing, i.e., creates 6 variants per harness, one per encoding type. In total, upstream contains two harnesses, which means 12 fuzzers in total as against the 6 fuzzers in the OSS-Fuzz repo.

bshastry avatar Nov 18 '19 17:11 bshastry
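The "one fuzz target source, one binary per encoding" pattern discussed in the two comments above, shown as an added example that is not libexpat's, OSS-Fuzz's, or any commenter's code. The encoding is baked in at build time through a preprocessor define (`ENCODING_FOR_FUZZING`, an assumed name), so each binary exercises a different decoding path and keeps its own corpus and crash reports. The decoder under test is a small constructed stand-in, not expat; the `FUZZING_BUILD` guard around `main` is likewise an assumption for this example.

```c
// Added example, not libexpat or OSS-Fuzz code: one libFuzzer-style target
// source that is compiled several times, once per encoding, by passing
// -DENCODING_FOR_FUZZING="..." on the build line.  count_code_points() is a
// constructed stand-in for the parser under test, not expat.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef ENCODING_FOR_FUZZING
#define ENCODING_FOR_FUZZING "UTF-8"   /* variant built when none is chosen */
#endif

/* Decode `len` bytes of `data` in `encoding` and return the number of code
 * points, or -1 on a malformed sequence or an unknown encoding name.  Each
 * encoding takes its own branch, which is exactly why a separate fuzzer per
 * encoding pays off: a corpus tuned for UTF-8 rarely reaches the UTF-16 code. */
long count_code_points(const char *encoding, const uint8_t *data, size_t len) {
    long n = 0;
    if (strcmp(encoding, "ISO-8859-1") == 0) {
        return (long)len;                      /* one byte, one code point */
    }
    if (strcmp(encoding, "UTF-16LE") == 0) {
        if (len % 2) return -1;                /* odd length cannot be UTF-16 */
        for (size_t i = 0; i < len; i += 2) {
            unsigned u = data[i] | ((unsigned)data[i + 1] << 8);
            if (u >= 0xD800 && u <= 0xDBFF) {  /* high surrogate needs a low one */
                if (i + 3 >= len) return -1;   /* truncated pair */
                unsigned lo = data[i + 2] | ((unsigned)data[i + 3] << 8);
                if (lo < 0xDC00 || lo > 0xDFFF) return -1;
                i += 2;                        /* consume the low surrogate too */
            } else if (u >= 0xDC00 && u <= 0xDFFF) {
                return -1;                     /* stray low surrogate */
            }
            n++;
        }
        return n;
    }
    if (strcmp(encoding, "UTF-8") == 0) {
        size_t i = 0;
        while (i < len) {
            uint8_t b = data[i];
            size_t extra;                      /* continuation bytes expected */
            if (b < 0x80) extra = 0;
            else if ((b & 0xE0) == 0xC0 && b >= 0xC2) extra = 1;  /* no overlongs */
            else if ((b & 0xF0) == 0xE0) extra = 2;
            else if ((b & 0xF8) == 0xF0 && b <= 0xF4) extra = 3;  /* <= U+10FFFF */
            else return -1;
            if (i + extra >= len) return -1;   /* truncated sequence */
            for (size_t k = 1; k <= extra; k++)
                if ((data[i + k] & 0xC0) != 0x80) return -1;
            i += extra + 1;
            n++;
        }
        return n;
    }
    return -1;                                 /* unknown encoding */
}

/* libFuzzer entry point.  Every binary built from this file has the same
 * entry; only the compiled-in encoding differs. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)count_code_points(ENCODING_FOR_FUZZING, data, size);
    return 0;                                  /* libFuzzer expects 0 */
}

#ifndef FUZZING_BUILD  /* assumed guard: define it when linking -fsanitize=fuzzer */
int main(void) {
    /* constructed input: "cafe" with an e-acute, encoded as UTF-8 */
    const uint8_t sample[] = "caf\xC3\xA9";
    printf("%s: %ld code points\n", ENCODING_FOR_FUZZING,
           count_code_points(ENCODING_FOR_FUZZING, sample, sizeof sample - 1));
    return 0;
}
#endif
```

A build script then loops over the encodings, e.g. `for enc in UTF-8 UTF-16LE ISO-8859-1; do clang -fsanitize=fuzzer,address -DFUZZING_BUILD -DENCODING_FOR_FUZZING="\"$enc\"" target.c -o "target_$enc"; done`, which yields one fuzzer binary per encoding from a single source file, matching the 6-per-harness count the thread describes for libexpat.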

Samba is in and working after #3094 and #2993

abartlet avatar Dec 13 '19 07:12 abartlet