fuzz: add libFuzzer harness suite for SCAP parsing#2365
Open
edznux-dd wants to merge 1 commit into
Five harnesses (scap_parse, xccdf_policy, validate, arf, xccdf_tailoring), a parallel driver script (run-all.sh), a cleaned-up README, and 27 curated regression inputs — one per bug found during the fuzzing campaign. Reproducers are minimized to the smallest document that faithfully triggers each bug: 12–545 bytes, hand-crafted or auto-minimized via libFuzzer's -minimize_crash where the multi-bug branch didn't cause drift. Includes ENABLE_FUZZING CMake option that instruments the library with -fsanitize=fuzzer-no-link,address,undefined (Clang only).
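As an added example (not code from this PR or from the project it targets), this is the shape of a file-based libFuzzer harness like the five described above, with a stand-alone replay path for the minimized reproducers. `target_parse_file` is a hypothetical stand-in for the library loader under test; a real harness would call the project's SCAP/XCCDF/ARF parser at that point. The temp-file bridge, the size cap and the always-return-0 contract are the parts that carry over unchanged.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Cap the input size: libFuzzer will otherwise grow inputs, and very large
 * XML documents slow every iteration without reaching new code. */
#define MAX_INPUT_LEN (64 * 1024)

/* HYPOTHETICAL stand-in for the library loader under test (the real harness
 * would call the SCAP/XCCDF/ARF parser here). It only reads the file back so
 * the example runs without the library. Returns bytes read, or -1. */
static int target_parse_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    unsigned char buf[4096];
    size_t total = 0, n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) total += n;
    fclose(f);
    return (int)total;
}

/* Bridge from the fuzzer's byte buffer to a path, for parsers that take a
 * file name rather than a buffer. Returns 0 on success; path receives the
 * temp file name. */
int fuzz_input_to_tempfile(const uint8_t *data, size_t size,
                           char *path, size_t path_len) {
    static const char tmpl[] = "/tmp/fuzz-XXXXXX";
    if (path_len < sizeof tmpl) return -1;
    memcpy(path, tmpl, sizeof tmpl);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    size_t off = 0;
    while (off < size) {
        ssize_t w = write(fd, data + off, size - off);
        if (w <= 0) { close(fd); unlink(path); return -1; }
        off += (size_t)w;
    }
    close(fd);
    return 0;
}

/* libFuzzer entry point. It must return 0 on every input; findings surface
 * as ASan/UBSan reports from the instrumented library, not as return codes. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size == 0 || size > MAX_INPUT_LEN) return 0;
    char path[32];
    if (fuzz_input_to_tempfile(data, size, path, sizeof path) != 0) return 0;
    target_parse_file(path);
    unlink(path); /* no temp-file leak across millions of iterations */
    return 0;
}

/* Same bridge, but returning what the parser saw: used to check that the
 * bytes the fuzzer generated are exactly the bytes the parser consumed. */
int round_trip_bytes(const uint8_t *data, size_t size) {
    char path[32];
    if (fuzz_input_to_tempfile(data, size, path, sizeof path) != 0) return -1;
    int seen = target_parse_file(path);
    unlink(path);
    return seen;
}

/* Replay one saved reproducer (a minimized crash input) through the
 * harness, as a regression run would. Returns bytes fed, or -1. */
long replay_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint8_t *buf = malloc(MAX_INPUT_LEN);
    if (!buf) { fclose(f); return -1; }
    size_t n = fread(buf, 1, MAX_INPUT_LEN, f);
    fclose(f);
    LLVMFuzzerTestOneInput(buf, n);
    free(buf);
    return (long)n;
}

/* Stand-alone driver: ./harness repro1.xml repro2.xml ...
 * When linked with -fsanitize=fuzzer, libFuzzer supplies main instead. */
int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++)
        printf("%s: %ld bytes\n", argv[i], replay_file(argv[i]));
    return 0;
}
```

The split between the library and the harness matches the flags in the description: the library is built with `-fsanitize=fuzzer-no-link,address,undefined` (coverage instrumentation plus sanitizers, no libFuzzer `main`), while the harness binary is linked with `-fsanitize=fuzzer`, which supplies libFuzzer's own `main`. The `main` in the block only exists so the saved reproducers can be replayed through the same entry point without libFuzzer, which is how a regression check over a curated corpus is usually wired up.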
(more context in #2361)
This is the last, sort of "extra" PR of the series 😅.
Sorry if it's larger than the other ones but it contains all the fuzz tests in there, with the minified reproducers, build steps, readme...
I've validated that the reproducers are finding the expected bugs (because this branch doesn't contain the fixes, minifying the inputs caused it to trigger other bugs, most notably the null pointer derefs).
I'm not exactly sure if or what you want to keep of these as is, but this is what discovered the ~30 bugs.
I've put some instructions, in the readme, on how to:
These fuzzers ran for 24h on a dedicated machine (with 4 cores each, I believe), and reported 0 new findings.
There are likely some improvements to be made to increase their coverage, and to increase the number of fuzz tests as well.
This PR does not introduce any CI-level integration, but if interested, it may be possible for you to use OSS-Fuzz infrastructure to run these for you.