Fuzzing: Instrument with new sanitizers#7396
Conversation
Hi @AdamKorcz. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
| } | ||
| cd $SRC/instrumentation | ||
| go run main.go $SRC/containerd/images |
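Review bot: `cd $SRC/instrumentation` is not chained to the `go run` that follows it, so if the directory is missing the `cd` fails and `go run main.go $SRC/containerd/images` executes in whatever the current directory happens to be (unless the script runs under `set -e`, which is not visible here); write it as `cd $SRC/instrumentation && go run main.go $SRC/containerd/images`. The hunk also gives no hint where `main.go` comes from, and a reader of containerd's oss_fuzz_build.sh cannot tell that it is an external source-rewriting tool; add a one-line comment above these lines stating that it is cloned from https://github.com/AdamKorcz/instrumentation, as requested in the review below.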
Where is the main.go? In a different repository?
Yes, "instrumentation" is being cloned here: google/oss-fuzz#8504
Thanks! Can you mention the location in oss_fuzz_build.sh? It may be obvious for oss-fuzz folks, but not so for containerd folks.
Compared to cncf-fuzzing, https://github.com/AdamKorcz/instrumentation doesn't have much containerd stuff. So I'm fine having a separate repo for that.
Also I'd like to merge this PR after google/oss-fuzz#8504. Would it work for you?
> Thanks! Can you mention the location in oss_fuzz_build.sh? It may be obvious for oss-fuzz folks, but not so for containerd folks.

In an inline comment or in this PR?

> Compared to cncf-fuzzing, https://github.com/AdamKorcz/instrumentation doesn't have much containerd stuff. So I'm fine having a separate repo for that.

Yes, the instrumentation project is meant to be general.

> Also I'd like to merge this PR after google/oss-fuzz#8504. Would it work for you?

Sure, it has just been merged.
> In an inline comment or in this PR?

In the shell script itself.
> In the shell script itself.

Not sure I understand. Should I write in oss_fuzz_build.sh where it is in the containerd repo? If users have already found the oss_fuzz_build.sh script, do they need to know where it is?
Oh sorry, I meant that oss_fuzz_build.sh should explain how it gets main.go. You could just say something like "this is from https://github.com/AdamKorcz/instrumentation".
Thanks for the elaboration and sorry for the misunderstanding. A comment has been added!
| func FuzzImportIndex(data []byte) int { | ||
| f := fuzz.NewConsumer(data) | ||
| tarBytes, err := f.TarBytes() | ||
| tarBytes, err := f.GetBytes() |
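Review bot: after replacing `f.TarBytes()` with `f.GetBytes()` the variable is still called `tarBytes`, but the value is now arbitrary fuzzer bytes rather than a generated tar archive; rename it (for example `data` or `raw`) and add a comment saying that feeding unstructured input is intentional so that the new bug detectors see the parser's handling of malformed archives, otherwise the next maintainer is likely to "fix" it back. Since most arbitrary inputs will be rejected by the tar reader before the import logic is reached, it is worth keeping a `TarBytes()`-based variant of this target alongside so the deeper code paths still get exercised.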
Does it return arbitrary bytes or bytes that are valid as a tar archive?
Arbitrary bytes. It should work better with the new bug detectors.
Signed-off-by: AdamKorcz <[email protected]>
This instruments images/ with new sanitizers/bug detectors that AdaLogics are developing to work with fuzzing. The plan is to start with a small part of Containerd and, if everything runs well, move on to the entire project. I will observe the OSS-Fuzz dashboard closely for any breakages.
No extra work is required from the Containerd side. Everything should work as usual.
@kzys
Needs google/oss-fuzz#8504 to be merged first - this is why CIFuzz is failing.
Signed-off-by: AdamKorcz [email protected]