aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJakub Jelen <jjelen@redhat.com>2020-12-04 11:31:05 +0100
committerAndreas Schneider <asn@cryptomilk.org>2020-12-08 14:54:25 +0100
commit455a161ed79a53a2f6f7ae57b51fc0e6e5fb6282 (patch)
treea7d859ab2426f27e46c0e2c6d6f3ed72d84e17ad
parent51f220fd414b4014aef68d133f1e0517e6f1d6ff (diff)
downloadlibssh-455a161ed79a53a2f6f7ae57b51fc0e6e5fb6282.tar.gz
libssh-455a161ed79a53a2f6f7ae57b51fc0e6e5fb6282.tar.xz
libssh-455a161ed79a53a2f6f7ae57b51fc0e6e5fb6282.zip
fuzz: Extend readme for reproducing and debugging tips
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--tests/fuzz/README.md64
1 files changed, 64 insertions, 0 deletions
diff --git a/tests/fuzz/README.md b/tests/fuzz/README.md
index 12afbb51..c68ef3d1 100644
--- a/tests/fuzz/README.md
+++ b/tests/fuzz/README.md
@@ -67,3 +67,67 @@ to use none cipher for the key exchange to be plausible.
cp /tmp/ssh_client tests/fuzz/ssh_client_fuzzer_corpus/$(sha1sum /tmp/ssh_client | cut -d ' ' -f 1)
cp /tmp/ssh_server tests/fuzz/ssh_server_fuzzer_corpus/$(sha1sum /tmp/ssh_server | cut -d ' ' -f 1)
+
+## Debugging issues reported by oss-fuzz
+
+OSS Fuzz provides helper scripts to reproduce issues locally. Even though the
+fuzzing scripts can ran anywhere, the best bet for reproducing is to use
+their container infrastructure. There is a
+[complete documentation](https://google.github.io/oss-fuzz/advanced-topics/reproducing/)
+but I will try to focus here on the workflow I use and libssh specifics.
+
+### Environment
+
+The helper scripts are written in Python and use docker to run containers
+so these needs to be installed. I am using podman instead of docker for
+some time, but it has some quirks that needs to be addressed in advance
+and that I describe in the rejected [PR](https://github.com/google/oss-fuzz/pull/4774).
+You can either pick up my branch or workaround them locally:
+
+ * Package `podman-docker` installs symlink from `/bin/docker` to `/bin/podman`
+ * The directories mounted to the containers need to have `container_file_t`
+ SELinux labels -- this is needed for the `build` directory that is created
+ under the oss-fuzz repository, for testcases and for source files
+ * `podman` does not like combination of `--privileged` and
+ `--cap-add SYS_PTRACE` flags. Podman can work with non-privileged containers
+ so you can just remove the `--privileged` from the `infra/helper.py`
+
+### Reproduce locally
+
+Clone the above repository from https://github.com/google/oss-fuzz/, apply
+changes from previous secion if needed, setup local clone of libssh repository
+and build the fuzzers locally (where `~/devel/libssh` is path to local libssh
+checkout):
+
+ python infra/helper.py build_fuzzers libssh ~/devel/libssh/
+
+Now, download the testcase from oss-fuzz.com (the file under `~/Downloads`)
+and we are ready to reproduce the issue locally (replace the `ssh_client_fuzzer`
+with the fuzzer name if the issue happens in other fuzzer):
+
+ python infra/helper.py reproduce libssh ssh_client_fuzzer ~/Downloads/clusterfuzz-testcase-ssh_client_fuzzer-4637376441483264
+
+This should give you the same error/leak/crash as you see on the testcase
+detail in oss-fuzz.com.
+
+I find it very useful to run libssh in debug mode, to see what happened and
+what exit path was taken to get to the error. Fortunatelly, we can simply
+pass environment variables to the container:
+
+ python infra/helper.py reproduce -eLIBSSH_VERBOSITY=9 libssh ssh_client_fuzzer ~/Downloads/clusterfuzz-testcase-ssh_client_fuzzer-4637376441483264
+
+### Fix the issue and verify the fix
+
+Now, we can properly investigate the issue and once we have a fix, we can
+make changes in our local checkout and repeat the steps above (from building
+fuzzers) to verify the issue is no longer present.
+
+### Fuzzing locally
+
+We can use the oss-fuzz tools even further and run the fuzzing process
+locally, to verify there are no similar issues happening very close to
+existing code paths and which would cause more reports very soon after
+we would fix the current issue. The following command will run fuzzer
+until it finds an issue or until killed:
+
+ python infra/helper.py run_fuzzer libssh ssh_client_fuzzer