[libvirt] Should Libvirt apply for OSS-Fuzz?

Daniel P. Berrange berrange at redhat.com
Fri Dec 2 09:15:26 UTC 2016 

On Fri, Dec 02, 2016 at 08:44:48AM +0100, Michal Privoznik wrote:
> Google announced OSS-Fuzz project [1]. It's aim is to test projects with
> significant user base and/or critical projects to the global
> infrastructure. I like to think that libvirt falls in both categories :-)
> You can find a list of already accepted projects here [2]. Once accepted
> to the project we would have to provide some scripts that build libvirt
> and run some tests.
> 
> One of the disadvantages is that we have to provide a docker(!) image
> where the scripts would run from.
> 
> What are your thoughts on this? Should we apply?

I think we'd certainly benefit from some fuzzing of libvirt / libvirtd.

I was a little unclear on exactly how they're doing the fuzzing from those
docs, but looking at some of the project's they're already got it seems they
rely on providing some custom test programs that call the APIs.

eg

https://github.com/google/oss-fuzz/blob/master/projects/libyaml/libyaml_fuzzer.cc

https://github.com/google/oss-fuzz/blob/master/projects/libxml2/libxml2_xml_read_memory_fuzzer.cc

https://github.com/google/oss-fuzz/blob/master/projects/libxml2/libxml2_xml_regexp_compile_fuzzer.cc


OpenSSL is a little different as it seems they've natively integrated
support for libfuzz in their code base, so google merely turns that
on at configure stage

  https://github.com/google/oss-fuzz/blob/master/projects/openssl/build.sh


So someone is going to need to write the test harness to actually
exercise libvirt via the fuzzer still, which is work we've long had
an outstanding todo for - its even a GSoC suggestion

  https://wiki.libvirt.org/page/Google_Summer_of_Code_2017#QEMU_command_line_generator_XML_fuzzing


Once that's done we could leverage google's infra to actually run it.
The XML parser is only half the story though - it'd be nice to get
fuzzing on the main public APIs too (and thus the remote RPC protocol
handling and QEMU driver code). Writing fuzzer test harnesses for all
the public APIs is an even bigger bit of work

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

More information about the libvir-list mailing list