[postgis-devel] PostGIS (actually liblwgeom) integration with oss-fuzz

Regina Obe lr at pcorp.us
Fri Jul 7 15:46:31 PDT 2017


Okay, Even sold me on this and convinced me it's not as much work as I'm expecting it to be.  I guess I'll step forward.

I'll submit a request to OSS fuzz hopefully this weekend for the continuous integration service and pull in Even's setup.

I'll also commit the memory leak fix that Even found and provided a patch for.

Even, did you by chance see anything funny with Kmeans?  That cunit thing is driving me nuts because it fails 25% of the time on Windows (more on 32-bit runs) with some crash.

There's probably something amiss there.

Thanks,

Regina


From: postgis-devel [mailto:postgis-devel-bounces at lists.osgeo.org] On Behalf Of Paul Ramsey
Sent: Tuesday, July 04, 2017 5:38 PM
To: PostGIS Development Discussion <postgis-devel at lists.osgeo.org>
Subject: Re: [postgis-devel] PostGIS (actually liblwgeom) integration with oss-fuzz

This seems very cool but also very involved and complicated :)

I think everyone is concomitantly afraid to step forward and pick it up. It's got it all: external services, big chains of dependencies, docker :)
I think everyone is a little afraid to pick it up, lest they own it.

P.


On Sun, Jul 2, 2017 at 12:07 PM, Even Rouault <even.rouault at spatialys.com> wrote:

Hi,

I've prototyped an integration of liblwgeom from PostGIS repository with oss-fuzz.

Quoting https://github.com/google/oss-fuzz/ ,

"""
Fuzz testing is a well-known technique for uncovering various kinds of programming errors in software.
Many of these detectable errors (e.g. buffer overflow) can have serious security implications.

We successfully deployed guided in-process fuzzing of Chrome components and found hundreds of
security vulnerabilities and stability bugs. We now want to share the experience and the
service with the open source community.

In cooperation with the Core Infrastructure Initiative, OSS-Fuzz aims to make common
open source software more secure and stable by combining modern fuzzing techniques
and scalable distributed execution.
"""

GDAL and proj.4 have joined oss-fuzz for a few weeks, and this is really efficient. I've fixed between 300 and 400 bugs in GDAL...

So I just gave it a try with PostGIS, concentrating on liblwgeom, since it builds nicely in the oss-fuzz environment
(plain "make" in the top repository fails in oss-fuzz for some reason I haven't investigated).
As an example, I've created 2 fuzzers, one for lwgeom_from_wkb() and the other one for lwgeom_from_wkt().
More could be done, based on those examples. Left as an exercise to other developers.


Integration of a software with oss-fuzz is made of 2 parts:

- fuzzer entry points must be in the project repository: https://github.com/rouault/postgis/tree/ossfuzz/fuzzers

- a metadata file (project.yaml), a Dockerfile (download needed packages & PostGIS source code) and
a "bootstrap" build.sh script must be integrated in OSS-Fuzz own repo too:
https://github.com/rouault/oss-fuzz/tree/postgis/projects/postgis

For now, I've done this in my own postgis and oss-fuzz git forks as you can see, but ultimately if the
project agrees we should merge this into their respective official repos.

But pending that, you can already try this stuff locally
{{{
Make sure you have Docker installed

git clone --branch postgis https://github.com/rouault/oss-fuzz
cd oss-fuzz

Build the Docker image:
python infra/helper.py build_image postgis

Build PostGIS and the fuzzer programs with the address sanitizer
python infra/helper.py build_fuzzers --sanitizer address postgis

Run one of the fuzzers (you can try with wkt_import_fuzzer too)
python infra/helper.py run_fuzzer postgis wkb_import_fuzzer
}}}


My local experiments show that lwgeom_from_wkt() seems to be rather robust,
but lwgeom_from_wkb() has a few bugs. For the record, I found and fixed (in my fork) this memory leak
(memory leak = leak in a case where lw_error() is not called) in
https://github.com/rouault/postgis/commit/cf179396b719223653eee56a01189339e0abcc0d
There's also a heap buffer overflow it just detected in
ptarray_from_wkb_state /src/postgis/liblwgeom/lwin_wkb.c:367

So if the community is interested in a closer integration in OSS Fuzz, next steps are:

1) someone with PostGIS commit rights merges https://github.com/rouault/postgis/commit/0181a28ab01764b4e6d11a5d2ffe7edce96498c6
into PostGIS SVN (as well as the bug fix https://github.com/rouault/postgis/commit/cf179396b719223653eee56a01189339e0abcc0d while you are at it)

2) interested core PostGIS developers give me a @gmail.com email, so I add it in
https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/project.yaml
This way they will then have access to the bug reports that are embargoed for
90 days (or 30 days after OSS Fuzz has found them to be fixed)

3) I then modify https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/Dockerfile to
point to the PostGIS official github mirror instead of my fork

4) I then submit a pull request to https://github.com/google/oss-fuzz/ with my
https://github.com/rouault/oss-fuzz postgis branch. They may or may not accept the application, but I guess they will accept.
If they don't, you can also play with it locally as I showed above. And doing so is strongly recommended
when adding a new fuzzer, for example.

5) once the project is accepted, monitor https://bugs.chromium.org/p/oss-fuzz/issues/list?q=postgis and fix the bugs!

6) add more fuzzers. Hint: in the PostGIS "fuzzers" directory, "make dummyfuzzers" checks that your fuzzer builds.

Note: I don't volunteer to fix all bugs that will be found. I have already enough to do with GDAL... I wouldn't
mind if someone wants to be the declared maintainer in oss-fuzz projects/postgis/project.yaml and projects/postgis/Dockerfile

Note 2: if you look closely at https://github.com/rouault/postgis/blob/ossfuzz/fuzzers/wkb_import_fuzzer.cpp
you will notice that it is a bit messy since it stubs GEOS and geod_ symbols. This is due to the fact
that OSS-Fuzz requires that the fuzzer programs are completely statically linked, and Ubuntu doesn't ship
with static builds of geos (actually just libgeos.a but no libgeos_c.a) as far as I can see.
All this could be improved by adding a download of GEOS source code in
https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/Dockerfile and building it manually in
https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/build.sh

Thoughts?

Even

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com
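Added example, not code from Even's fork or from liblwgeom itself: a libFuzzer entry point of the shape OSS-Fuzz expects, wrapped around a hypothetical plain-WKB LINESTRING header check that compares the declared point count with the bytes actually available, the kind of check that stops a fuzzer-generated blob from driving a reader past the end of its buffer. It assumes plain OGC WKB (byte-order flag, 4-byte type, 4-byte point count), not PostGIS EWKB with SRID flags, and the function and sample names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#define WKB_LINESTRING 2u   /* OGC WKB geometry type code for LineString */
#define WKB_HEADER_LEN 9u   /* byte order (1) + type (4) + npoints (4) */
#define WKB_POINT_LEN  16u  /* two IEEE-754 doubles, x and y */

/* Read a 32-bit unsigned value honouring the WKB byte-order flag
 * (0 = big-endian, 1 = little-endian). */
static uint32_t wkb_read_u32(const uint8_t *p, int little_endian)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v = (v << 8) | p[little_endian ? 3 - i : i];
    return v;
}

/* Validate a plain WKB LINESTRING header against the bytes actually present.
 * Returns the point count on success, -1 if the buffer is malformed or
 * truncated. Hypothetical checker for this example, not liblwgeom's code. */
int64_t wkb_linestring_npoints(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < WKB_HEADER_LEN || buf[0] > 1)
        return -1;                       /* short header or bad byte order */
    int le = (buf[0] == 1);
    if (wkb_read_u32(buf + 1, le) != WKB_LINESTRING)
        return -1;                       /* not a LineString */
    uint32_t n = wkb_read_u32(buf + 5, le);
    /* Divide rather than multiply so a huge n cannot overflow size_t. */
    if (n > (len - WKB_HEADER_LEN) / WKB_POINT_LEN)
        return -1;                       /* declares more points than bytes */
    return (int64_t)n;
}

/* Constructed sample inputs (not real PostGIS data): a valid little-endian
 * 2-point LineString, and a truncated one that declares 1000 points. */
const uint8_t WKB_OK[] = { 1, 2,0,0,0, 2,0,0,0,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,           /* (0.0, 0.0) */
    0,0,0,0,0,0,0xf0,0x3f, 0,0,0,0,0,0,0,0 };   /* (1.0, 0.0) */
const uint8_t WKB_TRUNC[] = { 1, 2,0,0,0, 0xe8,0x03,0,0, 0,0,0,0 };
const size_t WKB_OK_LEN = sizeof WKB_OK;
const size_t WKB_TRUNC_LEN = sizeof WKB_TRUNC;

/* libFuzzer entry point: OSS-Fuzz calls this once per generated input.
 * With ASan enabled, any out-of-bounds read inside the callee is reported. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)wkb_linestring_npoints(data, size);
    return 0;                            /* non-zero returns are reserved */
}
```

Built with clang's -fsanitize=fuzzer (as OSS-Fuzz's build.sh does), the entry point alone is enough to get a running fuzzer; the same length-versus-count discipline applies to every nested geometry a real reader walks.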


_______________________________________________
postgis-devel mailing list
postgis-devel at lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/postgis-devel


