[postgis-devel] PostGIS (actually liblwgeom) integration with oss-fuzz

Regina Obe lr at pcorp.us
Thu Jul 13 15:20:09 PDT 2017


Even,

Thanks for the input.  I managed to create a docker build I could bash into
using the oss-fuzz plain build and some logic I borrowed from strk's
postgis-docker.

I was able to get as far as:

cd fuzzers
make dummyfuzzers

and it generates /tmp/wkb_import_fuzzer and /tmp/wkt_import_fuzzer

then ran /tmp/wkb_import_fuzzer test-case-file-from-bug-report-here

and that segfaulted as expected.  Then I made changes to
ptarray_is_closed_2d and ptarray_is_closed_3d and tested with my new
version and didn't get a segfault anymore, though I'm not confident with my solution
so I'll commit that into my own repo for strk and pramsey to inspect.

The regress still pass with the change I made so I guess that's promising

That said, when trying to build with

CFLAGS="-fsanitize=undefined,address",

My configure just gives error

checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/postgis-trunk':
configure: error: C compiler cannot create executables
See `config.log' for more details

So I'm missing something here, perhaps a typo.

Thanks,
Regina

From: Even Rouault [mailto:even.rouault at spatialys.com] 
Sent: Thursday, July 13, 2017 5:19 AM
To: postgis-devel at lists.osgeo.org
Cc: Regina Obe <lr at pcorp.us>
Subject: Re: [postgis-devel] PostGIS (actually liblwgeom) integration with oss-fuzz

On Wednesday 12 July 2017 18:38:24 CEST Regina Obe wrote:

> Yah I think your email has to be a gmail. I can see them, but my account is
> under gmail.
>
> And yes I think we can setup locally if we want. I think Even had
> experimented with that. We'd probably want to setup locally anyway so we
> can test out changes before we add to our fuzz list. I haven't done the leg
> work to figure out how to set up locally though and not sure when I'll have
> time to do that. Strk -- if you want to take a stab at it, I'd be so happy
> :)

There are 2 different things :

- reproduce locally a bug found by oss-fuzz. You can just build the dummy
fuzzer in PostGIS by doing

cd fuzzers
make dummyfuzzers

and it generates /tmp/wkb_import_fuzzer and /tmp/wkt_import_fuzzer

Then download the reproducer test cases from the oss-fuzz ticket and do

/tmp/wkb_import_fuzzer the_file (or /tmp/wkt_import_fuzzer the_file
depending on which fuzzer found the issue)

Possibly under Valgrind, or with a PostGIS build configured with
CFLAGS="-fsanitize=undefined,address", so as to catch the issues that don't
systematically translate to crashes.

- fuzz the code yourself. Then you need to use the oss-fuzz Python scripts
that rely on Docker underneath. See instructions in fuzzers/README.TXT

Even

>
> Thanks,
> Regina
>
> -----Original Message-----
> From: postgis-devel [mailto:postgis-devel-bounces at lists.osgeo.org] On Behalf Of Sandro Santilli
> Sent: Wednesday, July 12, 2017 4:23 PM
> To: PostGIS Development Discussion <postgis-devel at lists.osgeo.org>
> Subject: Re: [postgis-devel] PostGIS (actually liblwgeom) integration with
> oss-fuzz
>
> RE: fuzzers and Google buying us all
>
> I received a few (~5) email notification about bugs found by the fuzzer. But
> when I clicked on the links I got a permission denied. Supposedly, I'd have
> to create an account on Google, and be given permission to read that
> report. Is this correct ?
>
> Can we get those fuzz tests be run by our own bots ?
> Like drone ? Drone is already docker based, if that was the problem...
>
> --strk;
> _______________________________________________
> postgis-devel mailing list
> postgis-devel at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/postgis-devel

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com
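
One way to script the re-check described in this thread (run each oss-fuzz reproducer through the locally built dummy fuzzer and see whether it still fails), as an added example that is not part of the original messages or of PostGIS. The function names are hypothetical, and it assumes the fuzzer binary takes the reproducer path as its only argument, as in the commands above; it also flags sanitizer reports that leave the exit status at 0.

```shell
#!/bin/sh
# Added example (not from the thread or from PostGIS): re-run reproducers
# through a locally built fuzzer binary and classify each result.
# Assumes the binary takes the reproducer path as its only argument.

# classify_run FUZZER FILE -> prints ok | sanitizer | signal:<N> | fail:<status>
# Body is a subshell "( )" so its variables stay local in plain POSIX sh.
classify_run() (
    fuzzer=$1; input=$2
    log=$(mktemp) || exit 2
    status=0
    "$fuzzer" "$input" >/dev/null 2>"$log" || status=$?
    # ASan and UBSan report on stderr; UBSan by default keeps running and
    # can still exit 0, so check the log before trusting the exit status.
    if grep -qE 'ERROR: AddressSanitizer|runtime error:' "$log"; then
        verdict=sanitizer
    elif [ "$status" -gt 128 ]; then
        verdict="signal:$((status - 128))"   # 11 = SIGSEGV
    elif [ "$status" -ne 0 ]; then
        verdict="fail:$status"
    else
        verdict=ok
    fi
    rm -f "$log"
    echo "$verdict"
)

# triage FUZZER FILE... -> one "verdict<TAB>file" line per reproducer;
# exit status 1 if any reproducer is not "ok".
triage() (
    fuzzer=$1; shift
    rc=0
    for f in "$@"; do
        verdict=$(classify_run "$fuzzer" "$f")
        printf '%s\t%s\n' "$verdict" "$f"
        [ "$verdict" = ok ] || rc=1
    done
    exit "$rc"
)

# Stand-alone use: sh triage.sh /tmp/wkb_import_fuzzer the_file [more files]
if [ "$#" -ge 2 ]; then
    triage "$@"
fi
```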
