<div dir="ltr"><div>This seems very cool but also very involved and complicated :) <br></div><div>I think everyone is concomitantly afraid to step forward and pick it up. It's got it all: external services, big chains of dependencies, docker :) <br>I think everyone is a little afraid to pick it up, lest they own it.</div><div>P.</div><div><br></div><div><br></div><div class="gmail_extra"><div class="gmail_quote">On Sun, Jul 2, 2017 at 12:07 PM, Even Rouault <span dir="ltr"><<a href="mailto:even.rouault@spatialys.com" target="_blank">even.rouault@spatialys.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-family:'Sans Serif';font-size:9pt;font-weight:400;font-style:normal">
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Hi,</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">I've prototyped an integration of liblwgeom from PostGIS repository with oss-fuzz.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Quoting <a href="https://github.com/google/oss-fuzz/" target="_blank">https://github.com/google/oss-<wbr>fuzz/</a> ,</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">"""</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Fuzz testing is a well-known technique for uncovering various kinds of programming errors in software.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Many of these detectable errors (e.g. buffer overflow) can have serious security implications.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">We successfully deployed guided in-process fuzzing of Chrome components and found hundreds of</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">security vulnerabilities and stability bugs. We now want to share the experience and the</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">service with the open source community.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">In cooperation with the Core Infrastructure Initiative, OSS-Fuzz aims to make common</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">open source software more secure and stable by combining modern fuzzing techniques</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">and scalable distributed execution.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">"""</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">GDAL and proj.4 joined oss-fuzz a few weeks ago, and this is really efficient. I've fixed between 300 and 400 bugs in GDAL...</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">So I just gave it a try with PostGIS, concentrating on liblwgeom, since it builds nicely in oss-fuzz environment</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">(plain "make" in the top repository fails in oss-fuzz for some reason I haven't investigated)</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">As an example, I've created 2 fuzzers, one for lwgeom_from_wkb() and the other one for lwgeom_from_wkt().</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">More could be done, based on those examples. Left as an exercise to other developers.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Integration of a software with oss-fuzz is made of 2 parts:</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">- fuzzer entry points must be in the project repository: <a href="https://github.com/rouault/postgis/tree/ossfuzz/fuzzers" target="_blank">https://github.com/rouault/postgis/tree/ossfuzz/fuzzers</a></p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">- a metadata file (project.yaml), a Dockerfile (download needed packages & PostGIS source code) and</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">a "bootstrap" build.sh script must be integrated in OSS-Fuzz's own repo too:</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"><a href="https://github.com/rouault/oss-fuzz/tree/postgis/projects/postgis" target="_blank">https://github.com/rouault/<wbr>oss-fuzz/tree/postgis/<wbr>projects/postgis</a></p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">For now, I've done this in my own postgis and oss-fuzz git forks as you can see, but ultimately if the</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">project agrees we should merge this into their respective official repos.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">But pending that, you can already try this stuff locally:</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">{{{</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Make sure you have Docker installed</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">git clone --branch postgis <a href="https://github.com/rouault/oss-fuzz" target="_blank">https://github.com/rouault/<wbr>oss-fuzz</a></p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">cd oss-fuzz</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Build the Docker image:</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">python infra/helper.py build_image postgis</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Build PostGIS and the fuzzer programs with the address sanitizer</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">python infra/helper.py build_fuzzers --sanitizer address postgis</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Run one of the fuzzers (you can try with wkt_import_fuzzer too)</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">python infra/helper.py run_fuzzer postgis wkb_import_fuzzer</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">}}}</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">My local experiments show that lwgeom_from_wkt() seems to be rather robust,</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">but lwgeom_from_wkb() has a few bugs. For the record, I found and fixed (in my fork) this memory leak</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">(memory leak = leak in a case where lw_error() is not called) in</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"><a href="https://github.com/rouault/postgis/commit/cf179396b719223653eee56a01189339e0abcc0d" target="_blank">https://github.com/rouault/<wbr>postgis/commit/<wbr>cf179396b719223653eee56a011893<wbr>39e0abcc0d</a></p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">There's also a heap buffer overflow it just detected in</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">ptarray_from_wkb_state /src/postgis/liblwgeom/lwin_<wbr>wkb.c:367</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">So if the community is interested in a closer integration in OSS Fuzz, the next steps are:</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">1) someone with PostGIS commit rights merges <a href="https://github.com/rouault/postgis/commit/0181a28ab01764b4e6d11a5d2ffe7edce96498c6" target="_blank">https://github.com/rouault/<wbr>postgis/commit/<wbr>0181a28ab01764b4e6d11a5d2ffe7e<wbr>dce96498c6</a></p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">into PostGIS SVN (as well as the bug fix <a href="https://github.com/rouault/postgis/commit/cf179396b719223653eee56a01189339e0abcc0d" target="_blank">https://github.com/rouault/postgis/commit/cf179396b719223653eee56a01189339e0abcc0d</a> while you are at it)</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">2) interested core PostGIS developers give me a @<a href="http://gmail.com" target="_blank">gmail.com</a> email, so I can add it in</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"><a href="https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/project.yaml" target="_blank">https://github.com/rouault/<wbr>oss-fuzz/blob/postgis/<wbr>projects/postgis/project.yaml</a> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">This way they will then have access to the bug reports that are embargoed for</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">90 days (or 30 days after OSS Fuzz has found them to be fixed)</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">3) I then modify <a href="https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/Dockerfile" target="_blank">https://github.com/rouault/<wbr>oss-fuzz/blob/postgis/<wbr>projects/postgis/Dockerfile</a> to</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">point to PostGIS official github mirror instead of my fork</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">4) I then submit a pull request to <a href="https://github.com/google/oss-fuzz/" target="_blank">https://github.com/google/oss-<wbr>fuzz/</a> with my</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"><a href="https://github.com/rouault/oss-fuzz" target="_blank">https://github.com/rouault/oss-fuzz</a> postgis branch. They may or may not accept the application, but I guess they will accept.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">If they don't, you can also play with it locally as I showed above. And doing so is strongly recommended</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">when adding a new fuzzer, for example.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">5) once the project is accepted, monitor <a href="https://bugs.chromium.org/p/oss-fuzz/issues/list?q=postgis" target="_blank">https://bugs.chromium.org/p/oss-fuzz/issues/list?q=postgis</a> and fix the bugs!</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">6) add more fuzzers. Hint: in PostGIS "fuzzers" directory, "make dummyfuzzers" to check that your fuzzer builds.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Note: I don't volunteer to fix all bugs that will be found. I have already enough to do with GDAL... I wouldn't</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">mind if someone wants to be the declared maintainer in oss-fuzz projects/postgis/project.yaml and projects/postgis/Dockerfile</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Note 2: if you look closely at <a href="https://github.com/rouault/postgis/blob/ossfuzz/fuzzers/wkb_import_fuzzer.cpp" target="_blank">https://github.com/rouault/<wbr>postgis/blob/ossfuzz/fuzzers/<wbr>wkb_import_fuzzer.cpp</a></p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">you will notice that it is a bit messy since it stubs GEOS and geod_ symbols. This is due to the fact</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">that OSS-Fuzz requires that the fuzzer programs are completely statically linked, and Ubuntu doesn't ship</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">with static builds of geos (actually just libgeos.a but no libgeos_c.a) as far as I can see.</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">All this could be improved by adding a download of GEOS source code in</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"><a href="https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/Dockerfile" target="_blank">https://github.com/rouault/<wbr>oss-fuzz/blob/postgis/<wbr>projects/postgis/Dockerfile</a> and building it manually in</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"><a href="https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/build.sh" target="_blank">https://github.com/rouault/<wbr>oss-fuzz/blob/postgis/<wbr>projects/postgis/build.sh</a></p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Thoughts?</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Even</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"> </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">-- </p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px">Spatialys - Geospatial professional services</p>
<p style="margin-top:0px;margin-bottom:0px;margin-left:0px;margin-right:0px;text-indent:0px"><a href="http://www.spatialys.com" target="_blank">http://www.spatialys.com</a></p></div><br>______________________________<wbr>_________________<br>
postgis-devel mailing list<br>
<a href="mailto:postgis-devel@lists.osgeo.org">postgis-devel@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/postgis-devel" rel="noreferrer" target="_blank">https://lists.osgeo.org/<wbr>mailman/listinfo/postgis-devel</a><br></blockquote></div><br></div></div>
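<p>The mail above describes fuzzer entry points for lwgeom_from_wkb() and lwgeom_from_wkt() and the kind of findings they produce (a heap buffer overflow in a point-array reader, a leak on a non-error path). The following is an added illustration of what such an entry point looks like and of the bounds check a binary reader needs before trusting a length field; it is not PostGIS or liblwgeom code and not from the mail or the linked forks. The wire format, the <code>ptarray_t</code>/<code>ptarray_parse</code> names, the status codes and the sample bytes are all constructed for this example; only the <code>LLVMFuzzerTestOneInput</code> signature is the real libFuzzer convention.</p>

```c
/* Added example, not liblwgeom: a libFuzzer-style entry point wrapped around a
 * small, constructed WKB-like point-array reader. The reader checks the
 * input-supplied point count against the bytes actually present before it
 * allocates or copies anything, and the harness frees on every path so
 * LeakSanitizer can report a leak. All names and the format are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy wire format: [1 byte ndims, 2..4][4 byte little-endian npoints]
 * followed by npoints * ndims little-endian IEEE-754 doubles. */
typedef struct {
    uint32_t npoints;
    int ndims;
    double *ords;                 /* npoints * ndims ordinates */
} ptarray_t;

enum { PA_OK = 0, PA_TRUNCATED = 1, PA_BAD_DIMS = 2, PA_ALLOC = 3 };

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static double rd_f64le(const uint8_t *p)
{
    uint64_t u = 0;
    for (int i = 7; i >= 0; i--)
        u = (u << 8) | p[i];
    double d;
    memcpy(&d, &u, sizeof d);     /* bit copy, avoids type-punning UB */
    return d;
}

int ptarray_parse(const uint8_t *buf, size_t len, ptarray_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 5)
        return PA_TRUNCATED;
    int ndims = buf[0];
    if (ndims < 2 || ndims > 4)
        return PA_BAD_DIMS;
    uint32_t npoints = rd_u32le(buf + 1);
    size_t per_point = (size_t)ndims * sizeof(double);
    /* Check before allocating: divide the available payload instead of
     * multiplying the untrusted count, so the comparison cannot wrap. */
    if (npoints > (len - 5) / per_point)
        return PA_TRUNCATED;
    double *ords = NULL;
    if (npoints > 0) {
        ords = malloc((size_t)npoints * per_point);
        if (!ords)
            return PA_ALLOC;
        for (size_t i = 0; i < (size_t)npoints * ndims; i++)
            ords[i] = rd_f64le(buf + 5 + i * sizeof(double));
    }
    out->npoints = npoints;
    out->ndims = ndims;
    out->ords = ords;
    return PA_OK;
}

void ptarray_free(ptarray_t *pa)
{
    free(pa->ords);
    pa->ords = NULL;
}

/* libFuzzer entry point: parse whatever bytes arrive, release every resource,
 * return 0. Crashes and sanitizer reports inside ptarray_parse are the findings. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    ptarray_t pa;
    if (ptarray_parse(data, size, &pa) == PA_OK)
        ptarray_free(&pa);
    return 0;
}

/* Constructed sample builder: header claims `claimed` points, `actual` are appended. */
static size_t build_sample(uint8_t *buf, uint8_t ndims, uint32_t claimed, uint32_t actual)
{
    buf[0] = ndims;
    for (int b = 0; b < 4; b++)
        buf[1 + b] = (uint8_t)(claimed >> (8 * b));
    size_t n = 5;
    for (uint32_t i = 0; i < actual * ndims; i++) {
        double v = (double)i + 0.5;
        uint64_t u;
        memcpy(&u, &v, sizeof u);
        for (int b = 0; b < 8; b++)
            buf[n++] = (uint8_t)(u >> (8 * b));
    }
    return n;
}

/* Well-formed input: 2 points, 2 dims. Returns the parsed point count. */
int demo_valid(void)
{
    uint8_t buf[64];
    ptarray_t pa;
    size_t n = build_sample(buf, 2, 2, 2);
    int rc = ptarray_parse(buf, n, &pa);
    int got = (rc == PA_OK && pa.ords[3] == 3.5) ? (int)pa.npoints : -1;
    if (rc == PA_OK)
        ptarray_free(&pa);
    return got;
}

/* Header claims 1,000,000 points but only one is present. */
int demo_truncated(void)
{
    uint8_t buf[64];
    ptarray_t pa;
    return ptarray_parse(buf, build_sample(buf, 3, 1000000u, 1), &pa);
}

/* Count 0xFFFFFFFF with 4 dims: a naive npoints*ndims*8 would wrap on 32-bit size_t. */
int demo_huge_count(void)
{
    uint8_t buf[64];
    ptarray_t pa;
    return ptarray_parse(buf, build_sample(buf, 4, 0xFFFFFFFFu, 1), &pa);
}

int main(void)
{
    printf("valid: %d points, truncated: %d, huge count: %d\n",
           demo_valid(), demo_truncated(), demo_huge_count());
    return 0;
}
```

<p>Built stand-alone it replays the three constructed inputs; built with <code>clang -g -fsanitize=fuzzer,address</code> (and without the <code>main</code>, which libFuzzer supplies), the same file becomes a fuzz target of the kind the helper.py commands above build and run inside the oss-fuzz image.</p>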