[mapserver-dev] Fuzzing MapServer

Even Rouault even.rouault at spatialys.com
Thu Apr 15 03:15:34 PDT 2021


I think we should not tie too many things to the 8.0 release, otherwise 
it will never see the light. There is no such thing as a perfect 
release. Fuzzing is a marathon-type of effort, not a sprint. Even if 
your code base doesn't change, fuzzers might take years to uncover some 
weird bugs. Although the pattern I've seen is more like a decreasing 
exponential one: you get flooded by bugs in the first weeks, and things 
calm down a bit then.

There are two parts:

- initial setup: for oss-fuzz, you need to setup script to do a fully 
static build of libmapserver (and all its dependencies, but you can 
generally use for that the static lib shipped with the .deb development 
packages). And you need to write one or several fuzzer programs that are 
made of one function that that accept a """random""" buffer and do 
something useful with it.  In a MapServer context, that buffer could be 
made of several parts: type of request (GET/POST), XML post content if 
POST, content of the QUERY_STRING (or maybe more generally KEY=VALUE 
environment variables), mapfile content inlined, (resources pointed by 
the mapfile?). Probably to make things simpler, a first step would be to 
have just a fuzzer on the QUERY_STRING content that would operate on a 
fixed mapfile, as most interesting vulnerabilities in a mapserver 
context come from QUERY_STRING content (to be opposed to bugs linked to 
mapfile content itself). That initial setup isn't necessary trivial to 
do. In the oss-fuzz case, you can use locally their Docker image to have 
things working (you known it works when it spots the first bug. My 
experience with code that hasn't been submitted to fuzzing is that it 
takes only a few seconds :-) Generally some memleak in an error code 
path). And then you can submit that for inclusion to the ossfuzz github 
repo so that this is run continuously on google infrastructure.

- fix the bugs as they flow in.


Le 15/04/2021 à 04:50, Steve Lime a écrit :
> Hi all: MapServer is a pretty old project w/relatively complex code. 
> What do folks think about making fuzzing MapServer as part of the 8.0 
> release? I'd feel better knowing that we did everything possible to 
> deliver a stable and secure platform for users. It seems like fuzz 
> testing would be particularly well suited to testing MapServer. I 
> can't imagine it's a trivial effort but doing so ahead of a major 
> release seems like the right time. I know GDAL has been through it and 
> maybe Even can offer some advice.
> --Steve
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev

My software is free, but my time generally not.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20210415/b0db52af/attachment.html>

More information about the mapserver-dev mailing list