blarsen
(Brad Larsen)
October 21, 2023, 10:01pm
1
I see that CPython has some fuzzing targets in its source tree: https://github.com/python/cpython/tree/main/Modules/_xxtestfuzz
What I see there looks like 9 fuzz targets for various APIs, integrated with Google’s OSS-Fuzz. I was semi-seriously and independently fuzzing CPython a few years back, and have a number of additional fuzz test targets for various C APIs. I’d like to contribute these to the Python project.
However, it looks like the fuzzing stuff in CPython hasn’t seen much activity recently. Is anyone actively responsible for that code these days?
Who should I talk to to coordinate this contribution of additional fuzz targets before I spend time cleaning up that code and making PRs?
Thanks,
Brad
2 Likes
@gpshead and I are the PoCs for oss-fuzz, so my recommendation would be to tag us on any PRs or questions you have about adding new fuzzers.
3 Likes
willingc
(Carol Willing)
October 22, 2023, 3:40pm
3
@gpshead and @alex_Gaynor, do you want to add this to the experts list (oss-fuzz) in the DevGuide?
1 Like
blarsen
(Brad Larsen)
October 30, 2023, 1:30am
4
Thank you!
@alex_Gaynor @gpshead I will tag you in PRs for new fuzzers. I have one PR with a new fuzz target nearly ready.
I’ve been poking at the online oss-fuzz results though, and don’t see much there for cpython. It sounds like oss-fuzz has been running Python fuzzers for quite a while though. Are the cpython results behind a login somewhere?
I notice also that I have no access to the oss-fuzz.com website.
Any suggestions for how I might see how the new fuzz targets are doing once they are merged in?
blarsen
(Brad Larsen)
October 30, 2023, 2:26am
5
You can see all the OSS-Fuzz issues here: Monorail - oss-fuzz - OSS-Fuzz: Fuzzing the planet
Unfortunately there’s no mechanism for third party access to oss-fuzz: getting access means being able to see discovered, but undisclosed, vulnerabilities, so access needs to be limited.
3 Likes
blarsen
(Brad Larsen)
December 10, 2023, 9:00pm
7
2 Likes
blarsen
(Brad Larsen)
January 16, 2024, 12:43am
8
For posterity: two interpreter-crashing bugs were found and fixed in the process of adding these fuzz targets:
4 Likes
blarsen
(Brad Larsen)
January 16, 2024, 12:43am
9
For posterity: an interpreter-crashing bug was found by the Py_CompileStringExFlags fuzzer a few days after it started running in OSS-Fuzz:
opened 12:21PM - 13 Dec 23 UTC
closed 11:04AM - 19 Dec 23 UTC
type-bug
release-blocker
# Bug report
### Bug description:
The `fuzz_pycompile` fuzzer identified an assertion failure:
```
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-09bb1aea9610b3c790c03fc92383fb3d19f08654
<fuzz input>:1: SyntaxWarning: invalid decimal literal
<fuzz input>:1: SyntaxWarning: invalid decimal literal
fuzz_pycompile: Python/flowgraph.c:1813: void insert_superinstructions(cfg_builder *): Assertion `no_redundant_nops(g)' failed.
MemorySanitizer:DEADLYSIGNAL
==53716==ERROR: MemorySanitizer: ABRT on unknown address 0x05390000d1d4 (pc 0x7eaab279400b bp 0x7eaab2909588 sp 0x7ffd50f56110 T53716)
#0 0x7eaab279400b in raise /build/glibc-SzIz7B/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1
#1 0x7eaab2773858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
#2 0x7eaab2773728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3
#3 0x7eaab2784fd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3
#4 0xc79572 in insert_superinstructions cpython3/Python/flowgraph.c:1813:5
#5 0xc79572 in _PyCfg_OptimizeCodeUnit cpython3/Python/flowgraph.c:2424:5
#6 0xb388cf in optimize_and_assemble_code_unit cpython3/Python/compile.c:7597:9
#7 0xb388cf in optimize_and_assemble cpython3/Python/compile.c:7639:12
#8 0xb296b6 in compiler_mod cpython3/Python/compile.c:1802:24
#9 0xb296b6 in _PyAST_Compile cpython3/Python/compile.c:555:24
#10 0xe531b9 in Py_CompileStringObject cpython3/Python/pythonrun.c:1452:10
#11 0xe53554 in Py_CompileStringExFlags cpython3/Python/pythonrun.c:1465:10
#12 0x54f518 in fuzz_pycompile cpython3/Modules/_xxtestfuzz/fuzzer.c:550:24
#13 0x54f518 in _run_fuzz cpython3/Modules/_xxtestfuzz/fuzzer.c:563:14
#14 0x54f518 in LLVMFuzzerTestOneInput cpython3/Modules/_xxtestfuzz/fuzzer.c:704:11
#15 0x458603 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#16 0x443d62 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#17 0x44960c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#18 0x472b42 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#19 0x7eaab2775082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
#20 0x439f2d in _start
```
Reproducer (note that the first two bytes are metadata for the fuzzer):
```
00000000: 2020 6966 2035 6966 2035 656c 7365 2054 if 5if 5else T
00000010: 3a79 :y
```
cc: @bradlarsen
### CPython versions tested on:
CPython main branch
### Operating systems tested on:
_No response_
### Linked PRs
* gh-113139
* gh-113636
4 Likes
Also:
As bugs are reported by OSS-Fuzz, I report them in the CPython tracker.
2 Likes
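A way to re-run the OSS-Fuzz testcase from the issue above outside the libFuzzer harness, as an added example that is not code from the thread, from CPython's `_xxtestfuzz` module or from OSS-Fuzz. It assumes only what the issue states, that the first two bytes of the testcase are fuzzer metadata; because the page does not say how `fuzz_pycompile` maps those bytes to compile options, the harness sweeps every optimize level and compile mode rather than guessing a mapping, and flags any outcome other than a code object or a `SyntaxError` as something to report.

```python
"""Triage an OSS-Fuzz testcase for fuzz_pycompile through the builtin compile().

Added example, not CPython's fuzz target. Assumption (from the issue text):
the first two bytes are fuzzer metadata; the bytes after them are the source
that was handed to Py_CompileStringExFlags.
"""
import warnings

# The hexdump from the issue, re-typed as bytes (constructed from the page).
TESTCASE = bytes.fromhex("2020 6966 2035 6966 2035 656c 7365 2054 3a79")

METADATA_LEN = 2  # "the first two bytes are metadata for the fuzzer"
OPTIMIZE_LEVELS = (-1, 0, 1, 2)
MODES = ("exec", "eval", "single")


def split_testcase(data: bytes) -> tuple[bytes, bytes]:
    """Separate fuzzer metadata from the source the C target compiled.

    Py_CompileStringExFlags takes a NUL-terminated C string, so anything
    after the first NUL byte would never reach the compiler; truncating here
    keeps this harness faithful to what the target actually compiled.
    """
    if len(data) < METADATA_LEN:
        raise ValueError("testcase shorter than the fuzzer metadata prefix")
    meta, source = data[:METADATA_LEN], data[METADATA_LEN:]
    return meta, source.split(b"\0", 1)[0]


def compile_outcome(source: bytes, mode: str, optimize: int) -> dict:
    """Compile once and classify the result.

    'ok' and 'SyntaxError' are the only things a release interpreter should
    ever produce for arbitrary input; any other exception name is a bug, and
    a C-level assertion or sanitizer abort would kill the process outright.
    Passing bytes lets compile() apply PEP 263 decoding exactly as the C API
    path does, and reports undecodable input as a SyntaxError.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")  # keep SyntaxWarnings visible, not fatal
        try:
            compile(source, "<fuzz input>", mode, optimize=optimize, dont_inherit=True)
            result = "ok"
        except SyntaxError:
            result = "SyntaxError"
        except Exception as exc:  # triage harness: record everything else by name
            result = type(exc).__name__
    return {
        "mode": mode,
        "optimize": optimize,
        "result": result,
        "warnings": [str(w.message) for w in caught],
    }


def reproduce(data: bytes = TESTCASE) -> list[dict]:
    """Sweep every mode/optimize combination for one testcase."""
    _meta, source = split_testcase(data)
    return [compile_outcome(source, mode, opt) for mode in MODES for opt in OPTIMIZE_LEVELS]


def unexpected(outcomes: list[dict]) -> list[dict]:
    """Outcomes worth a bug report: neither a code object nor a SyntaxError."""
    return [o for o in outcomes if o["result"] not in ("ok", "SyntaxError")]


if __name__ == "__main__":
    meta, src = split_testcase(TESTCASE)
    print(f"metadata={meta.hex()} source={src!r}")
    for outcome in reproduce():
        print(outcome)
    print("unexpected:", unexpected(reproduce()))
```

One caveat when using this to confirm a fix: CPython compiles its `assert()` calls out of release builds, so the `no_redundant_nops` assertion in the trace above can only fire in a debug (`--with-pydebug`) or sanitizer build like the one OSS-Fuzz runs; on a stock release interpreter an affected version may simply return a code object. Run the harness against a debug build of the version under test to see the abort, and keep the testcase as a regression input for the fuzzer's corpus once it passes.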