Open Bug 1505277 Opened 6 years ago Updated 2 years ago

Integrate OSS-Fuzz

Categories: Thunderbird :: Build Config, enhancement, P3

Tracking: Not tracked

Status: REOPENED

Reporter: ovari123 (Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

Integrate the Thunderbird project into OSS-Fuzz: https://github.com/google/oss-fuzz/tree/master/projects

As Firefox is listed, can Thunderbird copy what Firefox has done?

Ideal integration with OSS-Fuzz: https://github.com/google/oss-fuzz/blob/master/docs/ideal_integration.md

Thank you

Actual results:

Thunderbird seems not to be integrated with OSS-Fuzz.

Expected results:

Thunderbird should be integrated with OSS-Fuzz.
So you mean port bug 1466021?

Component: Security → Build Config

Can you change the status from UNCONFIRMED to NEW?

Rob, we're not currently doing any fuzzing of Thunderbird code, correct? Are there other fuzz projects/methods that Firefox is doing that we would want to implement before trying this one?

Flags: needinfo?(rob)

FF might use other tools as well; I'll have to ask. As for us, I'm probably not the person to ask if we should implement this. From reading the FF bug it looks like the setup and maintenance process is pretty involved and can get into more compiler options and fixing C++ code than I'm comfortable with. It also doesn't seem to be integrated with Taskcluster, so I don't know that I would be involved much anyway. Personally I think we should look into it, but maybe Magnus should make the call on if/when to implement.

Flags: needinfo?(rob)

Gary, are you familiar with how Firefox is configured to fuzz? Or who does?

Flags: needinfo?(nth10sd)

I think Thunderbird shares platform code common to both, so fuzzing those that are also in Firefox should end up as duplicated work and would probably not be a wise initial decision.

What should be focused on are those mail-specific - things like MIME stuff come to mind. With that said, I'd probably agree that Magnus is the right person to think about this. Moving needinfo? to him.

Here are some tips: having a shell specific to that region of code to test would probably be best. With JS, there's the JS shell, and I believe there is a media shell for testing media code. We could have shells for mail-specific code.

Also, a (long) while ago, I wrote a mail fuzzer (bug 465797) then fed its input into Thunderbird; that could be a way forward. Detecting crashes and assertion failures in a debug build would be a good first start. (I found a Terminal.app bug using this, which was an interesting experience.)

Flags: needinfo?(nth10sd) → needinfo?(mkmelin+mozilla)

Sure, but what commands (etc.) do you run to fuzz Firefox?

Flags: needinfo?(mkmelin+mozilla) → needinfo?(nth10sd)

It depends on what fuzzers you want to run, and which parts of code to test.

Our fuzzers are mostly here in this namespace: https://github.com/MozillaSecurity/

Christoph (passing the baton to him) may know what fuzzing frameworks you can use to test mail-related code.

Flags: needinfo?(nth10sd) → needinfo?(cdiehl)

There are some possible options coming to mind.

If you really want to run this in OSS-Fuzz then a LibFuzzer implementation is required and probably as a stand-alone executable. They do have a Firefox target running with LibFuzzer integration but I am unsure right now in what state this is at OSS-Fuzz.

What we use in our own cluster is a LibFuzzer fuzzing interface, this is defined here.

The other option would be to write a grammar with Dharma which we then can hook up into our fuzzing cluster.

Flags: needinfo?(cdiehl)
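As an added example (not Thunderbird's, Mozilla's or OSS-Fuzz's code), the block below ties together two points from the comments above: Gary's suggestion of a small shell that exercises mail-specific code and reports assertion failures in a debug build, and Christoph's note that OSS-Fuzz needs a stand-alone LibFuzzer target. Only `LLVMFuzzerTestOneInput` is the real LibFuzzer interface; the parser `parse_header_line`, the `header_field` struct, the helper functions and the seed strings are hypothetical stand-ins for a real MIME header parser.

```c
/* Added example, not Thunderbird's, Mozilla's or OSS-Fuzz's code.
 * A stand-alone LibFuzzer target around a hypothetical MIME header-line
 * parser.  LLVMFuzzerTestOneInput is the real LibFuzzer entry point;
 * everything else here is a constructed stand-in for mail-specific code.
 *
 *   fuzz build:  clang -g -O1 -fsanitize=fuzzer,address fuzz_header.c -o fuzz_header
 *   plain build: cc -DSTANDALONE fuzz_header.c -o fuzz_header   (runs the seeds in main)
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME  64
#define MAX_VALUE 256

struct header_field {
    char name[MAX_NAME + 1];    /* always NUL-terminated (memset below) */
    char value[MAX_VALUE + 1];
};

/* Hypothetical parser under test: one "Name: value" header line.
 * Returns 1 on success, 0 on reject.  Never reads past `len` and never
 * writes past the fixed buffers; those are the properties the fuzzer checks. */
int parse_header_line(const uint8_t *data, size_t len, struct header_field *out)
{
    size_t i = 0, n = 0;
    memset(out, 0, sizeof *out);

    /* Field name: printable US-ASCII except ':' (RFC 5322 "ftext"). */
    while (i < len && data[i] != ':') {
        uint8_t c = data[i];
        if (c < 33 || c > 126 || n >= MAX_NAME)
            return 0;
        out->name[n++] = (char)c;
        i++;
    }
    if (n == 0 || i >= len)     /* empty name, or no ':' before end of input */
        return 0;
    i++;                        /* consume ':' */

    /* Optional leading blanks, then the value up to CR/LF or end of input. */
    while (i < len && (data[i] == ' ' || data[i] == '\t'))
        i++;
    n = 0;
    while (i < len && data[i] != '\r' && data[i] != '\n') {
        if (n >= MAX_VALUE)
            return 0;
        out->value[n++] = (char)data[i++];
    }
    return 1;
}

/* LibFuzzer entry point.  It must accept any byte string, including size 0.
 * ASan/UBSan report memory errors; the asserts turn logic violations into
 * crashes in a debug build, which is the failure signal OSS-Fuzz records. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct header_field h;
    if (parse_header_line(data, size, &h)) {
        /* Invariants a successful parse must uphold. */
        assert(h.name[0] != '\0' && strlen(h.name) <= MAX_NAME);
        assert(strlen(h.value) <= MAX_VALUE);
        assert(strchr(h.name, ':') == NULL);
        assert(strpbrk(h.value, "\r\n") == NULL);
    }
    return 0;   /* libFuzzer requires 0; other values are reserved */
}

/* Seed/regression helpers (also what the plain build exercises). */
int line_accepted(const char *line)
{
    struct header_field h;
    return parse_header_line((const uint8_t *)line, strlen(line), &h);
}

int header_matches(const char *line, const char *name, const char *value)
{
    struct header_field h;
    if (!parse_header_line((const uint8_t *)line, strlen(line), &h))
        return 0;
    return strcmp(h.name, name) == 0 && strcmp(h.value, value) == 0;
}

#ifdef STANDALONE
int main(void)
{
    /* Constructed seed corpus: well-formed, malformed and edge-case lines. */
    const char *seeds[] = {
        "Subject: hello\r\n", "X:", "Content-Type:\t text/plain",
        "NoColonHere", ": value", "Bad Name: x", "",
    };
    for (size_t k = 0; k < sizeof seeds / sizeof seeds[0]; k++) {
        LLVMFuzzerTestOneInput((const uint8_t *)seeds[k], strlen(seeds[k]));
        printf("%-28s -> %s\n", seeds[k], line_accepted(seeds[k]) ? "accepted" : "rejected");
    }
    return 0;
}
#endif
```

With the fuzz build, `./fuzz_header seeds/` lets libFuzzer mutate the files in `seeds/` and stop at the first sanitizer report or assertion failure; the same source, built with `-DSTANDALONE`, doubles as the kind of small test shell the thread asks for, since a real parser would be dropped in place of `parse_header_line` without touching the entry point.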
Priority: -- → P3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Type: defect → enhancement
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX

Firefox still does this

Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

from choller "yes, we are still running some Firefox targets in oss-fuzz. However, we are considering moving some of them back to our own fuzzing infrastructure, in particular those that require a full Firefox build, and leave only the third party stuff to be tested there. The problem we are facing is that we can't use our own CI builds in oss-fuzz and maintaining the full build process in oss-fuzz is time-consuming."

Severity: normal → S3