|
1 | 1 | # Reproducing OSS-Fuzz issues
|
2 | 2 |
|
3 |
| -You've been CC'ed on an OSS-Fuzz issue, now what? Before attempting a fix you should be able to reliably reproduce an issue. |
| 3 | +You've been CC'ed on an OSS-Fuzz issue ([examples](https://bugs.chromium.org/p/oss-fuzz/issues/list)), |
| 4 | +now what? |
| 5 | +Before attempting a fix the bug you should be able to reliably reproduce it. |
4 | 6 |
|
5 |
| -The process is much simpler if you have Docker installed ([how?](installing_docker.md), [why?](faq.md#why-do-you-use-docker)), but |
| 7 | +Every issue has a reproducer file attached. |
| 8 | +This file contains the bytes that were fed to the [Fuzz Target](http://libfuzzer.info/#fuzz-target). |
| 9 | + |
| 10 | +If you have [properly integrated](ideal_integration.md) the fuzz target with your build and test system |
| 11 | +all you need is to download the reproducer file and run |
| 12 | +``` |
| 13 | +./fuzz_target_binary REPRODUCER_FILE |
| 14 | +``` |
| 15 | +Depending on the nature of the bug, the fuzz target binary needs to be build with the appropriate sanitizer |
| 16 | +(e.g. if this is a buffer overflow, with [AddressSanitizer](http://clang.llvm.org/docs/AddressSanitizer.html)). |
| 17 | + |
| 18 | +**TODO** |
| 19 | + |
| 20 | +Another option is to use the Docker commands (**TODO: link**) to replicate the exact build steps |
| 21 | +used by OSS-Fuzz and then feed the reproducer input to the target. |
| 22 | + |
| 23 | +([how?](installing_docker.md), [why?](faq.md#why-do-you-use-docker)), but |
6 | 24 | is entirely possible to do without.
|
7 | 25 |
|
| 26 | +## **TODO Move into a separate file with docker commands** |
| 27 | + |
8 | 28 | ## Bug tracker reports
|
9 | 29 |
|
10 | 30 | Bug reports in our bug tracker have the format:
|
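Review bot: lines 23-24 of the new file are now a dangling fragment. The old sentence "The process is much simpler if you have Docker installed (...), but is entirely possible to do without." lost its first clause when the Docker sentence was replaced, leaving "([how?](installing_docker.md), [why?](faq.md#why-do-you-use-docker)), but / is entirely possible to do without." with no subject; either restore the clause ("Using Docker (how?, why?) is the easiest route, but it is entirely possible to do without.") or drop both lines. Two typos in the added text should be fixed in the same pass: "Before attempting a fix the bug you should" should read "Before attempting to fix the bug you should", and "needs to be build with the appropriate sanitizer" should read "needs to be built". The bare "**TODO**" at line 18, the "(**TODO: link**)" at line 20 and the "## **TODO Move into a separate file with docker commands**" heading at line 26 will be rendered in the published docs as-is; if the split into a separate Docker file is not part of this change, replace them with a link to the existing Docker section further down the page rather than placeholders. Minor: tagging the fence around `./fuzz_target_binary REPRODUCER_FILE` as ```bash gives syntax highlighting consistent with the other docs.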
@@ -70,16 +90,3 @@ docker run --rm -v <b><i>$target_checkout_dir</i></b>:/src/<b><i>$target</i></b
|
70 | 90 | [Use gdb](debugging.md#debugging-fuzzers-with-gdb) if needed.
|
71 | 91 | - *Submit the fix.* ClusterFuzz will automatically pick up the changes, recheck the testcase
|
72 | 92 | and will close the issue.
|
73 |
| - |
74 |
| -## Manual |
75 |
| - |
76 |
| -Manual process is fully documented on main [libFuzzer page](http://llvm.org/docs/LibFuzzer.html). |
77 |
| -To manully reproduce the issue you have to: |
78 |
| -- fetch the toolchain: http://llvm.org/docs/LibFuzzer.html#versions |
79 |
| -- build the target with toolchain and sanitizer: http://llvm.org/docs/LibFuzzer.html#building |
80 |
| -- build the fuzzer from target-related code in [targets/](../targets/) |
81 |
| -- run the fuzzer on downloaded testcase |
82 |
| -- develop a fix and submit it upstream |
83 |
| - |
84 |
| -ClusterFuzz will automatically pick up the changes, recheck the testcase and will close the issue. |
85 |
| - |
|
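Review bot: this hunk deletes the whole "## Manual" section (toolchain fetch, sanitizer build, running the downloaded testcase) but nothing in the new top-of-file text replaces the links it carried. The new introduction says reproducing "is entirely possible to do without" Docker, and after this change the only non-Docker guidance left is the one-line `./fuzz_target_binary REPRODUCER_FILE` command, which assumes the target was already built with the right sanitizer; readers without that setup no longer get pointed at http://llvm.org/docs/LibFuzzer.html#building or the matching toolchain. Keep at least a one-line pointer to the libFuzzer build instructions next to the reproducer command, or leave a short "Manual" section in place until the Docker commands file this change refers to actually exists. The closing "ClusterFuzz will automatically pick up the changes, recheck the testcase and will close the issue." sentence is already stated in the "Submit the fix" bullet above, so removing that duplicate is fine.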