Oss-fuzz helps find bugs and security issues and has already done so for many projects.
I already reported thee minor bugs in gnupg thanks to it (more to come)
A gnupg patch is available here
https://github.com/catenacyber/gnupg/tree/fuzz
It works with oss-fuzz using this patch
https://github.com/google/oss-fuzz/pull/1310
The big question is how fuzz tests should be used without oss-fuzz.
Maybe a non-default configure option could set the C flags appropriately ?
Sorry, I do not understand your request. Please describe what you want; linking to some arbitrary external sites is not sufficient.
Sorry myself.
I will try to be clearer :
I would like to add tests using fuzzing to gnupg.
I would like more precisely to use oss-fuzz which is a framework for testing by fuzzing.
To do so, I propose the following patch to gnupg, available at
https://github.com/catenacyber/gnupg/commit/2c361e82c4019565c8b70a4c92d0ce24ad9c56fc
or here
It consists of :
For the moment, two fuzz targets are implemented :
Is it clear ?
I can be available for a chat if you want.
Thanks for the description and the patch. I know what fuzzing is and GnuPG underwent quite some public and non-public fuzzing already. You may want to check with Hanno Böck to see how fuzzing can be done with gpg.
Problems I see:
You can't build gpg as a library. it is simply not designed for this and thus you are working out of the design constraints. Changing error messages for example from log_fatal to log_error is a major semantic change.
gpg has a well defined way to report errors and other stati (hint: --status-fd): This is what needs to be used and tested.
Glancing at the code reveals for example this:
mkdir("/tmp/ramfuzz/", 0777);
filename=strdup("/tmp/ramfuzz/fuzz.gpg");
if (!filename) {
free(ctrlGlobal);
return 0;
}
fd = open("/tmp/ramfuzz/fuzz.gpg", O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);This does not make me confident enough to consider applying other code.
You may want to check with Hanno Böck
Thanks, I just did.
You can't build gpg as a library. it is simply not designed for this and thus you are working out of the design constraints.
Indeed.
But the patch that does it is quite simple.
Pragmatically, if this helps to find some bugs, it can still be useful, or not ?
This does not make me confident enough to consider applying other code.
All your remarks are correct.
This is a first Proof of Concept, that gets gnupg and oss-fuzz integrated.
I will rework on the code, and split this patch in more commits.
Work is in progress, but you can already see :
I now have all three fuzz targets stable now, and not finding more bugs besides the reported memory leaks
https://github.com/gpg/gnupg/compare/master...catenacyber:7651c60
What do you think of it ? Do you want to use it for continuous integration ?
No, we won't cripple GnuPG for testing purposes. You intended to test something else than the provided GnuPG.