[tor-bugs] #33140 [Core Tor]: Clusterfuzz environment flags reused for dependencies

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 3 16:05:41 UTC 2020


#33140: Clusterfuzz environment flags reused for dependencies
-----------------------------------+--------------------------
 Reporter:  cypherpunks            |          Owner:  (none)
     Type:  defect                 |         Status:  new
 Priority:  Medium                 |      Component:  Core Tor
  Version:                         |       Severity:  Normal
 Keywords:  clusterfuzz, oss-fuzz  |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+--------------------------
 The build script for tor at oss-fuzz currently reuses clusterfuzz
 environment variables to compile dependencies. This has consequences when
 the dependencies themselves are upstream projects at oss-fuzz. The build
 environment sets the following flags to enable fuzzing of a target
 project:

 {{{
 CC=clang
 CXX=clang++
 CFLAGS=-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link
 CXXFLAGS=-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link -stdlib=libc++
 }}}

 In the case of zlib: using the environment flags above as-is results in
 activating oss-fuzz instrumentation, eventually resulting in an ambiguously
 placed `undefined symbol __sancov_lowest_stack` because stack-depth
 tracing was not instrumented properly. This leads to a rabbit hole: why
 are we fixing the instrumenting of fuzzers in tor's dependencies?

 Now OpenSSL also has an upstream clusterfuzz instance, so leaving the
 environment flags as-is also results in instrumenting OpenSSL for
 oss-fuzz.

 This sounds wrong. If we're fuzzing tor then why are we also instrumenting
 dependencies for clusterfuzz? It looks like the dependencies **should**
 override these flags when built to avoid conflicts.

 When the flags are overridden to build debug dependencies, followed by
 building tor's fuzzers as usual, `check_build tor` passes all tests.
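
As an added illustration of the override described in this ticket (this is example code, not tor's or oss-fuzz's build.sh), the sketch below keeps the clusterfuzz flags for the tor fuzzers and builds dependencies with those flags filtered. Which flags to drop for dependencies is an assumption: here `-fsanitize=fuzzer*`, `-fsanitize-coverage=*` and `-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` are removed (the libFuzzer/coverage flags are what pull in the `__sancov_lowest_stack` reference without a libFuzzer link), while `-O1`, the debug-info flags and ASan are kept so the dependency is still a debug build. The names `strip_fuzz_flags` and `build_dep` are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's own build script: build tor's dependencies
# with the clusterfuzz fuzzing flags filtered out, then build tor's fuzzers
# with the environment untouched.

# Drop the flags that turn a build into an oss-fuzz fuzz target (assumed set):
#   -fsanitize=fuzzer* : libFuzzer hooks, including stack-depth coverage that
#                        references __sancov_lowest_stack at link time
#   -fsanitize-coverage=* : explicit SanitizerCoverage options
#   -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION : enables a dependency's own
#                        fuzz-only code paths
# Everything else (-O1, -gline-tables-only, ASan) is kept, so the dependency
# is still a debug build that an ASan-instrumented tor can link against.
strip_fuzz_flags() {
    out=""
    for flag in $1; do
        case "$flag" in
            -fsanitize=fuzzer*|-fsanitize-coverage=*|-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
                ;;  # fuzz-target-only flag: not passed to dependencies
            *)
                out="${out:+$out }$flag"
                ;;
        esac
    done
    printf '%s\n' "$out"
}

# Run a dependency build command in a subshell with overridden CFLAGS/CXXFLAGS,
# so the clusterfuzz values in the parent environment stay intact for tor.
build_dep() {
    (
        CFLAGS="$(strip_fuzz_flags "$CFLAGS")"
        CXXFLAGS="$(strip_fuzz_flags "$CXXFLAGS")"
        export CFLAGS CXXFLAGS
        "$@"
    )
}

# Demonstration on the flag set quoted in the ticket (constructed defaults,
# used only when clusterfuzz has not already set CFLAGS/CXXFLAGS).
CFLAGS="${CFLAGS:--O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link}"
CXXFLAGS="${CXXFLAGS:-$CFLAGS -stdlib=libc++}"
echo "tor fuzzers CFLAGS:  $CFLAGS"
echo "dependency  CFLAGS:  $(strip_fuzz_flags "$CFLAGS")"

# Real usage would look like (paths and configure options are assumptions):
#   build_dep sh -c 'cd zlib && ./configure --static && make -j"$(nproc)"'
#   build_dep sh -c 'cd openssl && ./config no-shared && make -j"$(nproc)"'
#   ./configure --enable-fuzzing ...   # tor itself, with CFLAGS untouched
```

The subshell in `build_dep` is the point of the pattern: the dependency sees only the filtered flags, and nothing has to be restored afterwards before `make fuzzers` (or `check_build tor`) runs with the original clusterfuzz environment.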

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33140>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online