
Re: [tor-bugs] #33140 [Core Tor]: Clusterfuzz environment flags reused for dependencies

#33140: Clusterfuzz environment flags reused for dependencies
-----------------------------------+------------------------
 Reporter:  cypherpunks            |          Owner:  (none)
     Type:  defect                 |         Status:  new
 Priority:  Medium                 |      Milestone:
Component:  Core Tor               |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:  clusterfuzz, oss-fuzz  |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------

Comment (by nickm):

 > This sounds wrong. If we're fuzzing tor then why are we also
 > instrumenting dependencies for clusterfuzz? It looks like the dependencies
 > should override these flags when built to avoid conflicts.

 I'm no fuzzing expert, but here is my understanding:

 I think we want to instrument everything, so that we can find it when code
 outside of Tor is caused by Tor to leak memory, invoke undefined behavior,
 or whatever.

 Even though openssl is fuzzed itself, that's no guarantee that Tor is
 using openssl correctly: we might be invoking an openssl function with a
 too-short buffer, or using it with an uninitialized object.  If we did,
 then the fuzzers might not find that unless the openssl code that we're
 using is also implemented.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33140#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online