For reference, read https://github.com/google/oss-fuzz.

We should investigate creating fuzz targets for the Python re module (_sre.c) at a minimum.  There are probably other good targets as well such as _json.c and _csv.c.

pickle and marshal are not intended to be secure so ignore those.

It does not appear to me that targets have to be security critical, though that is certainly a good place to start.  The Chrome tests found 100s of "security vulnerabilities and stability bugs".

The important thing is that there be someone willing to receive and act on reports.  Would 'make public after 90 days' ever be a problem?  AFAIK, most Python security issues are already public here on the tracker from day 1.

Aha, I found an existing issue!

For adding to oss-fuzz, is there a contact email we can use that is connected to a google account? I am tempted to just put gregory.p.smith on there if not. :)




I can volunteer to fuzz some interesting subset of the stdlib. The list I've come up with (by counting uses in my code) is:

the XML parser (which seems to be written in C)
struct (unpack)
the various builtins that parse strings (like int())
hashlib
binascii
datetime's parsing
json


I'd also suggest the ast module, since people do use ast.literal_eval on untrusted strings, but I probably won't do that one myself.



I wrote a fuzz test for json via upstream simplejson, but the bug on github is getting stale: https://github.com/simplejson/simplejson/issues/163

Should I add it to CPython instead?



> We should investigate creating fuzz targets for the Python re module (_sre.c) at a minimum.

If we prioritize based on security risk, I'd argue that this is lower priority than things like json's speedup extension module, because people should generally not pass untrusted strings to the re module: it's very easy to DOS a service with regexes unless you're using RE2 or similar -- which is fuzzed.  In contrast, json is supposed to accept untrusted input and people do that very often.

(OTOH, I would be willing to bet that fuzzing re will yield more bugs than fuzzing json.)

you can list me as a oss-fuzz contact.  use my work email address.

simplejson is worthy but as both it and the python standard library ship separately people use both so they both ultimately deserve fuzzing and fixing on their own so I'd add it to CPython as well.

https://github.com/google/oss-fuzz/pull/583 is the PR to oss-fuzz to add the project. I'm working on actual tests to be submitted here.

As I read 583, they are planning to fuzz 3.6.  Why not branch master?  I think it more likely that we accidentally add a vulnerability to master then that we accidentally close one.

I think they misspoke, it's normal with fuzzing to test against master. The current draft of the code runs this git pull before building/launching any tests:

    git clone --depth 1 https://github.com/python/cpython.git cpython

Speaking of which, I forgot to update this bug thread with the followup PR to actually run CPython's fuzz tests (when they exist): https://github.com/google/oss-fuzz/pull/731. That's where I grabbed the git clone statement from. I think that will be merged after some version of PR 2878 lands in CPython (still in code review / broken).



For Python 2 I guess it's different, and we will test against the 2.7 branch, right?

New changeset c5bace2bf7874cf47ef56e1d8d19f79ad892eef5 by Gregory P. Smith (Devin Jeanpierre) in branch 'master':
bpo-29505: Add fuzz tests for float(str), int(str), unicode(str) (#2878)
https://github.com/python/cpython/commit/c5bace2bf7874cf47ef56e1d8d19f79ad892eef5

alright, with that in, feel free to figure out the oss-fuzz configuration side and fire things up Devin. :)

GCC complains about the patch:

/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c: In function ‘LLVMFuzzerTestOneInput’:
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:109:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
 #if _Py_FUZZ_YES(fuzz_builtin_float)
 ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:109:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:112:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
 #if _Py_FUZZ_YES(fuzz_builtin_int)
 ^~~~~~~~~~~~~~~~~~~~~~~~~
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:112:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:115:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]
 #if _Py_FUZZ_YES(fuzz_builtin_unicode)
 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:115:1: warning: this use of "defined" may not be portable [-Wexpansion-to-defined]

Huh. I would not have predicted that.

https://gcc.gnu.org/onlinedocs/cpp/Defined.html

I'll send a fix.

So here's an interesting issue: oss-fuzz requires that the built location be movable. IOW, we build Python into $OUT, and then the $OUT directory gets moved somewhere else and the fuzz test gets run from there. This causes problems because Python can no longer find where the modules it needs are (encodings for example).

First thought: wouldn't it be nice if we could make a prepackaged and hermetic executable that we can move around freely?

Second thought: isn't that "Hermetic Python", as used within Google?

Third thought: doesn't Google have an internal fuzz testing environment we can use, instead of oss-fuzz?

So unless someone says this is a bad idea, I'd propose we not run these in oss-fuzz and instead run them in Google proper. The alternative is if there's a way to make it easy to move Python around -- is there a way to build it s.t. the import path is relative and so on?

i'd rather make this work in oss-fuzz on cpython.  can you point me to how oss-fuzz works and what it wants to do so i can better understand what it needs?

it it has an expectation that the thing being fuzzed is a single binary with no data or directory tree layout dependencies that can just be plopped somewhere else is not a great assumption to make.

but environment variables _should_ be able to be set to point the python binary at what it needs if it must work that way.

> i'd rather make this work in oss-fuzz on cpython.  can you point me to how oss-fuzz works and what it wants to do so i can better understand what it needs?

I don't have any details except for what's in the PR to oss-fuzz (https://github.com/google/oss-fuzz/pull/731)  My understanding is matches what you've said so far:

Python is built to one directory (/out/), but then needs to be run from another directory (/out/ is renamed to /foo/bar/baz/out/). We need python to still work. I have no idea how to do this.

The only suggestion on #python-dev IRC was to statically link a libpython.a, but this doesn't avoid needing to import libraries like "encodings" dynamically, so they still need to be locatable on disk.

Is there a way to build python so that it doesn't use absolute paths to everything, and so that the install can be moved at will? Or is there a way to tell it that it was moved at runtime? (I am unconvinced PYTHONPATH is a maintainable solution, if it works at all...)


oss-fuzz is not going to change away from its model (I asked if they could, they said no), so we're stuck with making Python compatible with it one way or another.  This is why I am so drawn to running the test internally on Google's infrastructure anyway: we already _did_ all this work already, via hermetic python. Doing it a second time, but worse, seems annoying.

kcc strongly disagrees though. Copying latest comment:

"""
fwiw - I object to us running any of this internally at Google. We need to be part of the main oss-fuzz project pulling from upstream revisions. Doing this testing within our blackhole of internal stuff adds more work for us internally (read: which we're not going to do) and wouldn't provide results feedback to the upstream CPython project in a useful timely manner.

We must figure out how to get this to build and run on the external oss-fuzz infrastructure
"""

misquote.  that was me objecting to running it internally. :)

i believe this is solvable, i haven't had time to spend on this part yet.

Oops, so it is. I can't read apparently.

I'll spend my time on making more fuzz tests in the meantime.

Seems like it ought to be possible to use the same hooks that venv uses to make this work, but I haven't looked at the details of how those work.

New changeset a15a7bcaea54e1845ab2abe27e6f583294cd715b by Gregory P. Smith (Ammar Askar) in branch 'master':
bpo-29505: Fix interpreter in fuzzing targets to be relocatable (GH-13907)
https://github.com/python/cpython/commit/a15a7bcaea54e1845ab2abe27e6f583294cd715b

New changeset 22b69da4c38042e923d633530bdafc1b5fb94928 by Miss Islington (bot) in branch '3.8':
bpo-29505: Fix interpreter in fuzzing targets to be relocatable (GH-13907)
https://github.com/python/cpython/commit/22b69da4c38042e923d633530bdafc1b5fb94928

New changeset 6692d35317a45905a043dccae3940ea5d5d84352 by Miss Islington (bot) in branch '3.7':
bpo-29505: Fix interpreter in fuzzing targets to be relocatable (GH-13907)
https://github.com/python/cpython/commit/6692d35317a45905a043dccae3940ea5d5d84352

New changeset a6e190e94b47324f14e22a09200c68b722d55699 by Gregory P. Smith (Ammar Askar) in branch 'master':
bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991)
https://github.com/python/cpython/commit/a6e190e94b47324f14e22a09200c68b722d55699

New changeset 534136ac6790a701e24f364a9b7f1e34bf5f3ce7 by Miss Islington (bot) in branch '3.7':
bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991)
https://github.com/python/cpython/commit/534136ac6790a701e24f364a9b7f1e34bf5f3ce7

New changeset 878227e7217f3363f9c095b7fb8c1dbdde1ec34f by Miss Islington (bot) in branch '3.8':
bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991)
https://github.com/python/cpython/commit/878227e7217f3363f9c095b7fb8c1dbdde1ec34f

New changeset 5cbbbd73a6acb6f96f5d6646aa7498d3dfb1706d by Gregory P. Smith (Ammar Askar) in branch 'master':
bpo-29505: Add more fuzzing for re.compile, re.load and csv.reader (GH-14255)
https://github.com/python/cpython/commit/5cbbbd73a6acb6f96f5d6646aa7498d3dfb1706d

New changeset ffcc161c753a72e7c4237c1e3c433d47b020978e by Miss Islington (bot) in branch '3.8':
bpo-29505: Add more fuzzing for re.compile, re.load and csv.reader (GH-14255)
https://github.com/python/cpython/commit/ffcc161c753a72e7c4237c1e3c433d47b020978e

Hi,

I've built a generic Python fuzzer and submitted it to OSS-Fuzz.

It works by implementing a "def FuzzerRunOne(FuzzerInput):" function in Python in which some arbitrary code is run based on FuzzerInput, which is a bytes object.

This is a more versatile solution than the current re, json, csv fuzzers as it requires no custom C code and adding more fuzzing targets is as easy as writing a new harness in Python and adding a build rule.

Code coverage is measured at both the CPython level (*.c) and the Python level (*.py). CPython is compiled with AddressSanitizer. What this means is that both CPython memory bugs and Python library bugs (excessive memory consumption, hangs, slowdowns, unexpected exceptions) are expected to transpire.

You can see my current set of fuzzers here: https://github.com/guidovranken/python-library-fuzzers

The PR to OSS-Fuzz is https://github.com/google/oss-fuzz/pull/2567

Currently, the only Python maintainer who will be receiving automated bug reports is gpshead. Are there any other developers who normally process Python security bug reports and would like to receive notifications?

Feel free to respond directly in the OSS-Fuzz PR thread.

All the modules prescribed in the original bug are now actively being fuzzed, thank you to Devin for the original work on this and Gregory for reviewing all these changes.

I'm closing this now, feel free to make a new bug and nosy me in if there are any other C-based modules commonly exposed to user input that should be fuzzed.

New changeset db72e58ea5940c3942ede9f70cb897510b52fc36 by Ammar Askar in branch 'main':
bpo-29505: Add fuzzer for ast.literal_eval (GH-28777)
https://github.com/python/cpython/commit/db72e58ea5940c3942ede9f70cb897510b52fc36