mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
turn off fuzzit part 2
it's just a follow-up to https://github.com/systemd/systemd/pull/16064
This commit is contained in:
parent
60950f3c25
commit
135a1add7b
@ -6,7 +6,6 @@ System and Service Manager
|
||||
<a href="https://in.waw.pl/systemd-github-state/systemd-systemd-pull-requests.svg"><img align="right" src="https://in.waw.pl/systemd-github-state/systemd-systemd-pull-requests-small.svg" alt="Count of open pull requests over time"></a>
|
||||
[![Semaphore CI Build Status](https://semaphoreci.com/api/v1/projects/28a5a3ca-3c56-4078-8b5e-7ed6ef912e14/443470/shields_badge.svg)](https://semaphoreci.com/systemd/systemd)<br/>
|
||||
[![Coverity Scan Status](https://scan.coverity.com/projects/350/badge.svg)](https://scan.coverity.com/projects/350)<br/>
|
||||
[![Fuzzit Status](https://app.fuzzit.dev/badge?org_id=systemd&branch=master)](https://app.fuzzit.dev/orgs/systemd/dashboard)<br/>
|
||||
[![OSS-Fuzz Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/systemd.svg)](https://oss-fuzz-build-logs.storage.googleapis.com/index.html#systemd)<br/>
|
||||
[![CIFuzz](https://github.com/systemd/systemd/workflows/CIFuzz/badge.svg)](https://github.com/systemd/systemd/actions)<br/>
|
||||
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1369/badge)](https://bestpractices.coreinfrastructure.org/projects/1369)<br/>
|
||||
|
@ -98,7 +98,7 @@ Happy hacking!
|
||||
## Fuzzers
|
||||
|
||||
systemd includes fuzzers in `src/fuzz/` that use libFuzzer and are automatically
|
||||
run by [OSS-Fuzz](https://github.com/google/oss-fuzz) and [Fuzzit](https://fuzzit.dev) with sanitizers.
|
||||
run by [OSS-Fuzz](https://github.com/google/oss-fuzz) with sanitizers.
|
||||
To add a fuzz target, create a new `src/fuzz/fuzz-foo.c` file with a `LLVMFuzzerTestOneInput`
|
||||
function and add it to the list in `src/fuzz/meson.build`.
|
||||
|
||||
@ -118,10 +118,6 @@ python infra/helper.py build_fuzzers --sanitizer memory systemd ../systemd
|
||||
python infra/helper.py run_fuzzer systemd fuzz-foo
|
||||
```
|
||||
|
||||
When you add a new target you should also add the target on [Fuzzit](https://app.fuzzit.dev/admin/RxqRpGNXquIvqrmp4iJS/dashboard)
|
||||
(Please ask someone with permissions). One the target is configured on Fuzzit you need to add it to
|
||||
`travis-ci/managers/fuzzit.sh` so the new target will run sanity tests on every pull-request and periodic fuzzing jobs.
|
||||
|
||||
If you find a bug that impacts the security of systemd, please follow the
|
||||
guidance in [CONTRIBUTING.md](CONTRIBUTING.md) on how to report a security vulnerability.
|
||||
|
||||
|
@ -1,73 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
set -x
|
||||
set -u
|
||||
|
||||
# This should help to protect the systemd organization on Fuzzit from forks
|
||||
# that are activated on Travis CI.
|
||||
[[ "$TRAVIS_REPO_SLUG" = "systemd/systemd" ]] || exit 0
|
||||
|
||||
REPO_ROOT=${REPO_ROOT:-$(pwd)}
|
||||
|
||||
sudo bash -c "echo 'deb-src http://archive.ubuntu.com/ubuntu/ xenial main restricted universe multiverse' >>/etc/apt/sources.list"
|
||||
sudo apt-get update -y
|
||||
sudo apt-get build-dep systemd -y
|
||||
sudo apt-get install -y python3-pip python3-setuptools
|
||||
# The following should be dropped when debian packaging has been updated to include them
|
||||
sudo apt-get install -y libfdisk-dev libp11-kit-dev libssl-dev libpwquality-dev
|
||||
pip3 install ninja meson
|
||||
|
||||
cd $REPO_ROOT
|
||||
export PATH="$HOME/.local/bin/:$PATH"
|
||||
|
||||
# TODO: figure out what to do about unsigned-integer-overflow: https://github.com/google/oss-fuzz/issues/910
|
||||
export SANITIZER="address -fsanitize=undefined,unsigned-integer-overflow"
|
||||
tools/oss-fuzz.sh
|
||||
|
||||
FUZZING_TYPE=${1:-regression}
|
||||
if [ "$TRAVIS_PULL_REQUEST" = "false" ]; then
|
||||
FUZZIT_BRANCH="${TRAVIS_BRANCH}"
|
||||
else
|
||||
FUZZIT_BRANCH="PR-${TRAVIS_PULL_REQUEST}"
|
||||
fi
|
||||
|
||||
# Because we want Fuzzit to run on every pull-request and Travis/Azure doesn't support encrypted keys
|
||||
# on pull-request we use a write-only key which is ok for now. maybe there will be a better solution in the future
|
||||
export FUZZIT_API_KEY=af6992074353998676713818cc6435ef4a750439932dab58b51e9354d6742c54d740a3cd9fc1fc001db82f51734a24bc
|
||||
FUZZIT_ADDITIONAL_FILES="./out/src/shared/libsystemd-shared-*.so"
|
||||
|
||||
# ASan options are borrowed almost verbatim from OSS-Fuzz
|
||||
ASAN_OPTIONS=redzone=32:print_summary=1:handle_sigill=1:allocator_release_to_os_interval_ms=500:print_suppressions=0:strict_memcmp=1:allow_user_segv_handler=0:allocator_may_return_null=1:use_sigaltstack=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=1:alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:handle_abort=1:check_malloc_usable_size=0:quarantine_size_mb=64:detect_odr_violation=0:handle_segv=1:fast_unwind_on_fatal=0
|
||||
UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1:silence_unsigned_overflow=1
|
||||
FUZZIT_ARGS="--type ${FUZZING_TYPE} --branch ${FUZZIT_BRANCH} --revision ${TRAVIS_COMMIT} -e ASAN_OPTIONS=${ASAN_OPTIONS} -e UBSAN_OPTIONS=${UBSAN_OPTIONS}"
|
||||
wget -O fuzzit https://github.com/fuzzitdev/fuzzit/releases/latest/download/fuzzit_Linux_x86_64
|
||||
chmod +x fuzzit
|
||||
|
||||
# Simple wrapper which retries given command up to three times if it fails
|
||||
_retry() {
|
||||
local EC=1
|
||||
|
||||
for _ in {0..2}; do
|
||||
if "$@"; then
|
||||
EC=0
|
||||
break
|
||||
fi
|
||||
|
||||
sleep 1
|
||||
done
|
||||
|
||||
return $EC
|
||||
}
|
||||
|
||||
find out/ -maxdepth 1 -name 'fuzz-*' -executable -type f -exec basename '{}' \; | while read -r fuzzer; do
|
||||
_retry ./fuzzit create job ${FUZZIT_ARGS} ${fuzzer}-asan-ubsan out/${fuzzer} ${FUZZIT_ADDITIONAL_FILES}
|
||||
done
|
||||
|
||||
export SANITIZER="memory -fsanitize-memory-track-origins"
|
||||
FUZZIT_ARGS="--type ${FUZZING_TYPE} --branch ${FUZZIT_BRANCH} --revision ${TRAVIS_COMMIT}"
|
||||
tools/oss-fuzz.sh
|
||||
|
||||
find out/ -maxdepth 1 -name 'fuzz-*' -executable -type f -exec basename '{}' \; | while read -r fuzzer; do
|
||||
_retry ./fuzzit create job ${FUZZIT_ARGS} ${fuzzer}-msan out/${fuzzer} ${FUZZIT_ADDITIONAL_FILES}
|
||||
done
|
Loading…
Reference in New Issue
Block a user