[libvirt] How about fuzz testing on oss-fuzz?

Michal Privoznik mprivozn at redhat.com
Tue May 9 09:12:24 UTC 2017


On 05/09/2017 11:01 AM, Daniel P. Berrange wrote:
> On Fri, Mar 31, 2017 at 10:23:33AM +0200, Peter Krempa wrote:
>> On Fri, Mar 31, 2017 at 03:57:41 -0400, Dan wrote:
>>> Hi all,
>>>
>>> I have seen libxml2 has already been added as a project in oss-fuzz [1].
>>> Any idea about libvirt? While we could do our own fuzzing of some form, do
>>> we want to also try it out using Google's free resource?
>>
>> The oss-fuzz project requires you to integrate the project with
>> the libfuzz fuzzer in the first place so you have to make it run locally
>> first anyways.
>>
>> Doing it on the oss-fuzz project is still the step after that.
> 
> FYI, Google is now offering rewards to projects that integrate
> with oss-fuzz
> 
>   "To qualify for these rewards, a project needs to have a large
>    user base and/or be critical to global IT infrastructure. 
>    Eligible projects will receive $1,000 for initial integration,
>    and up to $20,000 for ideal integration (the final amount is
>    at our discretion). You have the option of donating these 
>    rewards to charity instead, and Google will double the amount."
> 
> I'd like to think libvirt qualifies under "large user base" and
> "critical to global IT" given prevalence of the cloud these days,
> but no guarantees
> 
>   https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

Right. I've read this on G+ during the weekend. And now that we have
accepted a student for the fuzzing GSoC project, we can work towards
that goal.

> 
> Not that libvirt really has any current need for monetary funds. If it ever
> came to pass, we could just have a poll amongst active contributors to
> vote on suggestions of what to do with it (donate it, spend it, fund something,
> etc).

I don't know any details, but I know from the past that receiving money
for orgs wasn't trivial (at least for GSoC). We had to have a law
entity that covers the project. Since there was none, we donated our
mentor money to Tor foundation. But it changed a while ago (again,
at least for GSoC), so maybe we are eligible to receive money after all.

Michal



