google / oss-fuzz

OSS-Fuzz - continuous fuzzing for open source software.
https://google.github.io/oss-fuzz
Apache License 2.0

There doesn't seem to be a way for projects with `view_restrictions: none` to make all the OSS-Fuzz issues public #10344

Open evverx opened 1 year ago

evverx commented 1 year ago

It would be great if it was possible to make https://oss-fuzz.com/testcases?project=libbpf public. It should help to point duplicates like https://github.com/libbpf/libbpf/issues/634, https://github.com/libbpf/libbpf/issues/682, https://github.com/libbpf/libbpf/issues/683 and https://github.com/libbpf/libbpf/issues/688 to that dashboard. All those issues have already been found by the libbpf fuzz target on OSS-Fuzz (and I suspect most of those issues were "discovered" by just building and running it as well) but, for example, https://oss-fuzz.com/testcase-detail/4792745105686528 hasn't been officially reported because it was delayed.

I don't think it can prevent anyone from spamming the libbpf issue tracker with those duplicates but at least it should help to close them with a link to the list of known issues.

evverx commented 1 year ago

@UESuperGate I wonder if all that stuff comes from HKU System Security Lab?

UESuperGate commented 1 year ago

> @UESuperGate I wonder if all that stuff comes from HKU System Security Lab?

No, only libbpf/libbpf#634.

BTW, I'm still wondering if there is an official way to check the existing bugs found in libbpf? Manual checking is really time-consuming and sometimes misses some.

evverx commented 1 year ago

> I'm still wondering if there is an official way to check the existing bugs found in libbpf?

In theory https://osv.dev/ could be used to pull bug reports OSS-Fuzz considers vulnerabilities (based on their backtraces mostly). The idea behind OSV is to make it easy to process OSS-Fuzz findings automatically but in practice https://oss-fuzz.com/testcases?project=libbpf is the only place where all the libbpf issues can be found. I think it should be public because libbpf lifted all the restrictions: https://github.com/google/oss-fuzz/blob/0b0a3285a565c10e64fe76ad17e9ce1d64286382/projects/libbpf/project.yaml#L18

evverx commented 1 year ago

Before I forget, this issue is somewhat related to https://github.com/google/oss-fuzz/issues/8921 (where projects with `view_restrictions: none` were discussed as well).