Liza Burakova | f3d929b6 | 2023-05-01 16:31:12 | [diff] [blame^] | 1 | # Security Shepherd ClusterFuzz instructions |
Adrian Taylor | d8d168a | 2020-04-30 00:46:15 | [diff] [blame] | 2 | |
| 3 | [TOC] |
| 4 | |
Liza Burakova | f3d929b6 | 2023-05-01 16:31:12 | [diff] [blame^] | 5 | This page has instructions for [Security Shepherds](shepherd.md) in how best to use |
Adrian Taylor | d8d168a | 2020-04-30 00:46:15 | [diff] [blame] | 6 | [ClusterFuzz](https://clusterfuzz.com) to reproduce and label bugs. |
| 7 | |
| 8 | ## Basics |
| 9 | |
| 10 | [https://clusterfuzz.com/upload-testcase](https://clusterfuzz.com/upload-testcase) |
| 11 | allows you to upload files to reproduce crashes on various platforms and will |
| 12 | identify revision ranges when the regression was introduced. If a test case |
| 13 | requires multiple files, they can be uploaded together in a zip or tar |
Hubert Chao | baffb60 | 2022-09-29 19:48:55 | [diff] [blame] | 14 | archive: the main file needs to contain the words `run`, `fuzz-` `index.` or |
| 15 | `crash.`. |
Adrian Taylor | d8d168a | 2020-04-30 00:46:15 | [diff] [blame] | 16 | |
| 17 | Please *do* specify the crbug number when uploading the test case. This will allow |
| 18 | ClusterFuzz to keep the crbug updated with progress. |
| 19 | |
Adrian Taylor | ce1cad6 | 2022-03-31 03:14:44 | [diff] [blame] | 20 | Please *don't* upload test cases unless they're obviously harmless. Currently |
| 21 | ClusterFuzz does not support untrusted workloads. |
| 22 | |
Adrian Taylor | d8d168a | 2020-04-30 00:46:15 | [diff] [blame] | 23 | ## Useful jobs |
| 24 | |
| 25 | You should chose the right job type depending on the format of file you want to |
| 26 | test: |
| 27 | |
| 28 | * repro.html [linux_asan_chrome_mp](https://clusterfuzz.com/upload-testcase?upload=true&job=linux_asan_chrome_mp) |
| 29 | or [windows_asan_chrome](https://clusterfuzz.com/upload-testcase?upload=true&job=windows_asan_chrome) |
| 30 | * repro.js [linux_asan_d8](https://clusterfuzz.com/upload-testcase?upload=true&job=linux_asan_d8) |
| 31 | * repro.pdf [libfuzzer_pdfium_asan / pdfium_fuzzer](https://clusterfuzz.com/upload-testcase?upload=true&job=libfuzzer_pdfium_asan&target=pdfium_fuzzer) |
| 32 | or [libfuzzer_pdfium_asan / pdfium_xfa_fuzzer](https://clusterfuzz.com/upload-testcase?upload=true&job=libfuzzer_pdfium_asan&target=pdfium_xfa_fuzzer) |
| 33 | |
| 34 | ## MojoJS |
| 35 | |
| 36 | [MojoJS](../../mojo/public/js/README.md) is a means for a renderer process to use |
| 37 | Mojo IPCs directly from JavaScript. Although it's not enabled in normal production |
| 38 | Chrome builds, it's a great way to simulate how a compromised renderer can attack |
| 39 | other processes over IPC. |
| 40 | |
| 41 | Because Mojo IPCs change with each version of Chrome, the test case needs to |
| 42 | use exactly the right MojoJS bindings. MojoJS bugs typically specify to use |
| 43 | `python ./copy_mojo_bindings.py` to put such bindings in place, but that does not |
| 44 | work for ClusterFuzz where it will need to bisect across many versions of Chrome |
| 45 | with many versions of Mojo. |
| 46 | |
| 47 | Therefore, do this instead: |
| 48 | |
| 49 | * In the PoC, replace all paths where it's loading MojoJS scripts to be prefixed |
| 50 | with `file:///gen` instead. For example: |
| 51 | ``` |
| 52 | <script src="file:///gen/mojo/public/js/mojo_bindings_lite.js"> |
| 53 | ``` |
| 54 | This works because most of the ClusterFuzz Chrome binaries are [now built with](https://chromium-review.googlesource.com/c/chromium/src/+/1119727) `enable_ipc_fuzzer=true`. |
| 55 | * If you believe the bug will reproduce on Linux, use the [linux_asan_chrome_mojo](https://clusterfuzz.com/upload-testcase?upload=true&job=linux_asan_chrome_mojo) job type. |
| 56 | * If you believe the bug will only reproduce on Android, [ClusterFuzz can't help right now](https://crbug.com/1067103). |
| 57 | * Otherwise, use any job type but specify extra command-line flags `--enable-blink-features=MojoJS`. In this case, ClusterFuzz might declare that a browser process crash is Critical severity, whereas because of the precondition of a compromised renderer [you may wish to adjust it down to High](severity-guidelines.md). |
| 58 | |
| 59 | [Example bug where these instructions have worked](https://crbug.com/1072983). |