Security Sheriff ClusterFuzz instructions
[TOC]
This page has instructions for Security Sheriffs in how best to use ClusterFuzz to reproduce and label bugs.
Basics
https://clusterfuzz.com/upload-testcase
allows you to upload files to reproduce crashes on various platforms and will
identify revision ranges when the regression was introduced. If a test case
requires multiple files, they can be uploaded together in a zip or tar
archive: the main file needs to contain the words run, fuzz- index. or
crash..
Please do specify the crbug number when uploading the test case. This will allow ClusterFuzz to keep the crbug updated with progress.
Please don't upload test cases unless they're obviously harmless. Currently ClusterFuzz does not support untrusted workloads.
Useful jobs
You should chose the right job type depending on the format of file you want to test:
- repro.html linux_asan_chrome_mp or windows_asan_chrome
- repro.js linux_asan_d8
- repro.pdf libfuzzer_pdfium_asan / pdfium_fuzzer or libfuzzer_pdfium_asan / pdfium_xfa_fuzzer
MojoJS
MojoJS is a means for a renderer process to use Mojo IPCs directly from JavaScript. Although it's not enabled in normal production Chrome builds, it's a great way to simulate how a compromised renderer can attack other processes over IPC.
Because Mojo IPCs change with each version of Chrome, the test case needs to
use exactly the right MojoJS bindings. MojoJS bugs typically specify to use
python ./copy_mojo_bindings.py to put such bindings in place, but that does not
work for ClusterFuzz where it will need to bisect across many versions of Chrome
with many versions of Mojo.
Therefore, do this instead:
- In the PoC, replace all paths where it's loading MojoJS scripts to be prefixed
with
file:///geninstead. For example:
This works because most of the ClusterFuzz Chrome binaries are now built with<script src="file:///gen/mojo/public/js/mojo_bindings_lite.js">enable_ipc_fuzzer=true. - If you believe the bug will reproduce on Linux, use the linux_asan_chrome_mojo job type.
- If you believe the bug will only reproduce on Android, ClusterFuzz can't help right now.
- Otherwise, use any job type but specify extra command-line flags
--enable-blink-features=MojoJS. In this case, ClusterFuzz might declare that a browser process crash is Critical severity, whereas because of the precondition of a compromised renderer you may wish to adjust it down to High.