From an OSS-Fuzz Report to LKML Patch Submission: A Hands-on Journey – Shung-Hsi Yu, SUSE
Launched in 2016, OSS-Fuzz is a free fuzzing service for open source projects created by Google. As of August 2023, OSS-Fuzz stated that it has helped identify and fix over 10,000 vulnerabilities and 36,000 bugs across 1,000 projects, underscoring its significant impact on open source software quality. To the uninitiated, the term fuzzing can be intimidating, prompting questions about how to engage with such a project. But security vulnerabilities discovered by OSS-Fuzz are, after all, bugs. Armed with debugging skill, programming knowledge, collaboration with maintainers, and most importantly, perseverance, you too can make contribution. In fact, as you will soon discover, OSS-Fuzz gives you quite a head start. This presentation aims encourage attendees to get involved in contributing to important open source projects by leveraging OSS-Fuzz report. Join Shung-Hsi as he shares the comprehensive journey of fixing CVE-2021-45940 based of OSS-Fuzz report 40868 and 40957. He will go through the practical step he took, including using the reproducers provided by OSS-Fuzz to aid in debugging, pinpointing the root cause, and going through the process of sending patches to Linux Kernel Mailing List (LKML) and code review.
