The OSS-Fuzz continuous fuzzing infrastructure has added support for projects written in Lua, alongside the previously supported C/C++, Go, Swift, Rust, Python, JavaScript, and Java. The integration is built on the luzer project, which develops tooling for fuzz testing Lua code and Lua extensions written in C/C++.
luzer is built on the libFuzzer library and can be combined with AddressSanitizer, MemorySanitizer, LeakSanitizer, ThreadSanitizer, and UndefinedBehaviorSanitizer to detect potential vulnerabilities such as buffer overflows, integer overflows, reads of uninitialized memory, memory leaks, invalid pointer dereferences, and locking errors (data races and deadlocks). Note that the sanitizers instrument the native side, that is the Lua runtime and any C/C++ extensions under test; bugs in pure Lua code surface as uncaught Lua errors rather than sanitizer reports. The project's code is available under the ISC license.
During a run, luzer mutates the input data, keeps the variants that reach new code paths (the coverage-guided approach inherited from libFuzzer), and reports the crashes and uncaught Lua errors it finds. For example, fuzzing a MsgPack parsing library with luzer showed that data containing a large number of nested arrays can cause a stack overflow.
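To make the MsgPack case concrete, here is an added example of a luzer fuzz target written in Lua; it is not code from luzer, lua-MessagePack, Tarantool or OSS-Fuzz. It fuzzes a deliberately minimal decoder for the MsgPack fixarray and positive fixint encodings whose recursion is unbounded, so deeply nested arrays exhaust the stack, the same class of bug as the one found above, and shows the depth-limited variant beside it. The names, the luzer calls (`require("luzer")`, `luzer.Fuzz(target, custom_mutator, options)` and the `max_len` option) are assumptions based on luzer's README, and the crash input is constructed. In pure Lua the overflow surfaces as an uncaught "stack overflow" error that luzer reports as a failure; a decoder implemented in C would instead overflow the real stack and be caught by AddressSanitizer.

```lua
-- Added example; not code from luzer, lua-MessagePack or Tarantool.
-- A deliberately minimal decoder for two MsgPack type families:
--   0x00..0x7f  positive fixint
--   0x90..0x9f  fixarray holding (byte - 0x90) elements
-- Every other byte is rejected through a structured error, so the fuzz
-- target can tell "malformed input, refused" from "the decoder fell over".

local MAX_DEPTH = 64  -- assumed limit; a real decoder picks its own

-- Raise a decode error as a table so pcall callers can recognise it.
local function decode_error(msg)
    error({ decode_error = msg }, 0)
end

-- decode(buf, pos, depth, limit_depth) -> value, next_pos
-- With limit_depth == false the decoder recurses once per nesting level
-- without any bound, which is the class of bug described above.
-- With limit_depth == true nesting beyond MAX_DEPTH is a handled refusal.
local function decode(buf, pos, depth, limit_depth)
    local b = buf:byte(pos)
    if b == nil then
        decode_error("truncated input at offset " .. pos)
    end
    if b <= 0x7f then
        return b, pos + 1
    end
    if b >= 0x90 and b <= 0x9f then
        if limit_depth and depth >= MAX_DEPTH then
            decode_error("array nesting deeper than " .. MAX_DEPTH)
        end
        local count = b - 0x90
        local arr = {}
        pos = pos + 1
        for i = 1, count do
            arr[i], pos = decode(buf, pos, depth + 1, limit_depth)
        end
        return arr, pos
    end
    decode_error(string.format("unsupported type byte 0x%02x", b))
end

-- Run the decoder and classify the outcome:
--   "ok"      a value was decoded
--   "reject"  the decoder refused the input via decode_error
-- Any other error (for example Lua's own "stack overflow") is re-raised,
-- so luzer records it as a failure instead of it being swallowed.
local function decode_or_raise(buf, limit_depth)
    local ok, res = pcall(decode, buf, 1, 0, limit_depth)
    if ok then
        return "ok", res
    elseif type(res) == "table" and res.decode_error then
        return "reject", res.decode_error
    end
    error(res, 0)
end

-- Constructed input: `levels` one-element arrays (0x91) wrapped around the
-- integer 0. A coverage-guided fuzzer converges on inputs like this by
-- itself, because each extra nesting level exercises a new stack depth.
local function nested_arrays(levels)
    return string.rep(string.char(0x91), levels) .. string.char(0x00)
end

-- Fuzz entry point in the shape luzer expects (assumed from its README):
-- it receives one mutated byte string per call.
local LIMIT_DEPTH = false  -- set to true to fuzz the hardened decoder

local function TestOneInput(buf)
    decode_or_raise(buf, LIMIT_DEPTH)
end

local have_luzer, luzer = pcall(require, "luzer")
if have_luzer then
    -- luzer.Fuzz(target, custom_mutator, libfuzzer_options) is assumed;
    -- max_len is raised so the mutator can build deep nesting.
    luzer.Fuzz(TestOneInput, nil, { max_len = 1024 * 1024 })
else
    -- Without luzer installed, replay the constructed crash input by hand.
    local input = nested_arrays(1000000)
    print("hardened :", decode_or_raise(input, true))
    print("unbounded:", pcall(decode_or_raise, input, false))
end
```

The wrapper separates the decoder's own structured refusals from everything else, so the fuzzer is not flooded with expected "unsupported type byte" errors but still sees the one that matters. When luzer is not installed the script falls back to replaying the constructed input directly: the hardened decoder returns a "reject" for nesting beyond the limit, while the unbounded one fails with Lua's "stack overflow" error.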
Within the lunapark project, the luzer toolkit is used to test a range of Lua-based software: the reference PUC-Rio Lua interpreter, the LuaJIT tracing compiler, the Tarantool high-performance DBMS and application server, and third-party Lua modules.
Maintainers of open-source projects can add their repositories for testing by preparing a fuzzing template and submitting it as a pull request. When an error is detected, the developers are notified automatically and a restricted-access ticket is opened in the bug tracker so that vulnerability details are not disclosed prematurely. OSS-Fuzz tracks the status of the fix and closes the ticket automatically once the issue is resolved. Details of the problem are made public 7 days after the fix, or 90 days after the error was found if it remains unfixed.