qemu-devel

Ramping up Continuous Fuzzing of Virtual Devices in QEMU


From: Alexander Bulekov
Subject: Ramping up Continuous Fuzzing of Virtual Devices in QEMU
Date: Thu, 22 Oct 2020 12:19:38 -0400

Hello,
QEMU was accepted into Google's oss-fuzz continuous-fuzzing platform [1]
earlier this year. The fuzzers currently running on oss-fuzz are based on my
2019 Google Summer of Code Project, which leveraged libfuzzer, qtest and libqos
to provide a framework for writing virtual-device fuzzers. At the moment, there
are a handful of fuzzers upstream and running on oss-fuzz (located in
tests/qtest/fuzz/). They fuzz only a few devices and serve mostly as
examples.

If everything goes well, soon a generic fuzzer [2] will land upstream, which
allows us to fuzz many configurations of QEMU, without any device-specific
code. To date, this fuzzer has led to ~50 bug reports on launchpad. Once the
generic-fuzzer lands upstream, OSS-Fuzz will automatically start fuzzing a
bunch [3] of fuzzer configurations, and it is likely to find bugs. Others will
also be able to send simple patches to add additional device configurations for
fuzzing.

The oss-fuzz process looks roughly like this:
    1. oss-fuzz fuzzes QEMU
    2. When oss-fuzz finds a bug, it reports it to a few [4] people that have
    access to reports and reproducers.
    3. If a fix is merged upstream, oss-fuzz will figure this out and mark the
    bug as fixed and make the report public 30 days later.
    4. After 90 days the bug (fixed or not) becomes public, so anyone can view
    it here https://bugs.chromium.org/p/oss-fuzz/issues/list

The oss-fuzz reports look like this:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23701&q=qemu&can=2

This means that when oss-fuzz finds new bugs, the relevant developers do not
know about them unless someone with access files a separate report to the
list/launchpad. So far this hasn't been a problem, since oss-fuzz has only been
running some small example fuzzers. Once [2] lands upstream, we should
see a significant uptick in oss-fuzz reports, and I hope that we can develop a
process to ensure these bugs are properly dealt with. One option we have is to
make the reports public immediately and send notifications to
qemu-devel. This is the approach taken by some other projects on
oss-fuzz, such as LLVM. Though it's not on oss-fuzz, bugs found by
syzkaller in the kernel are also automatically sent to a public list.
The question is:

What approach should we take for dealing with bugs found on oss-fuzz?

[1] https://github.com/google/oss-fuzz
[2] https://lists.gnu.org/archive/html/qemu-devel/2020-10/msg06331.html
[3] https://lists.gnu.org/archive/html/qemu-devel/2020-10/msg06345.html
[4] 
https://github.com/google/oss-fuzz/blob/fbf916ce14952ba192e58fe8550096b868fcf62d/projects/qemu/project.yaml#L4

For further reference, the vast majority of these bugs were found with the
generic-fuzzer:
https://bugs.launchpad.net/~a1xndr/+bugs

There are more that I haven't yet had time to write reports for.
Thank you
-Alex