Community post by Adam Korczynski, Ada Logics, and Jan Dubois, Lima maintainer
Lima, a CNCF sandbox project for launching virtual machines with automatic file sharing and port forwarding, recently completed a fuzzing audit. As part of the audit, Lima was integrated into Google's OSS-Fuzz project and gained fuzz coverage of various packages in the Lima code base. OSS-Fuzz is a service by Google that runs the fuzzers of critical open source projects continuously and with large amounts of compute power. OSS-Fuzz also handles the infrastructure for building the fuzzers against each integrated project's latest source tree; it reports crashes to maintainers and automatically marks them as fixed once it can no longer reproduce them. As a result, OSS-Fuzz will regularly build Lima's fuzzers against the latest source code and run them with substantial compute. If bugs make it into Lima's code base, either directly or through a dependency, OSS-Fuzz can catch them before they reach a release.
The build files for Lima's OSS-Fuzz integration and Lima's fuzz tests live in Lima's own repository, so that the project itself can manage the build and add new fuzz tests in the future.
Ada Logics, who carried out the audit, added fuzz coverage for multiple packages in Lima. The fuzzers found several issues in third-party libraries, including multiple crashes in the dependencies that handle YAML parsing. Coincidentally, these crashes sparked a discussion about why Lima imports three different libraries to process YAML. The fuzzers also found crashes in image conversion routines in the image processing library that Lima builds on.
Lima has opened a public tracker for the crashes found as a result of the audit here. In addition, Ada Logics has published a report about the audit, which can be found here.
With the completion of its fuzzing audit, Lima joins many other CNCF projects that have integrated fuzzing into their testing efforts and are integrated into OSS-Fuzz. Other notable projects are Kubernetes, containerd, Helm, Dapr, Envoy, Vitess and Linkerd. The CNCF has led the adoption of fuzzing across its ecosystem, and that effort has uncovered both bugs and vulnerabilities in sandbox and graduated projects.