I'm an active contributor in OSS Fuzz (https://github.com/google/oss-fuzz/graphs/contributors), I'm maintaining PUC Rio Lua and Tarantool integrations in OSS Fuzz for the last three years, and we found a lot of bugs in PUC Rio and LuaJIT, see trophies. We do fuzzing via Lua C API and also via Lua API and luzer help us with this. Lua is not popular language (see a position in ratings: TIOBE - 31 ¹, PYPL PopularitY of Programming Language - 19 ², IEEE Spectrum - 34 ³, "Fastest growing language" in 2022 ⁴, StackOverflow - 23), but Lua language quite often is embedded to C/C++ projects for programming business logic (see ⁵ and ⁶). Fuzzing these projects via Lua API will allow finding additional issues. Also, luzer can help with fuzzing native extensions like cmsgpack implemented in Lua C API, because fuzzing such extensions as a C code is not straightforward.

I'm creating this issue to discuss the details of adding Lua language support to OSS-Fuzz. The goal is to incorporate Lua support into OSS-Fuzz via luzer, a Lua fuzzer that has been developed by me. You can read about luzer in the blog post Introducing luzer, a coverage-guided Lua fuzzer.

Please note that we already use luzer locally:

• We do use it for fuzzing PUC Rio Lua and LuaJIT, see https://github.com/ligurio/lua-c-api-tests/tree/master/tests/lapi
• We do use it for fuzzing of Tarantool Lua API, see https://github.com/ligurio/tarantool-lua-api-tests

I will focus on those concerns below first, as the rest will be easier to discuss once we create a PR with the complete code.

Installing Lua

luzer requires at least version Lua 5.1, meaning we can use any version available in popular Linux distributives. As it stands, we are installing Lua library and headers and then Lua within it in the base-builder (it's also required later in the base-runner, so it needs to be copied there).

Does that sound acceptable to you?

Do you have any specific preferences?

Building a project

I'm seeking the most efficient method to transfer a project from the build environment to the execution environment, potentially necessitating a custom directory for building. If you have prior experience with this, I would appreciate your insights on its usage. Additionally, if you have suggestions on how to compile in the build location and relocate the project to the execution docker environment, I would like to hear them. This implementation will likely be similar to the Python + Atheris OSS-Fuzz language support, so I may draw inspiration from there.

Overall

If you’d like to have a more concrete discussion, I can finish a Proof of Concept and create a pull request so we will discuss implementation details while reviewing the current implementation. I would greatly value your feedback and expertise while we work on the final implementation - I believe the remainder of my implementation is fairly straightforward. If you have any general questions or suggestions, I'm more than happy to answer them.

References

• Ruby support:
  • Adding Ruby Support into OSS-Fuzz via Ruzzy #12034
  • Teach build infra about ruby #12153
  • [RFC] Introducing Ruby Support to OSS-Fuzz via Ruzzy #11967
• Javascript support, Support Fuzzing JavaScript with Jazzer.js #8324
• Python support:
  • [CIFuzz] Support for python? #5195
  • Fuzzing support for Python projects? #4121