Close to zero coverage in oss-fuzz

[phi-go]

Hey, I'm currently looking into projects that have low coverage in oss-fuzz. (You can find an overview of this project here: https://introspector.oss-fuzz.com/project-profile?project=tpm2-tss.)

This project seems to have close to zero covered lines. Running some fuzz targets manually it seems that there is just a configuration/environment error:

ERROR:test:test/integration/test-common.c:320:test_sys_setup() TCTI module not specified. Use environment variable: TPM20TEST_TCTI

example coverage report

I tried a little bit to fix this by setting: TPM20TEST_TCTI=libtpms but it seems I'm failing to install libpms correctly, which is probably just my missing familiarity with this project.

I'm happy to help but before spending more time I wanted to ask: Is this issue already known and should it be fixed? If yes, how would you want to approach the fix?

[phi-go]

Also it seems that the info on the main_repo might be outdated as that url is not used in the Dockerfile: https://github.com/google/oss-fuzz/blob/master/projects/tpm2-tss/project.yaml

[AndreasFuchsTPM]

Would love to help, but honestly I'm a bit lost here.
Yes, main_repo makes absolutely no sense to point to tsruk namespace, should be our namespace here.
This would also explain why libtpms is not working, since we only added it "recently".
Maybe we start by using this upstream repo here and then start fixing issues from there ?

[phi-go]

Hello @AndreasFuchsTPM, thank you for offering to help.

Yes, main_repo makes absolutely no sense to point to tsruk namespace, should be our namespace here.
This would also explain why libtpms is not working, since we only added it "recently".
Maybe we start by using this upstream repo here and then start fixing issues from there ?

The value for main_repo is only used for documentation / reference, not for the source of the code. So if I understand your suggestion correctly, I'm afraid it is not quite that easy. Just to get on the same page let me give some context. If you have some questions I'll try my best to answer.

OSS-Fuzz takes the Dockerfile and build.sh in this directory to build the executables and set up the container in which they are executed for the fuzzing process. It already clones this repo. The main question we need to answer is how to set up the environment correctly so that we actually meaningfully execute the code. This function is the fuzzer entry point that is executed (many times) during fuzzing. Currently it runs into the test_sys_setup function and then exits because of the error above.

What I tried to fix this error is to install libtpms as part of the Dockerfile and set the env variable as above. I thought libtpms would be a good fit as it is does not seem to require available hardware and should be quite performant as the state can be in-memory. To fuzz tpm2-tss, we want something performant that can meaningfully interact with most of tpm2-tss so that we can explore the behavior of the code. Do you think libtpms would be a good choice for that?

Next we would need to figure out how to correctly install and setup everything in the Dockerfile so that it can be used during fuzzing. I'm happy to share my current attempt if you think libtpms could work.