Support integration with luzer

[ligurio]

The patch enables using luzer for fuzzing Lua projects in OSS-Fuzz.

Usage:

sudo python infra/helper.py build_fuzzers lua-example
sudo python infra/helper.py check_build lua-example fuzz_basic
sudo python infra/helper.py run_fuzzer lua-example fuzz_basic

Closes #13782
Depends on ligurio/luzer#74

[github-actions]

ligurio is integrating a new project:
- Main repo: https://github.com/ligurio/luzer
- Criticality score: 0.23250

[ligurio]

@jonathanmetzman could you please review?

[jonathanmetzman]

I can take a look at this but to be honest we're concerned about the maintenance burden supporting Lua will impose and somewhat doubtful of the impact. Could you maybe help us with the latter? Is the electrical grid, or something else very important running on Lua?

[ligurio]

I can take a look at this but to be honest we're concerned about the maintenance burden supporting Lua will impose and somewhat doubtful of the impact.

Yeah, I remember this concern and took it into account when developing the patch. Hence, I avoid introducing the support for yet another language toolchain. Instead, my patch adds a wrapper generator for Lua tests and modifies the code to run these wrappers. The runtime itself will be compiled by the project. The patch with implementation is about 70 LOC, other changes is an example and documentation. I also want to say that I want to make this contribution on my own behalf, not on behalf of any company, so I'll be here; I won't run away immediately after the merge :)

Could you maybe help us with the latter?

There are two main scenarios for using Lua:

• First one is projects, where Lua is used as a standalone programming language. In this scenario, of course, you'd also want to test applications using fuzzing, but I agree with you, the impact is doubtful. Moreover, there are not so much projects written in Lua (but they exist: Kong API Gateway ¹, Prosody IM ², etc.).
• The second one scenario is projects, where Lua is embedded into C/C++ applications with C extensions, and I'm most concerned about this one, because there's a high risk of presence of the issues specific for C/C++. Testing Lua's API with LibFuzzer/AFL isn't very practical, so I suggest integrating a specialized fuzzing engine for Lua API. Like you did with Atheris, that supports fuzzing of native extensions written for CPython.

Is the electrical grid, or something else very important running on Lua?

Physicists at CERN use LuaJIT (the Just-In-Time compiler) for computing physics accelerator beams ³⁴.

Network infrastructure (applications and known Lua-related CVE's):

• Cloudflare uses Lua for programming LuaJIT-based WAF, latest outage was happen due to untested the second branch in a Lua condition ⁵⁶
• PowerDNS, CVE-2019-3806 ⁷⁸
• OpenResty (web platform based on NGINX and LuaJIT): CVE-2024-33452, CVE-2024-39702, CVE-2024-25178, CVE-2020-36309, CVE-2020-11724, CVE-2022-24834
• Redis: CVE-2025-49844 (RCE) ⁹, CVE-2025-46817 (RCE), CVE-2025-46818 (privilege escalation)
• HAProxy (HAProxy is used by a number of high-profile websites including GoDaddy, GitHub, Bitbucket, Stack Overflow, Reddit, Slack, Speedtest.net, Tumblr, Twitter and Tuenti and is used in the OpsWorks product from Amazon Web Services.)
• VoIP: FreeSWITCH and Asterisk ¹⁰
• Snort (IDS/IPS): CVE-2013-4863 / CVE-2016-6255, CVE-2024-20359, CVE-2023-20198
• Suricata (IDS/IPS): CVE-2025-64344 ¹¹
• Cisco (Cisco IOS SSL VPN ¹²): CVE-2025-41688
• NetBSD embedded Lua into the kernel (lua.4 ¹³, Scriptable Operating Systems with Lua ¹⁴)

Industrial cases:

• Volvo (Volvo cars like the V40 Cross Country embed Lua in their combined instrument panel)
• Fairino Robots ¹⁵, ¹⁶
• Automation using NodeMCU (This open-source hardware platform allows users to run Lua directly on the ESP8266 Wi-Fi chip.)
• Schneider Electric (SpaceLogic Room Controllers) ¹⁷, ¹⁸
• Samsung SmartThings ¹⁹

Footnotes

1. https://github.com/Kong/kong ↩

2. https://github.com/bjc/prosody/tree/master ↩

3. https://indico.cern.ch/event/487416/contributions/2174904/ ↩

4. https://videos.cern.ch/record/3016478 ↩

5. https://blog.cloudflare.com/5-december-2025-outage/ ↩

6. https://blog.cloudflare.com/tag/lua/ ↩

7. https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html ↩

8. https://doc.powerdns.com/recursor/lua-scripting/index.html ↩

9. https://redis.io/blog/security-advisory-cve-2025-49844/ ↩

10. https://developer.signalwire.com/freeswitch/FreeSWITCH-Explained/Databases/Lua-FreeSWITCH-Dbh_3965358/ ↩

11. https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx ↩

12. https://www.cisco.com/c/en/us/support/docs/security/ios-ssl-vpn/224470-configure-lua-script-for-dap.html ↩

13. https://man.netbsd.org/lua.4 ↩

14. https://netbsd.org/~lneto/dls14.pdf ↩

15. https://www.fairino.be/tips/hands-on-with-lua-programming-fairino-cobots-made-simple ↩

16. https://fairino-doc-en.readthedocs.io/latest/LuaProgram/lua_intro.html ↩

17. https://www.se.com/uk/en/download/document/AN046/ ↩

18. https://www.se.com/ca/en/download/document/028-6163/ ↩

19. https://developer.smartthings.com/docs/devices/hub-connected/first-lua-driver ↩

[jonathanmetzman]

nit: Just do 2025

[ligurio]

Fixed:

--- a/projects/lua-example/build.sh
+++ b/projects/lua-example/build.sh
@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# Copyright 2023-2025 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

[jonathanmetzman]

Needs a license header

[ligurio]

Fixed:

--- a/projects/lua-example/example_basic.lua
+++ b/projects/lua-example/example_basic.lua
@@ -1,3 +1,19 @@
+-- Copyright 2023-2025 Google LLC
+
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the
+-- License.
+-- You may obtain a copy of the License at
+
+--      http://www.apache.org/licenses/LICENSE-2.0
+
+-- Unless required by applicable law or agreed to in writing,
+-- software distributed under the License is distributed on an
+-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+-- either express or implied.
+-- See the License for the specific language governing permissions
+-- and limitations under the License.
+
 local luzer = require("luzer")
 
 local function TestOneInput(buf)

[ligurio]

@jonathanmetzman The OSS Fuzz environment has some differences ¹ in comparison to usual Linux environment (for example, a name of sanitizers libraries and libclang_rt.fuzzer_no_main). What is a proper way to detect OSS Fuzz environment? There is no env like OSS_FUZZ among other env variables ².

Footnotes

1. https://github.com/ligurio/luzer/pull/74 ↩

2. https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/README.md#provided-environment-variables ↩

[jonathanmetzman]

Feel free to add one to base-images/base

[evverx]

I wonder if it would make sense to define OSS_FUZZ everywhere? Currently it's necessary to do weird things like avahi/avahi@c01a63b to make scripts work in various environments including OSS-Fuzz. With OSS_FUZZ it should be possible to add if properly and take the OSS-Fuzz differences into account.

[ligurio]

@jonathanmetzman this file will be used in every project for building wrappers for Lua tests. Where should we place it: in infra/base-images/base-builder/ (with other compile_*_fuzzer scripts), or in the project dirs (there will be some code duplication)?

[jonathanmetzman]

I'm going to double check that others internally don't think this is a bad idea before proceeding.

[jonathanmetzman]

Just 2025 for copyright.

[ligurio]

Fixed:

--- a/projects/lua-example/example_basic.lua
+++ b/projects/lua-example/example_basic.lua
@@ -1,12 +1,12 @@
--- Copyright 2023-2025 Google LLC
+-- Copyright 2025 Google LLC
 
 -- Licensed under the Apache License, Version 2.0 (the "License");
 -- you may not use this file except in compliance with the
 -- License.

[jonathanmetzman]

/gcbrun trial_build.py lua

[ligurio]

I'm going to double check that others internally don't think this is a bad idea before proceeding.

@jonathanmetzman is there any decision to this?

[jonathanmetzman]

We'll accept it.
/gcbrun trial_build.py lua

[jonathanmetzman]

/gcbrun trial_build.py lua

[jonathanmetzman]

The partial support we have here (you may need to hunt down more places in infra/) breaks CI. Do you think we can pretend these are C projects or would you rather do more thorough support (I think the later makes sense).
There's another issue where we may not be able to test the lua runtime in CI after this change because it has the name "lua" which is expanded to all the lua projects.

[ligurio]

The partial support we have here (you may need to hunt down more places in infra/) breaks CI.

I looked at the logs ¹² to figure out the cause, but it looks like the problem is the lack of Docker-image:

Step #7: Using default tag: latest
Step #15: Error response from daemon: manifest for gcr.io/oss-fuzz-base/base-builder-rust-testing-ubuntu-24-04-ligurio-gh-13782-enable-support-lua-luzer:latest not found: manifest unknown: Failed to fetch "latest"
Step #17: Error response from daemon: manifest for gcr.io/oss-fuzz-base/base-runner-testing-ubuntu-24-04-ligurio-gh-13782-enable-support-lua-luzer:latest not found: manifest unknown: Failed to fetch "latest"
Step #7: Error response from daemon: manifest for gcr.io/oss-fuzz-base/base-builder-jvm-testing-ubuntu-24-04-ligurio-gh-13782-enable-support-lua-luzer:latest not found: manifest unknown: Failed to fetch "latest"

Can you tell me where to look?

Do you think we can pretend these are C projects or would you rather do more thorough support (I think the later makes sense).
There's another issue where we may not be able to test the lua runtime in CI after this change because it has the name "lua" which is expanded to all the lua projects.

Let me explain how I see Lua integration to OSS Fuzz. With luzer, you can test both code written in plain Lua and native Lua extensions (that is, those implemented in C, for example lua-cmsgpack ³ or modules built into Lua runtimes). For native extensions written in C/C++, it's better to use the "C" name, because this is essentially a regular C project, and code coverage support and Fuzz Introspector analysis are already implemented for this language in OSS Fuzz. For extensions written in Lua, it's better to use a separate name, "lua." Without a separate category ("lua"), it will be difficult to implement coverage and Fuzz Introspector support for Lua in the future. What do you think?

OSS Fuzz already have two C projects with native Lua extensions: tarantool and lua. For both, there are WIP pull requests:
#14656 and #14610 and both depends on this PR.

Technically for both cases the requirements to infra are similar:

• Have installed luarocks in runner image, it will set a proper LUA_PATH and LUA_CPATH before fuzzing
• Fixes in bad_build_check

Other things can be done on the side of the projects: create a wrapper script compile_lua_fuzzer, install Lua dependencies and luzer itself to a separate directory, create test wrappers using compile_lua_fuzzer.

Footnotes

1. https://github.com/google/oss-fuzz/pull/13929/checks?check_run_id=59481661602 ↩

2. https://oss-fuzz-gcb-logs.storage.googleapis.com/log-4e23c0f0-58d0-4a2c-aff9-ff57de744b40.txt ↩

3. https://github.com/antirez/lua-cmsgpack ↩

[ligurio]

@jonathanmetzman kind reminder

[jonathanmetzman]

Can you remove the use of lua as a language so that it piggybacks off of base-builder? I don't want our devs to think they need to maintain this so I'd rather the support remain a bit hacky.

[ligurio]

@jonathanmetzman thanks for the help!

[jonathanmetzman]

I actually want to test everything since we modified the base builders: #14808

[ligurio]

I'm here if something will go bad and help will be required.

[ligurio]

@jonathanmetzman Sorry for bothering. For unknown reasons, Lua tests cannot start (see full log https://github.com/tarantool/tarantool/actions/runs/21443723445/job/61753664347#step:5:451) when execution is triggered by Github Action:

2026-01-28 15:28:08,985 - root - INFO - Starting fuzzing
2026-01-28 15:28:09,404 - root - INFO - Fuzzer: table_sort_test. Detected bug.
Fuzzing logs:
/github/workspace/build-out/table_sort_test.lua:14: module 'luzer' not found:
	no field package.preload['luzer']
	no file '/github/workspace/override/luzer.lua'
	no file '/github/workspace/override/luzer/init.lua'
	no file '/github/workspace/build-out/override/luzer.lua'
	no file '/github/workspace/build-out/override/luzer/init.lua'
	no file '/github/workspace/override/luzer.so'
	no file '/github/workspace/build-out/override/luzer.so'
	no file '/github/workspace/.rocks/share/tarantool/override/luzer.lua'
	no file '/github/workspace/.rocks/share/tarantool/override/luzer/init.lua'
	no file '/github/.rocks/share/tarantool/override/luzer.lua'
	no file '/github/.rocks/share/tarantool/override/luzer/init.lua'
	no file '/.rocks/share/tarantool/override/luzer.lua'
	no file '/.rocks/share/tarantool/override/luzer/init.lua'
	no file '/github/workspace/build-out/.rocks/share/tarantool/override/luzer.lua'
	no file '/github/workspace/build-out/.rocks/share/tarantool/override/luzer/init.lua'
	no file '/github/workspace/.rocks/lib/tarantool/override/luzer.so'
	no file '/github/.rocks/lib/tarantool/override/luzer.so'
	no file '/.rocks/lib/tarantool/override/luzer.so'
	no file '/github/workspace/build-out/.rocks/lib/tarantool/override/luzer.so'
	no file '/github/workspace/lua_modules/share/lua/5.1/override/luzer.lua'
	no file '/github/workspace/lua_modules/share/lua/5.1/override/luzer/init.lua'
	no file '/github/home/.luarocks/share/lua/5.1/override/luzer.lua'
	no file '/github/home/.luarocks/share/lua/5.1/override/luzer/init.lua'
	no file '/usr/local/share/lua/5.1/override/luzer.lua'
	no file '/usr/local/share/lua/5.1/override/luzer/init.lua'
	no file './override/luzer.lua'
	no file '/usr/local/lib/lua/5.1/override/luzer.lua'
	no file '/usr/local/lib/lua/5.1/override/luzer/init.lua'
	no file '/usr/share/lua/5.1/override/luzer.lua'
	no file '/usr/share/lua/5.1/override/luzer/init.lua'
	no file '/github/workspace/lua_modules/lib/lua/5.1/override/luzer.so'
	no file '/github/home/.luarocks/lib/lua/5.1/override/luzer.so'
	no file '/usr/local/lib/lua/5.1/override/luzer.so'
	no file './override/luzer.so'
	no file '/usr/lib/x86_64-linux-gnu/lua/5.1/override/luzer.so'
	no file '/usr/lib/lua/5.1/override/luzer.so'
	no file '/usr/local/lib/lua/5.1/loadall.so'
	no field loaders.builtin['luzer']
	no file '/github/workspace/luzer.lua'
	no file '/github/workspace/luzer/init.lua'
	no file '/github/workspace/build-out/luzer.lua'
	no file '/github/workspace/build-out/luzer/init.lua'
	no file '/github/workspace/luzer.so'
	no file '/github/workspace/build-out/luzer.so'
	no file '/github/workspace/.rocks/share/tarantool/luzer.lua'
	no file '/github/workspace/.rocks/share/tarantool/luzer/init.lua'
	no file '/github/.rocks/share/tarantool/luzer.lua'
	no file '/github/.rocks/share/tarantool/luzer/init.lua'
	no file '/.rocks/share/tarantool/luzer.lua'
	no file '/.rocks/share/tarantool/luzer/init.lua'
	no file '/github/workspace/build-out/.rocks/share/tarantool/luzer.lua'
	no file '/github/workspace/build-out/.rocks/share/tarantool/luzer/init.lua'
	no file '/github/workspace/.rocks/lib/tarantool/luzer.so'
	no file '/github/.rocks/lib/tarantool/luzer.so'
	no file '/.rocks/lib/tarantool/luzer.so'
	no file '/github/workspace/build-out/.rocks/lib/tarantool/luzer.so'
	no file '/github/workspace/lua_modules/share/lua/5.1/luzer.lua'
	no file '/github/workspace/lua_modules/share/lua/5.1/luzer/init.lua'
	no file '/github/home/.luarocks/share/lua/5.1/luzer.lua'
	no file '/github/home/.luarocks/share/lua/5.1/luzer/init.lua'
	no file '/usr/local/share/lua/5.1/luzer.lua'
	no file '/usr/local/share/lua/5.1/luzer/init.lua'
	no file './luzer.lua'
	no file '/usr/local/lib/lua/5.1/luzer.lua'
	no file '/usr/local/lib/lua/5.1/luzer/init.lua'
	no file '/usr/share/lua/5.1/luzer.lua'
	no file '/usr/share/lua/5.1/luzer/init.lua'
	no file '/github/workspace/lua_modules/lib/lua/5.1/luzer.so'
	no file '/github/home/.luarocks/lib/lua/5.1/luzer.so'
	no file '/usr/local/lib/lua/5.1/luzer.so'
	no file './luzer.so'
	no file '/usr/lib/x86_64-linux-gnu/lua/5.1/luzer.so'
	no file '/usr/lib/lua/5.1/luzer.so'
	no file '/usr/local/lib/lua/5.1/loadall.so'
	no file '/github/workspace/lua_modules/lib/lua/5.1/luzer.so'
	no file '/github/home/.luarocks/lib/lua/5.1/luzer.so'
	no file '/usr/local/lib/lua/5.1/luzer.so'
	no file './luzer.so'
	no file '/usr/lib/x86_64-linux-gnu/lua/5.1/luzer.so'
	no file '/usr/lib/lua/5.1/luzer.so'
	no file '/usr/local/lib/lua/5.1/loadall.so' {"type":"LuajitError","trace":[{"file":"src/lua/utils.c","line":700}]}
fatal error, exiting the event loop

Before the start the command eval \$(luarocks --lua-version 5.1 --tree lua_modules path) ¹ should be executed for setting LUA_PATH and LUA_CPATH, but seems it is failed.

I suspect it is because luarocks is not available inside the container. But I don't know how it can be possible, you added luarocks in commit google/clusterfuzz@f7aa481.

Moreover, the problem cannot be reproduced locally. Any ideas why it could be?

Footnotes

1. https://github.com/google/oss-fuzz/blob/f7a32e792e47372ced282f7be5d0ae4d706f1f81/projects/tarantool/compile_lua_fuzzer#L32 ↩

[jonathanmetzman]

Weird. Note that this is not the image that is used in ClusterFuzz.
I think you need to do some docker inheritance exploration to debug this. the actions images inherit from gcr.io/oss-fuzz-base/cifuzz-base (that dockrfile is in a subdir of infra/cifuzz). I guess I would see if any of the relevant docker images are missing this package.

[jonathanmetzman]

The fuzzers in cifuzz are run in cifuzz-run-fuzzers but this descends from cifuzz-base which descends from base-runner so things should be working.
Also note by hitting the docker URL for an image in your browser you can see the push history

[ligurio]

Thanks for the answer! I suppose the problem is found - in cifuzz tests are executed not in the same directory where tests are located. I've used relative path instead absolute path to a directory with Lua modules in the compile_lua_fuzzer and LUA_PATH/LUA_CPATH were constructed incorrectly. I've addressed this issue in #14834.