mirror of
https://github.com/capstone-engine/llvm-capstone.git
synced 2024-11-25 06:40:18 +00:00
[libFuzzer] Unpoison parameters before calling user callback.
Summary: Fixes an MSan false positive when compiling with -fsanitize=memory,fuzzer. See https://github.com/google/oss-fuzz/issues/2369 for more details. Reviewers: kcc Reviewed By: kcc Subscribers: llvm-commits, metzman, eugenis Tags: #llvm Differential Revision: https://reviews.llvm.org/D61753 llvm-svn: 360390
This commit is contained in:
parent
992021335c
commit
3478494c1f
@ -46,3 +46,4 @@ EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false);
|
||||
EXT_FUNC(__msan_scoped_disable_interceptor_checks, void, (), false);
|
||||
EXT_FUNC(__msan_scoped_enable_interceptor_checks, void, (), false);
|
||||
EXT_FUNC(__msan_unpoison, void, (const volatile void *, size_t size), false);
|
||||
EXT_FUNC(__msan_unpoison_param, void, (size_t n), false);
|
||||
|
@ -542,6 +542,8 @@ void Fuzzer::ExecuteCallback(const uint8_t *Data, size_t Size) {
|
||||
memcpy(DataCopy, Data, Size);
|
||||
if (EF->__msan_unpoison)
|
||||
EF->__msan_unpoison(DataCopy, Size);
|
||||
if (EF->__msan_unpoison_param)
|
||||
EF->__msan_unpoison_param(2);
|
||||
if (CurrentUnitData && CurrentUnitData != Data)
|
||||
memcpy(CurrentUnitData, Data, Size);
|
||||
CurrentUnitSize = Size;
|
||||
|
28
compiler-rt/test/fuzzer/MsanParamUnpoison.cpp
Normal file
28
compiler-rt/test/fuzzer/MsanParamUnpoison.cpp
Normal file
@ -0,0 +1,28 @@
|
||||
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
||||
// See https://llvm.org/LICENSE.txt for license information.
|
||||
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
||||
|
||||
// Triggers the bug described here:
|
||||
// https://github.com/google/oss-fuzz/issues/2369#issuecomment-490240627
|
||||
//
|
||||
// In a nutshell, MSan's parameter shadow does not get unpoisoned before calls
|
||||
// to LLVMFuzzerTestOneInput. This test case causes the parameter shadow to be
|
||||
// poisoned by the call to foo(), which will trigger an MSan false positive on
|
||||
// the Size == 0 check if the parameter shadow is still poisoned.
|
||||
#include <cstdint>
|
||||
#include <cstdio>
|
||||
#include <cstdlib>
|
||||
#include <cstring>
|
||||
|
||||
volatile int zero = 0;
|
||||
__attribute__((noinline)) int foo(int arg1, int arg2) { return zero; }
|
||||
|
||||
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
if (Size == 0)
|
||||
return 0;
|
||||
|
||||
// Pass uninitialized values to foo(). Since foo doesn't do anything with
|
||||
// them, MSan should not report an error here.
|
||||
int a, b;
|
||||
return foo(a, b);
|
||||
}
|
5
compiler-rt/test/fuzzer/msan-param-unpoison.test
Normal file
5
compiler-rt/test/fuzzer/msan-param-unpoison.test
Normal file
@ -0,0 +1,5 @@
|
||||
REQUIRES: msan
|
||||
RUN: %msan_compiler %S/MsanParamUnpoison.cpp -o %t
|
||||
RUN: %run %t -seed=1 -runs=1000 2>&1 | FileCheck %s
|
||||
|
||||
CHECK-NOT: MemorySanitizer: use-of-uninitialized-value
|
Loading…
Reference in New Issue
Block a user