RPCSX/llvm
1
0
Fork 0
mirror of https://github.com/RPCSX/llvm.git synced 2024-12-02 16:56:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

[libFuzzer] fix the strncmp interceptor -- it should respect short strings.

Browse Source 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@243691 91177308-0d34-0410-b5e6-96231b3b80d8
This commit is contained in:
Kostya Serebryany 2015-07-30 21:22:22 +00:00
parent f4745ecbb4
commit dd6dcb6cee
3 changed files with 31 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
lib/Fuzzer/FuzzerTraceState.cpp
View File

@ -366,6 +366,12 @@ void Fuzzer::InitializeTraceState() {
}
}
static size_t InternalStrnlen(const char *S, size_t MaxLen) {
size_t Len = 0;
for (; Len < MaxLen && S[Len]; Len++) {}
return Len;
}
} // namespace fuzzer
using fuzzer::TS;
@ -399,7 +405,17 @@ void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
void dfsan_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2,
size_t n, dfsan_label s1_label,
dfsan_label s2_label, dfsan_label n_label) {
dfsan_weak_hook_memcmp(caller_pc, s1, s2, n, s1_label, s2_label, n_label);
if (!TS) return;
uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
uint64_t S1 = 0, S2 = 0;
n = std::min(n, fuzzer::InternalStrnlen(s1, n));
n = std::min(n, fuzzer::InternalStrnlen(s2, n));
// Simplification: handle only first 8 bytes.
memcpy(&S1, s1, std::min(n, sizeof(S1)));
memcpy(&S2, s2, std::min(n, sizeof(S2)));
dfsan_label L1 = dfsan_read_label(s1, n);
dfsan_label L2 = dfsan_read_label(s2, n);
TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
}
void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
@ -415,7 +431,15 @@ void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
const char *s2, size_t n) {
__sanitizer_weak_hook_memcmp(caller_pc, s1, s2, n);
if (!TS) return;
uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
uint64_t S1 = 0, S2 = 0;
n = std::min(n, fuzzer::InternalStrnlen(s1, n));
n = std::min(n, fuzzer::InternalStrnlen(s2, n));
// Simplification: handle only first 8 bytes.
memcpy(&S1, s1, std::min(n, sizeof(S1)));
memcpy(&S2, s2, std::min(n, sizeof(S2)));
TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
}
void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,

4
lib/Fuzzer/test/StrncmpTest.cpp
View File

@ -4,9 +4,13 @@
#include <cstdio>
#include <cstdlib>
static volatile int sink;
extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
// TODO: check other sizes.
char *S = (char*)Data;
if (Size >= 8 && strncmp(S, "123", 8))
sink = 1;
if (Size >= 8 && strncmp(S, "01234567", 8) == 0) {
if (Size >= 12 && strncmp(S + 8, "ABCD", 4) == 0) {
if (Size >= 14 && strncmp(S + 12, "XY", 2) == 0) {

2
lib/Fuzzer/test/fuzzer-dfsan.test
View File

@ -7,5 +7,5 @@ RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -
RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback
RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s
RUN: LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback