[llvm-bugs] [Bug 31318] New: libFuzzer buffer overrun in Fuzzer::RecordMaxCoverage()
via llvm-bugs
llvm-bugs at lists.llvm.org
Thu Dec 8 11:45:33 PST 2016
https://llvm.org/bugs/show_bug.cgi?id=31318
Bug ID: 31318
Summary: libFuzzer buffer overrun in Fuzzer::RecordMaxCoverage()
Product: new-bugs
Version: trunk
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: ttaubert at mozilla.com
CC: llvm-bugs at lists.llvm.org
Classification: Unclassified
Created attachment 17741
--> https://llvm.org/bugs/attachment.cgi?id=17741&action=edit
Possible patch to properly resize C->CounterBitmap
I've been running into weird fuzzer behavior until I realized that libFuzzer
itself is overriding the fuzzing corpora held in memory.
From FuzzerLoop.cpp:102:

    EF->__sanitizer_update_counter_bitset_and_clear_counters(
        C->CounterBitmap.data());

C->CounterBitmap.size() is smaller than the number returned by
EF->__sanitizer_get_number_of_counters().
A possible fix that seems to work well for us is attached. In
Fuzzer::ShuffleAndMinimize(), calling PrepareCounters() after
ExecuteCallback(&dummy, 0) resizes C->CounterBitmap to the appropriate size.
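The sizing defect the report describes, shown in a self-contained C++ model. This is added example code, not libFuzzer's or the sanitizer runtime's own code: CounterSource, UpdateBitsetAndClearCounters, UpdateCoverageChecked and SimulateOverrun are hypothetical stand-ins, and the assumed contract (one bitmap byte per counter, written without any length argument) is a simplification. It shows the fix from the report (size the bitmap from the counter count before the update call), a checked wrapper that refuses an undersized bitmap instead of overrunning it, and a reproduction of the symptom inside one array, where a too-small bitmap region is followed by a "corpus" region that gets clobbered.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Hypothetical stand-in for the counter hook the report passes
// C->CounterBitmap.data() to. Assumed contract (a simplification, not the
// sanitizer's real implementation): one bitmap byte per counter, so the
// caller must hand over at least NumberOfCounters() bytes.
struct CounterSource {
    std::vector<uint32_t> counters;  // simulated per-edge hit counters

    size_t NumberOfCounters() const { return counters.size(); }

    // Bucket each counter's value into bits, OR the bucket into the bitmap,
    // then clear the counter. Writes exactly counters.size() bytes.
    void UpdateBitsetAndClearCounters(uint8_t *bitset) {
        for (size_t i = 0; i < counters.size(); ++i) {
            uint32_t v = counters[i];
            uint8_t bucket = 0;
            if (v >= 1) bucket |= 1;
            if (v >= 2) bucket |= 2;
            if (v >= 4) bucket |= 4;
            if (v >= 8) bucket |= 8;
            bitset[i] |= bucket;
            counters[i] = 0;
        }
    }
};

// Minimal model of the Coverage struct's bitmap member from the report.
struct Coverage {
    std::vector<uint8_t> CounterBitmap;
};

// The fix the report describes: size the bitmap from the counter source
// before any update call. Returns the resulting bitmap size.
size_t PrepareCounters(Coverage &C, const CounterSource &src) {
    C.CounterBitmap.resize(src.NumberOfCounters());
    return C.CounterBitmap.size();
}

// Defensive wrapper: refuse the call, rather than overrun, when the bitmap
// is smaller than the number of counters. Returns false if it refused.
bool UpdateCoverageChecked(Coverage &C, CounterSource &src) {
    if (C.CounterBitmap.size() < src.NumberOfCounters())
        return false;
    src.UpdateBitsetAndClearCounters(C.CounterBitmap.data());
    return true;
}

// Reproduce the symptom without undefined behaviour: lay a too-small
// "bitmap" region and a "corpus" region side by side in one array, run the
// unchecked update, and count corpus bytes that were clobbered.
size_t SimulateOverrun(size_t numCounters, size_t bitmapSize) {
    CounterSource src;
    src.counters.assign(numCounters, 1);            // every counter hit once
    std::vector<uint8_t> arena(bitmapSize + numCounters, 0);
    src.UpdateBitsetAndClearCounters(arena.data()); // writes numCounters bytes
    size_t clobbered = 0;
    for (size_t i = bitmapSize; i < arena.size(); ++i)
        if (arena[i] != 0) ++clobbered;
    return clobbered;
}

int main() {
    CounterSource src;
    src.counters = {1, 3, 0, 7, 1, 1};
    Coverage C;
    std::cout << "unsized bitmap accepted: " << UpdateCoverageChecked(C, src) << "\n";
    std::cout << "bitmap size after PrepareCounters: " << PrepareCounters(C, src) << "\n";
    std::cout << "sized bitmap accepted: " << UpdateCoverageChecked(C, src) << "\n";
    std::cout << "corpus bytes clobbered with 4-byte bitmap for 6 counters: "
              << SimulateOverrun(6, 4) << "\n";
    return 0;
}
```

The checked wrapper is the cheap guard to keep around even after the resize is in place: any caller that reaches the update with a stale or empty bitmap fails loudly instead of silently corrupting whatever the allocator placed after it, which is exactly the kind of heap neighbour (the in-memory corpora) the report saw damaged.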