[llvm] r243691 - [libFuzzer] fix the strncmp interceptor -- it should respect short strings.

Kostya Serebryany kcc at google.com
Thu Jul 30 14:22:22 PDT 2015


Author: kcc
Date: Thu Jul 30 16:22:22 2015
New Revision: 243691

URL: http://llvm.org/viewvc/llvm-project?rev=243691&view=rev
Log:
[libFuzzer] fix the strncmp interceptor -- it should respect short strings. 

Modified:
    llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
    llvm/trunk/lib/Fuzzer/test/StrncmpTest.cpp
    llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test

Modified: llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp?rev=243691&r1=243690&r2=243691&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp Thu Jul 30 16:22:22 2015
@@ -366,6 +366,12 @@ void Fuzzer::InitializeTraceState() {
   }
 }
 
+static size_t InternalStrnlen(const char *S, size_t MaxLen) {
+  size_t Len = 0;
+  for (; Len < MaxLen && S[Len]; Len++) {}
+  return Len;
+}
+
 }  // namespace fuzzer
 
 using fuzzer::TS;
@@ -399,7 +405,17 @@ void dfsan_weak_hook_memcmp(void *caller
 void dfsan_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2,
                              size_t n, dfsan_label s1_label,
                              dfsan_label s2_label, dfsan_label n_label) {
-  dfsan_weak_hook_memcmp(caller_pc, s1, s2, n, s1_label, s2_label, n_label);
+  if (!TS) return;
+  uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
+  uint64_t S1 = 0, S2 = 0;
+  n = std::min(n, fuzzer::InternalStrnlen(s1, n));
+  n = std::min(n, fuzzer::InternalStrnlen(s2, n));
+  // Simplification: handle only first 8 bytes.
+  memcpy(&S1, s1, std::min(n, sizeof(S1)));
+  memcpy(&S2, s2, std::min(n, sizeof(S2)));
+  dfsan_label L1 = dfsan_read_label(s1, n);
+  dfsan_label L2 = dfsan_read_label(s2, n);
+  TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
 }
 
 void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
@@ -415,7 +431,15 @@ void __sanitizer_weak_hook_memcmp(void *
 
 void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
                                    const char *s2, size_t n) {
-  __sanitizer_weak_hook_memcmp(caller_pc, s1, s2, n);
+  if (!TS) return;
+  uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
+  uint64_t S1 = 0, S2 = 0;
+  n = std::min(n, fuzzer::InternalStrnlen(s1, n));
+  n = std::min(n, fuzzer::InternalStrnlen(s2, n));
+  // Simplification: handle only first 8 bytes.
+  memcpy(&S1, s1, std::min(n, sizeof(S1)));
+  memcpy(&S2, s2, std::min(n, sizeof(S2)));
+  TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
 }
 
 void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,

Modified: llvm/trunk/lib/Fuzzer/test/StrncmpTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/StrncmpTest.cpp?rev=243691&r1=243690&r2=243691&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/StrncmpTest.cpp (original)
+++ llvm/trunk/lib/Fuzzer/test/StrncmpTest.cpp Thu Jul 30 16:22:22 2015
@@ -4,9 +4,13 @@
 #include <cstdio>
 #include <cstdlib>
 
+static volatile int sink;
+
 extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
   // TODO: check other sizes.
   char *S = (char*)Data;
+  if (Size >= 8 && strncmp(S, "123", 8))
+    sink = 1;
   if (Size >= 8 && strncmp(S, "01234567", 8) == 0) {
     if (Size >= 12 && strncmp(S + 8, "ABCD", 4) == 0) {
       if (Size >= 14 && strncmp(S + 12, "XY", 2) == 0) {

Modified: llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test?rev=243691&r1=243690&r2=243691&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test Thu Jul 30 16:22:22 2015
@@ -7,5 +7,5 @@ RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use
 RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
 
-RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
+RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback





More information about the llvm-commits mailing list