[llvm] r283675 - [libFuzzer] fix use-after-free in libFuzzer found by ... fuzzing.
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Mon Oct 10 11:37:26 PDT 2016
No. :(
I want to avoid introducing new STL into this code since STL causes
parasitic coverage in the process.
(libFuzzer's code is ont instrumented for coverage, but the STL code it
uses *is* instrumented).
In fact, I will probably be removing some of the STL...
--kcc
On Mon, Oct 10, 2016 at 11:30 AM, David Blaikie <dblaikie at gmail.com> wrote:
> Any chance of using unique_ptr here?
>
> On Sat, Oct 8, 2016 at 3:06 PM Kostya Serebryany via llvm-commits <
> llvm-commits at lists.llvm.org> wrote:
>
>> Author: kcc
>> Date: Sat Oct 8 16:57:48 2016
>> New Revision: 283675
>>
>> URL: http://llvm.org/viewvc/llvm-project?rev=283675&view=rev
>> Log:
>> [libFuzzer] fix use-after-free in libFuzzer found by ... fuzzing.
>>
>> Modified:
>> llvm/trunk/lib/Fuzzer/FuzzerCorpus.h
>>
>> Modified: llvm/trunk/lib/Fuzzer/FuzzerCorpus.h
>> URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/
>> FuzzerCorpus.h?rev=283675&r1=283674&r2=283675&view=diff
>> ============================================================
>> ==================
>> --- llvm/trunk/lib/Fuzzer/FuzzerCorpus.h (original)
>> +++ llvm/trunk/lib/Fuzzer/FuzzerCorpus.h Sat Oct 8 16:57:48 2016
>> @@ -36,25 +36,28 @@ class InputCorpus {
>> public:
>> static const size_t kFeatureSetSize = 1 << 16;
>> InputCorpus() {
>> - Inputs.reserve(1 << 14); // Avoid too many resizes.
>> memset(InputSizesPerFeature, 0, sizeof(InputSizesPerFeature));
>> memset(SmallestElementPerFeature, 0, sizeof(
>> SmallestElementPerFeature));
>> }
>> + ~InputCorpus() {
>> + for (auto II : Inputs)
>> + delete II;
>> + }
>> size_t size() const { return Inputs.size(); }
>> size_t SizeInBytes() const {
>> size_t Res = 0;
>> - for (auto &II : Inputs)
>> - Res += II.U.size();
>> + for (auto II : Inputs)
>> + Res += II->U.size();
>> return Res;
>> }
>> size_t NumActiveUnits() const {
>> size_t Res = 0;
>> - for (auto &II : Inputs)
>> - Res += !II.U.empty();
>> + for (auto II : Inputs)
>> + Res += !II->U.empty();
>> return Res;
>> }
>> bool empty() const { return Inputs.empty(); }
>> - const Unit &operator[] (size_t Idx) const { return Inputs[Idx].U; }
>> + const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
>> void AddToCorpus(const Unit &U, size_t NumFeatures) {
>> assert(!U.empty());
>> uint8_t Hash[kSHA1NumBytes];
>> @@ -62,8 +65,8 @@ class InputCorpus {
>> Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
>> ComputeSHA1(U.data(), U.size(), Hash);
>> Hashes.insert(Sha1ToString(Hash));
>> - Inputs.push_back(InputInfo());
>> - InputInfo &II = Inputs.back();
>> + Inputs.push_back(new InputInfo());
>> + InputInfo &II = *Inputs.back();
>> II.U = U;
>> II.NumFeatures = NumFeatures;
>> memcpy(II.Sha1, Hash, kSHA1NumBytes);
>> @@ -71,14 +74,10 @@ class InputCorpus {
>> ValidateFeatureSet();
>> }
>>
>> - typedef const std::vector<InputInfo>::const_iterator ConstIter;
>> - ConstIter begin() const { return Inputs.begin(); }
>> - ConstIter end() const { return Inputs.end(); }
>> -
>> bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
>> bool HasUnit(const std::string &H) { return Hashes.count(H); }
>> InputInfo &ChooseUnitToMutate(Random &Rand) {
>> - InputInfo &II = Inputs[ChooseUnitIdxToMutate(Rand)];
>> + InputInfo &II = *Inputs[ChooseUnitIdxToMutate(Rand)];
>> assert(!II.U.empty());
>> return II;
>> };
>> @@ -94,7 +93,7 @@ class InputCorpus {
>>
>> void PrintStats() {
>> for (size_t i = 0; i < Inputs.size(); i++) {
>> - const auto &II = Inputs[i];
>> + const auto &II = *Inputs[i];
>> Printf(" [%zd %s]\tsz: %zd\truns: %zd\tsucc: %zd\n", i,
>> Sha1ToString(II.Sha1).c_str(), II.U.size(),
>> II.NumExecutedMutations, II.NumSuccessfullMutations);
>> @@ -108,7 +107,7 @@ class InputCorpus {
>> }
>> Printf("\n\t");
>> for (size_t i = 0; i < Inputs.size(); i++)
>> - if (size_t N = Inputs[i].NumFeatures)
>> + if (size_t N = Inputs[i]->NumFeatures)
>> Printf(" %zd=>%zd ", i, N);
>> Printf("\n");
>> }
>> @@ -119,7 +118,7 @@ class InputCorpus {
>> uint32_t OldSize = GetFeature(Idx);
>> if (OldSize == 0 || (Shrink && OldSize > NewSize)) {
>> if (OldSize > 0) {
>> - InputInfo &II = Inputs[SmallestElementPerFeature[Idx]];
>> + InputInfo &II = *Inputs[SmallestElementPerFeature[Idx]];
>> assert(II.NumFeatures > 0);
>> II.NumFeatures--;
>> if (II.NumFeatures == 0) {
>> @@ -157,12 +156,12 @@ private:
>> PrintFeatureSet();
>> for (size_t Idx = 0; Idx < kFeatureSetSize; Idx++)
>> if (GetFeature(Idx))
>> - Inputs[SmallestElementPerFeature[Idx]].Tmp++;
>> - for (auto &II: Inputs) {
>> - if (II.Tmp != II.NumFeatures)
>> - Printf("ZZZ %zd %zd\n", II.Tmp, II.NumFeatures);
>> - assert(II.Tmp == II.NumFeatures);
>> - II.Tmp = 0;
>> + Inputs[SmallestElementPerFeature[Idx]]->Tmp++;
>> + for (auto II: Inputs) {
>> + if (II->Tmp != II->NumFeatures)
>> + Printf("ZZZ %zd %zd\n", II->Tmp, II->NumFeatures);
>> + assert(II->Tmp == II->NumFeatures);
>> + II->Tmp = 0;
>> }
>> }
>>
>> @@ -175,7 +174,7 @@ private:
>> std::iota(Intervals.begin(), Intervals.end(), 0);
>> if (CountingFeatures)
>> for (size_t i = 0; i < N; i++)
>> - Weights[i] = Inputs[i].NumFeatures * (i + 1);
>> + Weights[i] = Inputs[i]->NumFeatures * (i + 1);
>> else
>> std::iota(Weights.begin(), Weights.end(), 1);
>> CorpusDistribution = std::piecewise_constant_distribution<double>(
>> @@ -187,7 +186,7 @@ private:
>> std::vector<double> Weights;
>>
>> std::unordered_set<std::string> Hashes;
>> - std::vector<InputInfo> Inputs;
>> + std::vector<InputInfo*> Inputs;
>>
>> bool CountingFeatures = false;
>> uint32_t InputSizesPerFeature[kFeatureSetSize];
>>
>>
>> _______________________________________________
>> llvm-commits mailing list
>> llvm-commits at lists.llvm.org
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20161010/15d966f2/attachment-0001.html>
More information about the llvm-commits
mailing list