[llvm] r276006 - [libFuzzer] properly intercept memmem

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Tue Jul 19 11:29:10 PDT 2016


Author: kcc
Date: Tue Jul 19 13:29:06 2016
New Revision: 276006

URL: http://llvm.org/viewvc/llvm-project?rev=276006&view=rev
Log:
[libFuzzer] properly intercept memmem

Modified:
    llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
    llvm/trunk/lib/Fuzzer/test/StrstrTest.cpp

Modified: llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp?rev=276006&r1=276005&r2=276006&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp Tue Jul 19 13:29:06 2016
@@ -173,6 +173,12 @@ struct TraceBasedMutation {
 static bool RecordingTraces = false;
 static bool RecordingMemcmp = false;
 static bool RecordingMemmem = false;
+static bool DoingMyOwnMemmem = false;
+
+struct ScopedDoingMyOwnMemmem {
+  ScopedDoingMyOwnMemmem() { DoingMyOwnMemmem = true; }
+  ~ScopedDoingMyOwnMemmem() { DoingMyOwnMemmem = false; }
+};
 
 class TraceState {
 public:
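Review bot: ScopedDoingMyOwnMemmem's destructor writes `false` unconditionally, so if two guards ever nest (the two TryToAddDesiredData overloads in the following hunks are the only users visible here), the inner destructor clears the flag while the outer call is still running and the hook would again record libFuzzer's own memmem calls. Restoring the previous value costs one member: `bool Prev; ScopedDoingMyOwnMemmem() : Prev(DoingMyOwnMemmem) { DoingMyOwnMemmem = true; } ~ScopedDoingMyOwnMemmem() { DoingMyOwnMemmem = Prev; }`. The flag is also a plain static bool that the weak hook reads from whichever thread calls memmem, so if a target spawns threads the read races with this write; a `thread_local` (or at least a comment saying the state is per-process by design) would make the intent explicit. A one-line comment on the flag would help the next reader: `// Set while libFuzzer itself calls memmem so __sanitizer_weak_hook_memmem ignores those calls.`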
@@ -400,6 +406,7 @@ void TraceState::DFSanSwitchCallback(uin
 int TraceState::TryToAddDesiredData(uint64_t PresentData, uint64_t DesiredData,
                                     size_t DataSize) {
   if (NumMutations >= kMaxMutations || !WantToHandleOneMoreMutation()) return 0;
+  ScopedDoingMyOwnMemmem scoped_doing_my_own_memmem;
   const uint8_t *UnitData;
   auto UnitSize = F->GetCurrentUnitInFuzzingThead(&UnitData);
   int Res = 0;
@@ -423,6 +430,7 @@ int TraceState::TryToAddDesiredData(cons
                                     const uint8_t *DesiredData,
                                     size_t DataSize) {
   if (NumMutations >= kMaxMutations || !WantToHandleOneMoreMutation()) return 0;
+  ScopedDoingMyOwnMemmem scoped_doing_my_own_memmem;
   const uint8_t *UnitData;
   auto UnitSize = F->GetCurrentUnitInFuzzingThead(&UnitData);
   int Res = 0;
@@ -639,7 +647,8 @@ void __sanitizer_weak_hook_strcasestr(vo
 }
 void __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
                                   const void *s2, size_t len2, void *result) {
-  // TODO: can't hook memmem since memmem is used by libFuzzer.
+  if (fuzzer::DoingMyOwnMemmem) return;
+  TS->AddInterestingWord(reinterpret_cast<const uint8_t *>(s2), len2);
 }
 
 #endif  // LLVM_FUZZER_DEFINES_SANITIZER_WEAK_HOOOKS
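Review bot: The new hook body never consults RecordingMemmem (declared right next to DoingMyOwnMemmem in the first hunk) and dereferences TS without a null check, so any memmem call made by the target outside the recording window reaches `TS->AddInterestingWord` unconditionally. If RecordingMemmem is meant to gate this hook as its name suggests, `if (fuzzer::DoingMyOwnMemmem || !fuzzer::RecordingMemmem || !TS) return;` would express that; whether TS can actually be null at hook time cannot be confirmed from this hunk. The removed TODO was the only explanation of the re-entrancy problem, so a short replacement comment is worth keeping, e.g. `// Skip memmem calls issued by libFuzzer itself (see ScopedDoingMyOwnMemmem).` The hook passes the caller-supplied len2 straight through, so AddInterestingWord is presumably the place that bounds it; worth confirming.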

Modified: llvm/trunk/lib/Fuzzer/test/StrstrTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/StrstrTest.cpp?rev=276006&r1=276005&r2=276006&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/StrstrTest.cpp (original)
+++ llvm/trunk/lib/Fuzzer/test/StrstrTest.cpp Tue Jul 19 13:29:06 2016
@@ -9,8 +9,12 @@
 #include <cstdlib>
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size < 4) return 0;
   std::string s(reinterpret_cast<const char*>(Data), Size);
-  if (strstr(s.c_str(), "FUZZ") && strcasestr(s.c_str(), "aBcD")) {
+  if (strstr(s.c_str(), "FUZZ") &&
+      strcasestr(s.c_str(), "aBcD") &&
+      memmem(s.data(), s.size(), "kuku", 4)
+      ) {
     fprintf(stderr, "BINGO\n");
     exit(1);
   }
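Review bot: memmem is a glibc/BSD extension rather than ISO C or C++, so this test now depends on `<cstring>`/`<string.h>` being included and, on glibc, on `_GNU_SOURCE` being defined; only `<cstdlib>` is visible in the hunk, so the includes above line 9 should be checked and `#include <cstring>` added if missing. The condition's closing paren on its own line (`      ) {`) is unusual for this file's style; `memmem(s.data(), s.size(), "kuku", 4)) {` on one line reads more naturally. LLVMFuzzerTestOneInput's closing brace is outside the hunk.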



