[llvm] r298746 - [libFuzzer] be more careful when calling strlen of strcmp parameters, PR32357
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Fri Mar 24 15:19:52 PDT 2017
Author: kcc
Date: Fri Mar 24 17:19:52 2017
New Revision: 298746
URL: http://llvm.org/viewvc/llvm-project?rev=298746&view=rev
Log:
[libFuzzer] be more careful when calling strlen of strcmp parameters, PR32357
Added:
llvm/trunk/lib/Fuzzer/test/BadStrcmpTest.cpp
llvm/trunk/lib/Fuzzer/test/bad-strcmp.test
Modified:
llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
Modified: llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp?rev=298746&r1=298745&r2=298746&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp Fri Mar 24 17:19:52 2017
@@ -90,6 +90,14 @@ static size_t InternalStrnlen(const char
return Len;
}
+// Finds min of (strlen(S1), strlen(S2)).
+// Needed bacause one of these strings may actually be non-zero terminated.
+static size_t InternalStrnlen2(const char *S1, const char *S2) {
+ size_t Len = 0;
+ for (; S1[Len] && S2[Len]; Len++) {}
+ return Len;
+}
+
} // namespace fuzzer
using fuzzer::TS;
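Review bot: InternalStrnlen2 has no upper bound and is only safe when at least one of S1/S2 is NUL-terminated and the other is readable up to that terminator, which the comment does not say. The strcmp hook in the next hunk calls it only when `result != 0`, so strcmp may have stopped at an early mismatch while this loop keeps reading both strings until the first zero byte. For a non-terminated buffer shorter than the terminated string, that read would run past the buffer's end. I would state the precondition in the comment, e.g. `// Precondition: at least one string is NUL-terminated and the other is readable up to that length.`, and fix the `bacause` typo. The `Strnlen` name also reads as if a maximum length were passed, which this helper does not take.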
@@ -128,9 +136,7 @@ ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZ
void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1,
const char *s2, int result) {
if (result == 0) return; // No reason to mutate.
- size_t Len1 = strlen(s1);
- size_t Len2 = strlen(s2);
- size_t N = std::min(Len1, Len2);
+ size_t N = fuzzer::InternalStrnlen2(s1, s2);
if (N <= 1) return; // Not interesting.
fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, N, /*StopAtZero*/true);
}
Added: llvm/trunk/lib/Fuzzer/test/BadStrcmpTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/BadStrcmpTest.cpp?rev=298746&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/BadStrcmpTest.cpp (added)
+++ llvm/trunk/lib/Fuzzer/test/BadStrcmpTest.cpp Fri Mar 24 17:19:52 2017
@@ -0,0 +1,19 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test that we don't creash in case of bad strcmp params.
+#include <cstdint>
+#include <cstring>
+#include <cstddef>
+
+static volatile int Sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size != 10) return 0;
+ // Data is not zero-terminated, so this call is bad.
+ // Still, there are cases when such calles appear, see e.g.
+ // https://bugs.llvm.org/show_bug.cgi?id=32357
+ Sink = strcmp(reinterpret_cast<const char*>(Data), "123456789");
+ return 0;
+}
+
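Review bot: The `if (Size != 10) return 0;` guard is what keeps the target's own strcmp within Data (the literal `"123456789"` plus its NUL is exactly 10 bytes), but the comment does not say so. A later edit to the size or the literal could silently turn the test itself into an out-of-bounds read. I would add `// Size == 10 matches the 9-char literal plus its NUL, so the comparison ends inside Data.` above the guard. Because of that guard the test covers only the case where the unterminated buffer is at least as long as the terminated string; the shorter-buffer case is not exercised. The comments also carry the typos `creash` and `calles`.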
Modified: llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CMakeLists.txt?rev=298746&r1=298745&r2=298746&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/CMakeLists.txt Fri Mar 24 17:19:52 2017
@@ -76,6 +76,7 @@ set(Tests
AbsNegAndConstantTest
AbsNegAndConstant64Test
AccumulateAllocationsTest
+ BadStrcmpTest
BogusInitializeTest
BufferOverflowOnInput
CallerCalleeTest
Added: llvm/trunk/lib/Fuzzer/test/bad-strcmp.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/bad-strcmp.test?rev=298746&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/bad-strcmp.test (added)
+++ llvm/trunk/lib/Fuzzer/test/bad-strcmp.test Fri Mar 24 17:19:52 2017
@@ -0,0 +1 @@
+RUN: LLVMFuzzer-BadStrcmpTest -runs=100000
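Review bot: The RUN line passes no `-seed=`, so whether a 10-byte input that reaches the strcmp call is generated within 100000 runs can differ from one invocation to the next. Pinning it, e.g. `RUN: LLVMFuzzer-BadStrcmpTest -runs=100000 -seed=1`, would make a failure reproducible. The test also passes on exit status alone; if the fuzzer never produces a 10-byte input, the hook path is presumably not exercised and the test still succeeds.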