[compiler-rt] r300010 - [msan] fix iconv interceptor. before the fix the interceptor failed to mark memory as initialized if iconv returned -1. Found in a hard way while fuzzing libxml2 :(

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Tue Apr 11 17:12:34 PDT 2017 

Author: kcc
Date: Tue Apr 11 19:12:34 2017
New Revision: 300010

URL: http://llvm.org/viewvc/llvm-project?rev=300010&view=rev
Log:
[msan] fix iconv interceptor. before the fix the interceptor failed to mark memory as initialized if iconv returned -1. Found in a hard way while fuzzing libxml2 :(

Added:
    compiler-rt/trunk/test/sanitizer_common/TestCases/Linux/iconv_test.c
Modified:
    compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc

Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc?rev=300010&r1=300009&r2=300010&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc Tue Apr 11 19:12:34 2017
@@ -4637,7 +4637,7 @@ INTERCEPTOR(SIZE_T, iconv, void *cd, cha
   // its metadata. See
   // https://github.com/google/sanitizers/issues/321.
   SIZE_T res = REAL(iconv)(cd, inbuf, inbytesleft, outbuf, outbytesleft);
-  if (res != (SIZE_T) - 1 && outbuf && *outbuf > outbuf_orig) {
+  if (outbuf && *outbuf > outbuf_orig) {
     SIZE_T sz = (char *)*outbuf - (char *)outbuf_orig;
     COMMON_INTERCEPTOR_WRITE_RANGE(ctx, outbuf_orig, sz);
   }

Added: compiler-rt/trunk/test/sanitizer_common/TestCases/Linux/iconv_test.c
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/sanitizer_common/TestCases/Linux/iconv_test.c?rev=300010&view=auto
==============================================================================
--- compiler-rt/trunk/test/sanitizer_common/TestCases/Linux/iconv_test.c (added)
+++ compiler-rt/trunk/test/sanitizer_common/TestCases/Linux/iconv_test.c Tue Apr 11 19:12:34 2017
@@ -0,0 +1,28 @@
+// RUN: %clang %s -o %t && %run %t
+// Verify that even if iconv returned -1
+// we still treat the initialized part of outbuf as properly initialized.
+#include <iconv.h>
+#include <assert.h>
+#include <stdio.h>
+
+int main() {
+  iconv_t cd = iconv_open("UTF-8", "no");
+  assert(cd != (iconv_t)-1);
+  char in[11] = {0x7e, 0x7e, 0x5f, 0x53, 0x55, 0x3e,
+                 0x99, 0x3c, 0x7e, 0x7e, 0x7e};
+  fprintf(stderr, "cd: %p\n", (void*)cd);
+  char out[100];
+  char *inbuf = &in[0];
+  size_t inbytesleft = 11;
+  char *outbuf = &out[0];
+  size_t outbytesleft = 100;
+  int ret = iconv(cd, &inbuf, &inbytesleft, &outbuf, &outbytesleft);
+  assert(ret == -1);
+  assert(outbuf - &out[0] == 10);
+  for (int i = 0; i < 10; i++) {
+    if (out[i] == 0x77) return 1;
+    fprintf(stderr, "OUT%d 0x%x -- OK\n", i, (unsigned char)out[i]);
+  }
+  iconv_close(cd);
+}
+

More information about the llvm-commits mailing list