[PATCH] D61753: [libFuzzer] Unpoison parameters before calling user callback.

Matt Morehouse via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Thu May 9 15:46:45 PDT 2019


This revision was automatically updated to reflect the committed changes.
Closed by commit rCRT360390: [libFuzzer] Unpoison parameters before calling user callback. (authored by morehouse, committed by ).
Herald added a project: Sanitizers.
Herald added a subscriber: Sanitizers.

Changed prior to commit:
  https://reviews.llvm.org/D61753?vs=198888&id=198928#toc

Repository:
  rCRT Compiler Runtime

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D61753/new/

https://reviews.llvm.org/D61753

Files:
  lib/fuzzer/FuzzerExtFunctions.def
  lib/fuzzer/FuzzerLoop.cpp
  test/fuzzer/MsanParamUnpoison.cpp
  test/fuzzer/msan-param-unpoison.test


Index: test/fuzzer/MsanParamUnpoison.cpp
===================================================================
--- test/fuzzer/MsanParamUnpoison.cpp
+++ test/fuzzer/MsanParamUnpoison.cpp
@@ -0,0 +1,28 @@
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+// Triggers the bug described here:
+// https://github.com/google/oss-fuzz/issues/2369#issuecomment-490240627
+//
+// In a nutshell, MSan's parameter shadow does not get unpoisoned before calls
+// to LLVMFuzzerTestOneInput.  This test case causes the parameter shadow to be
+// poisoned by the call to foo(), which will trigger an MSan false positive on
+// the Size == 0 check if the parameter shadow is still poisoned.
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+
+volatile int zero = 0;
+__attribute__((noinline)) int foo(int arg1, int arg2) { return zero; }
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size == 0)
+    return 0;
+
+  // Pass uninitialized values to foo().  Since foo doesn't do anything with
+  // them, MSan should not report an error here.
+  int a, b;
+  return foo(a, b);
+}
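Review bot: `<cstdio>`, `<cstdlib>` and `<cstring>` are not used anywhere in this file, and `arg1`/`arg2` in `foo` are unused parameters, so the test will warn under -Wextra; drop the three includes and leave the parameters unnamed (`int foo(int, int)`). The header comment could also state explicitly that `foo(a, b)` must remain the last call in `LLVMFuzzerTestOneInput`: the test only catches the bug if the poisoned parameter shadow left behind by that call is still in place when libFuzzer re-enters the function and evaluates `Size == 0`.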
Index: test/fuzzer/msan-param-unpoison.test
===================================================================
--- test/fuzzer/msan-param-unpoison.test
+++ test/fuzzer/msan-param-unpoison.test
@@ -0,0 +1,5 @@
+REQUIRES: msan
+RUN: %msan_compiler %S/MsanParamUnpoison.cpp -o %t
+RUN: %run %t -seed=1 -runs=1000 2>&1 | FileCheck %s
+
+CHECK-NOT: MemorySanitizer: use-of-uninitialized-value
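Review bot: the test consists of a single CHECK-NOT, so it passes vacuously if `%t` crashes early or prints nothing, and the pipe into FileCheck hides the fuzzer's exit status. Add a positive check that the run actually completed, e.g. the `Done 1000 runs` line libFuzzer prints at the end of a `-runs=1000` session, so the CHECK-NOT is anchored on a real run rather than on empty output.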
Index: lib/fuzzer/FuzzerLoop.cpp
===================================================================
--- lib/fuzzer/FuzzerLoop.cpp
+++ lib/fuzzer/FuzzerLoop.cpp
@@ -542,6 +542,8 @@
   memcpy(DataCopy, Data, Size);
   if (EF->__msan_unpoison)
     EF->__msan_unpoison(DataCopy, Size);
+  if (EF->__msan_unpoison_param)
+    EF->__msan_unpoison_param(2);
   if (CurrentUnitData && CurrentUnitData != Data)
     memcpy(CurrentUnitData, Data, Size);
   CurrentUnitSize = Size;
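Review bot: the literal `2` in `EF->__msan_unpoison_param(2)` is a magic number; add a comment that it is the parameter count of `LLVMFuzzerTestOneInput(Data, Size)` so it is not changed by someone reading this line in isolation. The call also needs to stay immediately ahead of the user callback invocation: anything MSan-instrumented executed between this line and the callback would repoison the parameter shadow and bring back the false positive the new test guards against.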
@@ -702,7 +704,7 @@
       break;  // We will mutate this input more in the next rounds.
     }
     if (Options.ReduceDepth && !FoundUniqFeatures)
-        break;
+      break;
   }
 }
 
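Review bot: this hunk is a whitespace-only re-indentation of `break;` that is unrelated to the MSan fix; it is harmless, but keeping it out of a functional change (or at least calling it out in the commit message) makes the diff easier to bisect and review.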
Index: lib/fuzzer/FuzzerExtFunctions.def
===================================================================
--- lib/fuzzer/FuzzerExtFunctions.def
+++ lib/fuzzer/FuzzerExtFunctions.def
@@ -46,3 +46,4 @@
 EXT_FUNC(__msan_scoped_disable_interceptor_checks, void, (), false);
 EXT_FUNC(__msan_scoped_enable_interceptor_checks, void, (), false);
 EXT_FUNC(__msan_unpoison, void, (const volatile void *, size_t size), false);
+EXT_FUNC(__msan_unpoison_param, void, (size_t n), false);
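Review bot: the `false` (not required) flag matches the other `__msan_*` entries above, so non-MSan builds still link, which is right. Please double-check the signature against the `__msan_unpoison_param` declaration in compiler-rt's msan_interface.h (`void __msan_unpoison_param(size_t n)`), since EXT_FUNC lookups are resolved at run time and a mismatch here is not type-checked against the header.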


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D61753.198928.patch
Type: text/x-patch
Size: 2815 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20190509/2bea7f6f/attachment.bin>