From fe4ed9bd854d1230723568a8cc6289bf9da7fff7 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Tue, 9 May 2017 01:17:29 +0000
Subject: [PATCH] [libFuzzer] make sure the input data is not overwritten in the fuzz target (if it is -- report an error)

llvm-svn: 302494
---
 llvm/lib/Fuzzer/FuzzerDriver.cpp | 3 ++-
 llvm/lib/Fuzzer/FuzzerInternal.h | 1 +
 llvm/lib/Fuzzer/FuzzerLoop.cpp | 20 ++++++++++++++++++++
 llvm/lib/Fuzzer/test/CMakeLists.txt | 1 +
 llvm/lib/Fuzzer/test/OverwriteInputTest.cpp | 13 +++++++++++++
 llvm/lib/Fuzzer/test/overwrite-input.test | 2 ++
 6 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 llvm/lib/Fuzzer/test/OverwriteInputTest.cpp
 create mode 100644 llvm/lib/Fuzzer/test/overwrite-input.test

diff --git a/llvm/lib/Fuzzer/FuzzerDriver.cpp b/llvm/lib/Fuzzer/FuzzerDriver.cpp
index b85ba210afb3..e93c79cfcec6 100644
--- a/llvm/lib/Fuzzer/FuzzerDriver.cpp
+++ b/llvm/lib/Fuzzer/FuzzerDriver.cpp
@@ -656,7 +656,8 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
 SMR.WaitClient();
 size_t Size = SMR.ReadByteArraySize();
 SMR.WriteByteArray(nullptr, 0);
- F->RunOne(SMR.GetByteArray(), Size);
+ const Unit tmp(SMR.GetByteArray(), SMR.GetByteArray() + Size);
+ F->RunOne(tmp.data(), tmp.size());
 SMR.PostServer();
 }
 return 0;
diff --git a/llvm/lib/Fuzzer/FuzzerInternal.h b/llvm/lib/Fuzzer/FuzzerInternal.h
index ad067ee2c0d9..5f184c2316e2 100644
--- a/llvm/lib/Fuzzer/FuzzerInternal.h
+++ b/llvm/lib/Fuzzer/FuzzerInternal.h
@@ -91,6 +91,7 @@ public:
 private:
 void AlarmCallback();
 void CrashCallback();
+ void CrashOnOverwrittenData();
 void InterruptCallback();
 void MutateAndTestOne();
 void ReportNewCoverage(InputInfo *II, const Unit &U);
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp
index d84c3dbdaf77..14caa203c5ef 100644
--- a/llvm/lib/Fuzzer/FuzzerLoop.cpp
+++ b/llvm/lib/Fuzzer/FuzzerLoop.cpp
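Review bot: `Size` is read from the shared-memory peer via `SMR.ReadByteArraySize()`, and the new `tmp` constructor now reads that many bytes starting at `SMR.GetByteArray()`; unless `ReadByteArraySize` already clamps the value to the region's capacity (not visible in this hunk), a peer that publishes an oversized length makes the server read past its mapping, so a bounds check against the array's capacity before the copy would close that. The copy itself deserves a one-line why-comment, since nothing here says what it buys; presumably it keeps the target from running on (and clobbering) the peer's buffer, e.g. `// Copy out of shared memory: the target must never see or modify the peer's buffer.` — confirm the intent before wording it. The enclosing `FuzzerDriver` continues outside the hunk.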
@@ -422,6 +422,24 @@ size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const {
 return CurrentUnitSize;
 }
 
+void Fuzzer::CrashOnOverwrittenData() {
+ Printf("==%d== ERROR: libFuzzer: fuzz target overwrites it's const input\n",
+ GetPid());
+ DumpCurrentUnit("crash-");
+ Printf("SUMMARY: libFuzzer: out-of-memory\n");
+ _Exit(Options.ErrorExitCode); // Stop right now.
+}
+
+// Compare two arrays, but not all bytes if the arrays are large.
+static bool LooseMemeq(const uint8_t *A, const uint8_t *B, size_t Size) {
+ const size_t Limit = 64;
+ if (Size <= 64)
+ return !memcmp(A, B, Size);
+ // Compare first and last Limit/2 bytes.
+ return !memcmp(A, B, Limit / 2) &&
+ !memcmp(A + Size - Limit / 2, B + Size - Limit / 2, Limit / 2);
+}
+
 void Fuzzer::ExecuteCallback(const uint8_t *Data, size_t Size) {
 assert(InFuzzingThread());
 if (SMR.IsClient())
@@ -443,6 +461,8 @@ void Fuzzer::ExecuteCallback(const uint8_t *Data, size_t Size) {
 (void)Res;
 assert(Res == 0);
 HasMoreMallocsThanFrees = AllocTracer.Stop();
+ if (!LooseMemeq(DataCopy, Data, Size))
+ CrashOnOverwrittenData();
 CurrentUnitSize = 0;
 delete[] DataCopy;
 }
diff --git a/llvm/lib/Fuzzer/test/CMakeLists.txt b/llvm/lib/Fuzzer/test/CMakeLists.txt
index cd049d3f03d8..b39938a705f6 100644
--- a/llvm/lib/Fuzzer/test/CMakeLists.txt
+++ b/llvm/lib/Fuzzer/test/CMakeLists.txt
@@ -104,6 +104,7 @@ set(Tests
 OneHugeAllocTest
 OutOfMemoryTest
 OutOfMemorySingleLargeMallocTest
+ OverwriteInputTest
 RepeatedMemcmp
 RepeatedBytesTest
 SimpleCmpTest
diff --git a/llvm/lib/Fuzzer/test/OverwriteInputTest.cpp b/llvm/lib/Fuzzer/test/OverwriteInputTest.cpp
new file mode 100644
index 000000000000..e688682346a6
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/OverwriteInputTest.cpp
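Review bot: The SUMMARY line in `CrashOnOverwrittenData` reports `out-of-memory`, which is a different failure from the one this function diagnoses and will mislead anyone triaging by summary; it should name this condition, e.g. `Printf("SUMMARY: libFuzzer: overwrites-const-input\n");`. The ERROR text reads `it's` where `its` is meant; if that is corrected, the `CHECK:` line in overwrite-input.test has to change in step. In `LooseMemeq`, `if (Size <= 64)` repeats the literal instead of using `Limit`, so `if (Size <= Limit)` keeps the threshold and the slice size from drifting apart. Because only the first and last `Limit / 2` bytes are compared for larger inputs, a sentence on `LooseMemeq` (or in the ERROR message) saying that detection is best-effort for inputs over 64 bytes would stop readers from assuming full coverage.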
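Review bot: The new check is placed between `AllocTracer.Stop()` and `CurrentUnitSize = 0`, and `CrashOnOverwrittenData` calls `DumpCurrentUnit`, which presumably depends on the current-unit bookkeeping still being live; a comment such as `// Must precede CurrentUnitSize = 0: CrashOnOverwrittenData dumps the current unit.` would protect that ordering from a later reshuffle. `ExecuteCallback` begins outside the hunk, so which buffer the target was handed is not visible here; the comparison only catches writes through the pointer given to the callback if that pointer is `DataCopy`, which is worth confirming.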
@@ -0,0 +1,13 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Simple test for a fuzzer. Make sure we abort if Data is overwritten.
+#include
+#include
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size)
+ *const_cast(Data) = 1;
+ return 0;
+}
+
diff --git a/llvm/lib/Fuzzer/test/overwrite-input.test b/llvm/lib/Fuzzer/test/overwrite-input.test
new file mode 100644
index 000000000000..81c27909e8df
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/overwrite-input.test
@@ -0,0 +1,2 @@
+RUN: not LLVMFuzzer-OverwriteInputTest 2>&1 | FileCheck %s
+CHECK: ERROR: libFuzzer: fuzz target overwrites it's const input
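Review bot: The two `#include` lines and `*const_cast(Data)` have lost their angle-bracket contents in this rendering, so the test as shown would not compile; presumably the headers are the ones providing `uint8_t` and `size_t` and the cast is `const_cast<uint8_t *>(Data)` — confirm against the committed file. The test writes only to `Data[0]`, which falls inside the prefix that `LooseMemeq` always compares, so it exercises the detection path but not its limit; a companion case that writes into the middle of an input longer than 64 bytes would document that such writes are, by design, not reported.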