This is an archive of the discontinued LLVM Phabricator instance.

Differential D94507

Bugfix for collecting features from very small DSOs.
ClosedPublic

Authored by aarongreen on Jan 12 2021, 9:20 AM.

Details

Reviewers
morehouse
kcc
charco
Commits
rG10993bf072d9: Bugfix for collecting features from very small DSOs.
Summary

During unit tests, it was observed that crafting an artificially small DSO could cause OOB memory to be accessed. This change fixes that (but again, the affected DSOs are unlikely to ever occur outside unit tests).

Diff Detail

Event Timeline

aarongreen requested review of this revision.Jan 12 2021, 9:20 AM
aarongreen created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJan 12 2021, 9:20 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B84848: Diff 316121.Jan 12 2021, 10:07 AM
charco accepted this revision.Jan 20 2021, 6:19 PM
This revision is now accepted and ready to land.Jan 20 2021, 6:19 PM
morehouse accepted this revision.Jan 21 2021, 8:24 AM

LGTM, thanks!

aarongreen updated this revision to Diff 321574.Feb 4 2021, 3:01 PM

Rebase

aarongreen added a child revision: D94508: Add functions to encode/decode feature files.Feb 5 2021, 9:05 AM
aarongreen added a parent revision: D94506: Expand unit tests for fuzzer::Merger.
Closed by commit rG10993bf072d9: Bugfix for collecting features from very small DSOs. (authored by aarongreen, committed by charco). · Explain WhyFeb 17 2021, 1:05 PM
This revision was automatically updated to reflect the committed changes.
charco added a commit: rG10993bf072d9: Bugfix for collecting features from very small DSOs..
arichardson added a subscriber: arichardson.Mar 30 2021, 2:06 PM
arichardson added inline comments.
compiler-rt/lib/fuzzer/FuzzerTracePC.h
196

Just saw this while merging from upstream since we have a similar but conflicting diff. Shouldn't it be < rather than <=? I believe end is a one-past-the end pointer but it's been a while since I looked at this code? The loop below also uses <.

I made this change for CHERI a long time ago when porting libfuzzer but forgot to upstream it despite marking at as such: https://github.com/CTSRD-CHERI/llvm-project/commit/a09ee83464be3e287cdf82ff22e67d66f476a6c0

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
2 lines

Diff 324401

compiler-rt/lib/fuzzer/FuzzerTracePC.h

Show First 20 LinesShow All 187 Lines▼ Show 20 Linessize_t ForEachNonZeroByte(const uint8_t *Begin, const uint8_t *End,
const size_t StepMask = Step - 1; const size_t StepMask = Step - 1;
auto P = Begin; auto P = Begin;
// Iterate by 1 byte until either the alignment boundary or the end. // Iterate by 1 byte until either the alignment boundary or the end.
for (; reinterpret_cast<uintptr_t>(P) & StepMask && P < End; P++) for (; reinterpret_cast<uintptr_t>(P) & StepMask && P < End; P++)
if (uint8_t V = *P) if (uint8_t V = *P)
Handle8bitCounter(FirstFeature, P - Begin, V); Handle8bitCounter(FirstFeature, P - Begin, V);
// Iterate by Step bytes at a time. // Iterate by Step bytes at a time.
for (; P < End; P += Step) for (; P + Step <= End; P += Step)
arichardsonUnsubmitted
Not Done
ReplyInline Actions

Just saw this while merging from upstream since we have a similar but conflicting diff. Shouldn't it be < rather than <=? I believe end is a one-past-the end pointer but it's been a while since I looked at this code? The loop below also uses <.

I made this change for CHERI a long time ago when porting libfuzzer but forgot to upstream it despite marking at as such: https://github.com/CTSRD-CHERI/llvm-project/commit/a09ee83464be3e287cdf82ff22e67d66f476a6c0

arichardson: Just saw this while merging from upstream since we have a similar but conflicting diff.
if (LargeType Bundle = *reinterpret_cast<const LargeType *>(P)) { if (LargeType Bundle = *reinterpret_cast<const LargeType *>(P)) {
Bundle = HostToLE(Bundle); Bundle = HostToLE(Bundle);
for (size_t I = 0; I < Step; I++, Bundle >>= 8) for (size_t I = 0; I < Step; I++, Bundle >>= 8)
if (uint8_t V = Bundle & 0xff) if (uint8_t V = Bundle & 0xff)
Handle8bitCounter(FirstFeature, P - Begin + I, V); Handle8bitCounter(FirstFeature, P - Begin + I, V);
} }
// Iterate by 1 byte until the end. // Iterate by 1 byte until the end.
▲ Show 20 LinesShow All 87 LinesShow Last 20 Lines