This is an archive of the discontinued LLVM Phabricator instance.

Differential D101625

[libFuzzer] Fix off-by-one error in ApplyDictionaryEntry
ClosedPublic

Authored by fmeum on Apr 30 2021, 6:35 AM.

Details

Reviewers
morehouse
Commits
rG62e4dca94e25: [libFuzzer] Fix off-by-one error in ApplyDictionaryEntry
Summary

In the overwrite branch of MutationDispatcher::ApplyDictionaryEntry in
FuzzerMutate.cpp, the index Idx at which W.size() bytes are overwritten
with the word W is chosen uniformly at random in the interval
[0, Size - W.size()). This means that Idx + W.size() will always be
strictly less than Size, i.e., the last byte of the current unit will
never be overwritten.

This is fixed by adding 1 to the exclusive upper bound.

Addresses https://bugs.llvm.org/show_bug.cgi?id=49989.

Diff Detail

Event Timeline

fmeum requested review of this revision.Apr 30 2021, 6:35 AM
fmeum created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptApr 30 2021, 6:35 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B101912: Diff 341878.Apr 30 2021, 7:35 AM
morehouse accepted this revision.Apr 30 2021, 8:21 AM

Thanks for the fix!

This revision is now accepted and ready to land.Apr 30 2021, 8:21 AM
Closed by commit rG62e4dca94e25: [libFuzzer] Fix off-by-one error in ApplyDictionaryEntry (authored by fmeum, committed by morehouse). · Explain WhyMay 3 2021, 10:38 AM
This revision was automatically updated to reflect the committed changes.
morehouse added a commit: rG62e4dca94e25: [libFuzzer] Fix off-by-one error in ApplyDictionaryEntry.

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
3 lines

Diff 342458

compiler-rt/lib/fuzzer/FuzzerMutate.cpp

Show First 20 LinesShow All 189 Lines▼ Show 20 Linessize_t MutationDispatcher::ApplyDictionaryEntry(uint8_t *Data, size_t Size,
if (Rand.RandBool()) { // Insert W. if (Rand.RandBool()) { // Insert W.
if (Size + W.size() > MaxSize) return 0; if (Size + W.size() > MaxSize) return 0;
size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1); size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1);
memmove(Data + Idx + W.size(), Data + Idx, Size - Idx); memmove(Data + Idx + W.size(), Data + Idx, Size - Idx);
memcpy(Data + Idx, W.data(), W.size()); memcpy(Data + Idx, W.data(), W.size());
Size += W.size(); Size += W.size();
} else { // Overwrite some bytes with W. } else { // Overwrite some bytes with W.
if (W.size() > Size) return 0; if (W.size() > Size) return 0;
size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size - W.size()); size_t Idx =
UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1 - W.size());
memcpy(Data + Idx, W.data(), W.size()); memcpy(Data + Idx, W.data(), W.size());
} }
return Size; return Size;
} }
// Somewhere in the past we have observed a comparison instructions // Somewhere in the past we have observed a comparison instructions
// with arguments Arg1 Arg2. This function tries to guess a dictionary // with arguments Arg1 Arg2. This function tries to guess a dictionary
// entry that will satisfy that comparison. // entry that will satisfy that comparison.
▲ Show 20 LinesShow All 389 LinesShow Last 20 Lines