https://llvm.org/bugs/show_bug.cgi?id=31318
Bug ID: 31318
Summary: libFuzzer buffer overrun in Fuzzer::RecordMaxCoverage()
Product: new-bugs
Version: trunk
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P
Component: new bugs
Assignee: unassignedb...@nondot.org
Reporter: ttaub...@mozilla.com
CC: llvm-bugs@lists.llvm.org
Classification: Unclassified

Created attachment 17741 --> https://llvm.org/bugs/attachment.cgi?id=17741&action=edit
Possible patch to properly resize C->CounterBitmap

I've been running into weird fuzzer behavior until I realized that libFuzzer itself is overriding the fuzzing corpora held in memory.

From FuzzerLoop.cpp:102:

    EF->__sanitizer_update_counter_bitset_and_clear_counters(C->CounterBitmap.data());

C->CounterBitmap.size() is smaller than the number returned by EF->__sanitizer_get_number_of_counters(). A possible fix that seems to work well for us is attached. In Fuzzer::ShuffleAndMinimize(), calling PrepareCounters() after ExecuteCallback(&dummy, 0) resizes C->CounterBitmap to the appropriate size.
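The report describes a caller-sized buffer handed to a callee that walks a table whose size only it knows: the sanitizer hook receives a bare pointer to CounterBitmap, so nothing on the callee side can notice that the vector was sized from an earlier, smaller counter count. The following is an added example, not libFuzzer or sanitizer code, that models that contract and the two call orders the report contrasts. The model_* functions, the one-bit-per-counter bitmap layout and the counter counts are assumptions chosen to make the mismatch visible; the real hook performs no size check, which is why the overrun in the report is silent and shows up as corrupted memory next to the bitmap.

```cpp
// Added example (not libFuzzer code): models the contract between a
// caller-owned counter bitmap and a sanitizer-style update routine.
// Everything prefixed model_ is an assumption standing in for the real
// __sanitizer_* hooks; the bit-per-counter layout is likewise assumed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Stand-in for the runtime's counter table. In an instrumented binary this
// grows as instrumented modules register their counters.
static std::vector<uint8_t> model_counters;

// Stand-in for EF->__sanitizer_get_number_of_counters().
size_t model_get_number_of_counters() { return model_counters.size(); }

// Bytes needed to hold one bit per counter.
size_t bitmap_bytes_for(size_t num_counters) { return (num_counters + 7) / 8; }

// Stand-in for __sanitizer_update_counter_bitset_and_clear_counters: for
// every non-zero counter, set its bit and clear the counter; return how
// many bits became set for the first time. The real hook only gets a
// pointer, so the size check below is the guarantee the caller must make
// and the callee cannot; here it throws instead of writing out of bounds.
size_t model_update_counter_bitset_and_clear_counters(std::vector<uint8_t> &bitmap) {
  size_t need = bitmap_bytes_for(model_get_number_of_counters());
  if (bitmap.size() < need)
    throw std::out_of_range("CounterBitmap smaller than counter table: would overrun");
  size_t new_bits = 0;
  for (size_t i = 0; i < model_counters.size(); i++) {
    if (model_counters[i] == 0) continue;
    uint8_t mask = 1u << (i % 8);
    if (!(bitmap[i / 8] & mask)) { bitmap[i / 8] |= mask; new_bits++; }
    model_counters[i] = 0;
  }
  return new_bits;
}

struct Coverage { std::vector<uint8_t> CounterBitmap; };

// Mirrors the role of PrepareCounters() in the report: size the bitmap from
// the counter count observed right now.
void PrepareCounters(Coverage &C) {
  C.CounterBitmap.resize(bitmap_bytes_for(model_get_number_of_counters()));
}

// Stand-in for the first ExecuteCallback(): more counters get registered
// (assumed late registration) and a couple of them are hit.
void model_execute_callback_first_run() {
  model_counters.resize(model_counters.size() + 64);
  model_counters[3] = 1;
  model_counters[70] = 5;
}

// Order the report describes as broken: size once, run, then update.
// Returns true when the overrun guard fires.
bool run_buggy_order() {
  model_counters.assign(16, 0);
  Coverage C;
  PrepareCounters(C);                  // sized for 16 counters: 2 bytes
  model_execute_callback_first_run();  // table is now 80 counters: needs 10
  try {
    model_update_counter_bitset_and_clear_counters(C.CounterBitmap);
  } catch (const std::out_of_range &) {
    return true;
  }
  return false;
}

// Order the report proposes: call PrepareCounters() again after the first
// callback so the bitmap matches the current counter count. Returns the
// number of newly set bits.
size_t run_fixed_order() {
  model_counters.assign(16, 0);
  Coverage C;
  PrepareCounters(C);
  model_execute_callback_first_run();
  PrepareCounters(C);                  // resized to 10 bytes
  return model_update_counter_bitset_and_clear_counters(C.CounterBitmap);
}

int main() {
  std::printf("buggy order trips the guard: %s\n", run_buggy_order() ? "yes" : "no");
  std::printf("fixed order records %zu new bits\n", run_fixed_order());
  return 0;
}
```

The cheap check a practitioner would add to the real call site is the same comparison the model makes before touching the buffer: assert that CounterBitmap.size() covers __sanitizer_get_number_of_counters() immediately before every update call, not only where the vector was last resized.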
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs