libfuzzer: fix looking at wrong memory for pc counters

this fix bypasses the slice bounds, reading garbage data for up to the
last 7 bits (which are technically supposed to be ignored). that's going
to need to be fixed, let's fix that along with switching from byte elems
to usize elems.
Andrew Kelley 2024-08-05 18:37:19 -07:00
parent 5f5a7b53a4
commit 529df8c007


@ -276,7 +276,7 @@ const Fuzzer = struct {
.score = 0, .score = 0,
}, {}); }, {});
} else { } else {
if (f.n_runs % 1000 == 0) f.dumpStats(); if (f.n_runs % 10000 == 0) f.dumpStats();
const analysis = f.analyzeLastRun(); const analysis = f.analyzeLastRun();
const gop = f.recent_cases.getOrPutAssumeCapacity(.{ const gop = f.recent_cases.getOrPutAssumeCapacity(.{
@ -303,16 +303,16 @@ const Fuzzer = struct {
{ {
const seen_pcs = f.seen_pcs.items[@sizeOf(SeenPcsHeader) + f.flagged_pcs.len * @sizeOf(usize) ..]; const seen_pcs = f.seen_pcs.items[@sizeOf(SeenPcsHeader) + f.flagged_pcs.len * @sizeOf(usize) ..];
for (seen_pcs, 0..) |*elem, i| { for (seen_pcs, 0..) |*elem, i| {
const byte_i = i / 8; const byte_i = i * 8;
const mask: u8 = const mask: u8 =
(@as(u8, @intFromBool(f.pc_counters[byte_i + 0] != 0)) << 0) | (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 0] != 0)) << 0) |
(@as(u8, @intFromBool(f.pc_counters[byte_i + 1] != 0)) << 1) | (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 1] != 0)) << 1) |
(@as(u8, @intFromBool(f.pc_counters[byte_i + 2] != 0)) << 2) | (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 2] != 0)) << 2) |
(@as(u8, @intFromBool(f.pc_counters[byte_i + 3] != 0)) << 3) | (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 3] != 0)) << 3) |
(@as(u8, @intFromBool(f.pc_counters[byte_i + 4] != 0)) << 4) | (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 4] != 0)) << 4) |
(@as(u8, @intFromBool(f.pc_counters[byte_i + 5] != 0)) << 5) | (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 5] != 0)) << 5) |
(@as(u8, @intFromBool(f.pc_counters[byte_i + 6] != 0)) << 6) | (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 6] != 0)) << 6) |
(@as(u8, @intFromBool(f.pc_counters[byte_i + 7] != 0)) << 7); (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 7] != 0)) << 7);
_ = @atomicRmw(u8, elem, .Or, mask, .monotonic); _ = @atomicRmw(u8, elem, .Or, mask, .monotonic);
} }