Unpoison results from LLVMFuzzerMutate.
LLVMFuzzerMutate was returning data marked as uninitialized, but it
should be treated as initialized when running with the memory sanitizer.
Allen-Webb authored and vitalybuka committed Jan 17, 2024
1 parent 86f0d4a commit e49cb00
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions src/libfuzzer/libfuzzer_mutator.cc
Expand Up @@ -14,6 +14,11 @@

#include "src/libfuzzer/libfuzzer_mutator.h"

#if defined(__has_feature)
# if __has_feature(memory_sanitizer)
#include <sanitizer/msan_interface.h>
# endif
#endif
#include <string.h>

#include <algorithm>
Expand Down Expand Up @@ -65,6 +70,12 @@ T MutateValue(T v) {
size_t size =
LLVMFuzzerMutate(reinterpret_cast<uint8_t*>(&v), sizeof(v), sizeof(v));
memset(reinterpret_cast<uint8_t*>(&v) + size, 0, sizeof(v) - size);
// The value from LLVMFuzzerMutate needs to be treated as initialized.
#if defined(__has_feature)
# if __has_feature(memory_sanitizer)
__msan_unpoison(&v, sizeof(v));
# endif
#endif
return v;
}

Expand Down Expand Up @@ -93,6 +104,12 @@ std::string Mutator::MutateString(const std::string& value,
result.resize(std::max(1, new_size));
result.resize(LLVMFuzzerMutate(reinterpret_cast<uint8_t*>(&result[0]),
value.size(), result.size()));
// The value from LLVMFuzzerMutate needs to be treated as initialized.
#if defined(__has_feature)
# if __has_feature(memory_sanitizer)
__msan_unpoison(&result[0], result.size());
# endif
#endif
return result;
}

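Review bot: The comment added above each `__msan_unpoison` (second and third hunks) says the value "needs to be treated as initialized" but not why a blanket unpoison is safe, and since unpoisoning can mask a genuine uninitialized read the justification belongs in the code. It is sound here because every byte has already been written by instrumented code before the call — the `memset` zeroes the tail of `v` in MutateValue and `result.resize(std::max(1, new_size))` value-initializes any appended characters in MutateString — so the call only clears stale shadow, presumably left because the LLVMFuzzerMutate implementation is not MSan-instrumented (the commit message only says the data came back poisoned; confirm the cause). I would replace each comment with something like `// Every byte was written by instrumented code above (memset tail / resize fill); LLVMFuzzerMutate only leaves stale MSan shadow, so unpoisoning cannot hide a real uninitialized read.` On style, the `#if defined(__has_feature)` / `# if __has_feature(memory_sanitizer)` pair is now repeated three times; defining one helper macro beside the include (below) reduces each call site to a single line. Both MutateValue and MutateString begin above their hunks.
```cpp
#if defined(__has_feature)
# if __has_feature(memory_sanitizer)
#include <sanitizer/msan_interface.h>
#define LIBFUZZER_MUTATOR_MSAN_UNPOISON(ptr, len) __msan_unpoison((ptr), (len))
# endif
#endif
#ifndef LIBFUZZER_MUTATOR_MSAN_UNPOISON
#define LIBFUZZER_MUTATOR_MSAN_UNPOISON(ptr, len) ((void)0)
#endif
// … unchanged: remaining includes, MutateValue up to and including the memset …
  // Every byte was written by instrumented code above (memset tail); LLVMFuzzerMutate only
  // leaves stale MSan shadow, so unpoisoning cannot hide a real uninitialized read.
  LIBFUZZER_MUTATOR_MSAN_UNPOISON(&v, sizeof(v));
// … unchanged: MutateString up to and including the second resize …
  // Same reasoning: resize value-initialized every appended character before the mutate.
  LIBFUZZER_MUTATOR_MSAN_UNPOISON(&result[0], result.size());
```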
