From c01d39e6b8a913856c39b4e1345435640718fa31 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Thu, 30 Jul 2015 01:34:58 +0000 Subject: [PATCH] [libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@243603 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/Fuzzer/FuzzerTraceState.cpp | 12 ++++++++++++ lib/Fuzzer/test/CMakeLists.txt | 1 + lib/Fuzzer/test/MemcmpTest.cpp | 9 +++++++-- lib/Fuzzer/test/fuzzer-dfsan.test | 2 +- lib/Fuzzer/test/fuzzer.test | 3 +++ 5 files changed, 24 insertions(+), 3 deletions(-) diff --git a/lib/Fuzzer/FuzzerTraceState.cpp b/lib/Fuzzer/FuzzerTraceState.cpp index 60524a91320..9c7f9966708 100644 --- a/lib/Fuzzer/FuzzerTraceState.cpp +++ b/lib/Fuzzer/FuzzerTraceState.cpp @@ -394,6 +394,18 @@ void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2, TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2); } +void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1, + const void *s2, size_t n) { + if (!TS) return; + uintptr_t PC = reinterpret_cast(caller_pc); + uint64_t S1 = 0, S2 = 0; + // Simplification: handle only first 8 bytes. + memcpy(&S1, s1, std::min(n, sizeof(S1))); + memcpy(&S2, s2, std::min(n, sizeof(S2))); + TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2); + // fuzzer::Printf("ZZZ %p %p %zd\n", s1, s2, n); +} + void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1, uint64_t Arg2) { if (!TS) return; diff --git a/lib/Fuzzer/test/CMakeLists.txt b/lib/Fuzzer/test/CMakeLists.txt index 2769f6a114a..5247f001cb4 100644 --- a/lib/Fuzzer/test/CMakeLists.txt +++ b/lib/Fuzzer/test/CMakeLists.txt @@ -15,6 +15,7 @@ set(Tests FourIndependentBranchesTest FullCoverageSetTest InfiniteTest + MemcmpTest NullDerefTest SimpleCmpTest SimpleTest diff --git a/lib/Fuzzer/test/MemcmpTest.cpp b/lib/Fuzzer/test/MemcmpTest.cpp index 510a2439800..cabdff8f075 100644 --- a/lib/Fuzzer/test/MemcmpTest.cpp +++ b/lib/Fuzzer/test/MemcmpTest.cpp @@ -5,8 +5,13 @@ #include extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + // TODO: check other sizes. if (Size >= 8 && memcmp(Data, "01234567", 8) == 0) { - fprintf(stderr, "BINGO\n"); - exit(1); + if (Size >= 12 && memcmp(Data + 8, "ABCD", 4) == 0) { + if (Size >= 14 && memcmp(Data + 12, "XY", 2) == 0) { + fprintf(stderr, "BINGO\n"); + exit(1); + } + } } } diff --git a/lib/Fuzzer/test/fuzzer-dfsan.test b/lib/Fuzzer/test/fuzzer-dfsan.test index c8dac945581..9a3c9e05d94 100644 --- a/lib/Fuzzer/test/fuzzer-dfsan.test +++ b/lib/Fuzzer/test/fuzzer-dfsan.test @@ -4,6 +4,6 @@ CHECK_DFSanCmpCallback: DFSanCmpCallback: PC RUN: not LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=1000000 -timeout=5 2>&1 | FileCheck %s RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback -RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 2>&1 | FileCheck %s +RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback diff --git a/lib/Fuzzer/test/fuzzer.test b/lib/Fuzzer/test/fuzzer.test index 55f081980a1..fdabbb1c814 100644 --- a/lib/Fuzzer/test/fuzzer.test +++ b/lib/Fuzzer/test/fuzzer.test @@ -25,3 +25,6 @@ RUN: not LLVMFuzzer-CxxTokensTest -seed=1 -timeout=15 -tokens=%S/../cxx_fuzzer_t RUN: not LLVMFuzzer-UserSuppliedFuzzerTest -seed=1 -timeout=15 2>&1 | FileCheck %s +RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=10000 2>&1 | FileCheck %s +RUN: LLVMFuzzer-MemcmpTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000 +Done1000000: Done 1000000 runs in -- 2.34.1