Message ID | 35063a0ab4edbaa5bd5b0138e6a6a5b36a8664c5.1591397562.git.steadmon@google.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | fuzz-commit-graph: properly free graph struct | expand |
Josh Steadmon wrote: > Use the provided free_commit_graph() to properly free the commit graph > in fuzz-commit-graph. Otherwise, the fuzzer itself leaks memory when the > struct contains pointers to allocated memory. > > Signed-off-by: Josh Steadmon <steadmon@google.com> > --- > fuzz-commit-graph.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) How can I reproduce this? > diff --git a/fuzz-commit-graph.c b/fuzz-commit-graph.c > index 9fd1c04edd..430817214d 100644 > --- a/fuzz-commit-graph.c > +++ b/fuzz-commit-graph.c > @@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) > initialize_the_repository(); > g = parse_commit_graph((void *)data, size); > repo_clear(the_repository); > - free(g); > + free_commit_graph(g); In any event, the patch itself is sensible, so Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Thanks.
On 2020.06.05 16:02, Jonathan Nieder wrote: > Josh Steadmon wrote: > > > Use the provided free_commit_graph() to properly free the commit graph > > in fuzz-commit-graph. Otherwise, the fuzzer itself leaks memory when the > > struct contains pointers to allocated memory. > > > > Signed-off-by: Josh Steadmon <steadmon@google.com> > > --- > > fuzz-commit-graph.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > How can I reproduce this? Building the fuzzer is dependent on the exact versions of clang & libFuzzer that you have installed; on my machine, with clang 9.0.1-10 and libFuzzer 9, I build as follows: $ make CC=clang \ CXX=clang++ \ CFLAGS="-fsanitize=fuzzer-no-link,address" \ LIB_FUZZING_ENGINE=/usr/lib/llvm-9/lib/libFuzzer.a \ fuzz-all Then you can run fuzz-commit-graph on the attached test case: $ ./fuzz-commit-graph /tmp/testcase-fuzzer-leak When built from master, I get a leak error: $ ./fuzz-commit-graph /tmp/testcase-fuzzer-leak INFO: Seed: 2332984289 INFO: Loaded 1 modules (70798 inline 8-bit counters): 70798 [0x15c8b82, 0x15da010), INFO: Loaded 1 PC tables (70798 PCs): 70798 [0x12a7db8,0x13bc698), ./fuzz-commit-graph: Running 1 inputs 1 time(s) each. Running: /tmp/testcase-5725798091980800 ================================================================= ==192153==ERROR: LeakSanitizer: detected memory leaks Direct leak of 12 byte(s) in 1 object(s) allocated from: #0 0x49be6d in malloc (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x49be6d) #1 0xc2ff15 in do_xmalloc (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0xc2ff15) #2 0xc2fe66 in xmalloc (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0xc2fe66) #3 0x5cfc4e in parse_commit_graph (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x5cfc4e) #4 0x1085b39 in LLVMFuzzerTestOneInput (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x1085b39) #5 0x109b41c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x109b41c) SUMMARY: AddressSanitizer: 12 byte(s) leaked in 1 allocation(s). INFO: a leak has been found in the initial corpus. INFO: to ignore leaks on libFuzzer side use -detect_leaks=0. When run with this patch, the fuzzer does not report a leak. > > diff --git a/fuzz-commit-graph.c b/fuzz-commit-graph.c > > index 9fd1c04edd..430817214d 100644 > > --- a/fuzz-commit-graph.c > > +++ b/fuzz-commit-graph.c > > @@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) > > initialize_the_repository(); > > g = parse_commit_graph((void *)data, size); > > repo_clear(the_repository); > > - free(g); > > + free_commit_graph(g); > > In any event, the patch itself is sensible, so > Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> > > Thanks.
diff --git a/fuzz-commit-graph.c b/fuzz-commit-graph.c index 9fd1c04edd..430817214d 100644 --- a/fuzz-commit-graph.c +++ b/fuzz-commit-graph.c @@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) initialize_the_repository(); g = parse_commit_graph((void *)data, size); repo_clear(the_repository); - free(g); + free_commit_graph(g); return 0; }
Use the provided free_commit_graph() to properly free the commit graph in fuzz-commit-graph. Otherwise, the fuzzer itself leaks memory when the struct contains pointers to allocated memory. Signed-off-by: Josh Steadmon <steadmon@google.com> --- fuzz-commit-graph.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)