[v3,01/12] fuzz/x86_emulate: Clear errors after each iteration

Message ID 20171010162011.9629-1-george.dunlap@citrix.com (mailing list archive)
State New, archived

Commit Message

George Dunlap Oct. 10, 2017, 4:20 p.m. UTC
Once feof() returns true for a stream, it will continue to return true
for that stream until clearerr() is called (or the stream is closed
and re-opened).

In llvm-clang-fast-mode, the same file descriptor is used for each
iteration of the loop, meaning that the "Input too large" check was
broken -- feof() would return true even if the fread() hadn't hit the
end of the file.  The result is that AFL generates testcases of
arbitrary size.

Fix this by fseek'ing to the beginning of the file on every iteration;
this resets the EOF marker and other state.

Signed-off-by: George Dunlap <george.dunlap@citrix.com>
---
Changes in v3:
- Fix the issue in the official sanctioned way

This is a candidate for backport to 4.9.

CC: Ian Jackson <ian.jackson@citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
---
 tools/fuzz/x86_instruction_emulator/afl-harness.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
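The sticky feof() behaviour the commit message describes, as an added C example that is not part of the Xen harness: one shared stream is fed a 4-byte input and then a 16-byte one, and the harness's "Input too large" check is run with and without the fseek() reset. INPUT_SIZE, the scratch-file path and the helper names are assumptions made for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp(), fdopen(), unlink() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define INPUT_SIZE 8   /* assumed for the demo: a 16-byte input is "too large" */

/* One harness iteration, mirroring the afl-harness.c check: fread() up to
 * INPUT_SIZE bytes and, unless fread() hit EOF, reject as "Input too large".
 * Returns 1 = accepted, 0 = rejected, -1 = read error. */
static int harness_accepts(FILE *fp, int reset_stream)
{
    char input[INPUT_SIZE];
    if ( reset_stream )
        fseek(fp, 0, SEEK_SET);   /* the fix: clears the sticky EOF indicator */

    (void)fread(input, 1, INPUT_SIZE, fp);
    if ( ferror(fp) )
        return -1;
    return feof(fp) ? 1 : 0;      /* !feof(fp) is the "Input too large" case */
}

/* Stand-in for afl-fuzz rewriting the testcase file behind the open stream. */
static void rewrite_testcase(const char *path, const char *data, size_t n)
{
    FILE *w = fopen(path, "w");
    if ( !w ) { perror("fopen"); exit(1); }
    fwrite(data, 1, n, w);
    fclose(w);
}

/* Two iterations on one shared stream: a 4-byte input, then a 16-byte one.
 * Returns what the second, oversized iteration decided: with no reset the
 * EOF indicator left by iteration 1 makes the check accept it (the bug). */
int oversized_input_accepted(int reset_between_iterations)
{
    char path[] = "/tmp/feof_demo_XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path), second;
    FILE *fp;

    if ( fd < 0 ) { perror("mkstemp"); exit(1); }
    fp = fdopen(fd, "r");
    rewrite_testcase(path, "abcd", 4);
    harness_accepts(fp, reset_between_iterations);       /* reads to EOF */
    rewrite_testcase(path, "AAAAAAAAAAAAAAAA", 16);      /* 16 > INPUT_SIZE */
    second = harness_accepts(fp, reset_between_iterations);
    fclose(fp);
    unlink(path);
    return second;
}
```

Without the reset the second iteration is accepted whether the C library re-reads past a stale EOF (older glibc) or refuses to (sticky EOF in glibc 2.28+ and musl), because the indicator set in iteration 1 is never cleared; with the reset the oversized input is rejected.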

Comments

Ian Jackson Oct. 10, 2017, 5:22 p.m. UTC | #1
George Dunlap writes ("[PATCH v3 01/12] fuzz/x86_emulate: Clear errors after each iteration"):
> Once feof() returns true for a stream, it will continue to return true
> for that stream until clearerr() is called (or the stream is closed
> and re-opened).
> 
> In llvm-clang-fast-mode, the same file descriptor is used for each
> iteration of the loop, meaning that the "Input too large" check was
> broken -- feof() would return true even if the fread() hadn't hit the
> end of the file.  The result is that AFL generates testcases of
> arbitrary size.
> 
> Fix this by fseek'ing to the beginning of the file on every iteration;
> this resets the EOF marker and other state.

Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

> This is a candidate for backport to 4.9.

Please let me know when it is committed and I will add it to my
backport list.

Ian.
Jan Beulich Oct. 11, 2017, 9 a.m. UTC | #2
>>> On 10.10.17 at 19:22, <ian.jackson@eu.citrix.com> wrote:
> George Dunlap writes ("[PATCH v3 01/12] fuzz/x86_emulate: Clear errors after 
> each iteration"):
>> Once feof() returns true for a stream, it will continue to return true
>> for that stream until clearerr() is called (or the stream is closed
>> and re-opened).
>> 
>> In llvm-clang-fast-mode, the same file descriptor is used for each
>> iteration of the loop, meaning that the "Input too large" check was
>> broken -- feof() would return true even if the fread() hadn't hit the
>> end of the file.  The result is that AFL generates testcases of
>> arbitrary size.
>> 
>> Fix this by fseek'ing to the beginning of the file on every iteration;
>> this resets the EOF marker and other state.
> 
> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
> 
>> This is a candidate for backport to 4.9.
> 
> Please let me know when it is committed and I will add it to my
> backport list.

I have the original one on mine already, so I can easily add this
one then as well; perhaps I would want to even fold the two into
just a single (good) commit.

Jan

Patch

diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c b/tools/fuzz/x86_instruction_emulator/afl-harness.c
index b4d15451b5..57b4542556 100644
--- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
@@ -77,6 +77,17 @@  int main(int argc, char **argv)
                 exit(-1);
             }
         }
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+        else
+        {
+            /* 
+             * This will ensure we're dealing with a clean stream
+             * state after the afl-fuzz process messes with the open
+             * file handle.
+             */
+            fseek(fp, 0, SEEK_SET);
+        }
+#endif
 
         size = fread(input, 1, INPUT_SIZE, fp);
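Review bot: the fseek(fp, 0, SEEK_SET) added in the new else branch clears the end-of-file indicator, but the C standard does not say it clears the error indicator, so the subject line's "Clear errors" overstates what the call does; if a failed read ever sets ferror() on the shared stream it will outlive the iteration. rewind(fp) does both (it is fseek(fp, 0L, SEEK_SET) followed by clearerr(fp)), or keep the fseek and add an explicit clearerr(fp). The return value of fseek is also discarded; the feof()-based size check that follows the fread() below is only meaningful if the seek succeeded, so at minimum test for -1 and exit(-1) as the surrounding error paths do. Minor: the `/* ` line of the new comment carries trailing whitespace.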