[libFuzzer] implement strncmp hook for data-flow-guided fuzzing (w/ and w/o dfsan), add a test

llvm-svn: 243611
2024-11-23 03:02:36 +01:00 · 2015-07-30 02:33:45 +00:00 · 2015-07-30 02:33:45 +00:00 · 433c6e8b4b
commit 433c6e8b4b
parent 1dbdf92b9c
6 changed files with 45 additions and 4 deletions
--- a/lib/Fuzzer/FuzzerTraceState.cpp
+++ b/lib/Fuzzer/FuzzerTraceState.cpp
@ -138,7 +138,9 @@ static bool ComputeCmp(size_t CmpSize, size_t CmpType, uint64_t Arg1,
  if (CmpSize == 4) return ComputeCmp<uint32_t, int32_t>(CmpType, Arg1, Arg2);
  if (CmpSize == 2) return ComputeCmp<uint16_t, int16_t>(CmpType, Arg1, Arg2);
  if (CmpSize == 1) return ComputeCmp<uint8_t, int8_t>(CmpType, Arg1, Arg2);
-  assert(0 && "unsupported type size");
+  // Other size, ==
+  if (CmpType == ICMP_EQ) return Arg1 == Arg2;
+  assert(0 && "unsupported cmp and type size combination");
  return true;
 }

@ -394,6 +396,12 @@ void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
  TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
 }

+void dfsan_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2,
+                             size_t n, dfsan_label s1_label,
+                             dfsan_label s2_label, dfsan_label n_label) {
+  dfsan_weak_hook_memcmp(caller_pc, s1, s2, n, s1_label, s2_label, n_label);
+}
+
 void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
                                  const void *s2, size_t n) {
  if (!TS) return;
@ -403,7 +411,11 @@ void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
  memcpy(&S1, s1, std::min(n, sizeof(S1)));
  memcpy(&S2, s2, std::min(n, sizeof(S2)));
  TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
-  // fuzzer::Printf("ZZZ %p %p %zd\n", s1, s2, n);
+}
+
+void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
+                                   const char *s2, size_t n) {
+  __sanitizer_weak_hook_memcmp(caller_pc, s1, s2, n);
 }

 void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
--- a/lib/Fuzzer/test/CMakeLists.txt
+++ b/lib/Fuzzer/test/CMakeLists.txt
@ -7,6 +7,7 @@ set(CMAKE_CXX_FLAGS_RELEASE "${LIBFUZZER_FLAGS_BASE} -O0 -fsanitize-coverage=edg
 set(DFSanTests
  MemcmpTest
  SimpleCmpTest
+  StrncmpTest
  )

 set(Tests
@ -19,6 +20,7 @@ set(Tests
  NullDerefTest
  SimpleCmpTest
  SimpleTest
+  StrncmpTest
  TimeoutTest
  )

--- a/lib/Fuzzer/test/MemcmpTest.cpp
+++ b/lib/Fuzzer/test/MemcmpTest.cpp
@ -9,8 +9,10 @@ extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (Size >= 8 && memcmp(Data, "01234567", 8) == 0) {
    if (Size >= 12 && memcmp(Data + 8, "ABCD", 4) == 0) {
      if (Size >= 14 && memcmp(Data + 12, "XY", 2) == 0) {
-        fprintf(stderr, "BINGO\n");
-        exit(1);
+        if (Size >= 16 && memcmp(Data + 14, "KLM", 3) == 0) {
+          fprintf(stderr, "BINGO\n");
+          exit(1);
+        }
      }
    }
  }
--- a/lib/Fuzzer/test/StrncmpTest.cpp
+++ b/lib/Fuzzer/test/StrncmpTest.cpp
@ -0,0 +1,20 @@
+// Simple test for a fuzzer. The fuzzer must find a particular string.
+#include <cstring>
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+
+extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  // TODO: check other sizes.
+  char *S = (char*)Data;
+  if (Size >= 8 && strncmp(S, "01234567", 8) == 0) {
+    if (Size >= 12 && strncmp(S + 8, "ABCD", 4) == 0) {
+      if (Size >= 14 && strncmp(S + 12, "XY", 2) == 0) {
+        if (Size >= 16 && strncmp(S + 14, "KLM", 3) == 0) {
+          fprintf(stderr, "BINGO\n");
+          exit(1);
+        }
+      }
+    }
+  }
+}
--- a/lib/Fuzzer/test/fuzzer-dfsan.test
+++ b/lib/Fuzzer/test/fuzzer-dfsan.test
@ -7,3 +7,5 @@ RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -
 RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback

+RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
+RUN: LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
--- a/lib/Fuzzer/test/fuzzer.test
+++ b/lib/Fuzzer/test/fuzzer.test
@ -28,3 +28,6 @@ RUN: not LLVMFuzzer-UserSuppliedFuzzerTest -seed=1 -timeout=15 2>&1 | FileCheck
 RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
 RUN:     LLVMFuzzer-MemcmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
 Done1000000: Done 1000000 runs in
+
+RUN: not LLVMFuzzer-StrncmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
+RUN:     LLVMFuzzer-StrncmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000