authorDmitry Vyukov <dvyukov@google.com>2018-05-14 11:17:58 +0200
committerDmitry Vyukov <dvyukov@google.com>2018-05-14 11:17:58 +0200
commitfaf3e3d2299100f0fccf2f6187d58e398cab06be (patch)
treedbf468be98cbcc72b4b88104c572fe8e821a8146 /executor/executor.h
parentd5dc4006db71f4d27934000be3a499d9e56ff7fe (diff)
executor: filter out invalid PCs on linux/x86_64
Fuzzer manages to corrupt output region and write random coverage again and again. Do a sanity range check on coverage PCs to filter out invalid ones.
Diffstat (limited to 'executor/executor.h')
-rw-r--r--executor/executor.h10
1 files changed, 7 insertions, 3 deletions
diff --git a/executor/executor.h b/executor/executor.h
index 6210fa136..c12f4f169 100644
--- a/executor/executor.h
+++ b/executor/executor.h
@@ -183,6 +183,8 @@ void cover_open();
void cover_enable(thread_t* th);
void cover_reset(thread_t* th);
uint32 read_cover_size(thread_t* th);
+bool cover_check(uint32 pc);
+bool cover_check(uint64 pc);
static uint32 hash(uint32 a);
static bool dedup(uint32 sig);
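Review bot: The two new `cover_check` overloads carry no contract, and since this is the header the implementation is not visible here, so a caller cannot tell what "valid" means or what a false return implies for the rest of the coverage buffer. A short comment above them would help, e.g. `// Returns false for a PC outside the range the target kernel text can occupy; callers treat such a PC as a sign that the coverage region is corrupted.` Naming the platform the range is derived from (the title says linux/x86_64) in that comment would also tell readers which builds the filter is meaningful on.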
@@ -494,10 +496,12 @@ void write_coverage_signal(thread_t* th, uint32* signal_count_pos, uint32* cover
// Currently it is code edges computed as xor of two subsequent basic block PCs.
cover_t* cover_data = ((cover_t*)th->cover_data) + 1;
uint32 nsig = 0;
- uint32 prev = 0;
+ cover_t prev = 0;
for (uint32 i = 0; i < th->cover_size; i++) {
- uint32 pc = cover_data[i];
- uint32 sig = pc ^ prev;
+ cover_t pc = cover_data[i];
+ if (!cover_check(pc))
+ break;
+ cover_t sig = pc ^ prev;
prev = hash(pc);
if (dedup(sig))
continue;
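Review bot: Widening `prev`, `pc` and `sig` to `cover_t` while `hash()` and `dedup()` still take `uint32` means `prev = hash(pc);` and `if (dedup(sig))` now narrow implicitly whenever `cover_t` is 64 bits, so the upper half of the PC never reaches the signal. If that truncation is intended, make it explicit so -Wconversion and readers see it, e.g. `prev = hash((uint32)pc);` and `if (dedup((uint32)sig))`; otherwise `hash`/`dedup` should take `cover_t`. Stopping at the first PC that fails `cover_check` is a defensible response to a corrupted output region, but it silently drops the rest of the buffer and cannot catch corrupted values that happen to land inside the valid range, so a comment such as `// A PC outside the kernel text range means the region is corrupted; do not trust what follows.` plus a debug-visible counter would make the condition observable rather than invisible. `write_coverage_signal` begins before this hunk and continues after it.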