| author | Dmitry Vyukov <dvyukov@google.com> | 2018-05-14 11:17:58 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-05-14 11:17:58 +0200 |
| commit | faf3e3d2299100f0fccf2f6187d58e398cab06be (patch) | |
| tree | dbf468be98cbcc72b4b88104c572fe8e821a8146 /executor | |
| parent | d5dc4006db71f4d27934000be3a499d9e56ff7fe (diff) | |
executor: filter out invalid PCs on linux/x86_64
The fuzzer manages to corrupt the output region and write random coverage again and again.
Do a sanity range check on coverage PCs to filter out invalid ones.
Diffstat (limited to 'executor')
| -rw-r--r-- | executor/executor.h | 10 | ||||
| -rw-r--r-- | executor/executor_akaros.cc | 10 | ||||
| -rw-r--r-- | executor/executor_bsd.cc | 10 | ||||
| -rw-r--r-- | executor/executor_fuchsia.cc | 10 | ||||
| -rw-r--r-- | executor/executor_linux.cc | 15 | ||||
| -rw-r--r-- | executor/executor_windows.cc | 10 |
6 files changed, 62 insertions, 3 deletions
diff --git a/executor/executor.h b/executor/executor.h
index 6210fa136..c12f4f169 100644
--- a/executor/executor.h
+++ b/executor/executor.h
@@ -183,6 +183,8 @@ void cover_open();
 void cover_enable(thread_t* th);
 void cover_reset(thread_t* th);
 uint32 read_cover_size(thread_t* th);
+bool cover_check(uint32 pc);
+bool cover_check(uint64 pc);
 static uint32 hash(uint32 a);
 static bool dedup(uint32 sig);
@@ -494,10 +496,12 @@ void write_coverage_signal(thread_t* th, uint32* signal_count_pos, uint32* cover
 // Currently it is code edges computed as xor of two subsequent basic block PCs.
 cover_t* cover_data = ((cover_t*)th->cover_data) + 1;
 uint32 nsig = 0;
- uint32 prev = 0;
+ cover_t prev = 0;
 for (uint32 i = 0; i < th->cover_size; i++) {
- uint32 pc = cover_data[i];
- uint32 sig = pc ^ prev;
+ cover_t pc = cover_data[i];
+ if (!cover_check(pc))
+ break;
+ cover_t sig = pc ^ prev;
 prev = hash(pc);
 if (dedup(sig))
 continue;
diff --git a/executor/executor_akaros.cc b/executor/executor_akaros.cc
index 70940dbb4..4523b736a 100644
--- a/executor/executor_akaros.cc
+++ b/executor/executor_akaros.cc
@@ -96,6 +96,16 @@ uint32 read_cover_size(thread_t* th)
 return 0;
 }
+bool cover_check(uint32 pc)
+{
+ return true;
+}
+
+bool cover_check(uint64 pc)
+{
+ return true;
+}
+
 uint32* write_output(uint32 v)
 {
 return &output;
diff --git a/executor/executor_bsd.cc b/executor/executor_bsd.cc
index 642b6a223..0e8767626 100644
--- a/executor/executor_bsd.cc
+++ b/executor/executor_bsd.cc
@@ -220,6 +220,16 @@ uint32 read_cover_size(thread_t* th)
 #endif
 }
+bool cover_check(uint32 pc)
+{
+ return true;
+}
+
+bool cover_check(uint64 pc)
+{
+ return true;
+}
+
 uint32* write_output(uint32 v)
 {
 if (collide)
diff --git a/executor/executor_fuchsia.cc b/executor/executor_fuchsia.cc
index 506b65015..b0d4f0eef 100644
--- a/executor/executor_fuchsia.cc
+++ b/executor/executor_fuchsia.cc
@@ -56,6 +56,16 @@ uint32 read_cover_size(thread_t* th)
 return 0;
 }
+bool cover_check(uint32 pc)
+{
+ return true;
+}
+
+bool cover_check(uint64 pc)
+{
+ return true;
+}
+
 uint32* write_output(uint32 v)
 {
 return &output;
diff --git a/executor/executor_linux.cc b/executor/executor_linux.cc
index d9e84a66a..4b88946dd 100644
--- a/executor/executor_linux.cc
+++ b/executor/executor_linux.cc
@@ -188,6 +188,21 @@ uint32 read_cover_size(thread_t* th)
 return n;
 }
+bool cover_check(uint32 pc)
+{
+ return true;
+}
+
+bool cover_check(uint64 pc)
+{
+#if defined(__i386__) || defined(__x86_64__)
+ // Text/modules range for x86_64.
+ return pc >= 0xffffffff80000000ull && pc < 0xffffffffff000000ull;
+#else
+ return true;
+#endif
+}
+
 uint32* write_output(uint32 v)
 {
 if (collide)
diff --git a/executor/executor_windows.cc b/executor/executor_windows.cc
index 57c40279b..bb3848f33 100644
--- a/executor/executor_windows.cc
+++ b/executor/executor_windows.cc
@@ -59,6 +59,16 @@ uint32 read_cover_size(thread_t* th)
 return 0;
 }
+bool cover_check(uint32 pc)
+{
+ return true;
+}
+
+bool cover_check(uint64 pc)
+{
+ return true;
+}
+
 uint32* write_output(uint32 v)
 {
 return &output; |
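Review bot: In the write_coverage_signal hunk of executor.h, the new `if (!cover_check(pc)) break;` silently discards the remainder of the coverage buffer on the first out-of-range PC, so the corruption the commit message describes leaves no trace in the executor's output. Counting how many entries were dropped and reporting that through the executor's debug output would let a corrupted output region be noticed instead of quietly producing less signal; at minimum the intent deserves a comment, e.g. `// Treat the first out-of-range PC as the start of a corrupted region and drop the rest.` Note also that `pc` and `sig` are now `cover_t` while the prototypes added earlier in this file keep `hash(uint32 a)` and `dedup(uint32 sig)`, so with a 64-bit cover_t both calls narrow to the low 32 bits implicitly; if that is intended, an explicit `(uint32)` cast at the call sites would document it. The body of write_coverage_signal starts and ends outside this hunk.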
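Review bot: In executor_linux.cc the `#if defined(__i386__) || defined(__x86_64__)` guard on `cover_check(uint64 pc)` applies an x86_64-only address range to i386 as well, where kernel PCs do not fall in `0xffffffff80000000`–`0xffffffffff000000`; that overload is presumably never reached with 32-bit coverage on i386, but narrowing the guard to `#if defined(__x86_64__)` makes the code match its own comment. The `cover_check(uint32 pc)` overload returns true unconditionally, so the sanity check the commit message promises only takes effect when 64-bit coverage is in use; a one-line comment such as `// No range check for 32-bit coverage; only 64-bit PCs are filtered.` would make that limitation visible to the next reader. The range constants also encode a specific kernel address layout, so the comment should say what they cover, e.g. `// Kernel text and module mapping range on x86_64.`, so that a change in the kernel's layout is recognisable as the reason coverage starts being dropped. The same unconditional `return true` stubs appear in the akaros, bsd, fuchsia and windows hunks and would benefit from the same one-line note.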
