From a5dbd430e216c19b40593c047b622c3a8149a41d Mon Sep 17 00:00:00 2001
From: Yuchuan Liu
Date: Fri, 24 Jun 2022 00:51:09 +0800
Subject: syz-manager, executor: fix out-of-bound access due to NextInstructionPC
---
 executor/cov_filter.h | 2 +-
 syz-manager/covfilter.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/executor/cov_filter.h b/executor/cov_filter.h
index f43b57738..61f8f9e3f 100644
--- a/executor/cov_filter.h
+++ b/executor/cov_filter.h
@@ -31,7 +31,7 @@ static void init_coverage_filter(char* filename)
 cov_filter = (cov_filter_t*)mmap(preferred, st.st_size, PROT_READ, MAP_PRIVATE, f, 0);
 if (cov_filter != preferred)
 failmsg("failed to mmap coverage filter bitmap", "want=%p, got=%p", preferred, cov_filter);
- if ((uint32)st.st_size != sizeof(uint32) * 2 + ((cov_filter->pcsize >> 4) / 8 + 1))
+ if ((uint32)st.st_size != sizeof(uint32) * 2 + ((cov_filter->pcsize >> 4) / 8 + 2))
 fail("bad coverage filter bitmap size");
 close(f);
 }
diff --git a/syz-manager/covfilter.go b/syz-manager/covfilter.go
index 6cf70fffa..bad615cce 100644
--- a/syz-manager/covfilter.go
+++ b/syz-manager/covfilter.go
@@ -134,9 +134,9 @@ func createCoverageBitmap(target *targets.Target, pcs map[uint32]uint32) []byte
 start, size := coverageFilterRegion(pcs)
 log.Logf(0, "coverage filter from 0x%x to 0x%x, size 0x%x, pcs %v", start, start+size, size, len(pcs))
 // The file starts with two uint32: covFilterStart and covFilterSize,
- // and a bitmap with size ((covFilterSize>>4)/8+1 bytes follow them.
+ // and a bitmap with size ((covFilterSize>>4)/8+2 bytes follow them.
 // 8-bit = 1-byte
- data := make([]byte, 8+((size>>4)/8+1))
+ data := make([]byte, 8+((size>>4)/8+2))
 order := binary.ByteOrder(binary.BigEndian)
 if target.LittleEndian {
 order = binary.LittleEndian
-- cgit mrf-deployment
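Review bot: The size check in init_coverage_filter now encodes the bitmap length with the bare literal `+ 2` and gives no reason why two slack bytes are needed, and the same literal is repeated independently in createCoverageBitmap in syz-manager/covfilter.go (the second hunk), so the two sides can only stay in step by hand. The commit subject suggests the extra byte exists because a bitmap index derived from NextInstructionPC can land past the old end, but that rationale is not recorded in either hunk, and a later edit to one file alone would either trip this `fail` on every run or, if the check were loosened, reintroduce the out-of-bound read the commit fixes. A comment on the check, `// Must match createCoverageBitmap in syz-manager/covfilter.go: two uint32 headers plus (pcsize>>4)/8+2 bitmap bytes; the +2 covers indices derived from NextInstructionPC (see commit a5dbd430).`, would tie the constants together. Separately, `cov_filter->pcsize` is dereferenced before the file size has been validated, so a truncated filter file shorter than the two header words is compared against whatever the mapping holds past EOF; testing `st.st_size >= sizeof(uint32) * 2` before the dereference would make the header read itself safe. init_coverage_filter begins before the hunk, so the `st`/`f` setup is not reviewed here.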
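Review bot: The updated comment in createCoverageBitmap has an unbalanced parenthesis and still describes the layout as a formula that must be kept in sync by hand with the executor's check in executor/cov_filter.h; `// and a bitmap of (covFilterSize>>4)/8+2 bytes follows them (the +2 must match init_coverage_filter in executor/cov_filter.h).` reads correctly and names the other side. The `// 8-bit = 1-byte` line explains the `/8` no better than the expression itself; something like `// one bit per 16-byte PC bucket, packed 8 per byte` would, if that is the intended meaning of `>>4` — the bucketing is not visible in this hunk. The same `+2` could be a named constant, `const covFilterBitmapSlack = 2`, used in both the comment and the `make` call so that the slack is defined once. createCoverageBitmap continues past the hunk, so the loop that sets bits and actually determines how much slack is needed is not reviewed here.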