From faf3e3d2299100f0fccf2f6187d58e398cab06be Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Mon, 14 May 2018 11:17:58 +0200
Subject: executor: filter out invalid PCs on linux/x86_64

Fuzzer manages to corrupt output region and write random coverage again and again. Do a sanity range check on coverage PCs to filter out invalid ones.
---
 executor/executor.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'executor/executor.h')

diff --git a/executor/executor.h b/executor/executor.h
index 6210fa136..c12f4f169 100644
--- a/executor/executor.h
+++ b/executor/executor.h
@@ -183,6 +183,8 @@ void cover_open();
 void cover_enable(thread_t* th);
 void cover_reset(thread_t* th);
 uint32 read_cover_size(thread_t* th);
+bool cover_check(uint32 pc);
+bool cover_check(uint64 pc);
 static uint32 hash(uint32 a);
 static bool dedup(uint32 sig);
@@ -494,10 +496,12 @@ void write_coverage_signal(thread_t* th, uint32* signal_count_pos, uint32* cover
 	// Currently it is code edges computed as xor of two subsequent basic block PCs.
 	cover_t* cover_data = ((cover_t*)th->cover_data) + 1;
 	uint32 nsig = 0;
-	uint32 prev = 0;
+	cover_t prev = 0;
 	for (uint32 i = 0; i < th->cover_size; i++) {
-		uint32 pc = cover_data[i];
-		uint32 sig = pc ^ prev;
+		cover_t pc = cover_data[i];
+		if (!cover_check(pc))
+			break;
+		cover_t sig = pc ^ prev;
 		prev = hash(pc);
 		if (dedup(sig))
 			continue;
-- 
cgit mrf-deployment
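Review bot: The two new `cover_check` overloads carry no contract, and since this header is the only place a reader sees them, the notion of "valid PC" stays undefined here. Suggest a comment above the declarations such as `// Returns false when pc lies outside the range a genuine coverage PC can have on this target; callers treat that as corruption of the coverage/output region.` The definitions are not in this patch; given the subject line names linux/x86_64, they presumably live in a target-specific file, and because the call in write_coverage_signal below is unconditional, every target the executor builds for must provide both overloads or the link fails — worth confirming. The same naming note applies to the second hunk, where the call site would benefit from that contract being visible.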
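Review bot: The widening of `prev`, `pc` and `sig` to `cover_t` is silently undone on the two lines after the check: `prev = hash(pc);` narrows `pc` to `uint32` (hash takes `uint32 a`) and `if (dedup(sig))` narrows `sig` to `uint32` (dedup takes `uint32 sig`), so when `cover_t` is 64-bit only `cover_check` ever sees the high half and the signal computed is still 32-bit. If that truncation is intended it should be explicit, e.g. `prev = hash((uint32)pc);` and `if (dedup((uint32)sig))`, with a comment stating that signal is deliberately 32-bit; if not, hash and dedup need the wider type. Separately, the `break` on a failed check silently drops the remainder of the buffer; a one-line comment such as `// A PC outside the valid range means the output region is corrupted, so the rest of this buffer cannot be trusted either.` would record why this is not `continue`, and a debug-level message here would make recurring corruption visible instead of showing up only as missing coverage. The enclosing loop and write_coverage_signal continue past the end of the hunk.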