
[Xen-changelog] [xen master] tools/insn-fuzz: Don't hit memcpy() for zero-length reads



commit 654740b4bd8dfb358a9cf6876e60b79395a1d1fb
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Mar 2 18:36:54 2017 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Thu Apr 6 18:42:49 2017 +0100

    tools/insn-fuzz: Don't hit memcpy() for zero-length reads
    
    For control-flow changes, the emulator needs to perform a zero-length
    instruction fetch at the target offset.  It also passes NULL for the
    destination buffer, as there is no instruction stream to collect.
    
    This trips up UBSAN when passed to memcpy(), as passing NULL is undefined
    behaviour per the C spec (irrespective of passing a size of 0).
    
    Special case these fetches in fuzz_insn_fetch() before reaching data_read().
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Acked-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
 tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index 65c5a3b..64b7fb2 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -117,6 +117,16 @@ static int fuzz_insn_fetch(
     unsigned int bytes,
     struct x86_emulate_ctxt *ctxt)
 {
+    /*
+     * Zero-length instruction fetches are made at the destination of jumps,
+     * to perform segmentation checks.  No data needs returning.
+     */
+    if ( bytes == 0 )
+    {
+        assert(p_data == NULL);
+        return maybe_fail("insn_fetch", true);
+    }
+
     return data_read("insn_fetch", p_data, bytes);
 }
 
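Review bot: the `assert(p_data == NULL)` inside the new `if ( bytes == 0 )` branch is the only thing tying the zero-length case to a NULL buffer, and it disappears in any build where assert() is compiled out, so a caller passing bytes == 0 with a non-NULL p_data would then be accepted silently while the converse case (bytes != 0 with NULL p_data) still falls through to data_read() and hits the same undefined memcpy() the commit message describes. Consider stating that contract in the block comment ("bytes == 0 implies p_data == NULL; non-zero fetches still go through data_read()"), or making the early return keyed on `p_data == NULL` as well so the NULL pointer can never reach memcpy() regardless of build flags. Also worth confirming that the `true` passed to `maybe_fail("insn_fetch", true)` gives the zero-length fetch the same injected-failure behaviour that the data_read() path would have produced, so the fuzzer does not lose coverage of a failing fetch at a jump target.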
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
