[Xen-devel] [PATCH 03/10] tools/insn-fuzz: Don't use memcpy() for zero-length reads
For control-flow changes, the emulator needs to perform a zero-length
instruction fetch at the target offset. It also passes NULL for the
destination buffer, as there is no instruction stream to collect.
This trips up UBSAN, even with a size of 0. Exclude zero-length reads from
using memcpy(), rather than excluding NULL destination pointers, to still
catch unintentional uses of NULL.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Jan Beulich <JBeulich@xxxxxxxx>
CC: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
CC: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>
---
tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index 890642c..cbdb3dd 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -77,7 +77,7 @@ static int data_read(const char *why, void *dst, unsigned int
bytes)
else
rc = maybe_fail(why, true);
- if ( rc == X86EMUL_OKAY )
+ if ( rc == X86EMUL_OKAY && bytes )
{
memcpy(dst, input.data + data_index, bytes);
data_index += bytes;
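Review bot: the new `&& bytes` condition on the `if` reads like a micro-optimisation rather than a UBSAN workaround, so a one-line comment above it would stop the next reader from "simplifying" it back, e.g. `/* Zero-length fetches pass dst == NULL; keep them away from memcpy() (UBSAN). */`. Skipping `data_index += bytes` inside the guard is harmless, since it adds zero. Guarding on `bytes` rather than on `dst` also keeps a NULL destination with a non-zero length reaching memcpy(), which is the behaviour the commit message asks for.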
--
2.1.4
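The guard the patch introduces, as an added stand-alone example (not Xen's fuzz-emul.c): a simplified stand-in for the harness's data_read() that copies fuzz input into the emulator's buffer, skips memcpy() only when the requested length is zero, and refuses reads past the end of the corpus. The struct, the bounds check in place of the harness's maybe_fail(), and the corpus bytes are constructed for this example; only the X86EMUL_OKAY return value and the shape of the `if` come from the patch.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the emulator's return codes (X86EMUL_OKAY is
 * the one the patch tests; the other value is an assumption). */
#define X86EMUL_OKAY         0
#define X86EMUL_UNHANDLEABLE 1

/* Constructed fuzz-input state: corpus bytes plus a read cursor. */
struct fuzz_input {
    const unsigned char *data;
    size_t len;
    size_t data_index;
};

/*
 * Copy 'bytes' of fuzz input into dst.  A zero-length read (the emulator's
 * instruction fetch at a control-flow target) passes dst == NULL, and
 * memcpy(NULL, p, 0) is what UBSAN reports, so the guard is on 'bytes',
 * not on 'dst'.  A NULL dst with bytes > 0 therefore still reaches memcpy()
 * and is still surfaced as a bug instead of being silently skipped.
 * The bounds check below replaces the harness's maybe_fail() (assumption).
 */
static int data_read(struct fuzz_input *in, void *dst, unsigned int bytes)
{
    int rc;

    if ( in->data_index + bytes > in->len )
        rc = X86EMUL_UNHANDLEABLE;   /* corpus exhausted: refuse the read */
    else
        rc = X86EMUL_OKAY;

    if ( rc == X86EMUL_OKAY && bytes )
    {
        memcpy(dst, in->data + in->data_index, bytes);
        in->data_index += bytes;
    }

    return rc;
}

/* Drive the stand-in over a constructed 4-byte corpus; 0 means all checks passed. */
static int run_example(void)
{
    static const unsigned char corpus[] = { 0x90, 0xcc, 0xc3, 0xf4 };
    struct fuzz_input in = { corpus, sizeof(corpus), 0 };
    unsigned char buf[2];

    /* Zero-length fetch at a branch target: NULL dst, no copy, cursor unchanged. */
    if ( data_read(&in, NULL, 0) != X86EMUL_OKAY || in.data_index != 0 )
        return 1;

    /* Ordinary 2-byte fetch advances the cursor and fills the buffer. */
    if ( data_read(&in, buf, 2) != X86EMUL_OKAY || in.data_index != 2 )
        return 2;
    if ( buf[0] != 0x90 || buf[1] != 0xcc )
        return 3;

    /* A read past the end of the corpus is refused and leaves the cursor alone. */
    if ( data_read(&in, buf, 3) != X86EMUL_UNHANDLEABLE || in.data_index != 2 )
        return 4;

    return 0;
}

int main(void)
{
    return run_example();
}
```

Building this with `-fsanitize=undefined` and removing the `&& bytes` from the guard reproduces the class of report the commit message describes, which is a quick way to confirm that a sanitizer build of a fuzz harness actually exercises the zero-length path.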
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel