tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix fuzzer so it doesn't add overlapping maps.

Browse source 
The fuzzer was creating individual maps that overlapped with other maps.
Since this is not possible in the real world unless the kernel is broken,
do not let the fuzzer do this. This resulted in memory leaks, because some
parts of the code have this assumption baked in.

Bug: 160895854

Test: Ran fuzzer test case that leaked memory and verified it no longer does.
Change-Id: I9f3c1e28781093b041b747e1566fb51d40d2bf71
This commit is contained in:
Christopher Ferris 2020-08-04 13:58:43 -07:00
parent fe8dec0447
commit 63525c8d6c
1 changed files with 23 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
libunwindstack/tests/fuzz/UnwinderComponentCreator.cpp
View file

@ -16,6 +16,11 @@
#include "UnwinderComponentCreator.h"
#include <map>
#include <memory>
#include <string>
#include <vector>
std::unique_ptr<Regs> GetRegisters(ArchEnum arch) {
switch (arch) {
case unwindstack::ARCH_ARM: {
@ -109,13 +114,28 @@ ElfFake* PopulateElfFake(FuzzedDataProvider* data_provider) {
return elf;
}
static constexpr size_t kPageSize = 4096;
static constexpr uint64_t AlignToPage(uint64_t address) {
return (address + kPageSize - 1) & ~(kPageSize - 1);
}
std::unique_ptr<Maps> GetMaps(FuzzedDataProvider* data_provider) {
std::unique_ptr<Maps> maps = std::make_unique<Maps>();
std::map<uint64_t, uint64_t> map_ends;
uint8_t entry_count = data_provider->ConsumeIntegralInRange<uint8_t>(0, kMaxMapEntryCount);
for (uint8_t i = 0; i < entry_count; i++) {
uint64_t start = data_provider->ConsumeIntegral<uint64_t>();
uint64_t end = data_provider->ConsumeIntegralInRange<uint64_t>(start, UINT64_MAX);
uint64_t offset = data_provider->ConsumeIntegral<uint64_t>();
uint64_t start = AlignToPage(data_provider->ConsumeIntegral<uint64_t>());
uint64_t end = AlignToPage(data_provider->ConsumeIntegralInRange<uint64_t>(start, UINT64_MAX));
// Make sure not to add overlapping maps, that is not something that can
// happen in the real world.
auto entry = map_ends.upper_bound(start);
if (entry != map_ends.end() && end > entry->second) {
continue;
}
map_ends[end] = start;
uint64_t offset = AlignToPage(data_provider->ConsumeIntegral<uint64_t>());
std::string map_info_name = data_provider->ConsumeRandomLengthString(kMaxMapInfoNameLen);
uint8_t flags = PROT_READ | PROT_WRITE;