[xen stable-4.9] fuzz/x86_emulate: clear errors after each iteration

commit a8377a38217025d969100241bc29d4ee20cbcf14
Author:     George Dunlap <[hidden email]>
AuthorDate: Tue Oct 24 16:13:22 2017 +0200
Commit:     Jan Beulich <[hidden email]>
CommitDate: Tue Oct 24 16:13:22 2017 +0200

    fuzz/x86_emulate: clear errors after each iteration

    Once feof() returns true for a stream, it will continue to return true
    for that stream until clearerr() is called (or the stream is closed
    and re-opened).

    In llvm-clang-fast-mode, the same file descriptor is used for each
    iteration of the loop, meaning that the "Input too large" check was
    broken -- feof() would return true even if the fread() hadn't hit the
    end of the file.  The result is that AFL generates testcases of
    arbitrary size.

    Fix this by clearing the error after each iteration.

    Signed-off-by: George Dunlap <[hidden email]>
    Reviewed-by: Jan Beulich <[hidden email]>

    fuzz/x86_emulate: Clear errors in the officially sanctioned way

    Commit 849a1f10c9 was checked in inappropriately; review flagged up
    that clearerr() was too big a hammer, as it would clear both the EOF
    flag and stream errors.

    Stream errors shouldn't be cleared; we only want the EOF and other
    stream-related state reset.  To do this, it is sufficient to fseek()
    to zero.

    Signed-off-by: George Dunlap <[hidden email]>
    Acked-by: Andrew Cooper <[hidden email]>

    master commit: 849a1f10c937ce0782db95b85da391a49317c49e
    master date: 2017-10-09 16:04:11 +0200
    master commit: cf72cfb0c8513c3f83dc9541312b12e7325f5c02
    master date: 2017-10-11 23:35:21 +0100
 tools/fuzz/x86_instruction_emulator/afl-harness.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
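To see the sticky-EOF problem the commit message describes, and how the fseek() reset cures it, here is an added C example that is not code from the Xen tree or from this patch. It assumes the harness's "Input too large" check is "EOF not reached after the fread()", uses a tiny INPUT_SIZE, and stands in for afl-fuzz rewriting the input file with direct ftruncate()/pwrite()/lseek() calls on the descriptor; afl_rewrite_input, harness_iteration and oversized_accepted are hypothetical names.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define INPUT_SIZE 16   /* tiny cap so an oversized case needs few bytes */

/* Stand-in for afl-fuzz refreshing the shared input file behind libc's
 * back: truncate, rewrite and rewind the descriptor without touching the
 * FILE*, so whatever EOF indicator stdio recorded survives. */
static bool afl_rewrite_input(FILE *fp, const char *data, size_t len)
{
    int fd = fileno(fp);
    return ftruncate(fd, 0) == 0 &&
           pwrite(fd, data, len, 0) == (ssize_t)len &&
           lseek(fd, 0, SEEK_SET) == 0;
}

/* One harness iteration.  Assumed form of the "Input too large" check:
 * if fread() did not reach EOF, the testcase exceeds INPUT_SIZE.  With
 * reset set, the iteration starts with the fseek() the patch adds.
 * Returns true if the testcase was accepted. */
static bool harness_iteration(FILE *fp, bool reset)
{
    unsigned char input[INPUT_SIZE];
    if ( reset && fseek(fp, 0, SEEK_SET) != 0 )
        return false;                     /* non-seekable stream: refuse */
    fread(input, 1, INPUT_SIZE, fp);
    if ( ferror(fp) )
        return false;
    return feof(fp);                      /* !feof() => "Input too large" */
}

/* Two persistent-mode iterations on one stream: a small testcase, then
 * one larger than INPUT_SIZE.  Returns whether the oversized second one
 * slipped past the size check; without fseek() the EOF indicator left by
 * iteration one is still set, so it always does. */
static bool oversized_accepted(bool reset)
{
    FILE *fp = tmpfile();
    char big[INPUT_SIZE + 8];
    bool accepted = false;
    if ( !fp )
        return false;
    memset(big, 'B', sizeof(big));
    if ( afl_rewrite_input(fp, "small", 5) && harness_iteration(fp, reset) &&
         afl_rewrite_input(fp, big, sizeof(big)) )
        accepted = harness_iteration(fp, reset);
    fclose(fp);
    return accepted;
}
```

fseek() clears only the EOF indicator, which is why the second commit prefers it to clearerr(): a genuine stream error still shows up in ferror() on the next iteration.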

diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c b/tools/fuzz/x86_instruction_emulator/afl-harness.c
index 1548693..31ae1da 100644
--- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
@@ -77,6 +77,17 @@ int main(int argc, char **argv)
+        else
+        {
+            /*
+             * This will ensure we're dealing with a clean stream
+             * state after the afl-fuzz process messes with the open
+             * file handle.
+             */
+            fseek(fp, 0, SEEK_SET);
+        }
         size = fread(input, 1, INPUT_SIZE, fp);
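Review bot: the return value of the added `fseek(fp, 0, SEEK_SET);` is discarded. If fp is not seekable (stdin on a pipe, for instance) the call fails with ESPIPE, the EOF indicator stays set, and the "Input too large" check the commit message describes is silently back in its broken state. Suggest testing the result and bailing out, e.g. `if ( fseek(fp, 0, SEEK_SET) != 0 ) { perror("fseek"); exit(-1); }`, or at least saying in the comment that this branch assumes a regular, seekable file. The comment's "clean stream state" also overstates what happens: fseek() resets the read position and the EOF indicator and deliberately leaves the error indicator alone, so wording it that way would match the second commit message. The leading `else` pairs with an `if` outside the visible context, so which path skips the reset cannot be checked from this hunk.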
generated by git-patchbot for /home/xen/git/xen.git#stable-4.9

Xen-changelog mailing list
[hidden email]