ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-12 18:18:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Integer overflow/underflow fixes in libdislocator (#889)

Browse Source 
* libdislocator: fixing integer overflow in 'max_mem' variable and setting 'max_mem' type to 'size_t'

* libdislocator: fixing potential integer underflow in 'total_mem' variable due to its different values in different threads
This commit is contained in:
Dmitry Zheregelya
2021-04-28 18:42:20 +03:00
committed by GitHub
parent da65eef572
commit f112357e61
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
utils/libdislocator/libdislocator.so.c
View File

@ -144,7 +144,7 @@ typedef struct {
/* Configurable stuff (use AFL_LD_* to set): */ /* Configurable stuff (use AFL_LD_* to set): */
static u32 max_mem = MAX_ALLOC; /* Max heap usage to permit */ static size_t max_mem = MAX_ALLOC; /* Max heap usage to permit */
static u8 alloc_verbose, /* Additional debug messages */ static u8 alloc_verbose, /* Additional debug messages */
hard_fail, /* abort() when max_mem exceeded? */ hard_fail, /* abort() when max_mem exceeded? */
no_calloc_over, /* abort() on calloc() overflows? */ no_calloc_over, /* abort() on calloc() overflows? */
@ -154,7 +154,7 @@ static u8 alloc_verbose, /* Additional debug messages */
#define __thread #define __thread
#warning no thread support available #warning no thread support available
#endif #endif
static __thread size_t total_mem; /* Currently allocated mem */ static _Atomic size_t total_mem; /* Currently allocated mem */
static __thread u32 call_depth; /* To avoid recursion via fprintf() */ static __thread u32 call_depth; /* To avoid recursion via fprintf() */
static u32 alloc_canary; static u32 alloc_canary;
@ -172,9 +172,9 @@ static void *__dislocator_alloc(size_t len) {
if (total_mem + len > max_mem || total_mem + len < total_mem) { if (total_mem + len > max_mem || total_mem + len < total_mem) {
if (hard_fail) FATAL("total allocs exceed %u MB", max_mem / 1024 / 1024); if (hard_fail) FATAL("total allocs exceed %zu MB", max_mem / 1024 / 1024);
DEBUGF("total allocs exceed %u MB, returning NULL", max_mem / 1024 / 1024); DEBUGF("total allocs exceed %zu MB, returning NULL", max_mem / 1024 / 1024);
return NULL; return NULL;
@ -500,19 +500,20 @@ size_t malloc_usable_size(const void *ptr) {
__attribute__((constructor)) void __dislocator_init(void) { __attribute__((constructor)) void __dislocator_init(void) {
u8 *tmp = (u8 *)getenv("AFL_LD_LIMIT_MB"); char *tmp = getenv("AFL_LD_LIMIT_MB");
if (tmp) { if (tmp) {
u8 *tok; char *tok;
s32 mmem = (s32)strtol((char *)tmp, (char **)&tok, 10); unsigned long long mmem = strtoull(tmp, &tok, 10);
if (*tok != '\0' || errno == ERANGE) FATAL("Bad value for AFL_LD_LIMIT_MB"); if (*tok != '\0' || errno == ERANGE || mmem > SIZE_MAX / 1024 / 1024)
FATAL("Bad value for AFL_LD_LIMIT_MB");
max_mem = mmem * 1024 * 1024; max_mem = mmem * 1024 * 1024;
} }
alloc_canary = ALLOC_CANARY; alloc_canary = ALLOC_CANARY;
tmp = (u8 *)getenv("AFL_RANDOM_ALLOC_CANARY"); tmp = getenv("AFL_RANDOM_ALLOC_CANARY");
if (tmp) arc4random_buf(&alloc_canary, sizeof(alloc_canary)); if (tmp) arc4random_buf(&alloc_canary, sizeof(alloc_canary));
@ -549,4 +550,3 @@ void *erealloc(void *ptr, size_t len) {
return realloc(ptr, len); return realloc(ptr, len);
} }