From 781e830923bf38b0ffac5d090140787d4e01c65b Mon Sep 17 00:00:00 2001
From: Romain Malmain
Date: Thu, 7 Mar 2024 21:28:28 +0100
Subject: [PATCH] fix cast to c_void of the wrong object. (#1921)
---
 libafl/src/executors/inprocess/inner.rs | 12 +++++++-----
 libafl/src/executors/inprocess/mod.rs | 8 +++++++-
 libafl/src/executors/inprocess/stateful.rs | 8 +++++++-
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/libafl/src/executors/inprocess/inner.rs b/libafl/src/executors/inprocess/inner.rs
index 5069e3894e..8f84d5a4fd 100644
--- a/libafl/src/executors/inprocess/inner.rs
+++ b/libafl/src/executors/inprocess/inner.rs
@@ -102,13 +102,18 @@ where
 S: State,
 {
 /// This function marks the boundary between the fuzzer and the target
+ ///
+ /// # Safety
+ /// This function sets a bunch of raw pointers in global variables, reused in other parts of
+ /// the code.
 #[inline]
- pub fn enter_target(
+ pub unsafe fn enter_target(
 &mut self,
 fuzzer: &mut Z,
 state: &mut ::State,
 mgr: &mut EM,
 input: &::Input,
+ executor_ptr: *const c_void,
 ) {
 unsafe {
 let data = addr_of_mut!(GLOBAL_STATE);
@@ -116,10 +121,7 @@ where
 addr_of_mut!((*data).current_input_ptr),
 ptr::from_ref(input) as *const c_void,
 );
- write_volatile(
- addr_of_mut!((*data).executor_ptr),
- ptr::from_ref(self) as *const c_void,
- );
+ write_volatile(addr_of_mut!((*data).executor_ptr), executor_ptr);
 // Direct raw pointers access /aliasing is pretty undefined behavior.
 // Since the state and event may have moved in memory, refresh them right before the signal may happen
 write_volatile(
diff --git a/libafl/src/executors/inprocess/mod.rs b/libafl/src/executors/inprocess/mod.rs
index 515ed0aa56..a6e6f09252 100644
--- a/libafl/src/executors/inprocess/mod.rs
+++ b/libafl/src/executors/inprocess/mod.rs
@@ -9,8 +9,10 @@ use alloc::boxed::Box;
 use core::ptr::addr_of_mut;
 use core::{
 borrow::BorrowMut,
+ ffi::c_void,
 fmt::{self, Debug, Formatter},
 marker::PhantomData,
+ ptr,
 time::Duration,
 };
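Review bot: The new `# Safety` section on `enter_target` says what the function does but not what the caller must guarantee about the added `executor_ptr` parameter, and that caller obligation is the reason the function became `unsafe fn`. The pointer is stored into `GLOBAL_STATE.executor_ptr` and, judging by the "refresh them right before the signal may happen" comment in the next hunk, read back later on the signal path, so the doc should pin the precondition: `/// `executor_ptr` must point at the outermost executor object that readers of `GLOBAL_STATE.executor_ptr` expect, and that object must stay alive and unmoved until the target run finishes.` The body of `enter_target` continues past the end of the hunk.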
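Review bot: `write_volatile(addr_of_mut!((*data).executor_ptr), executor_ptr);` stores the caller-supplied pointer with no sanity check, so a null or stale pointer would sit silently in the global until something on the signal path dereferences it. A `debug_assert!(!executor_ptr.is_null(), "executor_ptr must not be null");` immediately before the write catches a wrong call site in debug builds at no cost to release builds. The comment below it only names the state and event manager as values that are refreshed on every entry; it would help to extend it to say the executor pointer is likewise re-supplied by the caller each time, since it no longer derives from `self`.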
@@ -125,7 +127,11 @@ where
 input: &Self::Input,
 ) -> Result {
 *state.executions_mut() += 1;
- self.inner.enter_target(fuzzer, state, mgr, input);
+ unsafe {
+ let executor_ptr = ptr::from_ref(self) as *const c_void;
+ self.inner
+ .enter_target(fuzzer, state, mgr, input, executor_ptr);
+ }
 self.inner.hooks.pre_exec_all(fuzzer, state, mgr, input);
 let ret = (self.harness_fn.borrow_mut())(input);
diff --git a/libafl/src/executors/inprocess/stateful.rs b/libafl/src/executors/inprocess/stateful.rs
index 601d1428f0..ea4ce97812 100644
--- a/libafl/src/executors/inprocess/stateful.rs
+++ b/libafl/src/executors/inprocess/stateful.rs
@@ -1,8 +1,10 @@
 use alloc::boxed::Box;
 use core::{
 borrow::BorrowMut,
+ ffi::c_void,
 fmt::{self, Debug, Formatter},
 marker::PhantomData,
+ ptr,
 time::Duration,
 };
@@ -116,7 +118,11 @@ where
 input: &Self::Input,
 ) -> Result {
 *state.executions_mut() += 1;
- self.inner.enter_target(fuzzer, state, mgr, input);
+ unsafe {
+ let executor_ptr = ptr::from_ref(self) as *const c_void;
+ self.inner
+ .enter_target(fuzzer, state, mgr, input, executor_ptr);
+ }
 self.inner.hooks.pre_exec_all(fuzzer, state, mgr, input);
 let ret = (self.harness_fn.borrow_mut())(input, &mut self.exposed_executor_state);
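Review bot: The new `unsafe { … }` block around the `enter_target` call carries no `// SAFETY:` comment explaining why the contract holds, and the identical block is repeated in the last hunk of `stateful.rs`. Since the whole point of this fix is that the pointer must be the outer executor rather than `self.inner`, that reasoning belongs at the call site, e.g. `// SAFETY: executor_ptr is self, the outer executor that GLOBAL_STATE.executor_ptr is expected to point at, and self stays exclusively borrowed until this function returns.` Moving the take-pointer-then-call pair into one small private helper on the inner type would keep the two copies from drifting apart. The enclosing function (presumably `run_target`; its signature begins before the hunk) continues outside the hunk in both files.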