fix cast to c_void of the wrong object. (#1921)

2024-03-07 21:28:28 +01:00 · 2024-03-07 21:28:28 +01:00 · 781e830923
commit 781e830923
parent 6747a7dc2f
3 changed files with 21 additions and 7 deletions
--- a/libafl/src/executors/inprocess/inner.rs
+++ b/libafl/src/executors/inprocess/inner.rs
@ -102,13 +102,18 @@ where
    S: State,
 {
    /// This function marks the boundary between the fuzzer and the target
+    ///
+    /// # Safety
+    /// This function sets a bunch of raw pointers in global variables, reused in other parts of
+    /// the code.
    #[inline]
-    pub fn enter_target<EM, Z>(
+    pub unsafe fn enter_target<EM, Z>(
        &mut self,
        fuzzer: &mut Z,
        state: &mut <Self as UsesState>::State,
        mgr: &mut EM,
        input: &<Self as UsesInput>::Input,
+        executor_ptr: *const c_void,
    ) {
        unsafe {
            let data = addr_of_mut!(GLOBAL_STATE);
@ -116,10 +121,7 @@ where
                addr_of_mut!((*data).current_input_ptr),
                ptr::from_ref(input) as *const c_void,
            );
-            write_volatile(
-                addr_of_mut!((*data).executor_ptr),
-                ptr::from_ref(self) as *const c_void,
-            );
+            write_volatile(addr_of_mut!((*data).executor_ptr), executor_ptr);
            // Direct raw pointers access /aliasing is pretty undefined behavior.
            // Since the state and event may have moved in memory, refresh them right before the signal may happen
            write_volatile(
--- a/libafl/src/executors/inprocess/mod.rs
+++ b/libafl/src/executors/inprocess/mod.rs
@ -9,8 +9,10 @@ use alloc::boxed::Box;
 use core::ptr::addr_of_mut;
 use core::{
    borrow::BorrowMut,
+    ffi::c_void,
    fmt::{self, Debug, Formatter},
    marker::PhantomData,
+    ptr,
    time::Duration,
 };

@ -125,7 +127,11 @@ where
        input: &Self::Input,
    ) -> Result<ExitKind, Error> {
        *state.executions_mut() += 1;
-        self.inner.enter_target(fuzzer, state, mgr, input);
+        unsafe {
+            let executor_ptr = ptr::from_ref(self) as *const c_void;
+            self.inner
+                .enter_target(fuzzer, state, mgr, input, executor_ptr);
+        }
        self.inner.hooks.pre_exec_all(fuzzer, state, mgr, input);

        let ret = (self.harness_fn.borrow_mut())(input);
--- a/libafl/src/executors/inprocess/stateful.rs
+++ b/libafl/src/executors/inprocess/stateful.rs
@ -1,8 +1,10 @@
 use alloc::boxed::Box;
 use core::{
    borrow::BorrowMut,
+    ffi::c_void,
    fmt::{self, Debug, Formatter},
    marker::PhantomData,
+    ptr,
    time::Duration,
 };

@ -116,7 +118,11 @@ where
        input: &Self::Input,
    ) -> Result<ExitKind, Error> {
        *state.executions_mut() += 1;
-        self.inner.enter_target(fuzzer, state, mgr, input);
+        unsafe {
+            let executor_ptr = ptr::from_ref(self) as *const c_void;
+            self.inner
+                .enter_target(fuzzer, state, mgr, input, executor_ptr);
+        }
        self.inner.hooks.pre_exec_all(fuzzer, state, mgr, input);

        let ret = (self.harness_fn.borrow_mut())(input, &mut self.exposed_executor_state);