From f7db29d21319ef6213cb5f833cd86a86fae38c30 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Wed, 10 Mar 2021 19:40:31 +0100
Subject: [PATCH] workaround for recursive malloc in release mode

---
 fuzzers/libfuzzer_libpng/test.sh | 5 +++--
 fuzzers/libfuzzer_runtime/rt.c | 7 ++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/fuzzers/libfuzzer_libpng/test.sh b/fuzzers/libfuzzer_libpng/test.sh
index f707f77271..156cf1de04 100755
--- a/fuzzers/libfuzzer_libpng/test.sh
+++ b/fuzzers/libfuzzer_libpng/test.sh
@@ -1,17 +1,18 @@
 #!/bin/sh
 mkdir -p ./crashes
+rm -rf ./.libfuzzer_test.elf
 cargo build --example libfuzzer_libpng --release || exit 1
 cp ../../target/release/examples/libfuzzer_libpng ./.libfuzzer_test.elf
 # The broker
-RUST_BACKTRACE=full taskset 0 ./.libfuzzer_test.elf &
+RUST_BACKTRACE=full taskset -c 0 ./.libfuzzer_test.elf &
 # Give the broker time to spawn
 sleep 2
 echo "Spawning client"
 # The 1st fuzzer client, pin to cpu 0x1
-RUST_BACKTRACE=full taskset 1 ./.libfuzzer_test.elf 2>/dev/null
+RUST_BACKTRACE=full taskset -c 1 ./.libfuzzer_test.elf 2>/dev/null
 killall .libfuzzer_test.elf
 rm -rf ./.libfuzzer_test.elf
diff --git a/fuzzers/libfuzzer_runtime/rt.c b/fuzzers/libfuzzer_runtime/rt.c
index ec90be0d7e..21c308a8d4 100644
--- a/fuzzers/libfuzzer_runtime/rt.c
+++ b/fuzzers/libfuzzer_runtime/rt.c
@@ -138,7 +138,12 @@ void *malloc(size_t size) {
 k &= MAP_SIZE - 1;
 __lafl_alloc_map[k] = MAX(__lafl_alloc_map[k], size);
- return realloc(NULL, size);
+ // We cannot malloc in malloc.
+ // Hence, even realloc(NULL, size) would loop in an optimized build.
+ // We fall back to a stricter allocation function. Fingers crossed.
+ void *ret = NULL;
+ posix_memalign(&ret, 1<<6, size);
+ return ret;
 }
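Review bot: The `cp` that stages the binary into `./.libfuzzer_test.elf` is still unchecked, so if the copy fails the broker and client lines run against a missing file and the script still reaches `killall`, while the `cargo build` line on the previous line already aborts on failure; append `|| exit 1` to the `cp` line, or put `set -e` directly after the shebang so every step is checked. The switch to `taskset -c` is the right fix, because the bare `0` and `1` arguments were read as CPU affinity masks rather than CPU numbers, and a one-line mention of that in the commit message would make the intent clear to the next reader.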
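Review bot: The return code of `posix_memalign` on the new allocation line is discarded, so when it fails the caller gets whatever the implementation leaves in `ret` (POSIX leaves `*memptr` unspecified on error) instead of the NULL that `malloc`'s contract requires, and `errno` is never set because `posix_memalign` reports errors only through its return value. Suggest `int rc = posix_memalign(&ret, 1<<6, size); if (rc != 0) { errno = rc; return NULL; }` in place of the bare call. The `1<<6` alignment should be a named constant with a comment saying why 64 bytes is chosen, since nothing in the hunk explains it. The enclosing `malloc` starts before the hunk, and whether `posix_memalign` itself re-enters this `malloc` in an optimized build is not visible here, so the recursion concern stated in the added comments remains unverified by the change.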