base_json_reader_fuzzer: Sanitizer-poison memory around the input buffer.

This enables better detection of small-byte buffer-overreads. Bug: 489301 Change-Id: I568136a4bd2f44984f92e9bd3b4e4c6911db610b Reviewed-on: https://chromium-review.googlesource.com/951742Reviewed-by: Abhishek Arya <inferno@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#541238}

base_json_reader_fuzzer: Sanitizer-poison memory around the input buffer.
This enables better detection of small-byte buffer-overreads. Bug: 489301 Change-Id: I568136a4bd2f44984f92e9bd3b4e4c6911db610b Reviewed-on: https://chromium-review.googlesource.com/951742Reviewed-by: Abhishek Arya <inferno@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#541238}
845bbd0e · Robert Sesek · Commit Bot · 60a15293 · 845bbd0e
Commit 845bbd0e authored Mar 06, 2018 by Robert Sesek Committed by Commit Bot Mar 06, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 1 deletion

testing/libfuzzer/fuzzers/base_json_reader_fuzzer.cc testing/libfuzzer/fuzzers/base_json_reader_fuzzer.cc +29 -1

No files found.
--- a/testing/libfuzzer/fuzzers/base_json_reader_fuzzer.cc
+++ b/testing/libfuzzer/fuzzers/base_json_reader_fuzzer.cc
@@ -10,6 +10,21 @@
 #include "base/json/json_reader.h"
 #include "base/values.h"

+#if defined(ADDRESS_SANITIZER)
+#include <sanitizer/asan_interface.h>
+#define POISON(address, size) __asan_poison_memory_region(address, size)
+#define UNPOISON(address, size) __asan_unpoison_memory_region(address, size)
+#elif defined(MEMORY_SANITIZER)
+#include <sanitizer/msan_interface.h>
+#define POISON(address, size) __msan_poison(address, size)
+#define UNPOISON(address, size) __msan_unpoison(address, size)
+#else
+#define POISON(address, size)
+#define UNPOISON(address, size)
+#endif
+
+constexpr size_t kPoisonSize = 1024;
+
 int error_code, error_line, error_column;
 std::string error_message;

@@ -18,10 +33,23 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (size < 1)
    return 0;

-  const std::string input_string(reinterpret_cast<const char*>(data), size - 1);
+  // Create a larger buffer than |size|, tell the sanitizer to poison
+  // around the edges, and copy the input into the middle. This will help
+  // detect buffer over-reads.
+  std::unique_ptr<uint8_t[]> input(new uint8_t[size + 2 * kPoisonSize]);
+  POISON(input.get(), kPoisonSize);
+  POISON(input.get() + kPoisonSize + size, kPoisonSize);
+  memcpy(input.get() + kPoisonSize, data, size);
+
+  base::StringPiece input_string(
+      reinterpret_cast<char*>(input.get() + kPoisonSize), size);
+
  const int options = data[size - 1];
  base::JSONReader::ReadAndReturnError(input_string, options, &error_code,
                                       &error_message, &error_line,
                                       &error_column);
+
+  UNPOISON(input.get(), size + 2 * kPoisonSize);
+
  return 0;
 }