fuzz: unpoison result of mutate_{byte,int}()

LLVMFuzzerMutate() may return data marked as uninitialized but our value mutators assume that the entire region is initialized. MSAN recently got stricter in how it checks use of these potentially uninitialized values. Manually unpoison the response from LLVMFuzzerMutate() for these two functions.
Yubico · May 10, 2024 · 543ae58 · 543ae58
1 parent c23ed8c
commit 543ae58
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/fuzz/mutator_aux.c b/fuzz/mutator_aux.c
@@ -135,12 +135,18 @@ void
 mutate_byte(uint8_t *b)
 {
 	LLVMFuzzerMutate(b, sizeof(*b), sizeof(*b));
+#ifdef WITH_MSAN
+	__msan_unpoison(b, sizeof(*b));
+#endif
 }
 
 void
 mutate_int(int *i)
 {
 	LLVMFuzzerMutate((uint8_t *)i, sizeof(*i), sizeof(*i));
+#ifdef WITH_MSAN
+	__msan_unpoison(i, sizeof(*i));
+#endif
 }
 
 void