From 543ae58454520dcf83a497105bd9145b1c2b0720 Mon Sep 17 00:00:00 2001
From: Ludvig Michaelsson
Date: Wed, 8 May 2024 15:26:47 +0200
Subject: [PATCH] fuzz: unpoison result of mutate_{byte,int}()

LLVMFuzzerMutate() may return data marked as uninitialized but our value mutators assume that the entire region is initialized. MSAN recently got stricter in how it checks use of these potentially uninitialized values. Manually unpoison the response from LLVMFuzzerMutate() for these two functions.
---
 fuzz/mutator_aux.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fuzz/mutator_aux.c b/fuzz/mutator_aux.c
index 64c633f1..ebddf104 100644
--- a/fuzz/mutator_aux.c
+++ b/fuzz/mutator_aux.c
@@ -135,12 +135,18 @@ void
 mutate_byte(uint8_t *b)
 {
 	LLVMFuzzerMutate(b, sizeof(*b), sizeof(*b));
+#ifdef WITH_MSAN
+	__msan_unpoison(b, sizeof(*b));
+#endif
 }
 
 void
 mutate_int(int *i)
 {
 	LLVMFuzzerMutate((uint8_t *)i, sizeof(*i), sizeof(*i));
+#ifdef WITH_MSAN
+	__msan_unpoison(i, sizeof(*i));
+#endif
 }
 
 void
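Review bot: `__msan_unpoison()` is declared in `<sanitizer/msan_interface.h>`, and the file's include block lies outside this hunk, so please confirm that header is pulled in under `WITH_MSAN`; otherwise the new calls in mutate_byte and mutate_int are implicit declarations in MSAN builds. The added lines also deserve a why-comment, because unpoisoning disables MSAN's checks for those bytes and a later reader could mistake it for papering over a real uninitialized-read bug: `/* LLVMFuzzerMutate() may leave the region poisoned; the mutated value is read in full, so mark it initialized for MSAN. */` above the first `#ifdef WITH_MSAN` in mutate_byte, and the same in mutate_int. If other mutators in this file also read back the result of LLVMFuzzerMutate(), they would presumably need the same treatment, but that is not visible from this hunk. Both mutate_byte and mutate_int are fully contained in the hunk; the trailing `void` starts a definition that continues beyond it.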