fuzz: unpoison result of mutate_{byte,integer}()

LLVMFuzzerMutate() may return data marked as uninitialized but our value mutators assume that the entire region is initialized. MSAN recently got stricter in how it checks use of these potentially uninitialized values. Manually unpoison the response from LLVMFuzzerMutate() for these two functions.
Yubico · May 10, 2024 · a4ddd91 · a4ddd91
1 parent f315e8c
commit a4ddd91
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/fuzz/mutator_aux.c b/fuzz/mutator_aux.c
@@ -135,12 +135,18 @@ void
 mutate_byte(uint8_t *b)
 {
 	LLVMFuzzerMutate(b, sizeof(*b), sizeof(*b));
+#ifdef WITH_MSAN
+	__msan_unpoison(b, sizeof(*b));
+#endif
 }
 
 void
 mutate_int(int *i)
 {
 	LLVMFuzzerMutate((uint8_t *)i, sizeof(*i), sizeof(*i));
+#ifdef WITH_MSAN
+	__msan_unpoison(i, sizeof(*i));
+#endif
 }
 
 void