Proposed fix for issue #3094, whereby all conditional comparisons are treat as 1 byte (rather than 2, 4, or 8) (#3095)

DanBlackwell · web-flow · commit 9195245998ac · 2025-03-21T12:55:58.000+01:00
diff --git a/libafl_targets/src/sancov_cmp.c b/libafl_targets/src/sancov_cmp.c
@@ -8,31 +8,33 @@
   #include "cmplog.h"
 #endif
 
-// Note: for RETADDR to give us the fuzz target caller address we need 
+// Note: for RETADDR to give us the fuzz target caller address we need
 //       to guarantee that this code is inlined. `inline` keyword provides
 //       no such guarantees, but a macro does.
 #ifdef SANCOV_VALUE_PROFILE
   #define SANCOV_VALUE_PROFILE_CALL(k, arg_size, arg1, arg2, arg1_is_const) \
-    k &= CMP_MAP_SIZE - 1; \
-    __libafl_targets_value_profile1(k, arg1, arg2);
+    k &= CMP_MAP_SIZE - 1;                                                  \
+    __libafl_targets_value_profile##arg_size(k, arg1, arg2);
 #else
   #define SANCOV_VALUE_PROFILE_CALL(k, arg_size, arg1, arg2, arg1_is_const)
 #endif
 
 #ifdef SANCOV_CMPLOG
-  #define SANCOV_CMPLOG_CALL(k, arg_size, arg1, arg2, arg1_is_const) \
-    k &= CMPLOG_MAP_W - 1; \
-    cmplog_instructions_checked(k, arg_size, (uint64_t)arg1, (uint64_t)arg2, arg1_is_const);
+  #define SANCOV_CMPLOG_CALL(k, arg_size, arg1, arg2, arg1_is_const)         \
+    k &= CMPLOG_MAP_W - 1;                                                   \
+    cmplog_instructions_checked(k, arg_size, (uint64_t)arg1, (uint64_t)arg2, \
+                                arg1_is_const);
 #else
   #define SANCOV_CMPLOG_CALL(k, arg_size, arg1, arg2, arg1_is_const)
 #endif
 
-#define HANDLE_SANCOV_TRACE_CMP(arg_size, arg1, arg2, arg1_is_const) { \
-  uintptr_t k = RETADDR; \
-  k = (k >> 4) ^ (k << 8); \
-  SANCOV_VALUE_PROFILE_CALL(k, arg_size, arg1, arg2, arg1_is_const) \
-  SANCOV_CMPLOG_CALL(k, arg_size, arg1, arg2, arg1_is_const) \
-}
+#define HANDLE_SANCOV_TRACE_CMP(arg_size, arg1, arg2, arg1_is_const)  \
+  {                                                                   \
+    uintptr_t k = RETADDR;                                            \
+    k = (k >> 4) ^ (k << 8);                                          \
+    SANCOV_VALUE_PROFILE_CALL(k, arg_size, arg1, arg2, arg1_is_const) \
+    SANCOV_CMPLOG_CALL(k, arg_size, arg1, arg2, arg1_is_const)        \
+  }
 
 void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {
   HANDLE_SANCOV_TRACE_CMP(1, arg1, arg2, 0);
@@ -80,7 +82,8 @@ void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
 #endif
 #ifdef SANCOV_CMPLOG
     k &= CMPLOG_MAP_W - 1;
-    // Note: cases[i + 2] are the constant values, so keep them in arg1 and indicate that it's const
+    // Note: cases[i + 2] are the constant values, so keep them in arg1 and
+    // indicate that it's const
     cmplog_instructions_checked(k, cases[1] / 8, cases[i + 2], val, 1);
 #endif
   }
diff --git a/libafl_targets/src/windows_asan.rs b/libafl_targets/src/windows_asan.rs
@@ -29,11 +29,8 @@ unsafe extern "C" {
 ///
 /// # Safety
 /// Calls the unsafe `__sanitizer_set_death_callback` symbol, but should be safe to call otherwise.
-pub unsafe fn setup_asan_callback<E, EM, I, OF, S, Z>(
-    _executor: &E,
-    _event_mgr: &EM,
-    _fuzzer: &Z,
-) where
+pub unsafe fn setup_asan_callback<E, EM, I, OF, S, Z>(_executor: &E, _event_mgr: &EM, _fuzzer: &Z)
+where
     E: Executor<EM, I, S, Z> + HasObservers,
     E::Observers: ObserversTuple<I, S>,
     EM: EventFirer<I, S> + EventRestarter<S>,
