Diffstat (limited to 'qemu_mode')
-rw-r--r--qemu_mode/QEMUAFL_VERSION2
-rw-r--r--qemu_mode/libqasan/hooks.c2
-rw-r--r--qemu_mode/libqasan/malloc.c6
m---------qemu_mode/qemuafl0
4 files changed, 9 insertions, 1 deletions
diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index a7f25da3..8d95c359 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-d1ca56b84e
+ddc4a9748d
diff --git a/qemu_mode/libqasan/hooks.c b/qemu_mode/libqasan/hooks.c
index 9c406c74..0e6c3e08 100644
--- a/qemu_mode/libqasan/hooks.c
+++ b/qemu_mode/libqasan/hooks.c
@@ -51,6 +51,7 @@ ssize_t write(int fd, const void *buf, size_t count) {
   void *rtv = __builtin_return_address(0);
 
   QASAN_DEBUG("%14p: write(%d, %p, %zu)\n", rtv, fd, buf, count);
+  QASAN_LOAD(buf, count);
   ssize_t r = __lq_libc_write(fd, buf, count);
   QASAN_DEBUG("\t\t = %zd\n", r);
 
@@ -63,6 +64,7 @@ ssize_t read(int fd, void *buf, size_t count) {
   void *rtv = __builtin_return_address(0);
 
   QASAN_DEBUG("%14p: read(%d, %p, %zu)\n", rtv, fd, buf, count);
+  QASAN_STORE(buf, count);
   ssize_t r = __lq_libc_read(fd, buf, count);
   QASAN_DEBUG("\t\t = %zd\n", r);
 
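Review bot: The new `QASAN_STORE(buf, count)` before `__lq_libc_read` checks the full `count` bytes as writable even though the kernel may only fill the first `r` of them, so a caller that passes an oversized `count` for a short buffer is flagged even on a short read that would not have overflowed in practice. That is a defensible, stricter contract (the caller promised `count` writable bytes), but it differs from checking only the bytes actually returned after the call, and the hunk does not record which is intended. A one-line comment would settle it: `// check the whole buffer up front: the caller promises count writable bytes, however many read() fills`. If the post-call behaviour is what is wanted instead, the check would move below the call as `if (r > 0) QASAN_STORE(buf, (size_t)r);`. The enclosing `read` wrapper continues past the hunk.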
diff --git a/qemu_mode/libqasan/malloc.c b/qemu_mode/libqasan/malloc.c
index 5a2d2a0c..6fe6fc8c 100644
--- a/qemu_mode/libqasan/malloc.c
+++ b/qemu_mode/libqasan/malloc.c
@@ -159,6 +159,9 @@ size_t __libqasan_malloc_usable_size(void *ptr) {
   char *p = ptr;
   p -= sizeof(struct chunk_begin);
 
+  // Validate that the chunk marker is readable (a crude check
+  // to verify that ptr is a valid malloc region before we dereference it)
+  QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
   return ((struct chunk_begin *)p)->requested_size;
 
 }
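Review bot: A NULL `ptr` now reaches the added `QASAN_LOAD` with `p` pointing `sizeof(struct chunk_begin)` bytes below address zero and would be reported as an invalid access instead of returning 0 as glibc's `malloc_usable_size(NULL)` does — unless a NULL guard already sits between the signature and the hunk's first line, which is not visible here. If there is none, `if (!ptr) return 0;` before `char *p = ptr;` keeps the libc behaviour. The check is also only as strong as the comment admits: a pointer into the interior of a live allocation has unpoisoned bytes in front of it and passes, after which `requested_size` is read from user data, so the comment would be more accurate as `// Check that the header bytes are not poisoned (catches freed or non-heap pointers, not interior pointers)`. The function's signature is above the hunk.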
@@ -225,6 +228,9 @@ void __libqasan_free(void *ptr) {
   struct chunk_begin *p = ptr;
   p -= 1;
 
+  // Validate that the chunk marker is readable (a crude check
+  // to verify that ptr is a valid malloc region before we dereference it)
+  QASAN_LOAD(p, sizeof(struct chunk_begin) - REDZONE_SIZE);
   size_t n = p->requested_size;
 
   QASAN_STORE(ptr, n);
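Review bot: The header check and its two-line comment are now copied verbatim into `__libqasan_free` and `__libqasan_malloc_usable_size`, so the size expression `sizeof(struct chunk_begin) - REDZONE_SIZE` must be kept in sync by hand if the header layout ever changes. A small helper, `static inline void chunk_header_check(struct chunk_begin *p) { QASAN_LOAD(p, sizeof(*p) - REDZONE_SIZE); }` called from both sites, gives the check one home and one comment. The ordering here is right: the check runs before `p->requested_size` is read, so a garbage `n` from a non-heap or already-freed pointer never reaches the `QASAN_STORE(ptr, n)` on the last line. `__libqasan_free` begins above the hunk and continues past it, so whether `ptr == NULL` is rejected before the `p -= 1` cannot be confirmed from here.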
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
-Subproject d1ca56b84e78f821406eef28d836918edfc8d61
+Subproject 0fb212daab492411b3e323bc18a3074c1aecfd3
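Review bot: The new `QEMUAFL_VERSION` pin `ddc4a9748d` does not match the new submodule commit `0fb212daab…`, whereas the old values (`d1ca56b84e` on both sides) agreed. Anything that checks out qemuafl by the value in `QEMUAFL_VERSION` will therefore build a different revision than the one the submodule pointer records; one of the two should be updated so both name the same commit. Which of the two is the intended target cannot be told from the diff.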