/src/fuzz_libunwind.c

Source (jump to first uncovered line)
/* Copyright 2023 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

/*
 * The main idea behind this fuzzer is the generate arbitrary stack traces
 * by way of recursive funcitons, and then using various calls to libunwind
 * apis arbitrarily.
 */
#define UNW_LOCAL_ONLY
#include <libunwind.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

void get_random_reg(int);
void get_proc_name();
void dispatch(const uint8_t *data, size_t size);
void check_is_signal();
void get_save_loc(int reg);
void recurse1(const uint8_t *data, size_t size);
void recurse2(const uint8_t *data, size_t size);
void recurse3(const uint8_t *data, size_t size);
void recurse4(const uint8_t *data, size_t size);

void get_save_loc(int regnum) {
  unw_cursor_t cursor;
  unw_context_t uc;
  unw_word_t reference_reg;

  unw_getcontext(&uc);
  unw_init_local(&cursor, &uc);
  unw_save_loc_t loc;
  while (unw_step(&cursor) > 0) {
    unw_get_save_loc(&cursor, regnum, &loc);
  }
}

void get_random_reg(int regnum) {
  unw_cursor_t cursor;
  unw_context_t uc;
  unw_word_t reference_reg;

  unw_getcontext(&uc);
  unw_init_local(&cursor, &uc);
  while (unw_step(&cursor) > 0) {
    unw_get_reg(&cursor, regnum, &reference_reg);
  }
}

void check_is_signal() {
  unw_cursor_t cursor;
  unw_context_t uc;
  unw_word_t reference_reg;

  unw_getcontext(&uc);
  unw_init_local(&cursor, &uc);
  while (unw_step(&cursor) > 0) {
    if (unw_is_signal_frame(&cursor)) {
      return;
    }
  }
}

void get_proc_name() {
  unw_cursor_t cursor;
  unw_context_t uc;

  unw_getcontext(&uc);
  unw_init_local(&cursor, &uc);
  while (unw_step(&cursor) > 0) {
    unw_word_t offset;
    char buf[512];
    unw_get_proc_name(&cursor, buf, sizeof(buf), &offset);
  }
}

void dispatch(const uint8_t *data, size_t size) {
  if (size < 8) {
    return;
  }
  uint8_t decider = data[0] % 4;
  data += 2;
  size -= 2;
  if (decider == 0) {
    recurse1(data, size);
  } else if (decider == 1) {
    recurse2(data, size);
  } else if (decider == 2) {
    recurse3(data, size);
  } else {
    recurse4(data, size);
  }
}

void recurse1(const uint8_t *data, size_t size) {
  if (data[0] == 0x01) {
    get_proc_name();
  }
  data += 2;
  size -= 2;

  dispatch(data, size);
  return;
}

void recurse2(const uint8_t *data, size_t size) {
  if (data[0] == 0x01) {
    get_random_reg((int)data[1]);
  }
  data += 2;
  size -= 2;

  dispatch(data, size);
  return;
}

void recurse3(const uint8_t *data, size_t size) {
  if (data[0] == 0x01) {
    check_is_signal((int)data[1]);
  }
  data += 2;
  size -= 2;

  dispatch(data, size);
  return;
}

void recurse4(const uint8_t *data, size_t size) {
  if (data[0] == 0x01) {
    get_save_loc((int)data[1]);
  }
  data += 2;
  size -= 2;

  dispatch(data, size);
  return;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  // Ensure we have a bit of data but not too much to cause stackoverflows.
  if (size < 12 || size > 512) {
    return 0;
  }

  dispatch(data, size);
  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		/* Copyright 2023 Google LLC
2		Licensed under the Apache License, Version 2.0 (the "License");
3		you may not use this file except in compliance with the License.
4		You may obtain a copy of the License at
5		http://www.apache.org/licenses/LICENSE-2.0
6		Unless required by applicable law or agreed to in writing, software
7		distributed under the License is distributed on an "AS IS" BASIS,
8		WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9		See the License for the specific language governing permissions and
10		limitations under the License.
11		*/
12
13		/*
14		* The main idea behind this fuzzer is the generate arbitrary stack traces
15		* by way of recursive funcitons, and then using various calls to libunwind
16		* apis arbitrarily.
17		*/
18		#define UNW_LOCAL_ONLY
19		#include <libunwind.h>
20		#include <stdint.h>
21		#include <stdlib.h>
22		#include <string.h>
23
24		void get_random_reg(int);
25		void get_proc_name();
26		void dispatch(const uint8_t *data, size_t size);
27		void check_is_signal();
28		void get_save_loc(int reg);
29		void recurse1(const uint8_t *data, size_t size);
30		void recurse2(const uint8_t *data, size_t size);
31		void recurse3(const uint8_t *data, size_t size);
32		void recurse4(const uint8_t *data, size_t size);
33
34	738	void get_save_loc(int regnum) {
35	738	unw_cursor_t cursor;
36	738	unw_context_t uc;
37	738	unw_word_t reference_reg;
38
39	738	unw_getcontext(&uc);
40	738	unw_init_local(&cursor, &uc);
41	738	unw_save_loc_t loc;
42	6.64k	while (unw_step(&cursor) > 0) {
43	5.90k	unw_get_save_loc(&cursor, regnum, &loc);
44	5.90k	}
45	738	}
46
47	2.13k	void get_random_reg(int regnum) {
48	2.13k	unw_cursor_t cursor;
49	2.13k	unw_context_t uc;
50	2.13k	unw_word_t reference_reg;
51
52	2.13k	unw_getcontext(&uc);
53	2.13k	unw_init_local(&cursor, &uc);
54	19.2k	while (unw_step(&cursor) > 0) {
55	17.1k	unw_get_reg(&cursor, regnum, &reference_reg);
56	17.1k	}
57	2.13k	}
58
59	164	void check_is_signal() {
60	164	unw_cursor_t cursor;
61	164	unw_context_t uc;
62	164	unw_word_t reference_reg;
63
64	164	unw_getcontext(&uc);
65	164	unw_init_local(&cursor, &uc);
66	1.47k	while (unw_step(&cursor) > 0) {
67	1.31k	if (unw_is_signal_frame(&cursor)) {
68	0	return;
69	0	}
70	1.31k	}
71	164	}
72
73	2.82k	void get_proc_name() {
74	2.82k	unw_cursor_t cursor;
75	2.82k	unw_context_t uc;
76
77	2.82k	unw_getcontext(&uc);
78	2.82k	unw_init_local(&cursor, &uc);
79	25.4k	while (unw_step(&cursor) > 0) {
80	22.6k	unw_word_t offset;
81	22.6k	char buf[512];
82	22.6k	unw_get_proc_name(&cursor, buf, sizeof(buf), &offset);
83	22.6k	}
84	2.82k	}
85
86	7.65k	void dispatch(const uint8_t *data, size_t size) {
87	7.65k	if (size < 8) {
88	348	return;
89	348	}
90	7.30k	uint8_t decider = data[0] % 4;
91	7.30k	data += 2;
92	7.30k	size -= 2;
93	7.30k	if (decider == 0) {
94	3.27k	recurse1(data, size);
95	4.03k	} else if (decider == 1) {
96	2.66k	recurse2(data, size);
97	2.66k	} else if (decider == 2) {
98	359	recurse3(data, size);
99	1.01k	} else {
100	1.01k	recurse4(data, size);
101	1.01k	}
102	7.30k	}
103
104	3.27k	void recurse1(const uint8_t *data, size_t size) {
105	3.27k	if (data[0] == 0x01) {
106	2.82k	get_proc_name();
107	2.82k	}
108	3.27k	data += 2;
109	3.27k	size -= 2;
110
111	3.27k	dispatch(data, size);
112	3.27k	return;
113	3.27k	}
114
115	2.66k	void recurse2(const uint8_t *data, size_t size) {
116	2.66k	if (data[0] == 0x01) {
117	2.13k	get_random_reg((int)data[1]);
118	2.13k	}
119	2.66k	data += 2;
120	2.66k	size -= 2;
121
122	2.66k	dispatch(data, size);
123	2.66k	return;
124	2.66k	}
125
126	359	void recurse3(const uint8_t *data, size_t size) {
127	359	if (data[0] == 0x01) {
128	164	check_is_signal((int)data[1]);
129	164	}
130	359	data += 2;
131	359	size -= 2;
132
133	359	dispatch(data, size);
134	359	return;
135	359	}
136
137	1.01k	void recurse4(const uint8_t *data, size_t size) {
138	1.01k	if (data[0] == 0x01) {
139	738	get_save_loc((int)data[1]);
140	738	}
141	1.01k	data += 2;
142	1.01k	size -= 2;
143
144	1.01k	dispatch(data, size);
145	1.01k	return;
146	1.01k	}
147
148	376	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
149		// Ensure we have a bit of data but not too much to cause stackoverflows.
150	376	if (size < 12 \|\| size > 512) {
151	28	return 0;
152	28	}
153
154	348	dispatch(data, size);
155	348	return 0;
156	376	}

Coverage Report

Created: 2025-07-02 06:03