[PATCH] fuzz-commit-graph: properly free graph struct

[PATCH] fuzz-commit-graph: properly free graph struct

[Josh Steadmon]

Use the provided free_commit_graph() to properly free the commit graph
in fuzz-commit-graph. Otherwise, the fuzzer itself leaks memory when the
struct contains pointers to allocated memory.

Signed-off-by: Josh Steadmon <steadmon@google.com>
---
 fuzz-commit-graph.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fuzz-commit-graph.c b/fuzz-commit-graph.c
index 9fd1c04edd..430817214d 100644
--- a/fuzz-commit-graph.c
+++ b/fuzz-commit-graph.c
@@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 	initialize_the_repository();
 	g = parse_commit_graph((void *)data, size);
 	repo_clear(the_repository);
-	free(g);
+	free_commit_graph(g);
 
 	return 0;
 }
-- 
2.27.0.278.ge193c7cf3a9-goog

Re: [PATCH] fuzz-commit-graph: properly free graph struct

[Jonathan Nieder]

Josh Steadmon wrote:

> Use the provided free_commit_graph() to properly free the commit graph
> in fuzz-commit-graph. Otherwise, the fuzzer itself leaks memory when the
> struct contains pointers to allocated memory.
>
> Signed-off-by: Josh Steadmon <steadmon@google.com>
> ---
>  fuzz-commit-graph.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

How can I reproduce this?

> diff --git a/fuzz-commit-graph.c b/fuzz-commit-graph.c
> index 9fd1c04edd..430817214d 100644
> --- a/fuzz-commit-graph.c
> +++ b/fuzz-commit-graph.c
> @@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
>  	initialize_the_repository();
>  	g = parse_commit_graph((void *)data, size);
>  	repo_clear(the_repository);
> -	free(g);
> +	free_commit_graph(g);

In any event, the patch itself is sensible, so
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>

Thanks.

Re: [PATCH] fuzz-commit-graph: properly free graph struct

[Josh Steadmon]

[-- Attachment #1: Type: text/plain, Size: 2876 bytes --]

On 2020.06.05 16:02, Jonathan Nieder wrote:
> Josh Steadmon wrote:
> 
> > Use the provided free_commit_graph() to properly free the commit graph
> > in fuzz-commit-graph. Otherwise, the fuzzer itself leaks memory when the
> > struct contains pointers to allocated memory.
> >
> > Signed-off-by: Josh Steadmon <steadmon@google.com>
> > ---
> >  fuzz-commit-graph.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> How can I reproduce this?

Building the fuzzer is dependent on the exact versions of clang &
libFuzzer that you have installed; on my machine, with clang 9.0.1-10
and libFuzzer 9, I build as follows:

$ make CC=clang \
    CXX=clang++ \
    CFLAGS="-fsanitize=fuzzer-no-link,address" \
    LIB_FUZZING_ENGINE=/usr/lib/llvm-9/lib/libFuzzer.a \
    fuzz-all

Then you can run fuzz-commit-graph on the attached test case:

$ ./fuzz-commit-graph /tmp/testcase-fuzzer-leak

When built from master, I get a leak error:


$ ./fuzz-commit-graph /tmp/testcase-fuzzer-leak
INFO: Seed: 2332984289
INFO: Loaded 1 modules   (70798 inline 8-bit counters): 70798 [0x15c8b82, 0x15da010), 
INFO: Loaded 1 PC tables (70798 PCs): 70798 [0x12a7db8,0x13bc698), 
./fuzz-commit-graph: Running 1 inputs 1 time(s) each.
Running: /tmp/testcase-5725798091980800

=================================================================
==192153==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 12 byte(s) in 1 object(s) allocated from:
    #0 0x49be6d in malloc (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x49be6d)
    #1 0xc2ff15 in do_xmalloc (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0xc2ff15)
    #2 0xc2fe66 in xmalloc (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0xc2fe66)
    #3 0x5cfc4e in parse_commit_graph (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x5cfc4e)
    #4 0x1085b39 in LLVMFuzzerTestOneInput (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x1085b39)
    #5 0x109b41c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x109b41c)

SUMMARY: AddressSanitizer: 12 byte(s) leaked in 1 allocation(s).

INFO: a leak has been found in the initial corpus.

INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.


When run with this patch, the fuzzer does not report a leak.


> > diff --git a/fuzz-commit-graph.c b/fuzz-commit-graph.c
> > index 9fd1c04edd..430817214d 100644
> > --- a/fuzz-commit-graph.c
> > +++ b/fuzz-commit-graph.c
> > @@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
> >  	initialize_the_repository();
> >  	g = parse_commit_graph((void *)data, size);
> >  	repo_clear(the_repository);
> > -	free(g);
> > +	free_commit_graph(g);
> 
> In any event, the patch itself is sensible, so
> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
> 
> Thanks.

[-- Attachment #2: testcase-fuzzer-leak --]
[-- Type: application/octet-stream, Size: 1100 bytes --]