
[Rust]: Fix calltree discovery logic #1826

Merged
merged 1 commit into from
Nov 20, 2024

Conversation

arthurscchan
Contributor

This PR fixes the calltree discovery logic to correctly interpret function calls initiated from the fuzzing harness for the Rust frontend.

@arthurscchan
Contributor Author

arthurscchan commented Nov 20, 2024

The newest calltree in .data format for some fuzzing harnesses of the httparse project.
parse_header

Call tree
fuzz_target /src/httparse/fuzz/fuzz_targets/parse_headers.rs linenumber=-1
 parse_headers /src/httparse/fuzz/fuzz_targets/parse_headers.rs linenumber=6
   Bytes::new /src/httparse/src/lib.rs linenumber=1012
     a[u8]::as_ptr /src/httparse/src/iter.rs linenumber=17
   parse_headers_iter /src/httparse/src/lib.rs linenumber=1013
     parse_headers_iter_uninit /src/httparse/src/lib.rs linenumber=1023
       Err /src/httparse/src/lib.rs linenumber=1091
       iter_mut /src/httparse/src/lib.rs linenumber=1093
   Ok /src/httparse/src/lib.rs linenumber=1014
   Status::Complete /src/httparse/src/lib.rs linenumber=1014

parse_response_multspaces

Call tree
fuzz_target /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=-1
 Response::new /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=7
 httparse::ParserConfig::default /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=8
 ParserConfig::allow_multiple_spaces_in_response_status_delimiters /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=9
 ParserConfig::parse_response /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=10
   Response::parse_with_config /src/httparse/src/lib.rs linenumber=469
     core::mem::replace /src/httparse/src/lib.rs linenumber=686

parse_chunk_size

Call tree
fuzz_target /src/httparse/fuzz/fuzz_targets/parse_chunk_size.rs linenumber=-1
 parse_chunk_size /src/httparse/fuzz/fuzz_targets/parse_chunk_size.rs linenumber=5
   Bytes::new /src/httparse/src/lib.rs linenumber=1313
     a[u8]::as_ptr /src/httparse/src/iter.rs linenumber=17
   Ok /src/httparse/src/lib.rs linenumber=1385
   Status::Complete /src/httparse/src/lib.rs linenumber=1385
   Bytes::pos /src/httparse/src/lib.rs linenumber=1385

@arthurscchan
Contributor Author

arthurscchan commented Nov 20, 2024

The newest logic successfully identified most of the calls, with some exceptions that are known limitations. For example, in the call tree for parse_response_multspaces, it does not identify any function calls within the unsafe block; it seems that the syn approach failed to identify the code inside those blocks. Will be working on finding alternative ways to identify those calls.

    fn parse_with_config(&mut self, buf: &'b [u8], config: &ParserConfig) -> Result<usize> {
        let headers = core::mem::replace(&mut self.headers, &mut []);

        /* SAFETY: see `parse_headers_iter_uninit` guarantees */
        unsafe {
            let headers: *mut [Header<'_>] = headers;
            let headers = headers as *mut [MaybeUninit<Header<'_>>];
            match self.parse_with_config_and_uninit_headers(buf, config, &mut *headers) {
                Ok(Status::Complete(idx)) => Ok(Status::Complete(idx)),
                other => {
                    // put the original headers back
                    self.headers = &mut *(headers as *mut [Header<'_>]);
                    other
                },
            }
        }
    }
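The following is an added example, not code from this PR or from the fuzz-introspector project: a small Python parser for the calltree .data listings quoted in the first comment, plus two queries a reviewer would run over them. The second query lists the callees discovered for one function, which is how the gap described in the second comment shows up in the data: for `Response::parse_with_config` the tree records only `core::mem::replace`, while the source excerpt above also calls `parse_with_config_and_uninit_headers` inside the unsafe block. The sample input is a copy of the two listings from the comment with their indentation as shown; `HARNESS_PREFIX`, the reading of the path and linenumber fields as the call site, and all function names are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterator

# Constructed sample input: the two calltree .data listings quoted in the PR
# comment above, with the indentation widths exactly as they appear there.
SAMPLE_HEADERS = """\
Call tree
fuzz_target /src/httparse/fuzz/fuzz_targets/parse_headers.rs linenumber=-1
 parse_headers /src/httparse/fuzz/fuzz_targets/parse_headers.rs linenumber=6
   Bytes::new /src/httparse/src/lib.rs linenumber=1012
     a[u8]::as_ptr /src/httparse/src/iter.rs linenumber=17
   parse_headers_iter /src/httparse/src/lib.rs linenumber=1013
     parse_headers_iter_uninit /src/httparse/src/lib.rs linenumber=1023
       Err /src/httparse/src/lib.rs linenumber=1091
       iter_mut /src/httparse/src/lib.rs linenumber=1093
   Ok /src/httparse/src/lib.rs linenumber=1014
   Status::Complete /src/httparse/src/lib.rs linenumber=1014
"""

SAMPLE_MULTSPACES = """\
Call tree
fuzz_target /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=-1
 Response::new /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=7
 httparse::ParserConfig::default /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=8
 ParserConfig::allow_multiple_spaces_in_response_status_delimiters /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=9
 ParserConfig::parse_response /src/httparse/fuzz/fuzz_targets/parse_response_multspaces.rs linenumber=10
   Response::parse_with_config /src/httparse/src/lib.rs linenumber=469
     core::mem::replace /src/httparse/src/lib.rs linenumber=686
"""

HARNESS_PREFIX = "/src/httparse/fuzz/"  # assumed location of the harness sources

# One calltree line: indentation, callee name, then a file and line. Those two
# fields are read here as the call site (an assumption based on the samples).
LINE_RE = re.compile(r"^(?P<indent> *)(?P<name>\S+) (?P<path>\S+) linenumber=(?P<line>-?\d+)$")


@dataclass
class Node:
    name: str
    path: str
    line: int
    depth: int
    children: list[Node] = field(default_factory=list)


def parse_calltree(text: str) -> Node:
    """Rebuild the tree from indentation. Depth follows the order of indent
    widths rather than a fixed step, so uneven widths (1, 3, 5, ...) still nest."""
    root: Node | None = None
    stack: list[tuple[int, Node]] = []  # (indent width, node) along the current branch
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "Call tree":
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unparseable calltree line: {raw!r}")
        indent = len(m["indent"])
        while stack and stack[-1][0] >= indent:  # climb back to the parent
            stack.pop()
        node = Node(m["name"], m["path"], int(m["line"]), depth=len(stack))
        if stack:
            stack[-1][1].children.append(node)
        elif root is None:
            root = node
        else:
            raise ValueError(f"second root {node.name!r}; expected one harness entry")
        stack.append((indent, node))
    if root is None:
        raise ValueError("no calltree entries found")
    return root


def iter_nodes(root: Node) -> Iterator[Node]:
    """Pre-order walk, the same order as the .data listing."""
    yield root
    for child in root.children:
        yield from iter_nodes(child)


def max_depth(root: Node) -> int:
    return max(n.depth for n in iter_nodes(root))


def calls_from(root: Node, path_prefix: str) -> list[str]:
    """Callees invoked directly from files under path_prefix, i.e. the API surface
    the harness exercises. The root (the harness entry itself) is skipped."""
    return [n.name for n in iter_nodes(root)
            if n is not root and n.path.startswith(path_prefix)]


def callees_of(root: Node, name: str) -> list[str]:
    """Discovered callees of the first node called `name`; comparing this list
    with the function's source shows which calls discovery missed."""
    for n in iter_nodes(root):
        if n.name == name:
            return [c.name for c in n.children]
    raise KeyError(name)
```

Running `callees_of(parse_calltree(SAMPLE_MULTSPACES), "Response::parse_with_config")` returns `["core::mem::replace"]`, and `calls_from(tree, HARNESS_PREFIX)` gives the four `ParserConfig`/`Response` calls made from the harness file; the parser derives nesting from the relative order of indent widths, so it is not thrown off by the uneven indentation in the quoted listings.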

@arthurscchan arthurscchan marked this pull request as ready for review November 20, 2024 17:21
@DavidKorczynski DavidKorczynski merged commit 69456a9 into ossf:main Nov 20, 2024
10 checks passed
@arthurscchan arthurscchan deleted the fix-calltree-expr branch January 16, 2025 14:24