Fix crash in execution context fuzzer (#4037)

EBPF_OPERATION_PROGRAM_TEST_RUN buffer was too short. EBPF_OPERATION_GET_OBJECT_INFO handled the equivalent already so applied the same fix to TEST_RUN. Signed-off-by: Dave Thaler <[email protected]>
microsoft · Nov 23, 2024 · 06f9b48 · 06f9b48
1 parent 98f00df
commit 06f9b48
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/tests/libfuzzer/execution_context/corpus/82ce31909fa0e89e62ab1d13f98d474dd7374dca b/tests/libfuzzer/execution_context/corpus/82ce31909fa0e89e62ab1d13f98d474dd7374dca
diff --git a/tests/libfuzzer/execution_context/libfuzz_harness.cpp b/tests/libfuzzer/execution_context/libfuzz_harness.cpp
@@ -517,8 +517,10 @@ fuzz_ioctl(std::vector<uint8_t>& random_buffer)
     if (operation_id == EBPF_OPERATION_PROGRAM_TEST_RUN) {
         ebpf_operation_program_test_run_request_t* test_request =
             reinterpret_cast<ebpf_operation_program_test_run_request_t*>(random_buffer.data());
-        if (test_request->repeat_count > 1024) {
-            test_request->repeat_count = 1024;
+        if (header->length >= EBPF_OFFSET_OF(ebpf_operation_program_test_run_request_t, data)) {
+            if (test_request->repeat_count > 1024) {
+                test_request->repeat_count = 1024;
+            }
         }
     }