From 0cd0d789f0749356003dfc0914ff5581329458c1 Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Sun, 13 Aug 2023 13:30:41 -0700
Subject: [PATCH] Fix mismatched alloc/free in verifier_fuzzer

The verifier_fuzzer used ebpf_allocate() but then called free()

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 ebpf-for-windows.sln                          | 11 +++----
 external/usersim                              |  2 +-
 .../kernel/ebpf_store_helper_km.vcxproj       | 31 ++++++++++++++++++
 .../user/ebpf_store_helper_um.vcxproj         | 32 +++++++++++++++++--
 .../verifier_fuzzer/libfuzz_harness.cpp       |  4 +--
 5 files changed, 69 insertions(+), 11 deletions(-)

diff --git a/ebpf-for-windows.sln b/ebpf-for-windows.sln
index eca64a2fd1..26714daf90 100644
--- a/ebpf-for-windows.sln
+++ b/ebpf-for-windows.sln
@@ -2645,9 +2645,8 @@ Global
 		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
 		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|ARM64.Build.0 = Debug|x64
 		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|ARM64.Deploy.0 = Debug|x64
-		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|x64.ActiveCfg = Debug|x64
-		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|x64.Build.0 = Debug|x64
-		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|x64.Deploy.0 = Debug|x64
+		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
+		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
 		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|x86.ActiveCfg = Debug|x64
 		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|x86.Build.0 = Debug|x64
 		{3569E946-C8B4-49EE-A89D-EDD09DC9F36E}.FuzzerDebug|x86.Deploy.0 = Debug|x64
@@ -2708,9 +2707,9 @@ Global
 		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
 		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|ARM64.Build.0 = Debug|x64
 		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|ARM64.Deploy.0 = Debug|x64
-		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|x64.ActiveCfg = Debug|x64
-		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|x64.Build.0 = Debug|x64
-		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|x64.Deploy.0 = Debug|x64
+		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
+		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
+		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|x64.Deploy.0 = FuzzerDebug|x64
 		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|x86.ActiveCfg = Debug|x64
 		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|x86.Build.0 = Debug|x64
 		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}.FuzzerDebug|x86.Deploy.0 = Debug|x64
diff --git a/external/usersim b/external/usersim
index 82ee9300dc..f9ca4039e8 160000
--- a/external/usersim
+++ b/external/usersim
@@ -1 +1 @@
-Subproject commit 82ee9300dcbc4320e1207ca8b8a8a28bdf26ff63
+Subproject commit f9ca4039e8e36909b896a685dd985bedf56d0b5f
diff --git a/libs/store_helper/kernel/ebpf_store_helper_km.vcxproj b/libs/store_helper/kernel/ebpf_store_helper_km.vcxproj
index bd43de23e8..926c8ee092 100644
--- a/libs/store_helper/kernel/ebpf_store_helper_km.vcxproj
+++ b/libs/store_helper/kernel/ebpf_store_helper_km.vcxproj
@@ -9,6 +9,10 @@
       <Configuration>Debug</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
+    <ProjectConfiguration Include="FuzzerDebug|x64">
+      <Configuration>FuzzerDebug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
     <ProjectConfiguration Include="NativeOnlyDebug|x64">
       <Configuration>NativeOnlyDebug</Configuration>
       <Platform>x64</Platform>
@@ -42,6 +46,15 @@
     <CharacterSet>Unicode</CharacterSet>
     <EnableASAN>false</EnableASAN>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='FuzzerDebug|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <DriverTargetPlatform>Universal</DriverTargetPlatform>
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>Unicode</CharacterSet>
+    <EnableASAN>false</EnableASAN>
+  </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='NativeOnlyDebug|x64'" Label="Configuration">
     <TargetVersion>Windows10</TargetVersion>
     <UseDebugLibraries>true</UseDebugLibraries>
@@ -80,6 +93,10 @@
     <IncludePath>$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH);$(SolutionDir)\include;$(SolutionDir)\libs\store_helper\kernel;$(SolutionDir)\libs\platform\kernel;$(SolutionDir)\external\ebpf-verifier\src</IncludePath>
     <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='FuzzerDebug|x64'">
+    <IncludePath>$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH);$(SolutionDir)\include;$(SolutionDir)\libs\store_helper\kernel;$(SolutionDir)\libs\platform\kernel;$(SolutionDir)\external\ebpf-verifier\src</IncludePath>
+    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+  </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='NativeOnlyDebug|x64'">
     <IncludePath>$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH);$(SolutionDir)\include;$(SolutionDir)\libs\store_helper\kernel;$(SolutionDir)\libs\platform\kernel;$(SolutionDir)\external\ebpf-verifier\src</IncludePath>
     <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
@@ -105,6 +122,20 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
     </Link>
   </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='FuzzerDebug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+    </ClCompile>
+    <Link>
+      <SubSystem>
+      </SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='NativeOnlyDebug|x64'">
     <ClCompile>
       <WarningLevel>Level3</WarningLevel>
diff --git a/libs/store_helper/user/ebpf_store_helper_um.vcxproj b/libs/store_helper/user/ebpf_store_helper_um.vcxproj
index af15e950dd..668236237c 100644
--- a/libs/store_helper/user/ebpf_store_helper_um.vcxproj
+++ b/libs/store_helper/user/ebpf_store_helper_um.vcxproj
@@ -9,6 +9,10 @@
       <Configuration>Debug</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
+    <ProjectConfiguration Include="FuzzerDebug|x64">
+      <Configuration>FuzzerDebug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
     <ProjectConfiguration Include="Release|x64">
       <Configuration>Release</Configuration>
       <Platform>x64</Platform>
@@ -29,7 +33,13 @@
     <PlatformToolset>v143</PlatformToolset>
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <CharacterSet>Unicode</CharacterSet>
-    <EnableASAN>false</EnableASAN>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='FuzzerDebug|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <TargetVersion>Windows10</TargetVersion>
@@ -37,7 +47,6 @@
     <PlatformToolset>v143</PlatformToolset>
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <CharacterSet>Unicode</CharacterSet>
-    <EnableASAN>false</EnableASAN>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -51,6 +60,11 @@
     <LibraryPath>$(VC_LibraryPath_x64);$(WindowsSDK_LibraryPath_x64)</LibraryPath>
     <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='FuzzerDebug|x64'">
+    <IncludePath>$(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir)\include;$(SolutionDir)\libs\store_helper\user;$(SolutionDir)\libs\platform;$(SolutionDir)\libs\platform\user;$(SolutionDir)\external\ebpf-verifier\src;$(SolutionDir)external\usersim\inc</IncludePath>
+    <LibraryPath>$(VC_LibraryPath_x64);$(WindowsSDK_LibraryPath_x64)</LibraryPath>
+    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+  </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <IncludePath>$(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir)\include;$(SolutionDir)\libs\store_helper\user;$(SolutionDir)\libs\platform;$(SolutionDir)\libs\platform\user;$(SolutionDir)\external\ebpf-verifier\src;$(SolutionDir)external\usersim\inc</IncludePath>
     <LibraryPath>$(VC_LibraryPath_x64);$(WindowsSDK_LibraryPath_x64)</LibraryPath>
@@ -69,6 +83,20 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
     </Link>
   </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='FuzzerDebug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_LIB;USER_MODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+    </ClCompile>
+    <Link>
+      <SubSystem>
+      </SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <ClCompile>
       <WarningLevel>Level3</WarningLevel>
diff --git a/tests/libfuzzer/verifier_fuzzer/libfuzz_harness.cpp b/tests/libfuzzer/verifier_fuzzer/libfuzz_harness.cpp
index 2cf90052ec..dc2d5c8316 100644
--- a/tests/libfuzzer/verifier_fuzzer/libfuzz_harness.cpp
+++ b/tests/libfuzzer/verifier_fuzzer/libfuzz_harness.cpp
@@ -19,8 +19,8 @@ FUZZ_EXPORT int __cdecl LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
         const char* error_message = nullptr;
         ebpf_api_elf_verify_section_from_memory(
             reinterpret_cast<const char*>(data), size, "", nullptr, false, &report, &error_message, nullptr);
-        free(const_cast<char*>(report));
-        free(const_cast<char*>(error_message));
+        ebpf_free_string(report);
+        ebpf_free_string(error_message);
     } catch (std::runtime_error&) {
     }