AngoraFuzzer / Angora

Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.
Apache License 2.0

Fix C Allocation Function Taint Propagation #25

Closed maverick117 closed 5 years ago

maverick117 commented 5 years ago

Fixed taint propagation in realloc().

Previously, taint propagations in *alloc() functions were discarded. This resulted in the seemingly poor performance in the LAVA-M dataset.

The current approach is to record each allocation in a HashMap and propagate the taint labels on reallocation. This fix improved the whole benchmark in LAVA-M to around 2400 bugs found.

TODO: add support for non-standard reallocarray() function
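The approach the comment above describes, as an added example that is not Angora's code and not this PR's diff: a toy per-byte taint model in which heap allocations are recorded in a hash map (base pointer to size) and `realloc()` carries the labels of the surviving bytes over to the new block. The label store, the wrapper names (`tainted_malloc`, `tainted_realloc`, `realloc_dropping_labels`) and the label value 7 standing in for "came from the input file" are all constructed for this illustration; a DFSan-style runtime like Angora's keeps labels in a fixed shadow region rather than a hash map, and the "dropping" variant only models the behaviour the comment says was discarded.

```cpp
// Added example, not Angora's runtime: a minimal model of per-byte taint labels on
// heap memory, contrasting a realloc() that drops labels with one that carries them.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <unordered_map>
#include <vector>

using Label = uint32_t;  // 0 = untainted (stands in for a dfsan_label; hypothetical)

// Shadow store: one label per heap byte, keyed by address. A hash map is used only
// to keep the example self-contained; a real runtime uses dedicated shadow memory.
static std::unordered_map<uintptr_t, Label> g_shadow;
// Allocation table: base pointer -> size. This is the "HashMap of allocations".
static std::unordered_map<uintptr_t, size_t> g_allocs;

static void set_label(const void *p, size_t n, Label l) {
  for (size_t i = 0; i < n; i++) g_shadow[(uintptr_t)p + i] = l;
}
static Label get_label(const void *p) {
  auto it = g_shadow.find((uintptr_t)p);
  return it == g_shadow.end() ? 0 : it->second;
}

void *tainted_malloc(size_t n) {
  void *p = malloc(n);
  if (p) { g_allocs[(uintptr_t)p] = n; set_label(p, n, 0); }  // fresh memory is clean
  return p;
}

void tainted_free(void *p) {
  if (!p) return;
  auto it = g_allocs.find((uintptr_t)p);
  if (it != g_allocs.end()) { set_label(p, it->second, 0); g_allocs.erase(it); }
  free(p);
}

// Old behaviour modelled here: the resized block is registered with no labels at all,
// so every byte copied from the input loses its taint when the buffer grows.
void *realloc_dropping_labels(void *old, size_t n) {
  if (old) { set_label(old, g_allocs.at((uintptr_t)old), 0); g_allocs.erase((uintptr_t)old); }
  void *p = realloc(old, n);
  if (p) { g_allocs[(uintptr_t)p] = n; set_label(p, n, 0); }
  return p;
}

// Fixed behaviour: look up the old size, save its labels, resize, then copy the labels
// of the min(old, new) surviving bytes to the new block and leave the tail untainted.
void *tainted_realloc(void *old, size_t n) {
  if (!old) return tainted_malloc(n);
  size_t old_n = g_allocs.at((uintptr_t)old);
  std::vector<Label> saved(old_n);
  for (size_t i = 0; i < old_n; i++) saved[i] = get_label((const char *)old + i);
  set_label(old, old_n, 0);
  g_allocs.erase((uintptr_t)old);
  void *p = realloc(old, n);
  if (!p) {  // realloc failed: the old block is still valid, so restore its bookkeeping
    for (size_t i = 0; i < old_n; i++) set_label((const char *)old + i, 1, saved[i]);
    g_allocs[(uintptr_t)old] = old_n;
    return nullptr;
  }
  g_allocs[(uintptr_t)p] = n;
  size_t keep = old_n < n ? old_n : n;
  for (size_t i = 0; i < keep; i++) set_label((const char *)p + i, 1, saved[i]);
  if (n > keep) set_label((const char *)p + keep, n - keep, 0);
  return p;
}

// Allocate 8 bytes, taint them all with label 7 (constructed "input" taint), resize to
// new_size with the chosen variant, and return how many bytes still carry label 7.
size_t tainted_bytes_after_realloc(bool fixed, size_t new_size) {
  char *buf = (char *)tainted_malloc(8);
  set_label(buf, 8, 7);
  char *p = (char *)(fixed ? tainted_realloc(buf, new_size)
                           : realloc_dropping_labels(buf, new_size));
  size_t count = 0;
  for (size_t i = 0; i < new_size; i++) if (get_label(p + i) == 7) count++;
  tainted_free(p);
  return count;
}

int main() {
  printf("grow, labels dropped : %zu tainted bytes\n", tainted_bytes_after_realloc(false, 64));
  printf("grow, labels carried : %zu tainted bytes\n", tainted_bytes_after_realloc(true, 64));
  printf("shrink, labels carried: %zu tainted bytes\n", tainted_bytes_after_realloc(true, 4));
  return 0;
}
```

The point of the shrink case is that only the surviving prefix keeps its labels, and the failure branch in `tainted_realloc` matters because a real `realloc()` that returns NULL leaves the old block alive, so its labels and allocation record must not be thrown away.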

maverick117 commented 5 years ago

Please check if this implementation produces any new bugs. Currently, it is tested using the LAVA-M dataset.