Merge remote-tracking branch 'origin/topic/jsiwek/gh-1329-fuzzer-driver-cleanup'

* origin/topic/jsiwek/gh-1329-fuzzer-driver-cleanup: Rename a 'do_net_run' variable to 'do_run_loop' GH-1329: call Zeek's cleanup function from standalone fuzzer driver
2025-10-02 06:38:20 +00:00 · 2020-12-14 14:27:45 -08:00 · 2020-12-14 14:27:45 -08:00 · 5f8b79ee3b
commit 5f8b79ee3b
parent 144ca0f45b faf6d4ec1a
6 changed files with 26 additions and 10 deletions
--- a/13
+++ b/13
@ -1,4 +1,17 @@

+3.3.0-dev.663 | 2020-12-14 14:27:45 -0800
+
+  * Rename a 'do_net_run' variable to 'do_run_loop'
+
+    For clarity, since the net_run() function was renamed to run_loop(). (Jon Siwek, Corelight)
+
+  * GH-1329: call Zeek's cleanup function from standalone fuzzer driver (Jon Siwek, Corelight)
+
+    Otherwise, the global Broker manager object containing CAF/threading
+    logic is never destructed and can result in a heap-use-after-free if it
+    tries to access other global objects after they're cleaned up from
+    __cxa_finalize().
+
 3.3.0-dev.660 | 2020-12-14 10:55:15 -0800

  * Fix typo in table iterator invalidation test comment (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-3.3.0-dev.660
+3.3.0-dev.663
--- a/src/fuzzers/standalone-driver.cc
+++ b/src/fuzzers/standalone-driver.cc
@ -6,6 +6,8 @@
 #include <memory>
 #include <chrono>

+#include "zeek/zeek-setup.h"
+
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv);

@ -64,4 +66,5 @@ int main(int argc, char** argv)
 	auto fuzz_dt = duration<double>(agg_stop - fuzz_start).count();
 	printf("Processed %d inputs in %fs (%fs w/ initialization), avg = %fs\n",
 	       num_inputs, fuzz_dt, agg_dt, fuzz_dt / num_inputs);
+	return zeek::detail::cleanup(false);
 	}
--- a/src/main.cc
+++ b/src/main.cc
@ -16,11 +16,11 @@ int main(int argc, char** argv)
 		return setup_result.code;

 	auto& options = setup_result.options;
-	auto do_net_run = zeek::iosource_mgr->Size() > 0 ||
-	                  zeek::run_state::detail::have_pending_timers ||
-	                  zeek::BifConst::exit_only_after_terminate;
+	auto do_run_loop = zeek::iosource_mgr->Size() > 0 ||
+	                   zeek::run_state::detail::have_pending_timers ||
+	                   zeek::BifConst::exit_only_after_terminate;

-	if ( do_net_run )
+	if ( do_run_loop )
 		{
 		if ( zeek::detail::profiling_logger )
 			zeek::detail::profiling_logger->Log();
@ -78,5 +78,5 @@ int main(int argc, char** argv)
 			}
 		}

-	return zeek::detail::cleanup(do_net_run);
+	return zeek::detail::cleanup(do_run_loop);
 	}
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@ -908,9 +908,9 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 	return {0, std::move(options)};
 	}

-int cleanup(bool did_net_run)
+int cleanup(bool did_run_loop )
 	{
-	if ( did_net_run )
+	if ( did_run_loop )
 		done_with_network();

 	run_state::detail::delete_run();
--- a/src/zeek-setup.h
+++ b/src/zeek-setup.h
@ -24,8 +24,8 @@ SetupResult setup(int argc, char** argv, Options* options = nullptr);

 /**
 * Cleans up Zeek's global state.
- * @param did_net_run  whether the net_run() was called.
+ * @param did_run_loop  whether the run_loop() function was called.
 */
-int cleanup(bool did_net_run);
+int cleanup(bool did_run_loop);

 } // namespace zeek::detail