From a5d8f2df0923ffc583631e8a3f49cd59a6175bed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20L=C3=B3pez?= <00xc@protonmail.com>
Date: Mon, 6 Nov 2023 21:43:37 +0100
Subject: [PATCH] fuzz: remove potential undefined behavior in chaos harness
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The chaos harness has a potential UB bug reported by Miri due to mutable pointer aliasing. The `heap` object has a mutable reference to `HEAP_MEM`, which gets invalidated when calculating `remaining_space`, as it does so through a mut pointer. Thus, using `heap` after using the pointer is technically undefined behavior under Rust's aliasing rules. Fix this by creating a const pointer via the `addr_of!()` macro. Note that it is very unlikely this caused any actual issues under the current state of the compiler.
Signed-off-by: Carlos López <00xc@protonmail.com>
---
 fuzz/fuzz_targets/chaos.rs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fuzz/fuzz_targets/chaos.rs b/fuzz/fuzz_targets/chaos.rs
index 795b211..315ccd8 100644
--- a/fuzz/fuzz_targets/chaos.rs
+++ b/fuzz/fuzz_targets/chaos.rs
@@ -3,7 +3,7 @@ use arbitrary::Arbitrary;
 use libfuzzer_sys::fuzz_target;
 use linked_list_allocator::Heap;
 use std::alloc::Layout;
-use std::ptr::NonNull;
+use std::ptr::{addr_of, NonNull};
 #[derive(Debug, Arbitrary)]
 enum Action {
@@ -81,8 +81,8 @@ fn fuzz(size: u16, actions: Vec) {
 Extend { additional } =>
 // safety: new heap size never exceeds MAX_HEAP_SIZE
 unsafe {
- let remaining_space = HEAP_MEM
- .as_mut_ptr()
+ let remaining_space = addr_of!(HEAP_MEM)
+ .cast::()
 .add(MAX_HEAP_SIZE)
 .offset_from(heap.top());
 assert!(remaining_space >= 0);
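Review bot: The safety comment above the `unsafe` block in the second hunk still only justifies the later extend ("new heap size never exceeds MAX_HEAP_SIZE"), while the rewritten `let remaining_space = addr_of!(HEAP_MEM)...offset_from(heap.top())` line introduces a second unsafe precondition it does not mention: `offset_from` requires `heap.top()` and the one-past-the-end pointer produced by `.add(MAX_HEAP_SIZE)` to belong to the same allocation, and the `assert!(remaining_space >= 0)` on the following line runs after the call, so it cannot guard that. Presumably `heap` was initialised over `HEAP_MEM` (that setup is outside this hunk), in which case the condition holds, but the comment should say so, e.g. `// safety: heap was created over HEAP_MEM, so heap.top() lies within it and offset_from is sound; addr_of! avoids materialising a &mut HEAP_MEM that would alias heap's borrow.` The turbofish argument of `.cast` is lost in this rendering, so the target type cannot be confirmed here. The enclosing `fuzz` function starts and ends outside the hunk.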