diff options
| author | van Hauser <vh@thc.org> | 2022-10-24 20:46:31 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-10-24 20:46:31 +0200 |
| commit | a075cddef6ae71516a960116f3d944efd5671e5d (patch) | |
| tree | 724dd6978ebb10f52c4bdda86eb44a5494b33409 | |
| parent | d1e1bbc713b22d620956143634ecdf97223aa59f (diff) | |
| parent | 05e0825d66d938308842c25c4c74b5cdd4a885eb (diff) | |
| download | afl++-a075cddef6ae71516a960116f3d944efd5671e5d.tar.gz | |
Merge pull request #1561 from AFLplusplus/dev
push to stable
| -rw-r--r-- | GNUmakefile.llvm | 1 | ||||
| -rwxr-xr-x | afl-cmin | 3 | ||||
| -rw-r--r-- | docs/Changelog.md | 2 | ||||
| -rw-r--r-- | docs/env_variables.md | 15 | ||||
| -rw-r--r-- | include/afl-fuzz.h | 4 | ||||
| -rw-r--r-- | include/common.h | 17 | ||||
| -rw-r--r-- | include/envs.h | 1 | ||||
| -rw-r--r-- | include/forkserver.h | 4 | ||||
| -rw-r--r-- | instrumentation/afl-compiler-rt.o.c | 1 | ||||
| -rw-r--r-- | qemu_mode/QEMUAFL_VERSION | 2 | ||||
| -rwxr-xr-x | qemu_mode/build_qemu_support.sh | 5 | ||||
| m--------- | qemu_mode/qemuafl | 0 | ||||
| -rw-r--r-- | src/afl-analyze.c | 5 | ||||
| -rw-r--r-- | src/afl-cc.c | 2 | ||||
| -rw-r--r-- | src/afl-common.c | 54 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 18 | ||||
| -rw-r--r-- | src/afl-fuzz-state.c | 23 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 12 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 8 | ||||
| -rw-r--r-- | src/afl-showmap.c | 21 | ||||
| -rw-r--r-- | src/afl-tmin.c | 8 | ||||
| -rwxr-xr-x | test/test-qemu-mode.sh | 23 |
22 files changed, 160 insertions, 69 deletions
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 2349e587..4dc5a56e 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -89,7 +89,6 @@ endif ifeq "$(LLVM_HAVE_LTO)" "1" $(info [+] llvm_mode detected llvm 11+, enabling afl-lto LTO implementation) LLVM_LTO = 1 - #TEST_MMAP = 1 endif ifeq "$(LLVM_LTO)" "0" @@ -123,6 +123,9 @@ function usage() { "AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the forkserver to come up\n" \ "AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \ "AFL_KILL_SIGNAL: Signal delivered to child processes on timeout (default: SIGKILL)\n" \ +"AFL_FORK_SERVER_KILL_SIGNAL: Signal delivered to fork server processes on termination\n" \ +" (default: SIGTERM). If this is not set and AFL_KILL_SIGNAL is set,\n" \ +" this will be set to the same value as AFL_KILL_SIGNAL.\n" \ "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n" \ "AFL_CMIN_ALLOW_ANY: write tuples for crashing inputs also\n" \ "AFL_PATH: path for the afl-showmap binary if not found anywhere in PATH\n" \ diff --git a/docs/Changelog.md b/docs/Changelog.md index 80916858..38e2e6bc 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -13,6 +13,8 @@ scripts - afl-fuzz: - force writing all stats on exit + - ensure targets are killed on exit + - `AFL_FORK_SERVER_KILL_SIGNAL` added - afl-cc: - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6 - qemu_mode: diff --git a/docs/env_variables.md b/docs/env_variables.md index 1abe9438..d1c13e15 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -409,11 +409,22 @@ checks or alter some of the more exotic semantics of the tool: the afl-fuzz -g/-G command line option to control the minimum/maximum of fuzzing input generated. - - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on - timeout. Unless you implement your own targets or instrumentation, you + - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes + on timeout. Unless you implement your own targets or instrumentation, you likely don't have to set it. By default, on timeout and on exit, `SIGKILL` (`AFL_KILL_SIGNAL=9`) will be delivered to the child. + - `AFL_FORK_SERVER_KILL_SIGNAL`: Set the signal ID to be delivered to the + fork server when AFL++ is terminated. Unless you implement your + fork server, you likely do not have to set it. By default, `SIGTERM` + (`AFL_FORK_SERVER_KILL_SIGNAL=15`) will be delivered to the fork server. + If only `AFL_KILL_SIGNAL` is provided, `AFL_FORK_SERVER_KILL_SIGNAL` will + be set to same value as `AFL_KILL_SIGNAL` to provide backward compatibility. + If `AFL_FORK_SERVER_KILL_SIGNAL` is also set, it takes precedence. + + NOTE: Uncatchable signals, such as `SIGKILL`, cause child processes of + the fork server to be orphaned and leaves them in a zombie state. + - `AFL_MAP_SIZE` sets the size of the shared map that afl-analyze, afl-fuzz, afl-showmap, and afl-tmin create to gather instrumentation data from the target. This must be equal or larger than the size the target was compiled diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 23c20cc4..c8ca8e9b 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -393,8 +393,8 @@ typedef struct afl_env_vars { *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port, *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size, - *afl_testcache_entries, *afl_kill_signal, *afl_target_env, - *afl_persistent_record, *afl_exit_on_time; + *afl_testcache_entries, *afl_child_kill_signal, *afl_fsrv_kill_signal, + *afl_target_env, *afl_persistent_record, *afl_exit_on_time; } afl_env_vars_t; diff --git a/include/common.h b/include/common.h index a983bb0e..f6d1dd1a 100644 --- a/include/common.h +++ b/include/common.h @@ -32,6 +32,7 @@ #include <unistd.h> #include <sys/time.h> #include <stdbool.h> +#include "forkserver.h" #include "types.h" /* STRINGIFY_VAL_SIZE_MAX will fit all stringify_ strings. */ @@ -67,10 +68,18 @@ u8 *find_binary(u8 *fname); u8 *find_afl_binary(u8 *own_loc, u8 *fname); -/* Parses the kill signal environment variable, FATALs on error. - If the env is not set, sets the env to default_signal for the signal handlers - and returns the default_signal. */ -int parse_afl_kill_signal_env(u8 *afl_kill_signal_env, int default_signal); +/* Parses the (numeric) kill signal environment variable passed + via `numeric_signal_as_str`. + If NULL is passed, the `default_signal` value is returned. + FATALs if `numeric_signal_as_str` is not a valid integer .*/ +int parse_afl_kill_signal(u8 *numeric_signal_as_str, int default_signal); + +/* Configure the signals that are used to kill the forkserver + and the forked childs. If `afl_kill_signal_env` or `afl_fsrv_kill_signal_env` + is NULL, the appropiate values are read from the environment. */ +void configure_afl_kill_signals(afl_forkserver_t *fsrv, + char *afl_kill_signal_env, + char *afl_fsrv_kill_signal_env); /* Read a bitmap from file fname to memory This is for the -B option again. */ diff --git a/include/envs.h b/include/envs.h index 2204a100..0731e86e 100644 --- a/include/envs.h +++ b/include/envs.h @@ -110,6 +110,7 @@ static char *afl_environment_variables[] = { "AFL_INST_RATIO", "AFL_KEEP_TIMEOUTS", "AFL_KILL_SIGNAL", + "AFL_FORK_SERVER_KILL_SIGNAL", "AFL_KEEP_TRACES", "AFL_KEEP_ASSEMBLY", "AFL_LD_HARD_FAIL", diff --git a/include/forkserver.h b/include/forkserver.h index 59ce0ee7..a8a7e777 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -163,7 +163,9 @@ typedef struct afl_forkserver { void (*add_extra_func)(void *afl_ptr, u8 *mem, u32 len); - u8 kill_signal; + u8 child_kill_signal; + u8 fsrv_kill_signal; + u8 persistent_mode; #ifdef __linux__ diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 20069824..b46759d0 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -159,6 +159,7 @@ static void at_exit(int signal) { if (unlikely(child_pid > 0)) { kill(child_pid, SIGKILL); + waitpid(child_pid, NULL, 0); child_pid = -1; } diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION index 8f4db04a..8d384d31 100644 --- a/qemu_mode/QEMUAFL_VERSION +++ b/qemu_mode/QEMUAFL_VERSION @@ -1 +1 @@ -ff9de4fbeb +fa07ebfff5 diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index c108675e..f31f3cef 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -251,6 +251,7 @@ else --disable-qom-cast-debug \ --disable-stack-protector \ --disable-werror \ + --disable-docs \ " fi @@ -375,8 +376,10 @@ else make -C libcompcov CC="$CROSS $CROSS_FLAGS" && echo "[+] libcompcov ready" echo "[+] Building unsigaction ..." make -C unsigaction CC="$CROSS $CROSS_FLAGS" && echo "[+] unsigaction ready" + echo "[+] Building fastexit ..." + make -C fastexit CC="$CROSS $CROSS_FLAGS" && echo "[+] fastexit ready" echo "[+] Building libqasan ..." - make -C libqasan CC="$CROSS $CROSS_FLAGS" && echo "[+] unsigaction ready" + make -C libqasan CC="$CROSS $CROSS_FLAGS" && echo "[+] libqasan ready" fi echo "[+] All done for qemu_mode, enjoy!" diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl -Subproject ff9de4fbeb33088b0273f9bb05ecf374a749222 +Subproject fa07ebfff5de3d7a531caf2f9e0306960953a5e diff --git a/src/afl-analyze.c b/src/afl-analyze.c index a21f014f..757c9306 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -114,7 +114,7 @@ static void kill_child() { if (fsrv.child_pid > 0) { - kill(fsrv.child_pid, fsrv.kill_signal); + kill(fsrv.child_pid, fsrv.child_kill_signal); fsrv.child_pid = -1; } @@ -1115,8 +1115,7 @@ int main(int argc, char **argv_orig, char **envp) { } - fsrv.kill_signal = - parse_afl_kill_signal_env(getenv("AFL_KILL_SIGNAL"), SIGKILL); + configure_afl_kill_signals(&fsrv, NULL, NULL); read_initial_file(); (void)check_binary_signatures(fsrv.target_path); diff --git a/src/afl-cc.c b/src/afl-cc.c index 469aa825..cd2061e6 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -955,7 +955,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (plusplus_mode && strlen(libdir) && strncmp(libdir, "/usr", 4) && strncmp(libdir, "/lib", 4)) { - cc_params[cc_par_cnt++] = "-rpath"; + cc_params[cc_par_cnt++] = "-Wl,-rpath"; cc_params[cc_par_cnt++] = libdir; } else { diff --git a/src/afl-common.c b/src/afl-common.c index f3e78ac5..6f5e4a38 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -25,6 +25,7 @@ #include <stdlib.h> #include <stdio.h> +#include "forkserver.h" #ifndef _GNU_SOURCE #define _GNU_SOURCE #endif @@ -47,6 +48,7 @@ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> +#include <signal.h> u8 be_quiet = 0; u8 *doc_path = ""; @@ -456,38 +458,56 @@ u8 *find_afl_binary(u8 *own_loc, u8 *fname) { } -/* Parses the kill signal environment variable, FATALs on error. - If the env is not set, sets the env to default_signal for the signal handlers - and returns the default_signal. */ -int parse_afl_kill_signal_env(u8 *afl_kill_signal_env, int default_signal) { +int parse_afl_kill_signal(u8 *numeric_signal_as_str, int default_signal) { - if (afl_kill_signal_env && afl_kill_signal_env[0]) { + if (numeric_signal_as_str && numeric_signal_as_str[0]) { char *endptr; u8 signal_code; - signal_code = (u8)strtoul(afl_kill_signal_env, &endptr, 10); + signal_code = (u8)strtoul(numeric_signal_as_str, &endptr, 10); /* Did we manage to parse the full string? */ - if (*endptr != '\0' || endptr == (char *)afl_kill_signal_env) { + if (*endptr != '\0' || endptr == (char *)numeric_signal_as_str) { - FATAL("Invalid AFL_KILL_SIGNAL: %s (expected unsigned int)", - afl_kill_signal_env); + FATAL("Invalid signal name: %s", numeric_signal_as_str); + + } else { + + return signal_code; } - return signal_code; + } - } else { + return default_signal; - char *sigstr = alloc_printf("%d", default_signal); - if (!sigstr) { FATAL("Failed to alloc mem for signal buf"); } +} - /* Set the env for signal handler */ - setenv("AFL_KILL_SIGNAL", sigstr, 1); - free(sigstr); - return default_signal; +void configure_afl_kill_signals(afl_forkserver_t *fsrv, + char *afl_kill_signal_env, + char *afl_fsrv_kill_signal_env) { + + afl_kill_signal_env = + afl_kill_signal_env ? afl_kill_signal_env : getenv("AFL_KILL_SIGNAL"); + afl_fsrv_kill_signal_env = afl_fsrv_kill_signal_env + ? afl_fsrv_kill_signal_env + : getenv("AFL_FORK_SERVER_KILL_SIGNAL"); + + fsrv->child_kill_signal = parse_afl_kill_signal(afl_kill_signal_env, SIGKILL); + + if (afl_kill_signal_env && !afl_fsrv_kill_signal_env) { + + /* + Set AFL_FORK_SERVER_KILL_SIGNAL to the value of AFL_KILL_SIGNAL for + backwards compatibility. However, if AFL_FORK_SERVER_KILL_SIGNAL is set, is + takes precedence. + */ + afl_fsrv_kill_signal_env = afl_kill_signal_env; } + fsrv->fsrv_kill_signal = + parse_afl_kill_signal(afl_fsrv_kill_signal_env, SIGTERM); + } static inline unsigned int helper_min3(unsigned int a, unsigned int b, diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 628ff590..a241f2c6 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -100,7 +100,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->init_tmout = EXEC_TIMEOUT * FORK_WAIT_MULT; fsrv->mem_limit = MEM_LIMIT; fsrv->out_file = NULL; - fsrv->kill_signal = SIGKILL; + fsrv->child_kill_signal = SIGKILL; /* exec related stuff */ fsrv->child_pid = -1; @@ -134,7 +134,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->no_unlink = from->no_unlink; fsrv_to->uses_crash_exitcode = from->uses_crash_exitcode; fsrv_to->crash_exitcode = from->crash_exitcode; - fsrv_to->kill_signal = from->kill_signal; + fsrv_to->child_kill_signal = from->child_kill_signal; fsrv_to->debug = from->debug; // These are forkserver specific. @@ -793,7 +793,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, s32 tmp_pid = fsrv->fsrv_pid; if (tmp_pid > 0) { - kill(tmp_pid, fsrv->kill_signal); + kill(tmp_pid, fsrv->child_kill_signal); fsrv->fsrv_pid = -1; } @@ -804,7 +804,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, s32 tmp_pid = fsrv->fsrv_pid; if (tmp_pid > 0) { - kill(tmp_pid, fsrv->kill_signal); + kill(tmp_pid, fsrv->child_kill_signal); fsrv->fsrv_pid = -1; } @@ -1242,11 +1242,11 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, void afl_fsrv_kill(afl_forkserver_t *fsrv) { - if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); } + if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->child_kill_signal); } if (fsrv->fsrv_pid > 0) { - kill(fsrv->fsrv_pid, fsrv->kill_signal); - if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } + kill(fsrv->fsrv_pid, fsrv->fsrv_kill_signal); + waitpid(fsrv->fsrv_pid, NULL, 0); } @@ -1545,7 +1545,7 @@ afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, s32 tmp_pid = fsrv->child_pid; if (tmp_pid > 0) { - kill(tmp_pid, fsrv->kill_signal); + kill(tmp_pid, fsrv->child_kill_signal); fsrv->child_pid = -1; } @@ -1605,7 +1605,7 @@ afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, /* Did we timeout? */ if (unlikely(fsrv->last_run_timed_out)) { - fsrv->last_kill_signal = fsrv->kill_signal; + fsrv->last_kill_signal = fsrv->child_kill_signal; return FSRV_RUN_TMOUT; } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 5199f7e6..8bd465f0 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -23,6 +23,7 @@ */ +#include <signal.h> #include "afl-fuzz.h" #include "envs.h" @@ -487,7 +488,14 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl_environment_variable_len)) { - afl->afl_env.afl_kill_signal = + afl->afl_env.afl_child_kill_signal = + (u8 *)get_afl_env(afl_environment_variables[i]); + + } else if (!strncmp(env, "AFL_FORK_SERVER_KILL_SIGNAL", + + afl_environment_variable_len)) { + + afl->afl_env.afl_fsrv_kill_signal = (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_TARGET_ENV", @@ -654,8 +662,17 @@ void afl_states_stop(void) { LIST_FOREACH(&afl_states, afl_state_t, { - if (el->fsrv.child_pid > 0) kill(el->fsrv.child_pid, el->fsrv.kill_signal); - if (el->fsrv.fsrv_pid > 0) kill(el->fsrv.fsrv_pid, el->fsrv.kill_signal); + /* NOTE: We need to make sure that the parent (the forkserver) reap the + * child (see below). */ + if (el->fsrv.child_pid > 0) + kill(el->fsrv.child_pid, el->fsrv.child_kill_signal); + if (el->fsrv.fsrv_pid > 0) { + + kill(el->fsrv.fsrv_pid, el->fsrv.fsrv_kill_signal); + /* Make sure the forkserver does not end up as zombie. */ + waitpid(el->fsrv.fsrv_pid, NULL, 0); + + } }); diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 713f3a3c..61956dc3 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -1410,9 +1410,15 @@ void show_stats_pizza(afl_state_t *afl) { /* AFL_EXIT_ON_TIME. */ - if (unlikely(afl->last_find_time && !afl->non_instrumented_mode && - afl->afl_env.afl_exit_on_time && - (cur_ms - afl->last_find_time) > afl->exit_on_time)) { + /* If no coverage was found yet, check whether run time is greater than + * exit_on_time. */ + + if (unlikely( + !afl->non_instrumented_mode && afl->afl_env.afl_exit_on_time && + ((afl->last_find_time && + (cur_ms - afl->last_find_time) > afl->exit_on_time) || + (!afl->last_find_time && (afl->prev_run_time + cur_ms - + afl->start_time) > afl->exit_on_time)))) { afl->stop_soon = 2; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index d116822a..6ff4d266 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -25,6 +25,7 @@ #include "afl-fuzz.h" #include "cmplog.h" +#include "common.h" #include <limits.h> #include <stdlib.h> #ifndef USEMMAP @@ -261,6 +262,9 @@ static void usage(u8 *argv0, int more_help) { "AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX: like -g/-G set min/max fuzz length produced\n" "AFL_PIZZA_MODE: 1 - enforce pizza mode, 0 - disable for April 1st\n" "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n" + "AFL_FORK_SERVER_KILL_SIGNAL: Signal delivered to fork server processes on termination\n" + " (default: SIGTERM). If this is not set and AFL_KILL_SIGNAL is set,\n" + " this will be set to the same value.\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" " the target was compiled for\n" "AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value\n" @@ -1358,8 +1362,8 @@ int main(int argc, char **argv_orig, char **envp) { #endif - afl->fsrv.kill_signal = - parse_afl_kill_signal_env(afl->afl_env.afl_kill_signal, SIGKILL); + configure_afl_kill_signals(&afl->fsrv, afl->afl_env.afl_child_kill_signal, + afl->afl_env.afl_fsrv_kill_signal); setup_signal_handlers(); check_asan_opts(afl); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 0b724758..ce1f8004 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -129,7 +129,7 @@ static void kill_child() { timed_out = 1; if (fsrv->child_pid > 0) { - kill(fsrv->child_pid, fsrv->kill_signal); + kill(fsrv->child_pid, fsrv->child_kill_signal); fsrv->child_pid = -1; } @@ -822,8 +822,8 @@ static void usage(u8 *argv0) { " -o file - file to write the trace data to\n\n" "Execution control settings:\n" - " -t msec - timeout for each run (none)\n" - " -m megs - memory limit for child process (%u MB)\n" + " -t msec - timeout for each run (default: 1000ms)\n" + " -m megs - memory limit for child process (default: none)\n" #if defined(__linux__) && defined(__aarch64__) " -A - use binary-only instrumentation (ARM CoreSight mode)\n" #endif @@ -864,8 +864,14 @@ static void usage(u8 *argv0) { "AFL_DEBUG: enable extra developer output\n" "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during " "startup (in milliseconds)\n" - "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, " - "etc. (default: SIGKILL)\n" + "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout,\n" + " etc. (default: SIGKILL)\n" + "AFL_FORK_SERVER_KILL_SIGNAL: Signal delivered to fork server processes " + "on termination\n" + " (default: SIGTERM). If this is not set and " + "AFL_KILL_SIGNAL is set,\n" + " this will be set to the same value as " + "AFL_KILL_SIGNAL.\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the " "size the target was compiled for\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" @@ -873,7 +879,7 @@ static void usage(u8 *argv0) { "printed to stdout\n" "AFL_QUIET: do not print extra informational output\n" "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n", - argv0, MEM_LIMIT, doc_path); + argv0, doc_path); exit(1); @@ -1258,8 +1264,7 @@ int main(int argc, char **argv_orig, char **envp) { : 0); be_quiet = save_be_quiet; - fsrv->kill_signal = - parse_afl_kill_signal_env(getenv("AFL_KILL_SIGNAL"), SIGKILL); + configure_afl_kill_signals(fsrv, NULL, NULL); if (new_map_size) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 694c9c21..3a27b879 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -113,7 +113,7 @@ static void kill_child() { if (fsrv->child_pid > 0) { - kill(fsrv->child_pid, fsrv->kill_signal); + kill(fsrv->child_pid, fsrv->child_kill_signal); fsrv->child_pid = -1; } @@ -881,6 +881,9 @@ static void usage(u8 *argv0) { "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n" "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n" + "AFL_FORK_SERVER_KILL_SIGNAL: Signal delivered to fork server processes on termination\n" + " (default: SIGTERM). If this is not set and AFL_KILL_SIGNAL is set,\n" + " this will be set to the same value as AFL_KILL_SIGNAL.\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" " the target was compiled for\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" @@ -1195,8 +1198,7 @@ int main(int argc, char **argv_orig, char **envp) { } - fsrv->kill_signal = - parse_afl_kill_signal_env(getenv("AFL_KILL_SIGNAL"), SIGKILL); + configure_afl_kill_signals(fsrv, NULL, NULL); if (getenv("AFL_CRASH_EXITCODE")) { diff --git a/test/test-qemu-mode.sh b/test/test-qemu-mode.sh index 46b138ff..c7734217 100755 --- a/test/test-qemu-mode.sh +++ b/test/test-qemu-mode.sh @@ -107,14 +107,21 @@ test -e ../afl-qemu-trace && { test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc" -o "$SYS" = "aarch64" -o ! "${SYS%%arm*}" && { $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds" { - if file test-instr | grep -q "32-bit"; then - # for 32-bit reduce 8 nibbles to the lower 7 nibbles - ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.//'` - else - # for 64-bit reduce 16 nibbles to the lower 9 nibbles - ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//'` - fi - export AFL_QEMU_PERSISTENT_ADDR=`expr 0x4${ADDR_LOWER_PART}` + IS_STATIC="" + file test-instr | grep -q 'statically linked' && IS_STATIC=1 + test -z "$IS_STATIC" && { + if file test-instr | grep -q "32-bit"; then + # for 32-bit reduce 8 nibbles to the lower 7 nibbles + ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.//'` + else + # for 64-bit reduce 16 nibbles to the lower 9 nibbles + ADDR_LOWER_PART=`nm test-instr | grep "T main" | awk '{print $1}' | sed 's/^.......//'` + fi + export AFL_QEMU_PERSISTENT_ADDR=`expr 0x4${ADDR_LOWER_PART}` + } + test -n "$IS_STATIC" && { + export AFL_QEMU_PERSISTENT_ADDR=0x`nm test-instr | grep "T main" | awk '{print $1}'` + } export AFL_QEMU_PERSISTENT_GPR=1 $ECHO "Info: AFL_QEMU_PERSISTENT_ADDR=$AFL_QEMU_PERSISTENT_ADDR <= $(nm test-instr | grep "T main" | awk '{print $1}')" env|grep AFL_|sort |