authorvan Hauser <vh@thc.org>2021-01-20 19:12:52 +0100
committerGitHub <noreply@github.com>2021-01-20 19:12:52 +0100
commit068bef5eab942df0a133c92522f2ab81b28ac636 (patch)
tree4689cb46e0d543af889609e260b1ff03455a2701 /include
parent271116f8705e08d1b4f924cda6c6cae1b0b5de2b (diff)
parentb9e855b7b5ef3d7f367b32ee03459a9f5b21360f (diff)
downloadafl++-068bef5eab942df0a133c92522f2ab81b28ac636.tar.gz
Merge pull request #691 from AFLplusplus/dev
push to stable
Diffstat (limited to 'include')
-rw-r--r--include/afl-fuzz.h16
-rw-r--r--include/android-ashmem.h113
-rw-r--r--include/common.h5
-rw-r--r--include/config.h50
-rw-r--r--include/debug.h6
-rw-r--r--include/envs.h1
-rw-r--r--include/forkserver.h2
-rw-r--r--include/types.h2
8 files changed, 85 insertions, 110 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 0bf0aebe..6342c8b6 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -37,10 +37,6 @@
#define _FILE_OFFSET_BITS 64
#endif
-#ifdef __ANDROID__
- #include "android-ashmem.h"
-#endif
-
#include "config.h"
#include "types.h"
#include "debug.h"
@@ -381,7 +377,7 @@ typedef struct afl_env_vars {
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload,
*afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
*afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size,
- *afl_testcache_entries;
+ *afl_testcache_entries, *afl_kill_signal;
} afl_env_vars_t;
@@ -573,7 +569,7 @@ typedef struct afl_state {
u8 stage_name_buf[STAGE_BUF_SIZE]; /* reused stagename buf with len 64 */
- s32 stage_cur, stage_max; /* Stage progression */
+ u32 stage_cur, stage_max; /* Stage progression */
s32 splicing_with; /* Splicing with which test case? */
u32 main_node_id, main_node_max; /* Main instance job splitting */
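Review bot: Changing `stage_cur`/`stage_max` from s32 to u32 silently changes every comparison or subtraction that mixes them with a signed operand elsewhere (for example `splicing_with`, which stays s32 on the next line, or any `stage_cur >= 0` loop bound or `-1` sentinel), because the signed side is converted to unsigned under the usual arithmetic conversions. Those uses are outside this hunk, so they cannot be checked here; building with `-Wsign-compare` and auditing the warnings before this lands would confirm nothing relied on the old signedness. The `afl_state` struct continues past the hunk.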
@@ -590,9 +586,9 @@ typedef struct afl_state {
u32 rand_cnt; /* Random number counter */
-/* unsigned long rand_seed[3]; would also work */
+ /* unsigned long rand_seed[3]; would also work */
AFL_RAND_RETURN rand_seed[3];
- s64 init_seed;
+ s64 init_seed;
u64 total_cal_us, /* Total calibration time (us) */
total_cal_cycles; /* Total calibration cycles */
@@ -645,10 +641,10 @@ typedef struct afl_state {
unsigned long long int last_avg_exec_update;
u32 last_avg_execs;
- float last_avg_execs_saved;
+ double last_avg_execs_saved;
/* foreign sync */
-#define FOREIGN_SYNCS_MAX 32
+#define FOREIGN_SYNCS_MAX 32U
u8 foreign_sync_cnt;
struct foreign_sync foreign_syncs[FOREIGN_SYNCS_MAX];
diff --git a/include/android-ashmem.h b/include/android-ashmem.h
index 41d4d2da..6939e06d 100644
--- a/include/android-ashmem.h
+++ b/include/android-ashmem.h
@@ -1,112 +1,81 @@
-/*
- american fuzzy lop++ - android shared memory compatibility layer
- ----------------------------------------------------------------
-
- Originally written by Michal Zalewski
-
- Now maintained by Marc Heuse <mh@mh-sec.de>,
- Heiko Eißfeldt <heiko.eissfeldt@hexco.de>,
- Andrea Fioraldi <andreafioraldi@gmail.com>,
- Dominik Maier <mail@dmnk.co>
-
- Copyright 2016, 2017 Google Inc. All rights reserved.
- Copyright 2019-2020 AFLplusplus Project. All rights reserved.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at:
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- This header re-defines the shared memory routines used by AFL++
- using the Andoid API.
-
- */
-
+#ifdef __ANDROID__
#ifndef _ANDROID_ASHMEM_H
#define _ANDROID_ASHMEM_H
-#ifdef __ANDROID__
-
- #include <fcntl.h>
- #include <linux/shm.h>
- #include <linux/ashmem.h>
- #include <sys/ioctl.h>
- #include <sys/mman.h>
-
- #if __ANDROID_API__ >= 26
- #define shmat bionic_shmat
- #define shmctl bionic_shmctl
- #define shmdt bionic_shmdt
- #define shmget bionic_shmget
- #endif
-
- #include <sys/shm.h>
- #undef shmat
- #undef shmctl
- #undef shmdt
- #undef shmget
- #include <stdio.h>
+#include <fcntl.h>
+#include <linux/ashmem.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
- #define ASHMEM_DEVICE "/dev/ashmem"
+#if __ANDROID_API__ >= 26
+#define shmat bionic_shmat
+#define shmctl bionic_shmctl
+#define shmdt bionic_shmdt
+#define shmget bionic_shmget
+#endif
+#include <sys/shm.h>
+#undef shmat
+#undef shmctl
+#undef shmdt
+#undef shmget
+#include <stdio.h>
-static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
+#define ASHMEM_DEVICE "/dev/ashmem"
+int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
int ret = 0;
if (__cmd == IPC_RMID) {
-
- int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
- struct ashmem_pin pin = {0, (unsigned int)length};
+ int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
+ struct ashmem_pin pin = {0, length};
ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
close(__shmid);
-
}
return ret;
-
}
-static inline int shmget(key_t __key, size_t __size, int __shmflg) {
-
- (void)__shmflg;
- int fd, ret;
+int shmget(key_t __key, size_t __size, int __shmflg) {
+ (void) __shmflg;
+ int fd, ret;
char ourkey[11];
fd = open(ASHMEM_DEVICE, O_RDWR);
- if (fd < 0) return fd;
+ if (fd < 0)
+ return fd;
sprintf(ourkey, "%d", __key);
ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
- if (ret < 0) goto error;
+ if (ret < 0)
+ goto error;
ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
- if (ret < 0) goto error;
+ if (ret < 0)
+ goto error;
return fd;
error:
close(fd);
return ret;
-
}
-static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
-
- (void)__shmflg;
- int size;
+void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
+ (void) __shmflg;
+ int size;
void *ptr;
size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
- if (size < 0) { return NULL; }
+ if (size < 0) {
+ return NULL;
+ }
ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
- if (ptr == MAP_FAILED) { return NULL; }
+ if (ptr == MAP_FAILED) {
+ return NULL;
+ }
return ptr;
-
}
-#endif /* __ANDROID__ */
-
-#endif
-
+#endif /* !_ANDROID_ASHMEM_H */
+#endif /* !__ANDROID__ */
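Review bot: `sprintf(ourkey, "%d", __key)` in shmget can write 12 bytes into `char ourkey[11]` when key_t is a 32-bit signed int and the key is a negative ten-digit value (e.g. -1000000000 prints as 11 characters plus the terminator); `char ourkey[12]` with `snprintf(ourkey, sizeof ourkey, "%d", __key)` bounds it. In shmctl, `length` from `ioctl(__shmid, ASHMEM_GET_SIZE, NULL)` is copied into the unsigned `pin.len` without checking for failure, so a -1 result becomes a pin request for ~4 GiB; add `if (length < 0) return length;` before building `pin`. The three functions are also now defined with external linkage in a header, so the header will cause duplicate-symbol link errors if it is ever included from more than one translation unit, and will shadow the libc symbols in any that include it; keeping them `static inline` (or moving the definitions to a .c file) avoids that unless single-inclusion is intended. `close()` is called without `<unistd.h>` being included and relies on a transitive include.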
diff --git a/include/common.h b/include/common.h
index 125c3abf..9490ec5f 100644
--- a/include/common.h
+++ b/include/common.h
@@ -56,6 +56,11 @@ extern u8 *doc_path; /* path to documentation dir */
u8 *find_binary(u8 *fname);
+/* Parses the kill signal environment variable, FATALs on error.
+ If the env is not set, sets the env to default_signal for the signal handlers
+ and returns the default_signal. */
+int parse_afl_kill_signal_env(u8 *afl_kill_signal_env, int default_signal);
+
/* Read a bitmap from file fname to memory
This is for the -B option again. */
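Review bot: The comment on `parse_afl_kill_signal_env` does not state what input formats are accepted (a number only, or also names such as `SIGKILL`) or what range the returned value is guaranteed to lie in, which matters because the value ends up in a `u8` field and is passed to `kill()`; the contract should say that only a value in 1..NSIG-1 is ever returned and everything else FATALs. The parser only reads the string, so `const u8 *afl_kill_signal_env` would document that more accurately. The implementation is outside this hunk, so this is a request to document and enforce the range rather than a confirmed defect.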
diff --git a/include/config.h b/include/config.h
index e8a49270..973bbcbb 100644
--- a/include/config.h
+++ b/include/config.h
@@ -80,11 +80,11 @@
/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
also used for detecting hangs; the actual value is auto-scaled: */
-#define EXEC_TIMEOUT 1000
+#define EXEC_TIMEOUT 1000U
/* Timeout rounding factor when auto-scaling (milliseconds): */
-#define EXEC_TM_ROUND 20
+#define EXEC_TM_ROUND 20U
/* 64bit arch MACRO */
#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__))
@@ -93,48 +93,48 @@
/* Default memory limit for child process (MB) 0 = disabled : */
-#define MEM_LIMIT 0
+#define MEM_LIMIT 0U
/* Default memory limit when running in QEMU mode (MB) 0 = disabled : */
-#define MEM_LIMIT_QEMU 0
+#define MEM_LIMIT_QEMU 0U
/* Default memory limit when running in Unicorn mode (MB) 0 = disabled : */
-#define MEM_LIMIT_UNICORN 0
+#define MEM_LIMIT_UNICORN 0U
/* Number of calibration cycles per every new test case (and for test
cases that show variable behavior): */
-#define CAL_CYCLES 8
-#define CAL_CYCLES_LONG 40
+#define CAL_CYCLES 8U
+#define CAL_CYCLES_LONG 40U
/* Number of subsequent timeouts before abandoning an input file: */
-#define TMOUT_LIMIT 250
+#define TMOUT_LIMIT 250U
/* Maximum number of unique hangs or crashes to record: */
-#define KEEP_UNIQUE_HANG 500
-#define KEEP_UNIQUE_CRASH 5000
+#define KEEP_UNIQUE_HANG 500U
+#define KEEP_UNIQUE_CRASH 5000U
/* Baseline number of random tweaks during a single 'havoc' stage: */
-#define HAVOC_CYCLES 256
-#define HAVOC_CYCLES_INIT 1024
+#define HAVOC_CYCLES 256U
+#define HAVOC_CYCLES_INIT 1024U
/* Maximum multiplier for the above (should be a power of two, beware
of 32-bit int overflows): */
-#define HAVOC_MAX_MULT 64
-#define HAVOC_MAX_MULT_MOPT 64
+#define HAVOC_MAX_MULT 64U
+#define HAVOC_MAX_MULT_MOPT 64U
/* Absolute minimum number of havoc cycles (after all adjustments): */
-#define HAVOC_MIN 12
+#define HAVOC_MIN 12U
/* Power Schedule Divisor */
-#define POWER_BETA 1
+#define POWER_BETA 1U
#define MAX_FACTOR (POWER_BETA * 32)
/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
@@ -146,19 +146,19 @@
In other words, the default (n = 4) produces 2, 4, 8, 16
stacked tweaks: */
-#define HAVOC_STACK_POW2 4
+#define HAVOC_STACK_POW2 4U
/* Caps on block sizes for cloning and deletion operations. Each of these
ranges has a 33% probability of getting picked, except for the first
two cycles where smaller blocks are favored: */
-#define HAVOC_BLK_SMALL 32
-#define HAVOC_BLK_MEDIUM 128
-#define HAVOC_BLK_LARGE 1500
+#define HAVOC_BLK_SMALL 32U
+#define HAVOC_BLK_MEDIUM 128U
+#define HAVOC_BLK_LARGE 1500U
/* Extra-large blocks, selected very rarely (<5% of the time): */
-#define HAVOC_BLK_XL 32768
+#define HAVOC_BLK_XL 32768U
/* Probabilities of skipping non-favored entries in the queue, expressed as
percentages: */
@@ -186,9 +186,11 @@
#define TRIM_START_STEPS 16
#define TRIM_END_STEPS 1024
-/* Maximum size of input file, in bytes (keep under 100MB): */
+/* Maximum size of input file, in bytes (keep under 100MB, default 1MB):
+ (note that if this value is changed, several areas in afl-cc.c, afl-fuzz.c
+ and afl-fuzz-state.c have to be changed as well! */
-#define MAX_FILE (1 * 1024 * 1024)
+#define MAX_FILE (1 * 1024 * 1024U)
/* The same, for the test case minimizer: */
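Review bot: The comment added above `MAX_FILE` opens a parenthesis with `(note that if this value is changed ...` and never closes it; the last line should read `and afl-fuzz-state.c have to be changed as well!) */`. Since the comment names the files that hard-code the same limit, a short mention of what is duplicated there (the 1 MB figure) would make the caveat easier to act on.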
@@ -380,7 +382,7 @@
after changing this - otherwise, SEGVs may ensue. */
#define MAP_SIZE_POW2 16
-#define MAP_SIZE (1 << MAP_SIZE_POW2)
+#define MAP_SIZE (1U << MAP_SIZE_POW2)
/* Maximum allocator request size (keep well under INT_MAX): */
diff --git a/include/debug.h b/include/debug.h
index 7f4a6be1..ef5b195b 100644
--- a/include/debug.h
+++ b/include/debug.h
@@ -295,7 +295,7 @@ static inline const char *colorfilter(const char *x) {
\
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] PROGRAM ABORT : " cRST x); \
- SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __func__, \
+ SAYF(cLRD "\n Location : " cRST "%s(), %s:%d\n\n", __func__, \
__FILE__, __LINE__); \
exit(1); \
\
@@ -308,7 +308,7 @@ static inline const char *colorfilter(const char *x) {
\
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] PROGRAM ABORT : " cRST x); \
- SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __func__, \
+ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n\n", __func__, \
__FILE__, __LINE__); \
abort(); \
\
@@ -322,7 +322,7 @@ static inline const char *colorfilter(const char *x) {
fflush(stdout); \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] SYSTEM ERROR : " cRST x); \
- SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __func__, \
+ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n", __func__, \
__FILE__, __LINE__); \
SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
exit(1); \
diff --git a/include/envs.h b/include/envs.h
index e4e49c4d..97367fae 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -61,6 +61,7 @@ static char *afl_environment_variables[] = {
"AFL_IMPORT_FIRST",
"AFL_INST_LIBS",
"AFL_INST_RATIO",
+ "AFL_KILL_SIGNAL",
"AFL_KEEP_TRACES",
"AFL_KEEP_ASSEMBLY",
"AFL_LD_HARD_FAIL",
diff --git a/include/forkserver.h b/include/forkserver.h
index 8e029266..3019e289 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -99,6 +99,8 @@ typedef struct afl_forkserver {
void (*add_extra_func)(void *afl_ptr, u8 *mem, u32 len);
+ u8 kill_signal;
+
} afl_forkserver_t;
typedef enum fsrv_run_result {
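Review bot: The new `u8 kill_signal` field is undocumented and narrower than the `int` the parser returns, so a value above 255 would be truncated before reaching `kill()`; this is harmless on Linux where signal numbers are below 65, but it relies on the parser's range check, which is not visible here. A comment such as `/* Signal sent to the target on timeout/abort; set from AFL_KILL_SIGNAL, 1..NSIG-1 */` would make the expected range explicit. The `afl_forkserver` struct begins before this hunk.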
diff --git a/include/types.h b/include/types.h
index 39f599a0..3e3bc953 100644
--- a/include/types.h
+++ b/include/types.h
@@ -50,7 +50,7 @@ typedef uint32_t u32;
#define FS_OPT_SHDMEM_FUZZ 0x01000000
#define FS_OPT_OLD_AFLPP_WORKAROUND 0x0f000000
// FS_OPT_MAX_MAPSIZE is 8388608 = 0x800000 = 2^23 = 1 << 22
-#define FS_OPT_MAX_MAPSIZE ((0x00fffffe >> 1) + 1)
+#define FS_OPT_MAX_MAPSIZE ((0x00fffffeU >> 1) + 1)
#define FS_OPT_GET_MAPSIZE(x) (((x & 0x00fffffe) >> 1) + 1)
#define FS_OPT_SET_MAPSIZE(x) \
(x <= 1 || x > FS_OPT_MAX_MAPSIZE ? 0 : ((x - 1) << 1))
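Review bot: The comment above `FS_OPT_MAX_MAPSIZE` miscounts the shift: `(0x00fffffe >> 1) + 1` is 0x800000 = 2^23 = `1 << 23`, not `1 << 22`. The companion macros `FS_OPT_GET_MAPSIZE` and `FS_OPT_SET_MAPSIZE` still use the signed literal `0x00fffffe` and do not parenthesize `x`, so `FS_OPT_SET_MAPSIZE(a | b)` parses as `a | (b <= 1) ...`; `#define FS_OPT_GET_MAPSIZE(x) ((((x) & 0x00fffffeU) >> 1) + 1)` and `((x) <= 1 || (x) > FS_OPT_MAX_MAPSIZE ? 0 : (((x) - 1) << 1))` would match the now-unsigned constant and close the precedence hole.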