authorvan Hauser <vh@thc.org>2020-04-26 16:51:21 +0200
committerGitHub <noreply@github.com>2020-04-26 16:51:21 +0200
commit62ec52dd956d62957b431ef804b7956124823f00 (patch)
tree706a66892726df089a9d8bf6e8a6e8b1665ff5a8 /src
parentce9c6df45639db922feafb55259e20c7e82af0bf (diff)
parentea876e59a8c1abc979ea05aa4dbe660608aaa9ba (diff)
downloadafl++-62ec52dd956d62957b431ef804b7956124823f00.tar.gz
Merge pull request #336 from AFLplusplus/dev
pull again ...
Diffstat (limited to 'src')
-rw-r--r--src/afl-common.c14
-rw-r--r--src/afl-forkserver.c53
-rw-r--r--src/afl-fuzz-bitmap.c2
-rw-r--r--src/afl-fuzz-init.c13
-rw-r--r--src/afl-fuzz-state.c35
-rw-r--r--src/afl-gcc.c32
-rw-r--r--src/afl-sharedmem.c10
7 files changed, 124 insertions, 35 deletions
diff --git a/src/afl-common.c b/src/afl-common.c
index 1dae8509..dda62219 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -67,10 +67,11 @@ char *afl_environment_variables[] = {
"AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK", "AFL_LLVM_LAF_SPLIT_COMPARES",
"AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS",
"AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES",
- "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE", "AFL_LLVM_NOT_ZERO",
- "AFL_LLVM_WHITELIST", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID",
- "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN",
- "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON",
+ "AFL_LLVM_MAP_ADDR", "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE",
+ "AFL_NGRAM_SIZE", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST",
+ "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID",
+ "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV",
+ "AFL_NO_UI", "AFL_NO_PYTHON",
"AFL_NO_X86", // not really an env but we dont want to warn on it
"AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE",
//"AFL_PERSISTENT", // not implemented anymore, so warn additionally
@@ -917,7 +918,7 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms,
}
-u32 get_map_size() {
+u32 get_map_size(void) {
uint32_t map_size = MAP_SIZE;
char * ptr;
@@ -927,7 +928,8 @@ u32 get_map_size() {
map_size = atoi(ptr);
if (map_size < 8 || map_size > (1 << 29)) {
- FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size);
+ FATAL("illegal AFL_MAP_SIZE %u, must be between %u and %u", map_size, 8,
+ 1 << 29);
}
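Review bot: The range check this hunk rewords still sits on top of `map_size = atoi(ptr)`, which accepts malformed values silently: `AFL_MAP_SIZE=-1` is rejected only because the wrapped unsigned value happens to exceed the upper bound, and `65536k` is read as 65536 with no complaint. Parsing with `strtoul` and checking the end pointer would let the new message also cover malformed input, e.g. `char *end; unsigned long v = strtoul(ptr, &end, 10); if (end == ptr || *end) { FATAL("illegal AFL_MAP_SIZE '%s'", ptr); }` ahead of the existing bounds check, then assigning `map_size = (uint32_t)v`. get_map_size starts and ends outside this hunk.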
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 0c795f9c..d5a60077 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -53,7 +53,7 @@
/* Describe integer as memory size. */
-list_t fsrv_list = {.element_prealloc_count = 0};
+static list_t fsrv_list = {.element_prealloc_count = 0};
static void fsrv_exec_child(afl_forkserver_t *fsrv, char **argv) {
@@ -67,7 +67,6 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
// this structure needs default so we initialize it if this was not done
// already
-
fsrv->out_fd = -1;
fsrv->out_dir_fd = -1;
fsrv->dev_null_fd = -1;
@@ -83,7 +82,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
/* exec related stuff */
fsrv->child_pid = -1;
- fsrv->map_size = MAP_SIZE;
+ fsrv->map_size = get_map_size();
fsrv->use_fauxsrv = 0;
fsrv->last_run_timed_out = 0;
@@ -201,6 +200,44 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) {
}
+/* Report on the error received via the forkserver controller and exit */
+static void report_error_and_exit(int error) {
+
+ switch (error) {
+
+ case FS_ERROR_MAP_SIZE:
+ FATAL(
+ "AFL_MAP_SIZE is not set and fuzzing target reports that the "
+ "required size is very large. Solution: Run the fuzzing target "
+ "stand-alone with the environment variable AFL_DEBUG=1 set and set "
+ "the value for __afl_final_loc in the AFL_MAP_SIZE environment "
+ "variable for afl-fuzz.");
+ break;
+ case FS_ERROR_MAP_ADDR:
+ FATAL(
+ "the fuzzing target reports that hardcoded map address might be the "
+ "reason the mmap of the shared memory failed. Solution: recompile "
+ "the target with either afl-clang-lto and the environment variable "
+ "AFL_LLVM_MAP_DYNAMIC set or recompile with afl-clang-fast.");
+ break;
+ case FS_ERROR_SHM_OPEN:
+ FATAL("the fuzzing target reports that the shm_open() call failed.");
+ break;
+ case FS_ERROR_SHMAT:
+ FATAL("the fuzzing target reports that the shmat() call failed.");
+ break;
+ case FS_ERROR_MMAP:
+ FATAL(
+ "the fuzzing target reports that the mmap() call to the share memory "
+ "failed.");
+ break;
+ default:
+ FATAL("unknown error code %u from fuzzing target!", error);
+
+ }
+
+}
+
/* Spins up fork server (instrumented mode only). The idea is explained here:
http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
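Review bot: In the `default:` arm of report_error_and_exit the format string uses `%u` while `error` is declared `int`; the value comes from the target process, so it deserves a matching specifier, `FATAL("unknown error code %d from fuzzing target!", error);`. The FS_ERROR_MMAP message also reads "the mmap() call to the share memory failed" and should say "shared memory". The `break` after each FATAL is dead code if FATAL is marked noreturn, which I cannot confirm from this hunk; if it is, dropping the breaks and annotating this function noreturn as well would make the contract visible to callers.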
@@ -400,6 +437,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
if (!be_quiet) { OKF("All right - fork server is up."); }
+ if ((status & FS_OPT_ERROR) == FS_OPT_ERROR)
+ report_error_and_exit(FS_OPT_GET_ERROR(status));
+
if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) {
if (!be_quiet && getenv("AFL_DEBUG")) {
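Review bot: The new `if ((status & FS_OPT_ERROR) == FS_OPT_ERROR)` has an unbraced body, unlike the single-statement `if (!be_quiet) { OKF(...); }` directly above it; braces keep the style consistent and avoid the classic dangling-statement mistake, i.e. `if ((status & FS_OPT_ERROR) == FS_OPT_ERROR) { report_error_and_exit(FS_OPT_GET_ERROR(status)); }`. The error report is also emitted after "All right - fork server is up." has already been printed, which looks odd to the user; if `status` is available earlier, moving the check ahead of that OKF seems preferable, though I cannot see where status is read. afl_fsrv_start starts and ends outside this hunk.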
@@ -434,9 +474,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
FATAL(
"Target's coverage map size of %u is larger than the one this "
- "afl++ is set with (%u) (change MAP_SIZE_POW2 in config.h and "
- "recompile or set AFL_MAP_SIZE)\n",
- tmp_map_size, fsrv->map_size);
+ "afl++ is set with (%u). Either set AFL_MAP_SIZE=%u and restart "
+ " afl-fuzz, or change MAP_SIZE_POW2 in config.h and recompile "
+ "afl-fuzz",
+ tmp_map_size, fsrv->map_size, tmp_map_size);
}
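Review bot: The rewritten message concatenates `"... and restart "` with `" afl-fuzz, or change ..."`, so the user sees "restart  afl-fuzz" with two spaces; drop the leading space on the second fragment, `"afl-fuzz, or change MAP_SIZE_POW2 in config.h and recompile "`. The trailing `\n` that the old message had was also removed, which may be intentional if FATAL adds its own line break; worth confirming so this message is formatted like the other FATALs in the file.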
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 69fe6562..2289183c 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -721,7 +721,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
#else
snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir,
- afl->unique_crashes, afl->kill_signal);
+ afl->unique_crashes, afl->last_kill_signal);
#endif /* ^!SIMPLE_FILES */
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 4dd31ac9..32481887 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1903,7 +1903,7 @@ void fix_up_sync(afl_state_t *afl) {
static void handle_resize(int sig) {
- LIST_FOREACH(&afl_states, afl_state_t, { el->clear_screen = 1; });
+ afl_states_clear_screen();
}
@@ -1954,14 +1954,7 @@ void check_asan_opts(void) {
static void handle_stop_sig(int sig) {
- LIST_FOREACH(&afl_states, afl_state_t, {
-
- el->stop_soon = 1;
-
- if (el->fsrv.child_pid > 0) kill(el->fsrv.child_pid, SIGKILL);
- if (el->fsrv.fsrv_pid > 0) kill(el->fsrv.fsrv_pid, SIGKILL);
-
- });
+ afl_states_stop();
}
@@ -1969,7 +1962,7 @@ static void handle_stop_sig(int sig) {
static void handle_skipreq(int sig) {
- LIST_FOREACH(&afl_states, afl_state_t, { el->skip_requested = 1; });
+ afl_states_request_skip();
}
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index b38c9ec5..4f5389e3 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -71,7 +71,7 @@ static void init_mopt_globals(afl_state_t *afl) {
/* A global pointer to all instances is needed (for now) for signals to arrive
*/
-list_t afl_states = {.element_prealloc_count = 0};
+static list_t afl_states = {.element_prealloc_count = 0};
/* Initializes an afl_state_t. */
@@ -81,7 +81,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
and out_size are NULL/0 by default. */
memset(afl, 0, sizeof(afl_state_t));
- if (!map_size) { afl->shm.map_size = MAP_SIZE; }
+ afl->shm.map_size = map_size ? map_size : MAP_SIZE;
afl->w_init = 0.9;
afl->w_end = 0.3;
@@ -398,3 +398,34 @@ void afl_state_deinit(afl_state_t *afl) {
}
+void afl_states_stop(void) {
+
+ /* We may be inside a signal handler.
+ Set flags first, send kill signals to child proceses later. */
+ LIST_FOREACH(&afl_states, afl_state_t, {
+
+ el->stop_soon = 1;
+
+ });
+
+ LIST_FOREACH(&afl_states, afl_state_t, {
+
+ if (el->fsrv.child_pid > 0) kill(el->fsrv.child_pid, SIGKILL);
+ if (el->fsrv.fsrv_pid > 0) kill(el->fsrv.fsrv_pid, SIGKILL);
+
+ });
+
+}
+
+void afl_states_clear_screen(void) {
+
+ LIST_FOREACH(&afl_states, afl_state_t, { el->clear_screen = 1; });
+
+}
+
+void afl_states_request_skip(void) {
+
+ LIST_FOREACH(&afl_states, afl_state_t, { el->skip_requested = 1; });
+
+}
+
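Review bot: afl_states_stop, afl_states_clear_screen and afl_states_request_skip are new public functions with no header comment, and the only hint at their constraint is the inline "We may be inside a signal handler" note; since afl-fuzz-init.c in this same commit calls them from handle_stop_sig, handle_resize and handle_skipreq, each should carry a comment stating that it is invoked from a signal handler and must stay async-signal-safe, e.g. `/* Ask every registered afl_state_t to stop and kill its children. Called from a signal handler: no allocation, no locking, no stdio. */`. The inline comment also has a typo, "proceses" should be "processes". Whether LIST_FOREACH over afl_states is safe while afl_state_deinit may be removing an element is not visible here and is worth a sentence in that comment either way.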
diff --git a/src/afl-gcc.c b/src/afl-gcc.c
index 6c6bd1f1..7eb01c0c 100644
--- a/src/afl-gcc.c
+++ b/src/afl-gcc.c
@@ -149,11 +149,16 @@ static void edit_params(u32 argc, char **argv) {
u8 *alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)"clang++";
- } else {
+ } else if (!strcmp(name, "afl-clang")) {
u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)"clang";
+ } else {
+
+ fprintf(stderr, "Name of the binary: %s\n", argv[0]);
+ FATAL("Name of the binary is not a known name, expected afl-clang(++)");
+
}
} else {
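Review bot: The new fallback branch prints argv[0] with a raw `fprintf(stderr, ...)` and then a FATAL without the name, and the same two-line pair is repeated in the next two hunks of this file; folding the name into the FATAL keeps the output on the project's own message path and removes the duplication, e.g. `FATAL("Name of the binary '%s' is not a known name, expected afl-clang(++)", argv[0]);` here and the afl-gcc/g++/gcj variant in the other two branches. edit_params starts and ends outside this hunk.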
@@ -166,13 +171,25 @@ static void edit_params(u32 argc, char **argv) {
#ifdef __APPLE__
- if (!strcmp(name, "afl-g++"))
+ if (!strcmp(name, "afl-g++")) {
+
cc_params[0] = getenv("AFL_CXX");
- else if (!strcmp(name, "afl-gcj"))
+
+ } else if (!strcmp(name, "afl-gcj")) {
+
cc_params[0] = getenv("AFL_GCJ");
- else
+
+ } else if (!strcmp(name, "afl-gcc")) {
+
cc_params[0] = getenv("AFL_CC");
+ } else {
+
+ fprintf(stderr, "Name of the binary: %s\n", argv[0]);
+ FATAL("Name of the binary is not a known name, expected afl-gcc/g++/gcj");
+
+ }
+
if (!cc_params[0]) {
SAYF("\n" cLRD "[-] " cRST
@@ -199,11 +216,16 @@ static void edit_params(u32 argc, char **argv) {
u8 *alt_cc = getenv("AFL_GCJ");
cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)"gcj";
- } else {
+ } else if (!strcmp(name, "afl-gcc")) {
u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)"gcc";
+ } else {
+
+ fprintf(stderr, "Name of the binary: %s\n", argv[0]);
+ FATAL("Name of the binary is not a known name, expected afl-gcc/g++/gcj");
+
}
#endif /* __APPLE__ */
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index 90754b75..e024eb18 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -127,12 +127,12 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) {
}
/* map the shared memory segment to the address space of the process */
- shm->map = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED,
- map_size->g_shm_fd, 0);
- if (map_size->map == MAP_FAILED) {
+ shm->map =
+ mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, shm->g_shm_fd, 0);
+ if (shm->map == MAP_FAILED) {
- close(map_size->g_shm_fd);
- map_size->g_shm_fd = -1;
+ close(shm->g_shm_fd);
+ shm->g_shm_fd = -1;
PFATAL("mmap() failed");
}
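Review bot: The corrected failure path still calls `close(shm->g_shm_fd)` before `PFATAL("mmap() failed")`, so if PFATAL reports errno as its name suggests, a failing close() can overwrite the mmap() error before it is printed. Preserving it is two lines: `int err = errno;` before the close and `errno = err;` immediately before PFATAL. afl_shm_init starts and ends outside this hunk.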