authorDominik Maier <domenukk@gmail.com>2021-01-07 23:21:10 +0100
committerDominik Maier <domenukk@gmail.com>2021-01-07 23:21:10 +0100
commita06b25538fd7b6eef6755094aa4678c2cb5333fd (patch)
tree1a9a5cc3c56687faca12f654e4b2323bfbf16ddd /src
parent9cdf5c415015e4e80b577c021b8b9fcf8a3d58fb (diff)
cleaned up AFL_KILL_SIGNAL
Diffstat (limited to 'src')
-rw-r--r--src/afl-forkserver.c45
-rw-r--r--src/afl-fuzz.c30
-rw-r--r--src/afl-showmap.c37
-rw-r--r--src/afl-tmin.c29
4 files changed, 98 insertions, 43 deletions
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 70fb9572..b7aa87f8 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -84,6 +84,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
fsrv->init_tmout = EXEC_TIMEOUT * FORK_WAIT_MULT;
fsrv->mem_limit = MEM_LIMIT;
fsrv->out_file = NULL;
+ fsrv->kill_signal = SIGKILL;
/* exec related stuff */
fsrv->child_pid = -1;
@@ -95,30 +96,6 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
fsrv->uses_asan = false;
fsrv->init_child_func = fsrv_exec_child;
- fsrv->kill_signal = SIGKILL;
-
- char *kill_signal_env = get_afl_env("AFL_KILL_SIGNAL");
- if (kill_signal_env) {
-
- char *endptr;
- u8 signal_code;
- signal_code = (u8)strtoul(kill_signal_env, &endptr, 10);
- /* Did we manage to parse the full string? */
- if (*endptr != '\0' || endptr == kill_signal_env) {
-
- FATAL("Invalid kill signal value!");
-
- }
-
- fsrv->kill_signal = signal_code;
-
- } else {
-
- /* Using hardcoded code for SIGKILL for the sake of simplicity */
- setenv("AFL_KILL_SIGNAL", "9", 1);
-
- }
-
list_append(&fsrv_list, fsrv);
}
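Review bot: Removing the AFL_KILL_SIGNAL parsing from afl_fsrv_init() means every caller of the shared init that this commit does not touch now silently ignores the variable — the diffstat only updates afl-fuzz, afl-showmap and afl-tmin, so afl-analyze or any other afl_fsrv_init() user presumably keeps the SIGKILL default regardless of the environment. If that is intended, a one-line comment at the removed site would save the next reader a search: `/* kill_signal is set by the tool's main() after it parsed AFL_KILL_SIGNAL; see afl-fuzz.c */`. Otherwise keep a small parse helper in this file and have the three mains call it, so the validation lives in one place.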
@@ -139,6 +116,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
fsrv_to->no_unlink = from->no_unlink;
fsrv_to->uses_crash_exitcode = from->uses_crash_exitcode;
fsrv_to->crash_exitcode = from->crash_exitcode;
+ fsrv_to->kill_signal = from->kill_signal;
// These are forkserver specific.
fsrv_to->out_dir_fd = -1;
@@ -149,8 +127,6 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
fsrv_to->init_child_func = from->init_child_func;
// Note: do not copy ->add_extra_func
- fsrv_to->kill_signal = from->kill_signal;
-
list_append(&fsrv_list, fsrv_to);
}
@@ -1162,25 +1138,18 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
/* Report outcome to caller. */
- /* TODO We use SIGTERM here as an indicator of Xen mode,
- although it's not equivalent! */
- if (fsrv->kill_signal == SIGTERM && !*stop_soon_p &&
- fsrv->last_run_timed_out) {
+ /* Did we timeout? */
+ if (unlikely(fsrv->last_run_timed_out)) {
+ fsrv->last_kill_signal = fsrv->kill_signal;
return FSRV_RUN_TMOUT;
}
- if (WIFSIGNALED(fsrv->child_status) && !*stop_soon_p) {
+ /* Did we crash? */
+ if (unlikely(WIFSIGNALED(fsrv->child_status) && !*stop_soon_p)) {
fsrv->last_kill_signal = WTERMSIG(fsrv->child_status);
-
- if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL) {
-
- return FSRV_RUN_TMOUT;
-
- }
-
return FSRV_RUN_CRASH;
}
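Review bot: The new timeout branch drops the `!*stop_soon_p` guard that both the old SIGTERM path and the crash branch below it carry, so a run interrupted by a stop request while last_run_timed_out is set is now reported as FSRV_RUN_TMOUT instead of falling through; if callers discard results once stop_soon is set this is harmless, otherwise `if (unlikely(fsrv->last_run_timed_out && !*stop_soon_p)) {` restores the old behaviour. Note also that `fsrv->last_kill_signal = fsrv->kill_signal` records the signal that was sent rather than WTERMSIG(child_status), so a target that died of SIGSEGV just as the timer fired is classified as a hang and its real signal is lost — worth a comment if intentional: `/* On timeout report the signal we sent, even if the child died of something else first */`. afl_fsrv_run_target() continues outside the hunk.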
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 00625f2e..5c363c63 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -194,10 +194,11 @@ static void usage(u8 *argv0, int more_help) {
"AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n"
"AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n"
"AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n"
- "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n"
"AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n"
+ "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n"
"AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n"
"AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
+ "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
" the target was compiled for\n"
"AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value\n"
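Review bot: The new AFL_KILL_SIGNAL usage line says "Signal ID", but the parser added to main() in this file only accepts a base-10 number via strtoul, so `SIGTERM` or `TERM` is rejected with a FATAL; the help text should say so: `"AFL_KILL_SIGNAL: numeric signal to send to the child on timeout etc. (default: 9 = SIGKILL)\n"`. The same wording is added to afl-showmap.c and afl-tmin.c in this commit. usage() continues outside the hunk.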
@@ -986,6 +987,33 @@ int main(int argc, char **argv_orig, char **envp) {
#endif
+ afl->fsrv.kill_signal = SIGKILL;
+ if (afl->afl_env.afl_kill_signal) {
+
+ char *endptr;
+ u8 signal_code;
+ signal_code = (u8)strtoul(afl->afl_env.afl_kill_signal, &endptr, 10);
+ /* Did we manage to parse the full string? */
+ if (*endptr != '\0' || endptr == (char *)afl->afl_env.afl_kill_signal) {
+
+ FATAL("Invalid AFL_KILL_SIGNAL: %s (expected unsigned int)",
+ afl->afl_env.afl_kill_signal);
+
+ }
+
+ afl->fsrv.kill_signal = signal_code;
+
+ } else {
+
+ char *sigstr = alloc_printf("%d", (int)SIGKILL);
+ if (!sigstr) { FATAL("Failed to alloc mem for signal buf"); }
+
+ /* Set the env for signal handler */
+ setenv("AFL_KILL_SIGNAL", sigstr, 1);
+ free(sigstr);
+
+ }
+
setup_signal_handlers();
check_asan_opts(afl);
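Review bot: The parse in the added block accepts whatever strtoul consumes and then narrows it with `(u8)`, so `AFL_KILL_SIGNAL=256` becomes signal 0 (kill(pid, 0) delivers nothing, and a timed-out target is never killed) and `-1` wraps to 255, which kill() rejects with EINVAL; there is also no errno/ERANGE check. Since this value is what the fork server sends to hung children, it should be bounded to a real signal number before it is stored. Proposed rewrite of the parsing branch below — NSIG is available on glibc, the BSDs and macOS, and `<errno.h>` is presumably already included; if a supported platform lacks NSIG, a fixed upper bound (the field is a u8, so at most 255) is the fallback. main() continues outside the hunk.
```c
  afl->fsrv.kill_signal = SIGKILL;
  if (afl->afl_env.afl_kill_signal) {

    char *endptr;
    errno = 0;
    unsigned long signal_code =
        strtoul(afl->afl_env.afl_kill_signal, &endptr, 10);
    /* Whole string consumed, no overflow, and a real signal number: 0 would
       make kill() a no-op, and values >= NSIG (or a "-1" that strtoul accepts
       and the u8 cast would fold to 255) are rejected by kill() with EINVAL. */
    if (*endptr != '\0' || endptr == (char *)afl->afl_env.afl_kill_signal ||
        errno == ERANGE || signal_code == 0 || signal_code >= NSIG) {

      FATAL("Invalid AFL_KILL_SIGNAL: %s (expected a signal number 1..%d)",
            afl->afl_env.afl_kill_signal, NSIG - 1);

    }

    afl->fsrv.kill_signal = (u8)signal_code;

  } else {
    /* … unchanged: export the SIGKILL default via setenv … */
  }
```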
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index d50601fc..2c9c38ed 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -693,12 +693,13 @@ static void usage(u8 *argv0) {
"AFL_CRASH_EXITCODE: optional child exit code to be interpreted as "
"crash\n"
"AFL_DEBUG: enable extra developer output\n"
- "AFL_MAP_SIZE: the shared memory size for that target. must be >= the "
- "size\n"
- " the target was compiled for\n"
- "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
"AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during "
"startup (in milliseconds)\n"
+ "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, "
+ "etc. (default: SIGKILL)\n"
+ "AFL_MAP_SIZE: the shared memory size for that target. must be >= the "
+ "size the target was compiled for\n"
+ "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
"AFL_QUIET: do not print extra informational output\n",
argv0, MEM_LIMIT, doc_path);
@@ -1115,6 +1116,34 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ fsrv->kill_signal = SIGKILL;
+ char *afl_kill_signal_env = getenv("AFL_KILL_SIGNAL");
+ if (afl_kill_signal_env && afl_kill_signal_env[0]) {
+
+ char *endptr;
+ u8 signal_code;
+ signal_code = (u8)strtoul(afl_kill_signal_env, &endptr, 10);
+ /* Did we manage to parse the full string? */
+ if (*endptr != '\0' || endptr == afl_kill_signal_env) {
+
+ FATAL("Invalid AFL_KILL_SIGNAL: %s (expected unsigned int)",
+ afl_kill_signal_env);
+
+ }
+
+ fsrv->kill_signal = signal_code;
+
+ } else {
+
+ char *sigstr = alloc_printf("%d", (int)SIGKILL);
+ if (!sigstr) { FATAL("Failed to alloc mem for signal buf"); }
+
+ /* Set the env for signal handler */
+ setenv("AFL_KILL_SIGNAL", sigstr, 1);
+ free(sigstr);
+
+ }
+
if (getenv("AFL_CRASH_EXITCODE")) {
long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10);
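Review bot: The new parsing block in main() has the same unbounded `(u8)strtoul` narrowing as afl-fuzz.c and afl-tmin.c in this commit: `AFL_KILL_SIGNAL=256` silently becomes signal 0 (a no-op for kill(), so a hung target is never terminated) and `-1` becomes 255, which kill() refuses. Declare `signal_code` as `unsigned long`, set `errno = 0;` before the call, and extend the check to `if (*endptr != '\0' || endptr == afl_kill_signal_env || errno == ERANGE || signal_code == 0 || signal_code >= NSIG)`, casting to u8 only on the assignment. This block is now duplicated verbatim in three tools; a shared helper in afl-forkserver.c, e.g. `afl_fsrv_parse_kill_signal(afl_forkserver_t *fsrv, const char *env)` that also does the setenv export, would keep the validation in one place. main() continues outside the hunk.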
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 09d97f58..342de9c8 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -855,6 +855,7 @@ static void usage(u8 *argv0) {
"Environment variables used:\n"
"AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n"
"AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n"
+ "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
" the target was compiled for\n"
"AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
@@ -1134,6 +1135,34 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ fsrv->kill_signal = SIGKILL;
+ char *afl_kill_signal_env = getenv("AFL_KILL_SIGNAL");
+ if (afl_kill_signal_env && afl_kill_signal_env[0]) {
+
+ char *endptr;
+ u8 signal_code;
+ signal_code = (u8)strtoul(afl_kill_signal_env, &endptr, 10);
+ /* Did we manage to parse the full string? */
+ if (*endptr != '\0' || endptr == afl_kill_signal_env) {
+
+ FATAL("Invalid AFL_KILL_SIGNAL: %s (expected unsigned int)",
+ afl_kill_signal_env);
+
+ }
+
+ fsrv->kill_signal = signal_code;
+
+ } else {
+
+ char *sigstr = alloc_printf("%d", (int)SIGKILL);
+ if (!sigstr) { FATAL("Failed to alloc mem for signal buf"); }
+
+ /* Set the env for signal handler */
+ setenv("AFL_KILL_SIGNAL", sigstr, 1);
+ free(sigstr);
+
+ }
+
if (getenv("AFL_CRASH_EXITCODE")) {
long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10);
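Review bot: The added block stores the raw `(u8)strtoul` result without a range check, so an out-of-range or negative AFL_KILL_SIGNAL slips past the FATAL that follows it: `256` wraps to signal 0 and `-1` to 255, neither of which terminates a timed-out child. Add `errno = 0;` before the call, keep the value in an `unsigned long`, and reject `errno == ERANGE || signal_code == 0 || signal_code >= NSIG` alongside the existing endptr checks. The comment `/* Set the env for signal handler */` on the else branch does not say who consumes the variable; if it is the fork server inside the target, say so, e.g. `/* Export the default so the target-side fork server sends the same signal */`, and note that only the default is exported — a user-supplied value is left in the environment exactly as typed (strtoul tolerates leading whitespace, a later reader may not). main() continues outside the hunk.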