authorvan Hauser <vh@thc.org>2020-06-25 22:02:02 +0200
committervan Hauser <vh@thc.org>2020-06-25 22:02:02 +0200
commit171b1923e94b7157d9c0574fae890d31fd880e4c (patch)
treec0b8718e0c002ab6e1a84cc228bcb7a5d9a872e9 /src
parent8d5eb9487d891a7e5c8e68a5b71e0721ef83427a (diff)
shmem release fix
Diffstat (limited to 'src')
-rw-r--r--src/afl-fuzz-run.c1
-rw-r--r--src/afl-fuzz.c38
-rw-r--r--src/afl-sharedmem.c2
-rw-r--r--src/afl-showmap.c51
-rw-r--r--src/afl-tmin.c49
5 files changed, 102 insertions, 39 deletions
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index d5c80cb3..da5b6bc4 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -262,6 +262,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shmem_fuzz) {
+ unsetenv(SHM_FUZZ_ENV_VAR);
afl_shm_deinit(afl->shm_fuzz);
ck_free(afl->shm_fuzz);
afl->shm_fuzz = NULL;
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 2f23aec7..e7a855ff 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -26,6 +26,13 @@
#include "afl-fuzz.h"
#include "cmplog.h"
#include <limits.h>
+#ifndef USEMMAP
+ #include <sys/mman.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <sys/ipc.h>
+ #include <sys/shm.h>
+#endif
#ifdef PROFILING
extern u64 time_spent_working;
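Review bot: `<sys/mman.h>`, the header that declares the `shm_unlink()` the new at_exit loop calls under `#ifdef USEMMAP`, is only included when USEMMAP is *not* defined, because the whole new include group sits under `#ifndef USEMMAP`. Unless afl-fuzz.h already pulls it in, the USEMMAP build of at_exit would rely on an implicit declaration. Move `#include <sys/mman.h>` above the conditional and keep only the SysV headers (`<sys/ipc.h>`, `<sys/shm.h>`) guarded; `<sys/stat.h>` and `<fcntl.h>` appear unused by the new code in either branch.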
@@ -34,6 +41,7 @@ extern u64 time_spent_working;
static void at_exit() {
int i;
+ char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL};
char *ptr = getenv("__AFL_TARGET_PID1");
if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL);
@@ -42,7 +50,28 @@ static void at_exit() {
if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL);
- // anything else? shared memory?
+ i = 0;
+ while (list[i] != NULL) {
+
+ ptr = getenv(list[i]);
+
+ if (ptr && *ptr) {
+
+#ifdef USEMMAP
+
+ shm_unlink(ptr);
+
+#else
+
+ shmctl(atoi(ptr), IPC_RMID, NULL);
+
+#endif
+
+ }
+
+ i++;
+
+ }
}
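Review bot: The SysV branch of the new loop runs `shmctl(atoi(ptr), IPC_RMID, NULL)` on whatever id is still in the environment, so it is only correct if every path that destroys a segment also unsetenv()s the variable first — a destroyed SysV id can be handed to a new segment, possibly another afl instance's, and a stale variable would then remove someone else's memory. The commit adds those unsetenv calls in afl-fuzz-run.c and in stop_fuzzing, but nothing enforces the pairing; a comment above the loop should state the invariant, e.g. `/* Only segments still exported in the environment are removed: every afl_shm_deinit() call site must unsetenv() first, or a recycled id could belong to another process. */`. `atoi()` also maps a garbled value to 0, which shmctl will happily accept as an id; `strtol` with an end-pointer check, or at least skipping negative results, would make the fallback less trusting. The `list` declaration that this loop walks is in the preceding hunk of the same function.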
@@ -991,6 +1020,8 @@ int main(int argc, char **argv_orig, char **envp) {
check_crash_handling();
check_cpu_governor(afl);
+ atexit(at_exit);
+
afl->fsrv.trace_bits =
afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode);
@@ -1154,8 +1185,6 @@ int main(int argc, char **argv_orig, char **envp) {
}
- atexit(at_exit);
-
perform_dry_run(afl);
cull_queue(afl);
@@ -1326,10 +1355,13 @@ stop_fuzzing:
destroy_queue(afl);
destroy_extras(afl);
destroy_custom_mutators(afl);
+ unsetenv(SHM_ENV_VAR);
+ unsetenv(CMPLOG_SHM_ENV_VAR);
afl_shm_deinit(&afl->shm);
if (afl->shm_fuzz) {
+ unsetenv(SHM_FUZZ_ENV_VAR);
afl_shm_deinit(afl->shm_fuzz);
ck_free(afl->shm_fuzz);
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index f8bbebc8..44a91a97 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -66,6 +66,8 @@ static list_t shm_list = {.element_prealloc_count = 0};
void afl_shm_deinit(sharedmem_t *shm) {
+ if (shm == NULL) return;
+
list_remove(&shm_list, shm);
#ifdef USEMMAP
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index de25e427..1ab7d0a8 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -82,11 +82,16 @@ static u8 quiet_mode, /* Hide non-essential messages? */
raw_instr_output, /* Do not apply AFL filters */
cmin_mode, /* Generate output in afl-cmin mode? */
binary_mode, /* Write output as a binary map */
- keep_cores; /* Allow coredumps? */
+ keep_cores, /* Allow coredumps? */
+ remove_shm = 1; /* remove shmem? */
static volatile u8 stop_soon, /* Ctrl-C pressed? */
child_crashed; /* Child crashed? */
+static sharedmem_t shm;
+static afl_forkserver_t *fsrv;
+static sharedmem_t * shm_fuzz;
+
/* Classify tuple counts. Instead of mapping to individual bits, as in
afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */
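Review bot: The new file-scope `fsrv` is shadowed by the `fsrv` parameters of `classify_counts()` and `deinit_shmem()` in this file, and identically in the matching afl-tmin.c hunk, so -Wshadow fires and a reader cannot tell at a glance whether a line touches the global or the parameter. Either drop the parameter from `deinit_shmem()` (it is only ever called with the global now) or give the global a distinct name. The trailing comment on the new flag does not say when it is cleared; `remove_shm = 1; /* at_exit removes shmem unless main() already did */` documents the handshake with `remove_shm = 0` at the end of main().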
@@ -141,12 +146,32 @@ static void classify_counts(afl_forkserver_t *fsrv) {
}
+static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
+ sharedmem_t * shm_fuzz) {
+
+ afl_shm_deinit(shm_fuzz);
+ fsrv->support_shmem_fuzz = 0;
+ fsrv->shmem_fuzz = NULL;
+ ck_free(shm_fuzz);
+ return NULL;
+
+}
+
/* Get rid of temp files (atexit handler). */
static void at_exit_handler(void) {
if (stdin_file) { unlink(stdin_file); }
+ if (remove_shm) {
+
+ if (shm.map) afl_shm_deinit(&shm);
+ if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz);
+
+ }
+
+ afl_fsrv_killall();
+
}
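Review bot: `fsrv->use_shmem_fuzz` in at_exit_handler dereferences a pointer that main() aims at its automatic `fsrv_var` (the `fsrv = &fsrv_var;` hunk below), so it is valid only while main() is still on the stack — i.e. when the handler runs through exit()/FATAL — and it is NULL if exit() is reached before that assignment. The normal return path is safe only because `remove_shm = 0` is cleared before main() returns; make that dependency explicit and defensive: `if (fsrv && fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz);` with the comment `/* fsrv points into main()'s frame: only usable while main() is live */`. The same pattern appears in afl-tmin.c's at_exit_handler in this commit.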
/* Write results. */
@@ -566,17 +591,6 @@ static void usage(u8 *argv0) {
}
-static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
- sharedmem_t * shm_fuzz) {
-
- afl_shm_deinit(shm_fuzz);
- fsrv->support_shmem_fuzz = 0;
- fsrv->shmem_fuzz = NULL;
- ck_free(shm_fuzz);
- return NULL;
-
-}
-
/* Main entry point */
int main(int argc, char **argv_orig, char **envp) {
@@ -590,8 +604,8 @@ int main(int argc, char **argv_orig, char **envp) {
char **argv = argv_cpy_dup(argc, argv_orig);
- afl_forkserver_t fsrv_var = {0};
- afl_forkserver_t *fsrv = &fsrv_var;
+ afl_forkserver_t fsrv_var = {0};
+ fsrv = &fsrv_var;
afl_fsrv_init(fsrv);
map_size = get_map_size();
fsrv->map_size = map_size;
@@ -797,7 +811,6 @@ int main(int argc, char **argv_orig, char **envp) {
// if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); }
- sharedmem_t shm = {0};
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
setup_signal_handlers();
@@ -851,8 +864,8 @@ int main(int argc, char **argv_orig, char **envp) {
}
- sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t));
- u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
+ shm_fuzz = ck_alloc(sizeof(sharedmem_t));
+ u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
#ifdef USEMMAP
setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1);
@@ -999,14 +1012,14 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ remove_shm = 0;
afl_shm_deinit(&shm);
+ if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
u32 ret = child_crashed * 2 + fsrv->last_run_timed_out;
if (fsrv->target_path) { ck_free(fsrv->target_path); }
- if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
-
afl_fsrv_deinit(fsrv);
if (stdin_file) { ck_free(stdin_file); }
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 8b028327..5e4bdb6c 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -80,10 +80,16 @@ static u8 crash_mode, /* Crash-centric mode? */
hang_mode, /* Minimize as long as it hangs */
exit_crash, /* Treat non-zero exit as crash? */
edges_only, /* Ignore hit counts? */
- exact_mode; /* Require path match for crashes? */
+ exact_mode, /* Require path match for crashes? */
+ remove_out_file, /* remove out_file on exit? */
+ remove_shm = 1; /* remove shmem on exit? */
static volatile u8 stop_soon; /* Ctrl-C pressed? */
+static afl_forkserver_t *fsrv;
+static sharedmem_t shm;
+static sharedmem_t * shm_fuzz;
+
/*
* forkserver section
*/
@@ -105,6 +111,17 @@ static const u8 count_class_lookup[256] = {
};
+static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
+ sharedmem_t * shm_fuzz) {
+
+ afl_shm_deinit(shm_fuzz);
+ fsrv->support_shmem_fuzz = 0;
+ fsrv->shmem_fuzz = NULL;
+ ck_free(shm_fuzz);
+ return NULL;
+
+}
+
/* Apply mask to classified bitmap (if set). */
static void apply_mask(u32 *mem, u32 *mask) {
@@ -169,7 +186,15 @@ static inline u8 anything_set(afl_forkserver_t *fsrv) {
static void at_exit_handler(void) {
+ if (remove_shm) {
+
+ if (shm.map) afl_shm_deinit(&shm);
+ if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz);
+
+ }
+
afl_fsrv_killall();
+ if (remove_out_file) unlink(out_file);
}
@@ -623,6 +648,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
}
out_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, (u32)getpid());
+ remove_out_file = 1;
}
@@ -802,17 +828,6 @@ static void usage(u8 *argv0) {
}
-static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
- sharedmem_t * shm_fuzz) {
-
- afl_shm_deinit(shm_fuzz);
- fsrv->support_shmem_fuzz = 0;
- fsrv->shmem_fuzz = NULL;
- ck_free(shm_fuzz);
- return NULL;
-
-}
-
/* Main entry point */
int main(int argc, char **argv_orig, char **envp) {
@@ -823,8 +838,8 @@ int main(int argc, char **argv_orig, char **envp) {
char **argv = argv_cpy_dup(argc, argv_orig);
- afl_forkserver_t fsrv_var = {0};
- afl_forkserver_t *fsrv = &fsrv_var;
+ afl_forkserver_t fsrv_var = {0};
+ fsrv = &fsrv_var;
afl_fsrv_init(fsrv);
map_size = get_map_size();
fsrv->map_size = map_size;
@@ -1021,7 +1036,6 @@ int main(int argc, char **argv_orig, char **envp) {
check_environment_vars(envp);
- sharedmem_t shm = {0};
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
atexit(at_exit_handler);
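Review bot: `atexit(at_exit_handler)` is still registered after `afl_shm_init(&shm, ...)`, so a FATAL inside afl_shm_init, or anywhere between that call and this line, exits without the handler and leaks the segment — the case the afl-fuzz.c hunk fixes by moving its `atexit(at_exit)` ahead of afl_shm_init. With `shm` now file-scope, zero-initialised, and the handler gated on `shm.map`, the registration can be moved above the afl_shm_init call here too; `fsrv` is already assigned at that point, so the handler's other dereference is covered. Whether afl_shm_init leaves `shm.map` set on its own failure paths I cannot tell from this hunk.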
@@ -1063,8 +1077,8 @@ int main(int argc, char **argv_orig, char **envp) {
SAYF("\n");
- sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t));
- u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
+ shm_fuzz = ck_alloc(sizeof(sharedmem_t));
+ u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
#ifdef USEMMAP
setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1);
@@ -1138,6 +1152,7 @@ int main(int argc, char **argv_orig, char **envp) {
OKF("We're done here. Have a nice day!\n");
+ remove_shm = 0;
afl_shm_deinit(&shm);
if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
afl_fsrv_deinit(fsrv);