author | van Hauser <vh@thc.org> | 2020-06-25 22:02:02 +0200 |
---|---|---|
committer | van Hauser <vh@thc.org> | 2020-06-25 22:02:02 +0200 |
commit | 171b1923e94b7157d9c0574fae890d31fd880e4c (patch) | |
tree | c0b8718e0c002ab6e1a84cc228bcb7a5d9a872e9 /src | |
parent | 8d5eb9487d891a7e5c8e68a5b71e0721ef83427a (diff) | |
shmem release fix
Diffstat (limited to 'src')
-rw-r--r-- | src/afl-fuzz-run.c | 1 | ||||
-rw-r--r-- | src/afl-fuzz.c | 38 | ||||
-rw-r--r-- | src/afl-sharedmem.c | 2 | ||||
-rw-r--r-- | src/afl-showmap.c | 51 | ||||
-rw-r--r-- | src/afl-tmin.c | 49 |
5 files changed, 102 insertions, 39 deletions
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index d5c80cb3..da5b6bc4 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -262,6 +262,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shmem_fuzz) {
+ unsetenv(SHM_FUZZ_ENV_VAR);
 afl_shm_deinit(afl->shm_fuzz);
 ck_free(afl->shm_fuzz);
 afl->shm_fuzz = NULL;
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 2f23aec7..e7a855ff 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -26,6 +26,13 @@
 #include "afl-fuzz.h"
 #include "cmplog.h"
 #include <limits.h>
+#ifndef USEMMAP
+ #include <sys/mman.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <sys/ipc.h>
+ #include <sys/shm.h>
+#endif
 #ifdef PROFILING
 extern u64 time_spent_working;
@@ -34,6 +41,7 @@ extern u64 time_spent_working;
 static void at_exit() {
 int i;
+ char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL};
 char *ptr = getenv("__AFL_TARGET_PID1");
 if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL);
@@ -42,7 +50,28 @@ static void at_exit() {
 if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL);
- // anything else? shared memory?
+ i = 0;
+ while (list[i] != NULL) {
+
+ ptr = getenv(list[i]);
+
+ if (ptr && *ptr) {
+
+#ifdef USEMMAP
+
+ shm_unlink(ptr);
+
+#else
+
+ shmctl(atoi(ptr), IPC_RMID, NULL);
+
+#endif
+
+ }
+
+ i++;
+
+ }
 }
@@ -991,6 +1020,8 @@ int main(int argc, char **argv_orig, char **envp) {
 check_crash_handling();
 check_cpu_governor(afl);
+ atexit(at_exit);
+
 afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size,
 afl->non_instrumented_mode);
@@ -1154,8 +1185,6 @@ int main(int argc, char **argv_orig, char **envp) {
 }
- atexit(at_exit);
-
 perform_dry_run(afl);
 cull_queue(afl);
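Review bot: The new include block in afl-fuzz.c puts `<sys/mman.h>` under `#ifndef USEMMAP`, yet `<sys/mman.h>` is the header that `shm_unlink()` in the `#ifdef USEMMAP` branch of at_exit() needs, while `<sys/ipc.h>`/`<sys/shm.h>` are what the `shmctl()` branch needs; the mmap build therefore compiles only if afl-fuzz.h (or something it pulls in) already provides `<sys/mman.h>`, which this diff does not show. Move `#include <sys/mman.h>` above the guard so both builds get it, and consider dropping `<sys/stat.h>` and `<fcntl.h>`, which no new line in this diff uses.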
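Review bot: `shmctl(atoi(ptr), IPC_RMID, NULL)` in at_exit() removes whatever segment the parsed environment value names without validating the parse: a malformed value yields id 0, which is an assignable SysV id, whereas the existing `__AFL_TARGET_PID*` path in the same function at least rejects a non-positive result. Parsing with an end-pointer check keeps the handler from acting on garbage: `char *end; long id = strtol(ptr, &end, 10);` followed by `if (end != ptr && *end == '\0' && id >= 0) shmctl((int)id, IPC_RMID, NULL);`. The same hunk's `list` holds string literals and is never written, so `static const char *const list[]` states that and avoids the `char *` aliasing of literals; the same handler is covered by the second at_exit hunk above and by the two `atexit(at_exit)` relocation hunks, which only move registration ahead of `afl_shm_init()`.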
@@ -1326,10 +1355,13 @@ stop_fuzzing:
 destroy_queue(afl);
 destroy_extras(afl);
 destroy_custom_mutators(afl);
+ unsetenv(SHM_ENV_VAR);
+ unsetenv(CMPLOG_SHM_ENV_VAR);
 afl_shm_deinit(&afl->shm);
 if (afl->shm_fuzz) {
+ unsetenv(SHM_FUZZ_ENV_VAR);
 afl_shm_deinit(afl->shm_fuzz);
 ck_free(afl->shm_fuzz);
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index f8bbebc8..44a91a97 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -66,6 +66,8 @@ static list_t shm_list = {.element_prealloc_count = 0};
 void afl_shm_deinit(sharedmem_t *shm) {
+ if (shm == NULL) return;
+
 list_remove(&shm_list, shm);
 #ifdef USEMMAP
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index de25e427..1ab7d0a8 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -82,11 +82,16 @@ static u8 quiet_mode, /* Hide non-essential messages? */
 raw_instr_output, /* Do not apply AFL filters */
 cmin_mode, /* Generate output in afl-cmin mode? */
 binary_mode, /* Write output as a binary map */
- keep_cores; /* Allow coredumps? */
+ keep_cores, /* Allow coredumps? */
+ remove_shm = 1; /* remove shmem? */
 static volatile u8 stop_soon, /* Ctrl-C pressed? */
 child_crashed; /* Child crashed? */
+static sharedmem_t shm;
+static afl_forkserver_t *fsrv;
+static sharedmem_t * shm_fuzz;
+
 /* Classify tuple counts. Instead of mapping to individual bits, as in afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */ 
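Review bot: The three `unsetenv()` calls added in stop_fuzzing: depend on an ordering the code does not state: at_exit() removes whatever segment SHM_ENV_VAR, CMPLOG_SHM_ENV_VAR and SHM_FUZZ_ENV_VAR still name, so each variable must be cleared before the matching `afl_shm_deinit()`, otherwise the handler issues a second IPC_RMID/shm_unlink on an id that is already released and may have been reused. A one-line comment above the first call would pin that down: `/* clear the env vars before deinit so at_exit() does not remove the segments a second time */`. The `unsetenv(SHM_FUZZ_ENV_VAR)` added in calibrate_case() in afl-fuzz-run.c has the same rationale and deserves the same comment.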
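Review bot: `afl_shm_deinit()` now accepts NULL silently, but nothing documents that as part of the contract, and the callers in this diff still guard the call themselves (`if (afl->shm_fuzz)` in stop_fuzzing, `if (shm.map)` in the showmap/tmin exit handlers). Add a comment on the function, e.g. `/* Release shm and drop it from shm_list; a NULL argument is a no-op. */`, so the next caller knows the guard is intentional API rather than a defensive leftover.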
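Review bot: The new file-scope `fsrv` and `shm_fuzz` in afl-showmap.c share their names with the parameters of `classify_counts(afl_forkserver_t *fsrv)` (visible in the next hunk's header) and of the relocated `deinit_shmem(afl_forkserver_t *fsrv, sharedmem_t *shm_fuzz)`, so inside those functions the parameter shadows the global; behaviour is unchanged today, but `-Wshadow` flags it and a later edit that drops a parameter would silently bind to the global. Either give the globals a distinguishing prefix (`g_fsrv`, `g_shm`, `g_shm_fuzz`) or, since deinit_shmem is now only called with the globals, drop its parameters. afl-tmin.c's globals hunk introduces the same shadowing against `anything_set(afl_forkserver_t *fsrv)`, `set_up_environment(afl_forkserver_t *fsrv)` and its own `deinit_shmem`. The comment `/* remove shmem? */` on `remove_shm` would also read better as `/* release shmem in at_exit_handler? */`, which is what the flag actually controls.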
@@ -141,12 +146,32 @@ static void classify_counts(afl_forkserver_t *fsrv) {
 }
+static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
+ sharedmem_t * shm_fuzz) {
+
+ afl_shm_deinit(shm_fuzz);
+ fsrv->support_shmem_fuzz = 0;
+ fsrv->shmem_fuzz = NULL;
+ ck_free(shm_fuzz);
+ return NULL;
+
+}
+
 /* Get rid of temp files (atexit handler). */
 static void at_exit_handler(void) {
 if (stdin_file) { unlink(stdin_file); }
+ if (remove_shm) {
+
+ if (shm.map) afl_shm_deinit(&shm);
+ if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz);
+
+ }
+
+ afl_fsrv_killall();
+
 }
 /* Write results. */
@@ -566,17 +591,6 @@ static void usage(u8 *argv0) {
 }
-static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
- sharedmem_t * shm_fuzz) {
-
- afl_shm_deinit(shm_fuzz);
- fsrv->support_shmem_fuzz = 0;
- fsrv->shmem_fuzz = NULL;
- ck_free(shm_fuzz);
- return NULL;
-
-}
-
 /* Main entry point */
 int main(int argc, char **argv_orig, char **envp) {
@@ -590,8 +604,8 @@ int main(int argc, char **argv_orig, char **envp) {
 char **argv = argv_cpy_dup(argc, argv_orig);
- afl_forkserver_t fsrv_var = {0};
- afl_forkserver_t *fsrv = &fsrv_var;
+ afl_forkserver_t fsrv_var = {0};
+ fsrv = &fsrv_var;
 afl_fsrv_init(fsrv);
 map_size = get_map_size();
 fsrv->map_size = map_size;
@@ -797,7 +811,6 @@ int main(int argc, char **argv_orig, char **envp) {
 // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); }
- sharedmem_t shm = {0};
 fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
 setup_signal_handlers();
@@ -851,8 +864,8 @@ int main(int argc, char **argv_orig, char **envp) {
 }
- sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t));
- u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
+ shm_fuzz = ck_alloc(sizeof(sharedmem_t));
+ u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
 if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
 #ifdef USEMMAP
 setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); 
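Review bot: `at_exit_handler()` dereferences the file-scope `fsrv`, which the main() hunk in this file points at `fsrv_var`, an automatic variable of main(); an atexit handler runs after main() has returned unless exit() is called explicitly, so that pointer is only valid here because every path in this diff either calls exit()/FATAL while main() is live or sets `remove_shm = 0` first, and nothing at the handler says so. The robust fix is to move the storage rather than the pointer: replace `afl_forkserver_t fsrv_var = {0};` in main() with a file-scope `static afl_forkserver_t fsrv_var;` next to the other new statics, which is zero-initialised and outlives main(). The handler also discards the result of `deinit_shmem()`, unlike the normal-exit call site that writes it back; `shm_fuzz = deinit_shmem(fsrv, shm_fuzz);` keeps the two sites consistent and leaves no freed pointer behind. afl-tmin.c's at_exit_handler and main() hunks have the identical structure and need the same changes, and `deinit_shmem` is now copied verbatim into both tools, so it would fit better beside afl_shm_deinit() in afl-sharedmem.c.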
@@ -999,14 +1012,14 @@ int main(int argc, char **argv_orig, char **envp) {
 }
+ remove_shm = 0;
 afl_shm_deinit(&shm);
+ if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
 u32 ret = child_crashed * 2 + fsrv->last_run_timed_out;
 if (fsrv->target_path) { ck_free(fsrv->target_path); }
- if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
-
 afl_fsrv_deinit(fsrv);
 if (stdin_file) { ck_free(stdin_file); }
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 8b028327..5e4bdb6c 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -80,10 +80,16 @@ static u8 crash_mode, /* Crash-centric mode? */
 hang_mode, /* Minimize as long as it hangs */
 exit_crash, /* Treat non-zero exit as crash? */
 edges_only, /* Ignore hit counts? */
- exact_mode; /* Require path match for crashes? */
+ exact_mode, /* Require path match for crashes? */
+ remove_out_file, /* remove out_file on exit? */
+ remove_shm = 1; /* remove shmem on exit? */
 static volatile u8 stop_soon; /* Ctrl-C pressed? */
+static afl_forkserver_t *fsrv;
+static sharedmem_t shm;
+static sharedmem_t * shm_fuzz;
+
 /*
 * forkserver section
 */
@@ -105,6 +111,17 @@ static const u8 count_class_lookup[256] = {
 };
+static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
+ sharedmem_t * shm_fuzz) {
+
+ afl_shm_deinit(shm_fuzz);
+ fsrv->support_shmem_fuzz = 0;
+ fsrv->shmem_fuzz = NULL;
+ ck_free(shm_fuzz);
+ return NULL;
+
+}
+
 /* Apply mask to classified bitmap (if set). */
 static void apply_mask(u32 *mem, u32 *mask) {
@@ -169,7 +186,15 @@ static inline u8 anything_set(afl_forkserver_t *fsrv) {
 static void at_exit_handler(void) {
+ if (remove_shm) {
+
+ if (shm.map) afl_shm_deinit(&shm);
+ if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz);
+
+ }
+
 afl_fsrv_killall();
+ if (remove_out_file) unlink(out_file);
 }
@@ -623,6 +648,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
 }
 out_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, (u32)getpid());
+ remove_out_file = 1;
 } 
@@ -802,17 +828,6 @@ static void usage(u8 *argv0) {
 }
-static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
- sharedmem_t * shm_fuzz) {
-
- afl_shm_deinit(shm_fuzz);
- fsrv->support_shmem_fuzz = 0;
- fsrv->shmem_fuzz = NULL;
- ck_free(shm_fuzz);
- return NULL;
-
-}
-
 /* Main entry point */
 int main(int argc, char **argv_orig, char **envp) {
@@ -823,8 +838,8 @@ int main(int argc, char **argv_orig, char **envp) {
 char **argv = argv_cpy_dup(argc, argv_orig);
- afl_forkserver_t fsrv_var = {0};
- afl_forkserver_t *fsrv = &fsrv_var;
+ afl_forkserver_t fsrv_var = {0};
+ fsrv = &fsrv_var;
 afl_fsrv_init(fsrv);
 map_size = get_map_size();
 fsrv->map_size = map_size;
@@ -1021,7 +1036,6 @@ int main(int argc, char **argv_orig, char **envp) {
 check_environment_vars(envp);
- sharedmem_t shm = {0};
 fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
 atexit(at_exit_handler);
@@ -1063,8 +1077,8 @@ int main(int argc, char **argv_orig, char **envp) {
 SAYF("\n");
- sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t));
- u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
+ shm_fuzz = ck_alloc(sizeof(sharedmem_t));
+ u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
 if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
 #ifdef USEMMAP
 setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1);
@@ -1138,6 +1152,7 @@ int main(int argc, char **argv_orig, char **envp) {
 OKF("We're done here. Have a nice day!\n");
+ remove_shm = 0;
 afl_shm_deinit(&shm);
 if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
 afl_fsrv_deinit(fsrv); |