authorvan Hauser <vh@thc.org>2020-04-24 12:09:25 +0200
committervan Hauser <vh@thc.org>2020-04-24 12:09:25 +0200
commit766085293da050f84a397161e7a84384620956a2 (patch)
tree1ea92db874c0fc8487742bf926e65e1385cd7bf6 /src
parent4a593d04056ce37743f6922f7d0f0002a6b4e0d5 (diff)
downloadafl++-766085293da050f84a397161e7a84384620956a2.tar.gz
variable map size fix, error reporting through forkserver, code format
Diffstat (limited to 'src')
-rw-r--r--src/afl-common.c3
-rw-r--r--src/afl-forkserver.c53
-rw-r--r--src/afl-fuzz-state.c10
-rw-r--r--src/afl-gcc.c17
4 files changed, 70 insertions, 13 deletions
diff --git a/src/afl-common.c b/src/afl-common.c
index 8d444876..8ae03113 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -928,7 +928,8 @@ u32 get_map_size() {
map_size = atoi(ptr);
if (map_size < 8 || map_size > (1 << 29)) {
- FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size);
+ FATAL("illegal AFL_MAP_SIZE %u, must be between %u and %u", map_size, 8,
+ 1 << 29);
}
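Review bot: The value checked by the changed FATAL comes from `map_size = atoi(ptr);` two lines above, and since ptr is an environment variable atoi() cannot report trailing garbage or overflow, so a value such as `65536xyz` is silently accepted as 65536 and passes the range check. Parsing with strtoul and an end-pointer test rejects malformed input before the bound check: `char *end; unsigned long v = strtoul(ptr, &end, 0); if (end == ptr || *end) { FATAL("illegal AFL_MAP_SIZE \"%s\"", ptr); }`. The new message text is itself an improvement, since it now prints the real bound (the old text said 2^30 while the comparison is against `1 << 29`). get_map_size()'s body starts and ends outside the hunk.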
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 0c795f9c..555b82a4 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -55,6 +55,8 @@
list_t fsrv_list = {.element_prealloc_count = 0};
+void report_error_and_exit(int error);
+
static void fsrv_exec_child(afl_forkserver_t *fsrv, char **argv) {
execv(fsrv->target_path, argv);
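Review bot: `void report_error_and_exit(int error);` gives the function external linkage although, as far as the visible hunks show, it is defined and called only in this file; it should be `static void report_error_and_exit(int error);` here and on the definition so it does not land in the global symbol namespace. If it is meant to be used from other translation units, the prototype belongs in the forkserver header rather than in this .c file. The definition also appears to precede its only call site in file order, in which case the forward declaration is redundant.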
@@ -67,7 +69,6 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
// this structure needs default so we initialize it if this was not done
// already
-
fsrv->out_fd = -1;
fsrv->out_dir_fd = -1;
fsrv->dev_null_fd = -1;
@@ -83,7 +84,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
/* exec related stuff */
fsrv->child_pid = -1;
- fsrv->map_size = MAP_SIZE;
+ fsrv->map_size = get_map_size();
fsrv->use_fauxsrv = 0;
fsrv->last_run_timed_out = 0;
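Review bot: `fsrv->map_size = get_map_size();` gives the init routine an exit path it did not have before: get_map_size() terminates the process with FATAL on an out-of-range AFL_MAP_SIZE (see the afl-common.c hunk), so afl_fsrv_init() can no longer be assumed to return. A comment on the assignment, `/* reads AFL_MAP_SIZE; FATALs on an illegal value */`, makes that visible to callers. afl_fsrv_init() starts and ends outside the hunk.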
@@ -201,6 +202,44 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) {
}
+/* Report on the error received via the forkserver controller and exit */
+void report_error_and_exit(int error) {
+
+ switch (error) {
+
+ case FS_ERROR_MAP_SIZE:
+ FATAL(
+ "AFL_MAP_SIZE is not set and fuzzing target reports that the "
+ "required size is very large. Solution: Run the fuzzing target "
+ "stand-alone with the environment variable AFL_DEBUG=1 set and set "
+ "the value for __afl_final_loc in the AFL_MAP_SIZE environment "
+ "variable for afl-fuzz.");
+ break;
+ case FS_ERROR_MAP_ADDR:
+ FATAL(
+ "the fuzzing target reports that hardcoded map address might be the "
+ "reason the mmap of the shared memory failed. Solution: recompile "
+ "the target with either afl-clang-lto and the environment variable "
+ "AFL_LLVM_MAP_DYNAMIC set or recompile with afl-clang-fast.");
+ break;
+ case FS_ERROR_SHM_OPEN:
+ FATAL("the fuzzing target reports that the shm_open() call failed.");
+ break;
+ case FS_ERROR_SHMAT:
+ FATAL("the fuzzing target reports that the shmat() call failed.");
+ break;
+ case FS_ERROR_MMAP:
+ FATAL(
+ "the fuzzing target reports that the mmap() call to the share memory "
+ "failed.");
+ break;
+ default:
+ FATAL("unknown error code %u from fuzzing target!", error);
+
+ }
+
+}
+
/* Spins up fork server (instrumented mode only). The idea is explained here:
http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
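Review bot: In the `default:` arm, `FATAL("unknown error code %u from fuzzing target!", error)` prints an `int` with `%u`; either use `%d` or declare the parameter as `u32` to match what FS_OPT_GET_ERROR yields, since as written it is a signed/unsigned format mismatch (-Wformat-signedness reports it). The FS_ERROR_MMAP text says "the mmap() call to the share memory failed" and should read "shared memory". The `break;` after each FATAL is unreachable if FATAL does not return, which its use elsewhere in this commit suggests; dropping them, or a one-line comment that FATAL exits, would make the intent clear.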
@@ -400,6 +439,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
if (!be_quiet) { OKF("All right - fork server is up."); }
+ if ((status & FS_OPT_ERROR) == FS_OPT_ERROR)
+ report_error_and_exit(FS_OPT_GET_ERROR(status));
+
if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) {
if (!be_quiet && getenv("AFL_DEBUG")) {
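Review bot: The new FS_OPT_ERROR check runs after `OKF("All right - fork server is up.")`, so on an error the user sees the success message immediately followed by the FATAL; moving the check above the OKF line fixes the ordering. The surrounding code braces one-line ifs, so it should read `if ((status & FS_OPT_ERROR) == FS_OPT_ERROR) { report_error_and_exit(FS_OPT_GET_ERROR(status)); }`. The decoded code appears to come from a status word the target process sent back, so it is untrusted input; report_error_and_exit's `default:` arm already handles unknown values, which is the right shape. afl_fsrv_start() begins and ends outside the hunk.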
@@ -434,9 +476,10 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
FATAL(
"Target's coverage map size of %u is larger than the one this "
- "afl++ is set with (%u) (change MAP_SIZE_POW2 in config.h and "
- "recompile or set AFL_MAP_SIZE)\n",
- tmp_map_size, fsrv->map_size);
+ "afl++ is set with (%u). Either set AFL_MAP_SIZE=%u and restart "
+ " afl-fuzz, or change MAP_SIZE_POW2 in config.h and recompile "
+ "afl-fuzz",
+ tmp_map_size, fsrv->map_size, tmp_map_size);
}
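Review bot: The fragments `"... and restart "` and `" afl-fuzz, or change ..."` both carry a space at the join, so the printed message reads "restart  afl-fuzz" with a double space; drop the leading space on the second fragment: `"afl-fuzz, or change MAP_SIZE_POW2 in config.h and recompile "`. The three `%u` conversions do match the three arguments. The enclosing if and afl_fsrv_start() extend beyond the hunk.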
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index b38c9ec5..9f48182b 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -81,7 +81,15 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
and out_size are NULL/0 by default. */
memset(afl, 0, sizeof(afl_state_t));
- if (!map_size) { afl->shm.map_size = MAP_SIZE; }
+ if (!map_size) {
+
+ afl->shm.map_size = MAP_SIZE;
+
+ } else {
+
+ afl->shm.map_size = map_size;
+
+ }
afl->w_init = 0.9;
afl->w_end = 0.3;
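Review bot: The new else branch fixes a nonzero `map_size` argument being silently ignored, but nothing records that 0 is the sentinel for "use the compiled-in default"; a comment on the if, `/* map_size == 0 selects the compiled-in MAP_SIZE default */`, documents that contract for callers. The two branches could also collapse to `afl->shm.map_size = map_size ? map_size : MAP_SIZE;`. The value is not range-checked here, so a caller that does not obtain it via get_map_size() can pass any size; whether a guard is needed depends on callers outside this hunk. afl_state_init() starts before and continues after the hunk.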
diff --git a/src/afl-gcc.c b/src/afl-gcc.c
index ac6fdd62..7eb01c0c 100644
--- a/src/afl-gcc.c
+++ b/src/afl-gcc.c
@@ -157,8 +157,7 @@ static void edit_params(u32 argc, char **argv) {
} else {
fprintf(stderr, "Name of the binary: %s\n", argv[0]);
- FATAL(
- "Name of the binary is not a known name, expected afl-clang(++)");
+ FATAL("Name of the binary is not a known name, expected afl-clang(++)");
}
@@ -173,15 +172,22 @@ static void edit_params(u32 argc, char **argv) {
#ifdef __APPLE__
if (!strcmp(name, "afl-g++")) {
+
cc_params[0] = getenv("AFL_CXX");
+
} else if (!strcmp(name, "afl-gcj")) {
+
cc_params[0] = getenv("AFL_GCJ");
+
} else if (!strcmp(name, "afl-gcc")) {
+
cc_params[0] = getenv("AFL_CC");
+
} else {
+
fprintf(stderr, "Name of the binary: %s\n", argv[0]);
- FATAL(
- "Name of the binary is not a known name, expected afl-gcc/g++/gcj");
+ FATAL("Name of the binary is not a known name, expected afl-gcc/g++/gcj");
+
}
if (!cc_params[0]) {
@@ -218,8 +224,7 @@ static void edit_params(u32 argc, char **argv) {
} else {
fprintf(stderr, "Name of the binary: %s\n", argv[0]);
- FATAL(
- "Name of the binary is not a known name, expected afl-gcc/g++/gcj");
+ FATAL("Name of the binary is not a known name, expected afl-gcc/g++/gcj");
}