Diffstat (limited to 'src/afl-forkserver.c')
-rw-r--r-- | src/afl-forkserver.c | 133 |
1 files changed, 81 insertions, 52 deletions
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 0051f6b0..152ae802 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -15,34 +15,39 @@ #include <sys/resource.h> /* a program that includes afl-forkserver needs to define these */ -extern u8 uses_asan; +extern u8 uses_asan; extern u8 *trace_bits; extern s32 forksrv_pid, child_pid, fsrv_ctl_fd, fsrv_st_fd; -extern s32 out_fd, out_dir_fd, dev_urandom_fd, dev_null_fd; /* initialize these with -1 */ -extern u32 exec_tmout; -extern u64 mem_limit; -extern u8 *out_file, *target_path, *doc_path; +extern s32 out_fd, out_dir_fd, dev_urandom_fd, + dev_null_fd; /* initialize these with -1 */ +extern u32 exec_tmout; +extern u64 mem_limit; +extern u8 * out_file, *target_path, *doc_path; extern FILE *plot_file; -/* we need this internally but can be defined and read extern in the main source */ +/* we need this internally but can be defined and read extern in the main source + */ u8 child_timed_out; - /* Describe integer as memory size. */ -u8* forkserver_DMS(u64 val) { +u8 *forkserver_DMS(u64 val) { static u8 tmp[12][16]; static u8 cur; -#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) do { \ - if (val < (_divisor) * (_limit_mult)) { \ +#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ + do { \ + \ + if (val < (_divisor) * (_limit_mult)) { \ + \ sprintf(tmp[cur], _fmt, ((_cast)val) / (_divisor)); \ - return tmp[cur]; \ - } \ + return tmp[cur]; \ + \ + } \ + \ } while (0) - cur = (cur + 1) % 12; /* 0-9999 */ @@ -86,20 +91,23 @@ u8* forkserver_DMS(u64 val) { } - - /* the timeout handler */ void handle_timeout(int sig) { + if (child_pid > 0) { - child_timed_out = 1; + + child_timed_out = 1; kill(child_pid, SIGKILL); + } else if (child_pid == -1 && forksrv_pid > 0) { - child_timed_out = 1; + + child_timed_out = 1; kill(forksrv_pid, SIGKILL); + } -} +} /* Spin up fork server (instrumented mode only). The idea is explained here: 
@@ -112,20 +120,18 @@ void handle_timeout(int sig) { void init_forkserver(char **argv) { static struct itimerval it; - int st_pipe[2], ctl_pipe[2]; - int status; - s32 rlen; + int st_pipe[2], ctl_pipe[2]; + int status; + s32 rlen; ACTF("Spinning up the fork server..."); - if (pipe(st_pipe) || pipe(ctl_pipe)) - PFATAL("pipe() failed"); + if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); child_timed_out = 0; forksrv_pid = fork(); - if (forksrv_pid < 0) - PFATAL("fork() failed"); + if (forksrv_pid < 0) PFATAL("fork() failed"); if (!forksrv_pid) { @@ -137,29 +143,33 @@ void init_forkserver(char **argv) { soft 128. Let's try to fix that... */ if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { + r.rlim_cur = FORKSRV_FD + 2; - setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ + setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ + } if (mem_limit) { + r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; #ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ #else /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but according to reliable sources, RLIMIT_DATA covers anonymous maps - so we should be getting good protection against OOM bugs. */ - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ #endif /* ^RLIMIT_AS */ + } /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered before the dump is complete. */ -// r.rlim_max = r.rlim_cur = 0; -// setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + // r.rlim_max = r.rlim_cur = 0; + // setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ /* Isolate the process and configure standard descriptors. If out_file is specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ 
@@ -167,23 +177,27 @@ void init_forkserver(char **argv) { setsid(); if (!getenv("AFL_DEBUG_CHILD_OUTPUT")) { + dup2(dev_null_fd, 1); dup2(dev_null_fd, 2); + } if (out_file) { + dup2(dev_null_fd, 0); + } else { + dup2(out_fd, 0); close(out_fd); + } /* Set up control and status pipes, close the unneeded original fds. */ - if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) - PFATAL("dup2() failed"); - if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) - PFATAL("dup2() failed"); + if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); + if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); close(ctl_pipe[0]); close(ctl_pipe[1]); @@ -198,8 +212,7 @@ void init_forkserver(char **argv) { /* This should improve performance a bit, since it stops the linker from doing extra work post-fork(). */ - if (!getenv("LD_BIND_LAZY")) - setenv("LD_BIND_NOW", "1", 0); + if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); /* Set sane defaults for ASAN if nothing else specified. */ @@ -228,6 +241,7 @@ void init_forkserver(char **argv) { *(u32 *)trace_bits = EXEC_FAIL_SIG; exit(0); + } /* PARENT PROCESS */ @@ -243,8 +257,10 @@ void init_forkserver(char **argv) { /* Wait for the fork server to come up, but don't wait too long. */ if (exec_tmout) { + it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000); it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; + } setitimer(ITIMER_REAL, &it, NULL); 
@@ -260,22 +276,24 @@ void init_forkserver(char **argv) { Otherwise, try to figure out what went wrong. */ if (rlen == 4) { + OKF("All right - fork server is up."); return; + } if (child_timed_out) FATAL("Timeout while initializing fork server (adjusting -t may help)"); - if (waitpid(forksrv_pid, &status, 0) <= 0) - PFATAL("waitpid() failed"); + if (waitpid(forksrv_pid, &status, 0) <= 0) PFATAL("waitpid() failed"); if (WIFSIGNALED(status)) { if (mem_limit && mem_limit < 500 && uses_asan) { - SAYF("\n" cLRD "[-] " cRST "Whoops, the target binary crashed suddenly, " - "before receiving any input\n" + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, " + "before receiving any input\n" " from the fuzzer! Since it seems to be built with ASAN and you " "have a\n" " restrictive memory limit configured, this is expected; please " @@ -285,8 +303,9 @@ void init_forkserver(char **argv) { } else if (!mem_limit) { - SAYF("\n" cLRD "[-] " cRST "Whoops, the target binary crashed suddenly, " - "before receiving any input\n" + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, " + "before receiving any input\n" " from the fuzzer! There are several probable explanations:\n\n" " - The binary is just buggy and explodes entirely on its own. " @@ -303,8 +322,9 @@ void init_forkserver(char **argv) { } else { - SAYF("\n" cLRD "[-] " cRST "Whoops, the target binary crashed suddenly, " - "before receiving any input\n" + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, " + "before receiving any input\n" " from the fuzzer! There are several probable explanations:\n\n" " - The current memory limit (%s) is too restrictive, causing " @@ -315,7 +335,8 @@ void init_forkserver(char **argv) { "way confirm\n" " this diagnosis would be:\n\n" - MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" + MSG_ULIMIT_USAGE + " /path/to/fuzzed_app )\n\n" " Tip: you can use http://jwilk.net/software/recidivm to " "quickly\n" 
@@ -334,9 +355,11 @@ void init_forkserver(char **argv) { " fail, poke <afl-users@googlegroups.com> for troubleshooting " "tips.\n", forkserver_DMS(mem_limit << 20), mem_limit - 1); + } FATAL("Fork server crashed with signal %d", WTERMSIG(status)); + } if (*(u32 *)trace_bits == EXEC_FAIL_SIG) @@ -344,8 +367,9 @@ void init_forkserver(char **argv) { if (mem_limit && mem_limit < 500 && uses_asan) { - SAYF("\n" cLRD "[-] " cRST "Hmm, looks like the target binary terminated " - "before we could complete a\n" + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated " + "before we could complete a\n" " handshake with the injected code. Since it seems to be built " "with ASAN and\n" " you have a restrictive memory limit configured, this is " @@ -355,8 +379,9 @@ void init_forkserver(char **argv) { } else if (!mem_limit) { - SAYF("\n" cLRD "[-] " cRST "Hmm, looks like the target binary terminated " - "before we could complete a\n" + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated " + "before we could complete a\n" " handshake with the injected code. Perhaps there is a horrible " "bug in the\n" " fuzzer. Poke <afl-users@googlegroups.com> for troubleshooting " @@ -365,8 +390,9 @@ void init_forkserver(char **argv) { } else { SAYF( - "\n" cLRD "[-] " cRST "Hmm, looks like the target binary terminated " - "before we could complete a\n" + "\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated " + "before we could complete a\n" " handshake with the injected code. There are %s probable " "explanations:\n\n" @@ -377,7 +403,8 @@ void init_forkserver(char **argv) { "option. A\n" " simple way to confirm the diagnosis may be:\n\n" - MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" + MSG_ULIMIT_USAGE + " /path/to/fuzzed_app )\n\n" " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" " estimate the required amount of virtual memory for the " 
@@ -394,8 +421,10 @@ void init_forkserver(char **argv) { " reached before the program terminates.\n\n" : "", forkserver_DMS(mem_limit << 20), mem_limit - 1); + } FATAL("Fork server handshake failed"); + } |