From 7512316b46a25180729ff8c568a6061a0ab19fea Mon Sep 17 00:00:00 2001 From: Nils Bars Date: Fri, 21 Oct 2022 12:13:43 +0200 Subject: Add AFL_FORK_SERVER_KILL_SIGNAL environment variable. The AFL_FORK_SERVER_KILL_SIGNAL variable allows to configure the signal used to kill the fork server on termination. --- docs/env_variables.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 1abe9438..6fd08910 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -409,11 +409,18 @@ checks or alter some of the more exotic semantics of the tool: the afl-fuzz -g/-G command line option to control the minimum/maximum of fuzzing input generated. - - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on - timeout. Unless you implement your own targets or instrumentation, you + - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes + on timeout. Unless you implement your own targets or instrumentation, you likely don't have to set it. By default, on timeout and on exit, `SIGKILL` (`AFL_KILL_SIGNAL=9`) will be delivered to the child. + - `AFL_FORK_SERVER_KILL_SIGNAL`: Set the signal ID to be delivered to the + fork server when AFL++ is terminated. Unless you implement your + fork server, you likely do not have to set it. By default, `SIGTERM` + (`AFL_FORK_SERVER_KILL_SIGNAL=15`) will be delivered to the fork server. + NOTE: Uncatchable signals, such as `SIGKILL`, cause child processes of + the fork server to be orphaned and leaves them in a zombie state. + - `AFL_MAP_SIZE` sets the size of the shared map that afl-analyze, afl-fuzz, afl-showmap, and afl-tmin create to gather instrumentation data from the target. This must be equal or larger than the size the target was compiled -- cgit 1.4.1 From 102b749c0734165f1cb121397e4a4c307666b8eb Mon Sep 17 00:00:00 2001 From: Nils Bars Date: Mon, 24 Oct 2022 17:52:04 +0200 Subject: AFL_FORK_SERVER_KILL_SIGNAL backwards compatiblity If `AFL_KILL_SIGNAL` is set, `AFL_FORK_SERVER_KILL_SIGNAL` is set to the same value. --- docs/env_variables.md | 4 ++++ include/common.h | 6 ++++++ src/afl-analyze.c | 5 +---- src/afl-common.c | 23 +++++++++++++++++++++++ src/afl-fuzz.c | 8 ++++---- src/afl-showmap.c | 5 +---- src/afl-tmin.c | 5 +---- 7 files changed, 40 insertions(+), 16 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 6fd08910..d1c13e15 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -418,6 +418,10 @@ checks or alter some of the more exotic semantics of the tool: fork server when AFL++ is terminated. Unless you implement your fork server, you likely do not have to set it. By default, `SIGTERM` (`AFL_FORK_SERVER_KILL_SIGNAL=15`) will be delivered to the fork server. + If only `AFL_KILL_SIGNAL` is provided, `AFL_FORK_SERVER_KILL_SIGNAL` will + be set to same value as `AFL_KILL_SIGNAL` to provide backward compatibility. + If `AFL_FORK_SERVER_KILL_SIGNAL` is also set, it takes precedence. + NOTE: Uncatchable signals, such as `SIGKILL`, cause child processes of the fork server to be orphaned and leaves them in a zombie state. diff --git a/include/common.h b/include/common.h index 34732197..c1ba0f20 100644 --- a/include/common.h +++ b/include/common.h @@ -32,6 +32,7 @@ #include #include #include +#include "forkserver.h" #include "types.h" /* STRINGIFY_VAL_SIZE_MAX will fit all stringify_ strings. */ @@ -73,6 +74,11 @@ u8 *find_afl_binary(u8 *own_loc, u8 *fname); FATALs if `numeric_signal_as_str` is not a valid integer .*/ int parse_afl_kill_signal(u8 *numeric_signal_as_str, int default_signal); +/* Configure the signals that are used to kill the forkserver + and the forked childs. If `afl_kill_signal_env` or `afl_fsrv_kill_signal_env` + is NULL, the appropiate values are read from the environment. */ +void configure_afl_kill_signals(afl_forkserver_t *fsrv, char* afl_kill_signal_env, char* afl_fsrv_kill_signal_env); + /* Read a bitmap from file fname to memory This is for the -B option again. */ diff --git a/src/afl-analyze.c b/src/afl-analyze.c index cbcd2ede..d356874d 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -1115,10 +1115,7 @@ int main(int argc, char **argv_orig, char **envp) { } - fsrv.child_kill_signal = - parse_afl_kill_signal(getenv("AFL_KILL_SIGNAL"), SIGKILL); - fsrv.fsrv_kill_signal = - parse_afl_kill_signal(getenv("AFL_FORK_SERVER_KILL_SIGNAL"), SIGTERM); + configure_afl_kill_signals(&fsrv, NULL, NULL); read_initial_file(); diff --git a/src/afl-common.c b/src/afl-common.c index 75b463ed..f2934817 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -25,6 +25,7 @@ #include #include +#include "forkserver.h" #ifndef _GNU_SOURCE #define _GNU_SOURCE #endif @@ -47,6 +48,7 @@ #include #include #include +#include u8 be_quiet = 0; u8 *doc_path = ""; @@ -476,6 +478,27 @@ int parse_afl_kill_signal(u8 *numeric_signal_as_str, int default_signal) { return default_signal; } +void configure_afl_kill_signals(afl_forkserver_t *fsrv, char* afl_kill_signal_env, char* afl_fsrv_kill_signal_env) { + afl_kill_signal_env = afl_kill_signal_env ? + afl_kill_signal_env : getenv("AFL_KILL_SIGNAL"); + afl_fsrv_kill_signal_env = afl_fsrv_kill_signal_env ? + afl_fsrv_kill_signal_env : getenv("AFL_FORK_SERVER_KILL_SIGNAL"); + + fsrv->child_kill_signal = + parse_afl_kill_signal(afl_kill_signal_env, SIGKILL); + + if (afl_kill_signal_env && !afl_fsrv_kill_signal_env) { + /* + Set AFL_FORK_SERVER_KILL_SIGNAL to the value of AFL_KILL_SIGNAL for backwards + compatibility. However, if AFL_FORK_SERVER_KILL_SIGNAL is set, is takes precedence. + */ + afl_fsrv_kill_signal_env = afl_kill_signal_env; + } + fsrv->fsrv_kill_signal = + parse_afl_kill_signal(afl_fsrv_kill_signal_env, SIGTERM); + +} + static inline unsigned int helper_min3(unsigned int a, unsigned int b, unsigned int c) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 573a6b42..7e4e20a0 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -25,6 +25,7 @@ #include "afl-fuzz.h" #include "cmplog.h" +#include "common.h" #include #include #ifndef USEMMAP @@ -1358,10 +1359,9 @@ int main(int argc, char **argv_orig, char **envp) { #endif - afl->fsrv.child_kill_signal = - parse_afl_kill_signal(afl->afl_env.afl_child_kill_signal, SIGKILL); - afl->fsrv.fsrv_kill_signal = - parse_afl_kill_signal(afl->afl_env.afl_fsrv_kill_signal, SIGTERM); + configure_afl_kill_signals(&afl->fsrv, + afl->afl_env.afl_child_kill_signal, + afl->afl_env.afl_fsrv_kill_signal); setup_signal_handlers(); check_asan_opts(afl); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 80a9e766..19288c04 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1260,10 +1260,7 @@ int main(int argc, char **argv_orig, char **envp) { : 0); be_quiet = save_be_quiet; - fsrv->child_kill_signal = - parse_afl_kill_signal(getenv("AFL_KILL_SIGNAL"), SIGKILL); - fsrv->fsrv_kill_signal = - parse_afl_kill_signal(getenv("AFL_FORK_SERVER_KILL_SIGNAL"), SIGTERM); + configure_afl_kill_signals(fsrv, NULL, NULL); if (new_map_size) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index d4660eb1..43636b6f 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1197,10 +1197,7 @@ int main(int argc, char **argv_orig, char **envp) { } - fsrv->child_kill_signal = - parse_afl_kill_signal(getenv("AFL_KILL_SIGNAL"), SIGKILL); - fsrv->fsrv_kill_signal = - parse_afl_kill_signal(getenv("AFL_FORK_SERVER_KILL_SIGNAL"), SIGTERM); + configure_afl_kill_signals(fsrv, NULL, NULL); if (getenv("AFL_CRASH_EXITCODE")) { -- cgit 1.4.1