From e32b7eeb83c0571a2bdaadfd5b7b769fec1405cc Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 19 Nov 2020 16:14:19 +0100 Subject: fixed child not killed with -c --- instrumentation/afl-compiler-rt.o.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 485f500c..b07aeb83 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -101,6 +101,11 @@ int __afl_sharedmem_fuzzing __attribute__((weak)); struct cmp_map *__afl_cmp_map; +/* Child pid? */ + +static s32 child_pid; +static void (*old_sigterm_handler)(int) = 0; + /* Running in persistent mode? */ static u8 is_persistent; @@ -109,6 +114,14 @@ static u8 is_persistent; static u8 _is_sancov; +/* ensure we kill the child on termination */ + +void at_exit(int signal) { + + if (child_pid > 0) { kill(child_pid, SIGKILL); } + +} + /* Uninspired gcc plugin instrumentation */ void __afl_trace(const u32 x) { @@ -432,7 +445,6 @@ static void __afl_map_shm(void) { static void __afl_start_snapshots(void) { static u8 tmp[4] = {0, 0, 0, 0}; - s32 child_pid; u32 status = 0; u32 already_read_first = 0; u32 was_killed; @@ -579,6 +591,7 @@ static void __afl_start_snapshots(void) { //(void)nice(-20); // does not seem to improve signal(SIGCHLD, old_sigchld_handler); + signal(SIGTERM, old_sigterm_handler); close(FORKSRV_FD); close(FORKSRV_FD + 1); @@ -633,6 +646,11 @@ static void __afl_start_snapshots(void) { static void __afl_start_forkserver(void) { + struct sigaction orig_action; + sigaction(SIGTERM, NULL, &orig_action); + old_sigterm_handler = orig_action.sa_handler; + signal(SIGTERM, at_exit); + #ifdef __linux__ if (/*!is_persistent &&*/ !__afl_cmp_map && !getenv("AFL_NO_SNAPSHOT") && afl_snapshot_init() >= 0) { @@ -645,7 +663,6 @@ static void __afl_start_forkserver(void) { #endif u8 tmp[4] = {0, 0, 0, 0}; - s32 child_pid; u32 status = 0; u32 already_read_first = 0; u32 was_killed; @@ -793,6 +810,7 @@ static void __afl_start_forkserver(void) { //(void)nice(-20); signal(SIGCHLD, old_sigchld_handler); + signal(SIGTERM, old_sigterm_handler); close(FORKSRV_FD); close(FORKSRV_FD + 1); -- cgit 1.4.1 From 6e61b2345cc35f101bac7594089dc57999f33b89 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 8 Dec 2020 20:33:41 +0100 Subject: more reporting on errors --- instrumentation/afl-compiler-rt.o.c | 25 +++++++++++++++++++++++-- src/afl-forkserver.c | 7 +++++++ utils/persistent_mode/persistent_demo_new.c | 2 +- 3 files changed, 31 insertions(+), 3 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index b07aeb83..e29c4483 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -163,6 +163,12 @@ static void __afl_map_shm_fuzz() { char *id_str = getenv(SHM_FUZZ_ENV_VAR); + if (getenv("AFL_DEBUG")) { + + fprintf(stderr, "DEBUG: fuzzcase shmem %s\n", id_str ? id_str : "none"); + + } + if (id_str) { u8 *map = NULL; @@ -196,6 +202,7 @@ static void __afl_map_shm_fuzz() { if (!map || map == (void *)-1) { perror("Could not access fuzzing shared memory"); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); } @@ -212,6 +219,7 @@ static void __afl_map_shm_fuzz() { } else { fprintf(stderr, "Error: variable for fuzzing shared memory is not set\n"); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); } @@ -335,6 +343,8 @@ static void __afl_map_shm(void) { send_forkserver_error(FS_ERROR_MAP_ADDR); else send_forkserver_error(FS_ERROR_MMAP); + perror("shmat for map"); + exit(2); } @@ -349,12 +359,14 @@ static void __afl_map_shm(void) { /* Whooooops. */ - if (__afl_area_ptr == (void *)-1) { + if (!__afl_area_ptr || __afl_area_ptr == (void *)-1) { if (__afl_map_addr) send_forkserver_error(FS_ERROR_MAP_ADDR); else send_forkserver_error(FS_ERROR_SHMAT); + + perror("shmat for map"); _exit(1); } @@ -376,6 +388,7 @@ static void __afl_map_shm(void) { fprintf(stderr, "can not acquire mmap for address %p\n", (void *)__afl_map_addr); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); } @@ -411,6 +424,7 @@ static void __afl_map_shm(void) { if (shm_fd == -1) { fprintf(stderr, "shm_open() failed\n"); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); } @@ -424,6 +438,7 @@ static void __afl_map_shm(void) { shm_fd = -1; fprintf(stderr, "mmap() failed\n"); + send_forkserver_error(FS_ERROR_SHM_OPEN); exit(2); } @@ -435,7 +450,13 @@ static void __afl_map_shm(void) { __afl_cmp_map = shmat(shm_id, NULL, 0); #endif - if (__afl_cmp_map == (void *)-1) _exit(1); + if (!__afl_cmp_map || __afl_cmp_map == (void *)-1) { + + perror("shmat for cmplog"); + send_forkserver_error(FS_ERROR_SHM_OPEN); + _exit(1); + + } } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 20117c1d..b1c29ba6 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1069,6 +1069,13 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, if (fsrv->child_pid <= 0) { if (*stop_soon_p) { return 0; } + + if ((fsrv->child_pid & FS_OPT_ERROR) && + FS_OPT_GET_ERROR(fsrv->child_pid) == FS_ERROR_SHM_OPEN) + FATAL( + "Target reported shared memory access failed (perhaps increase " + "shared memory available)."); + FATAL("Fork server is misbehaving (OOM?)"); } diff --git a/utils/persistent_mode/persistent_demo_new.c b/utils/persistent_mode/persistent_demo_new.c index a29792ff..0d24a51e 100644 --- a/utils/persistent_mode/persistent_demo_new.c +++ b/utils/persistent_mode/persistent_demo_new.c @@ -86,7 +86,7 @@ int main(int argc, char **argv) { if (buf[4] == '!') { printf("five\n"); - if (buf[6] == '!') { + if (buf[5] == '!') { printf("six\n"); abort(); -- cgit 1.4.1 From 2b543a64af94d4749fb6644f562a27bec123f7b5 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 8 Dec 2020 22:12:05 +0100 Subject: small fixes --- instrumentation/afl-compiler-rt.o.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index e29c4483..32e4da85 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -343,7 +343,7 @@ static void __afl_map_shm(void) { send_forkserver_error(FS_ERROR_MAP_ADDR); else send_forkserver_error(FS_ERROR_MMAP); - perror("shmat for map"); + perror("mmap for map"); exit(2); @@ -355,8 +355,6 @@ static void __afl_map_shm(void) { __afl_area_ptr = shmat(shm_id, (void *)__afl_map_addr, 0); -#endif - /* Whooooops. */ if (!__afl_area_ptr || __afl_area_ptr == (void *)-1) { @@ -371,6 +369,8 @@ static void __afl_map_shm(void) { } +#endif + /* Write something into the bitmap so that even with low AFL_INST_RATIO, our parent doesn't give up on us. */ @@ -423,7 +423,7 @@ static void __afl_map_shm(void) { shm_fd = shm_open(shm_file_path, O_RDWR, 0600); if (shm_fd == -1) { - fprintf(stderr, "shm_open() failed\n"); + perror("shm_open() failed\n"); send_forkserver_error(FS_ERROR_SHM_OPEN); exit(1); -- cgit 1.4.1 From 9534bb87b1e2c428024879ef4de7337f8fccda5a Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 8 Dec 2020 23:26:28 +0100 Subject: fix some copmpiler warnings for USEMMAP --- instrumentation/afl-compiler-rt.o.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 32e4da85..c29861e6 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -176,7 +176,6 @@ static void __afl_map_shm_fuzz() { #ifdef USEMMAP const char * shm_file_path = id_str; int shm_fd = -1; - unsigned char *shm_base = NULL; /* create the shared memory segment as if it was a file */ shm_fd = shm_open(shm_file_path, O_RDWR, 0600); @@ -417,7 +416,7 @@ static void __afl_map_shm(void) { #ifdef USEMMAP const char * shm_file_path = id_str; int shm_fd = -1; - unsigned char *shm_base = NULL; + struct cmp_map *shm_base = NULL; /* create the shared memory segment as if it was a file */ shm_fd = shm_open(shm_file_path, O_RDWR, 0600); -- cgit 1.4.1 From 39a4fac941177387578ec856aacea2187588fc13 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 9 Dec 2020 11:07:14 +0100 Subject: better examples --- instrumentation/afl-compiler-rt.o.c | 8 ++++---- src/afl-sharedmem.c | 8 ++++---- utils/persistent_mode/persistent_demo.c | 8 +++++++- utils/persistent_mode/persistent_demo_new.c | 8 +++++++- utils/persistent_mode/test-instr.c | 8 +++++++- 5 files changed, 29 insertions(+), 11 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index c29861e6..99dcbb67 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -174,8 +174,8 @@ static void __afl_map_shm_fuzz() { u8 *map = NULL; #ifdef USEMMAP - const char * shm_file_path = id_str; - int shm_fd = -1; + const char *shm_file_path = id_str; + int shm_fd = -1; /* create the shared memory segment as if it was a file */ shm_fd = shm_open(shm_file_path, O_RDWR, 0600); @@ -414,8 +414,8 @@ static void __afl_map_shm(void) { if (id_str) { #ifdef USEMMAP - const char * shm_file_path = id_str; - int shm_fd = -1; + const char * shm_file_path = id_str; + int shm_fd = -1; struct cmp_map *shm_base = NULL; /* create the shared memory segment as if it was a file */ diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index cef908e0..3e671df5 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -252,10 +252,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm_str = alloc_printf("%d", shm->shm_id); - /* If somebody is asking us to fuzz instrumented binaries in non-instrumented - mode, we don't want them to detect instrumentation, since we won't be - sending fork server commands. This should be replaced with better - auto-detection later on, perhaps? */ + /* If somebody is asking us to fuzz instrumented binaries in + non-instrumented mode, we don't want them to detect instrumentation, + since we won't be sending fork server commands. This should be replaced + with better auto-detection later on, perhaps? */ setenv(SHM_ENV_VAR, shm_str, 1); diff --git a/utils/persistent_mode/persistent_demo.c b/utils/persistent_mode/persistent_demo.c index 4cedc32c..f5e43728 100644 --- a/utils/persistent_mode/persistent_demo.c +++ b/utils/persistent_mode/persistent_demo.c @@ -27,9 +27,15 @@ #include #include #include +#include /* Main entry point. */ +/* To ensure checks are not optimized out it is recommended to disable + code optimization for the fuzzer harness main() */ +#pragma clang optimize off +#pragma GCC optimize("O0") + int main(int argc, char **argv) { ssize_t len; /* how much input did we read? */ @@ -42,7 +48,7 @@ int main(int argc, char **argv) { and similar hiccups. */ __AFL_INIT(); - while (__AFL_LOOP(1000)) { + while (__AFL_LOOP(UINT_MAX)) { /*** PLACEHOLDER CODE ***/ diff --git a/utils/persistent_mode/persistent_demo_new.c b/utils/persistent_mode/persistent_demo_new.c index 0d24a51e..7e694696 100644 --- a/utils/persistent_mode/persistent_demo_new.c +++ b/utils/persistent_mode/persistent_demo_new.c @@ -27,6 +27,7 @@ #include #include #include +#include /* this lets the source compile without afl-clang-fast/lto */ #ifndef __AFL_FUZZ_TESTCASE_LEN @@ -47,6 +48,11 @@ __AFL_FUZZ_INIT(); /* Main entry point. */ +/* To ensure checks are not optimized out it is recommended to disable + code optimization for the fuzzer harness main() */ +#pragma clang optimize off +#pragma GCC optimize("O0") + int main(int argc, char **argv) { ssize_t len; /* how much input did we read? */ @@ -60,7 +66,7 @@ int main(int argc, char **argv) { __AFL_INIT(); buf = __AFL_FUZZ_TESTCASE_BUF; // this must be assigned before __AFL_LOOP! - while (__AFL_LOOP(1000)) { // increase if you have good stability + while (__AFL_LOOP(UINT_MAX)) { // increase if you have good stability len = __AFL_FUZZ_TESTCASE_LEN; // do not use the macro directly in a call! diff --git a/utils/persistent_mode/test-instr.c b/utils/persistent_mode/test-instr.c index a6188b22..6da511de 100644 --- a/utils/persistent_mode/test-instr.c +++ b/utils/persistent_mode/test-instr.c @@ -17,15 +17,21 @@ #include #include #include +#include __AFL_FUZZ_INIT(); +/* To ensure checks are not optimized out it is recommended to disable + code optimization for the fuzzer harness main() */ +#pragma clang optimize off +#pragma GCC optimize("O0") + int main(int argc, char **argv) { __AFL_INIT(); unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; - while (__AFL_LOOP(2147483647)) { // MAX_INT if you have 100% stability + while (__AFL_LOOP(UINT_MAX)) { // if you have 100% stability unsigned int len = __AFL_FUZZ_TESTCASE_LEN; -- cgit 1.4.1 From 2bf68a0bf45fb2bb3bc0f574f20959a62c9f8239 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 11 Dec 2020 11:19:26 +0100 Subject: fix MMAP --- GNUmakefile.llvm | 4 ++-- instrumentation/afl-compiler-rt.o.c | 2 +- src/afl-cc.c | 27 +++++++++++---------------- src/afl-fuzz.c | 8 +++++++- 4 files changed, 21 insertions(+), 20 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 6e80de81..414cd487 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -288,13 +288,13 @@ ifeq "$(shell echo '$(HASH)include @$(HASH)include @int ma SHMAT_OK=1 else SHMAT_OK=0 - #CFLAGS+=-DUSEMMAP=1 + CFLAGS_SAFE += -DUSEMMAP=1 LDFLAGS += -Wno-deprecated-declarations endif ifeq "$(TEST_MMAP)" "1" SHMAT_OK=0 - CFLAGS+=-DUSEMMAP=1 + CFLAGS_SAFE += -DUSEMMAP=1 LDFLAGS += -Wno-deprecated-declarations endif diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 99dcbb67..afe0839e 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -1107,7 +1107,7 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { to avoid duplicate calls (which can happen as an artifact of the underlying implementation in LLVM). */ - *(start++) = R(MAP_SIZE - 1) + 1; + *(start++) = ++__afl_final_loc; while (start < stop) { diff --git a/src/afl-cc.c b/src/afl-cc.c index 14d8e070..37cfc7c8 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -130,21 +130,6 @@ static u8 *find_object(u8 *obj, u8 *argv0) { u8 *afl_path = getenv("AFL_PATH"); u8 *slash = NULL, *tmp; - /* - if (obj_path) { - - tmp = alloc_printf("%s/%s", obj_path, obj); - - if (debug) DEBUGF("Trying %s\n", tmp); - - if (!access(tmp, R_OK)) { return tmp; } - - ck_free(tmp); - - } - - */ - if (afl_path) { tmp = alloc_printf("%s/%s", afl_path, obj); @@ -906,6 +891,10 @@ static void edit_params(u32 argc, char **argv, char **envp) { alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); #endif +#ifdef USEMMAP + cc_params[cc_par_cnt++] = "-lrt"; +#endif + } #endif @@ -1475,9 +1464,15 @@ int main(int argc, char **argv, char **envp) { if (have_llvm) SAYF("afl-cc LLVM version %d with the the binary path \"%s\".\n", LLVM_MAJOR, LLVM_BINDIR); - if (have_lto || have_llvm) SAYF("\n"); #endif +#ifdef USEMMAP + SAYF("Compiled with shm_open support (adds -lrt when linking).\n"); +#else + SAYF("Compiled with shmat support.\n"); +#endif + SAYF("\n"); + SAYF( "Do not be overwhelmed :) afl-cc uses good defaults if no options are " "selected.\n" diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index bbe6aec6..391d4c4f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -230,6 +230,12 @@ static void usage(u8 *argv0, int more_help) { SAYF("Compiled without python module support\n"); #endif +#ifdef USEMMAP + SAYF("Compiled with shm_open support.\n"); +#else + SAYF("Compiled with shmat support.\n"); +#endif + #ifdef ASAN_BUILD SAYF("Compiled with ASAN_BUILD\n\n"); #endif @@ -254,7 +260,7 @@ static void usage(u8 *argv0, int more_help) { SAYF("Compiled with _AFL_DOCUMENT_MUTATIONS\n\n"); #endif - SAYF("For additional help please consult %s/README.md\n\n", doc_path); + SAYF("For additional help please consult %s/README.md :)\n\n", doc_path); exit(1); #undef PHYTON_SUPPORT -- cgit 1.4.1