From d9ff84e39ecad47deec8808ea127fd90d9f5e8ef Mon Sep 17 00:00:00 2001 From: Heiko Eißfeldt Date: Sun, 30 Jun 2019 10:06:20 +0200 Subject: Refactor to use an alternative method for shared memory. If USEMMAP is defined, the shared memory segment is created/attached etc. now by shm_open() and mmap(). This API is hopefully more often available (at least for iOS). In order to reduce code duplication I have added new files sharedmem.[ch] which now encapsulate the shared memory method. This is based on the work of Proteas to support iOS fuzzing (thanks). https://github.com/Proteas/afl-ios/commit/866af8ad1cb230d5d753b546380a4af1e55d6946 Currently this is in an experimental status yet. Please report whether this variant works on 32 and 64 bit and on the supported platforms. This branch enables USEMMAP and has been tested on Linux. There is no auto detection for the mmap API yet. --- sharedmem.h | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 sharedmem.h (limited to 'sharedmem.h') diff --git a/sharedmem.h b/sharedmem.h new file mode 100644 index 00000000..9300ccf1 --- /dev/null +++ b/sharedmem.h @@ -0,0 +1,6 @@ +#ifndef SHAREDMEM +#define SHAREDMEM + +void setup_shm(unsigned char dumb_mode); +void remove_shm(void); +#endif -- cgit 1.4.1 From 9eb2cd73274362f117621696dd407ac631334e74 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 1 Jul 2019 11:46:14 +0200 Subject: various fixes --- Makefile | 46 +++++++++++++++++++++++++++++++++++++++------- sharedmem.c | 19 +++++++++---------- sharedmem.h | 4 ++-- 3 files changed, 50 insertions(+), 19 deletions(-) (limited to 'sharedmem.h') diff --git a/Makefile b/Makefile index 4f85b53a..18e91b1e 100644 --- a/Makefile +++ b/Makefile 
@@ -30,7 +30,7 @@ SH_PROGS = afl-plot afl-cmin afl-whatsup afl-system-config CFLAGS ?= -O3 -funroll-loops CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \ - -DBIN_PATH=\"$(BIN_PATH)\" -DUSEMMAP=1 + -DBIN_PATH=\"$(BIN_PATH)\" PYTHON_INCLUDE ?= /usr/include/python2.7 @@ -54,15 +54,24 @@ else PYFLAGS= endif -all: test_x86 test_python27 $(PROGS) afl-as test_build all_done +ifeq "$(shell echo '\#include XXX\#include XXX\#include XXXvoid main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, NULL);}' | sed 's/XXX/\n/g' | $(CC) -x c - -o .test2 && echo 1 || echo 0 )" "1" + SHM_OK=1 +else + SHM_OK=0 + CFLAGS+=-DUSEMMAP=1 + LDFLAGS+=-Wno-deprecated-declarations +endif + + +all: test_x86 test_shm test_python27 ready $(PROGS) afl-as test_build all_done + ifndef AFL_NO_X86 test_x86: @echo "[*] Checking for the ability to compile x86 code..." - @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 ) - @rm -f .test - @echo "[+] Everything seems to be working, ready to compile." + @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 ) + @rm -f .test1 else @@ -71,6 +80,21 @@ test_x86: endif + +ifeq "$(SHM_OK)" "1" + +test_shm: + @rm -f .test2 2> /dev/null + @echo "[+] shmem seems to be working." + +else + +test_shm: + @echo "[-] shmem seems not to be working, switchig to mmap implementation" + +endif + + ifeq "$(PYTHON_OK)" "1" test_python27: 
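Review bot: In the new shmget probe's else branch, `-Wno-deprecated-declarations` is appended to LDFLAGS, but it is a compiler diagnostic option with no effect on the link step; it belongs beside the define it accompanies, `CFLAGS+=-DUSEMMAP=1 -Wno-deprecated-declarations`. The probe also invokes `$(CC)` without `$(CFLAGS)` and without `2>/dev/null`, so it is re-evaluated on every parse (including `make clean`), can disagree with the flags the real objects are compiled with, and spills the compiler's own errors onto the console on platforms where the SysV API is absent instead of leaving the report to the later `test_shm` message. The quoted test program declares `void main()`; `int main(void)` keeps the probe valid C on compilers that reject the non-standard form, which would otherwise be misread as "shmem not working".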
@@ -84,6 +108,10 @@ test_python27: endif + +ready: + @echo "[+] Everything seems to be working, ready to compile." + afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86 $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done @@ -130,14 +158,18 @@ endif all_done: test_build @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi - @echo "[+] All done! Be sure to review README - it's pretty short and useful." + @echo "[+] All done! Be sure to review the README - it's pretty short and useful." +ifeq "$(SHM_OK)" "1" + @echo "[!] shmem isn't working on your platform - compile every target with -lrt:" + @echo "[!] CFLAGS=-lrt LDFLAGS=-lrt CC=afl-gcc CXX=afl-g++ ./configure" +endif @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null .NOTPARALLEL: clean clean: - rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace + rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace rm -rf out_dir qemu_mode/qemu-2.10.0 $(MAKE) -C llvm_mode clean $(MAKE) -C libdislocator clean diff --git a/sharedmem.c b/sharedmem.c index 23cc8984..5ee16959 100644 --- a/sharedmem.c +++ b/sharedmem.c 
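Review bot: The fallback `test_shm` recipe's message has a typo, `switchig`; the line should read `@echo "[-] shmem seems not to be working, switching to mmap implementation"`. Both `test_shm` variants are file-less targets that `all` now depends on, so if the Makefile has a `.PHONY` list (not visible here) they and `ready` should be added to it, otherwise a stray file named `test_shm` would silently skip the check.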
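Review bot: The `ifeq "$(SHM_OK)" "1"` guard added to `all_done` is inverted: SHM_OK is set to 1 exactly when the shmget probe compiled, yet that branch prints "shmem isn't working on your platform"; it should be `ifneq "$(SHM_OK)" "1"` (or `ifeq "$(SHM_OK)" "0"`). The advice it prints passes `-lrt` through CFLAGS as well, but `-lrt` is a linker option and only the LDFLAGS part of that suggestion does anything. If `shm_open`/`shm_unlink` live in librt on the target (as on older glibc), the probe's else branch should presumably also append `-lrt` to this Makefile's own LDFLAGS, since the mmap path in sharedmem.c is linked into the afl binaries; that cannot be confirmed from the hunk.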
@@ -23,13 +23,16 @@ #include #include -#include #include #include #include + #include + #include -#include -#include +#ifndef USEMMAP + #include + #include +#endif extern unsigned char*trace_bits; @@ -67,14 +70,10 @@ void remove_shm(void) { void setup_shm(unsigned char dumb_mode) { #ifdef USEMMAP /* generate random file name for multi instance */ - memset(g_shm_file_path, 0x0, L_tmpnam); - - char *result = tmpnam(g_shm_file_path); - if (result == 0) - PFATAL("cannot generate filename for shared memory"); - /* get rid of second slash in /tmp/blabla */ - g_shm_file_path[4] = '_'; + /* thanks to f*cking glibc we can not use tmpnam securely, it generates a security warning that cannot be suppressed */ + /* so we do this worse workaround */ + snprintf(g_shm_file_path, L_tmpnam, "/afl_%d_%ld", getpid(), random()); /* create the shared memory segment as if it was a file */ g_shm_fd = shm_open(g_shm_file_path, O_CREAT | O_RDWR | O_EXCL, 0600); diff --git a/sharedmem.h b/sharedmem.h index 9300ccf1..53a85fcb 100644 --- a/sharedmem.h +++ b/sharedmem.h @@ -1,5 +1,5 @@ -#ifndef SHAREDMEM -#define SHAREDMEM +#ifndef __SHAREDMEM_H +#define __SHAREDMEM_H void setup_shm(unsigned char dumb_mode); void remove_shm(void); -- cgit 1.4.1
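Review bot: The new `snprintf(g_shm_file_path, L_tmpnam, "/afl_%d_%ld", getpid(), random())` borrows tmpnam's `L_tmpnam` as the bound, but that constant (20 on glibc) is smaller than the longest name the format can produce (a 7-digit pid plus a 10-digit random() value needs 24 bytes with the terminator), so the name may be silently truncated; the write stays bounded and NUL-terminated, but truncation discards the suffix that keeps concurrent instances apart, and the collision then surfaces only as an O_EXCL failure on the `shm_open` below. Check the result, `int n = snprintf(g_shm_file_path, L_tmpnam, "/afl_%d_%ld", getpid(), random()); if (n < 0 || n >= L_tmpnam) PFATAL("shm name too long");`, or size `g_shm_file_path` for this format rather than for tmpnam. No `srandom` call is visible in the hunk; if the generator is unseeded the name is predictable, which with `O_CREAT | O_RDWR | O_EXCL` can only make startup fail on a pre-existing object rather than attach to someone else's, so the check above is what turns that into a clear diagnostic. `setup_shm` continues past the end of the hunk.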
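Review bot: The new include guard `__SHAREDMEM_H` begins with a double underscore, which C reserves for the implementation in every context, so the rename trades an unreserved name for one that may collide with a compiler or libc macro; `#ifndef AFL_SHAREDMEM_H` / `#define AFL_SHAREDMEM_H` keeps the `_H` suffix without entering the reserved space. The two prototypes remain undocumented; a one-line comment above `setup_shm` saying what `dumb_mode` selects and that `remove_shm` releases what `setup_shm` created would help callers, though their exact semantics are not visible on this page.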