From 0bc3367b55b2f08c7c2588576af27567044dc0b6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Oct 2021 14:46:15 +0200 Subject: remove race condition --- src/afl-forkserver.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) (limited to 'src/afl-forkserver.c') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 54f510c4..94ca3009 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -610,12 +610,24 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!time_ms) { - if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); } + s32 tmp_pid = fsrv->fsrv_pid; + if (tmp_pid > 0) { + + kill(tmp_pid, fsrv->kill_signal); + fsrv->fsrv_pid = 1; + + } } else if (time_ms > fsrv->init_tmout) { fsrv->last_run_timed_out = 1; - if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); } + s32 tmp_pid = fsrv->fsrv_pid; + if (tmp_pid > 0) { + + kill(tmp_pid, fsrv->kill_signal); + fsrv->fsrv_pid = 1; + + } } else { @@ -1248,7 +1260,14 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */ - if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); } + s32 tmp_pid = srv->child_pid; + if (tmp_pid > 0) { + + kill(tmp_pid, fsrv->kill_signal); + fsrv->child_pid = -1 + + } + fsrv->last_run_timed_out = 1; if (read(fsrv->fsrv_st_fd, &fsrv->child_status, 4) < 4) { exec_ms = 0; } -- cgit 1.4.1 From 90786e2ce9970c52e661c0fe290cb78a1a063004 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Oct 2021 15:20:59 +0200 Subject: fix --- src/afl-forkserver.c | 4 ++-- test/test-pre.sh | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'src/afl-forkserver.c') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 94ca3009..71667262 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c 
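Review bot: The sentinel written after the kill in both timeout branches of afl_fsrv_start, `fsrv->fsrv_pid = 1;`, is a live PID (init), so any later `if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, ...)` path (the deinit/cleanup code is not in view) would signal PID 1 — as root that can take the host down, otherwise it fails with EPERM; the sentinel must be non-positive, `fsrv->fsrv_pid = -1;`, which a later commit on this page does apply. The `> 0` guard is load-bearing in the other direction too, since `kill(0, sig)` hits the whole process group and `kill(-1, sig)` every process the caller may signal, so the sentinel deserves a comment such as `/* -1: never a valid kill() target; the > 0 guards depend on it */`. Copying the field into `tmp_pid` closes the check-then-use window inside this function, but the field is still a plain `s32` shared with whatever signal handler reads it (not visible here), so that reader's own window between its read and its kill() remains. afl_fsrv_start continues on both sides of this hunk.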
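Review bot: The new lines in afl_fsrv_run_target do not compile as committed: `s32 tmp_pid = srv->child_pid;` references an undefined `srv`, and `fsrv->child_pid = -1` lacks its terminating semicolon; the intended lines are `s32 tmp_pid = fsrv->child_pid;` and `fsrv->child_pid = -1;` (the follow-up commit below makes exactly these corrections). Independently of that, the comment above the block still only says the child is killed; now that the field is reset it should also record what the sentinel means and who is expected to report the exit, e.g. `/* Reset child_pid to -1 so no later kill() can hit a stale or reused PID; the forkserver still reports the child's status on fsrv_st_fd below. */`. The enclosing function continues outside the hunk.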
@@ -1260,11 +1260,11 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */ - s32 tmp_pid = srv->child_pid; + s32 tmp_pid = fsrv->child_pid; if (tmp_pid > 0) { kill(tmp_pid, fsrv->kill_signal); - fsrv->child_pid = -1 + fsrv->child_pid = -1; } diff --git a/test/test-pre.sh b/test/test-pre.sh index 7819da47..e12d95be 100755 --- a/test/test-pre.sh +++ b/test/test-pre.sh @@ -88,6 +88,8 @@ unset AFL_QEMU_PERSISTENT_GPR unset AFL_QEMU_PERSISTENT_RET unset AFL_QEMU_PERSISTENT_HOOK unset AFL_QEMU_PERSISTENT_CNT +unset AFL_QEMU_PERSISTENT_MEM +unset AFL_QEMU_PERSISTENT_EXITS unset AFL_CUSTOM_MUTATOR_LIBRARY unset AFL_PYTHON_MODULE unset AFL_PRELOAD -- cgit 1.4.1 From a7ee11a1747347847b06a4226f2800dd780f7c16 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 24 Oct 2021 19:35:58 +0200 Subject: fix --- src/afl-forkserver.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/afl-forkserver.c') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 71667262..c570a2bb 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -603,7 +603,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, /* Wait for the fork server to come up, but don't wait too long. */ rlen = 0; - if (fsrv->exec_tmout) { + if (fsrv->init_tmout) { u32 time_ms = read_s32_timed(fsrv->fsrv_st_fd, &status, fsrv->init_tmout, stop_soon_p); @@ -614,7 +614,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (tmp_pid > 0) { kill(tmp_pid, fsrv->kill_signal); - fsrv->fsrv_pid = 1; + fsrv->fsrv_pid = -1; } @@ -625,7 +625,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (tmp_pid > 0) { kill(tmp_pid, fsrv->kill_signal); - fsrv->fsrv_pid = 1; + fsrv->fsrv_pid = -1; } 
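Review bot: With the sentinel corrected to `-1`, the same kill-and-reset block now appears three times (twice in afl_fsrv_start, once in afl_fsrv_run_target), each repeating the local copy, the `> 0` guard and the sentinel that together keep kill() away from PID 0 and PID -1; keeping that invariant in one static helper would make the next edit harder to get wrong, as the `1` vs `-1` slip this commit fixes shows. The helper takes the address of the pid field so the call sites stay one line each. Both hunks sit inside afl_fsrv_start, whose body extends beyond them.
```c
/* Signal the process recorded in *pid_slot, if any, and mark the slot
   empty.  -1 is never a valid kill() target, so the > 0 guard is what
   keeps a stale slot from turning into kill(0)/kill(-1). */
static void fsrv_kill_and_clear(s32 *pid_slot, int sig) {

  s32 pid = *pid_slot;
  if (pid > 0) {

    kill(pid, sig);
    *pid_slot = -1;

  }

}

/* … unchanged: afl_fsrv_start up to the init-timeout read … */
    if (!time_ms) {

      fsrv_kill_and_clear(&fsrv->fsrv_pid, fsrv->kill_signal);

    } else if (time_ms > fsrv->init_tmout) {

      fsrv->last_run_timed_out = 1;
      fsrv_kill_and_clear(&fsrv->fsrv_pid, fsrv->kill_signal);

    }
```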
@@ -1301,7 +1301,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } - if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = 0; } + if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = -1 ; } fsrv->total_execs++; -- cgit 1.4.1 From 0f49463edec0c019bd098659fa74c58a2d28c439 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 24 Oct 2021 19:41:06 +0200 Subject: fix --- src/afl-forkserver.c | 2 +- src/afl-showmap.c | 9 ++++++--- unicorn_mode/unicornafl | 2 +- 3 files changed, 8 insertions(+), 5 deletions(-) (limited to 'src/afl-forkserver.c') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index c570a2bb..80b295e0 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -1301,7 +1301,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, } - if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = -1 ; } + if (!WIFSTOPPED(fsrv->child_status)) { fsrv->child_pid = -1; } fsrv->total_execs++; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 3a244c04..3826e385 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -77,7 +77,7 @@ static u32 tcnt, highest; /* tuple content information */ static u32 in_len; /* Input data length */ -static u32 map_size = MAP_SIZE; +static u32 map_size = MAP_SIZE, timed_out = 0; static bool quiet_mode, /* Hide non-essential messages? */ edges_only, /* Ignore hit counts? */ @@ -148,6 +148,7 @@ static const u8 count_class_binary[256] = { static void kill_child() { + timed_out = 1; if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); @@ -373,9 +374,10 @@ static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, u8 *mem, if (!quiet_mode) { - if (fsrv->last_run_timed_out) { + if (timed_out || fsrv->last_run_timed_out) { SAYF(cLRD "\n+++ Program timed off +++\n" cRST); + timed_out = 0; } else if (stop_soon) { 
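Review bot: `timed_out` is written by kill_child() and read in the main flow, so if kill_child is installed as a signal handler (its name and the kill() on child_pid suggest so, but the signal() setup is not in view) the flag must be `volatile sig_atomic_t`, not a plain `u32` appended to the map_size declaration — a non-volatile global written from a handler is a data race the compiler may legitimately cache through (CERT SIG31-C). Declare it on its own line as `static volatile sig_atomic_t timed_out = 0; /* set from kill_child() */`. If kill_child turns out to be called only synchronously, the qualifier is unnecessary, but the separate, commented declaration still reads better than the shared initializer line.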
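Review bot: kill_child() still reads `fsrv->child_pid` twice, once in the guard and once as the kill() argument, which is the check-then-use shape the first commit in this series replaced with a local copy in afl-forkserver.c; whether anything can change the field between the two reads here depends on what may interrupt kill_child (not visible), but the local-copy form costs nothing and keeps the two files consistent: `s32 tmp_pid = fsrv->child_pid; if (tmp_pid > 0) { kill(tmp_pid, fsrv->kill_signal);`. Note also that `timed_out = 1` is set before the pid check, so the flag records that the handler ran rather than that a child was actually signalled; if that is intended, a one-line comment saying so would spare the next reader the question. kill_child continues past the end of the hunk.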
@@ -581,9 +583,10 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { if (!quiet_mode) { - if (fsrv->last_run_timed_out) { + if (timed_out || fsrv->last_run_timed_out) { SAYF(cLRD "\n+++ Program timed off +++\n" cRST); + timed_out = 0; } else if (stop_soon) { diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 94617f5b..d4915053 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 94617f5bee0c08a5cbd1a1aa73f59cd973dfb17f +Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e -- cgit 1.4.1
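Review bot: The `timed_out = 0;` reset is reached only on the `!quiet_mode` path, so under `-q` the flag set by kill_child() is never cleared and stays at 1 for every later run; nothing in this hunk reads it in quiet mode, but any other consumer (not visible) would see a stale timeout, and clearing the flag at the start of each run — `timed_out = 0;` before the target is executed rather than after the report — makes the state independent of the reporting mode. The same applies to the matching hunk in showmap_run_target_forkserver above. showmap_run_target's body extends beyond this hunk.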