From 67d87dd2a9dbc393b56162e77ff3178f4e3f59fa Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sun, 14 Jun 2020 15:26:43 +0000 Subject: Porting to Haiku. getrusage does not implement resident memory gathering, no shm api neither. --- src/afl-sharedmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-sharedmem.c') diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 63013435..f8bbebc8 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -145,7 +145,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); - if (shm->map == -1 || !shm->map) PFATAL("mmap() failed"); + if (shm->map == (void *)-1 || !shm->map) PFATAL("mmap() failed"); #else u8 *shm_str; -- cgit 1.4.1 From 171b1923e94b7157d9c0574fae890d31fd880e4c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 25 Jun 2020 22:02:02 +0200 Subject: shmem release fix --- GNUmakefile | 8 ++++---- docs/Changelog.md | 1 + src/afl-fuzz-run.c | 1 + src/afl-fuzz.c | 38 +++++++++++++++++++++++++++++++++++--- src/afl-sharedmem.c | 2 ++ src/afl-showmap.c | 51 ++++++++++++++++++++++++++++++++------------------- src/afl-tmin.c | 49 ++++++++++++++++++++++++++++++++----------------- 7 files changed, 107 insertions(+), 43 deletions(-) (limited to 'src/afl-sharedmem.c') diff --git a/GNUmakefile b/GNUmakefile index ad7169cd..616d4f70 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -122,7 +122,7 @@ endif ifeq "$(shell uname -s)" "Haiku" SHMAT_OK=0 override CFLAGS += -DUSEMMAP=1 -Wno-error=format -fPIC - LDFLAGS+=-Wno-deprecated-declarations -lgnu + LDFLAGS += -Wno-deprecated-declarations -lgnu SPECIAL_PERFORMANCE += -DUSEMMAP=1 endif 
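Review bot: The corrected sentinel on the changed line is still spelled as a raw cast although this is the mmap() branch (the `#else` below opens the SysV path), so `MAP_FAILED` from sys/mman.h says what is meant and cannot be mistyped: `if (shm->map == MAP_FAILED || !shm->map) PFATAL("mmap() failed");`. The check also runs after `setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1)` has already published the path, so a child spawned between the two lines would be handed the name of a mapping that does not exist; that ordering predates this commit, but moving the check above the `setenv` is a one-line swap. afl_shm_init begins and ends outside the hunk.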
@@ -253,14 +253,14 @@ ifeq "$(shell echo '$(HASH)include @$(HASH)include @int ma else SHMAT_OK=0 override CFLAGS+=-DUSEMMAP=1 - LDFLAGS+=-Wno-deprecated-declarations + LDFLAGS += -Wno-deprecated-declarations -lrt endif ifdef TEST_MMAP SHMAT_OK=0 override CFLAGS += -DUSEMMAP=1 - LDFLAGS += -Wno-deprecated-declarations -else + LDFLAGS += -Wno-deprecated-declarations -lrt +$(info LDFLAGS=$(LDFLAGS)) endif all: test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done diff --git a/docs/Changelog.md b/docs/Changelog.md index abfd4386..1a9623a7 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -49,6 +49,7 @@ sending a mail to . - Unicornafl - Added powerPC support from unicorn/next - rust bindings! + - ensure shmem is released on errors - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not compiled by default anymore. - allow running in /tmp (only unsafe with umask 0) diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index d5c80cb3..da5b6bc4 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -262,6 +262,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shmem_fuzz) { + unsetenv(SHM_FUZZ_ENV_VAR); afl_shm_deinit(afl->shm_fuzz); ck_free(afl->shm_fuzz); afl->shm_fuzz = NULL; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 2f23aec7..e7a855ff 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -26,6 +26,13 @@ #include "afl-fuzz.h" #include "cmplog.h" #include +#ifndef USEMMAP + #include + #include + #include + #include + #include +#endif #ifdef PROFILING extern u64 time_spent_working; @@ -34,6 +41,7 @@ extern u64 time_spent_working; static void at_exit() { int i; + char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; char *ptr = getenv("__AFL_TARGET_PID1"); if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); 
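Review bot: `$(info LDFLAGS=$(LDFLAGS))` in the TEST_MMAP branch reads like a debugging aid left in: it prints on every parse of the Makefile whenever TEST_MMAP is defined, including for `clean` and help targets. If the goal was to confirm that `-lrt` is now appended, dropping the line keeps the build output quiet; the `-lrt` addition itself is needed for `shm_open`/`shm_unlink` on glibc before 2.34 and both branches now agree on it. The `ifdef TEST_MMAP` block is complete inside the hunk, the enclosing conditional above it is not.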
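Review bot: `char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL};` stores string-literal macros in an array of non-const `char *`, which discards const and rebuilds the table on the stack each call; `static const char *const list[] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL};` is the accurate type and lets the size come from the initialiser. The context line above it, `static void at_exit()`, is an old-style declaration and would be `static void at_exit(void)` if it is touched again. The loop that consumes the table is in the following hunk; at_exit's body continues outside this one.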
@@ -42,7 +50,28 @@ static void at_exit() { if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); - // anything else? shared memory? + i = 0; + while (list[i] != NULL) { + + ptr = getenv(list[i]); + + if (ptr && *ptr) { + +#ifdef USEMMAP + + shm_unlink(ptr); + +#else + + shmctl(atoi(ptr), IPC_RMID, NULL); + +#endif + + } + + i++; + + } } @@ -991,6 +1020,8 @@ int main(int argc, char **argv_orig, char **envp) { check_crash_handling(); check_cpu_governor(afl); + atexit(at_exit); + afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); @@ -1154,8 +1185,6 @@ int main(int argc, char **argv_orig, char **envp) { } - atexit(at_exit); - perform_dry_run(afl); cull_queue(afl); @@ -1326,10 +1355,13 @@ stop_fuzzing: destroy_queue(afl); destroy_extras(afl); destroy_custom_mutators(afl); + unsetenv(SHM_ENV_VAR); + unsetenv(CMPLOG_SHM_ENV_VAR); afl_shm_deinit(&afl->shm); if (afl->shm_fuzz) { + unsetenv(SHM_FUZZ_ENV_VAR); afl_shm_deinit(afl->shm_fuzz); ck_free(afl->shm_fuzz); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index f8bbebc8..44a91a97 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -66,6 +66,8 @@ static list_t shm_list = {.element_prealloc_count = 0}; void afl_shm_deinit(sharedmem_t *shm) { + if (shm == NULL) return; + list_remove(&shm_list, shm); #ifdef USEMMAP diff --git a/src/afl-showmap.c b/src/afl-showmap.c index de25e427..1ab7d0a8 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
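Review bot: The new loop removes whichever segment the environment names, but since the `@@ -991` hunk now registers `at_exit` before `afl_shm_init` runs, any FATAL between the two deletes a segment this process never created whenever SHM_ENV_VAR, SHM_FUZZ_ENV_VAR or CMPLOG_SHM_ENV_VAR were inherited from the caller; a file-scope flag set once afl_shm_init has published the names, tested at the top of the loop, keeps the handler to its own resources. `shmctl(atoi(ptr), IPC_RMID, NULL)` also turns any non-numeric value into id 0; `long id = strtol(ptr, &end, 10); if (end != ptr && *end == '\0') shmctl((int)id, IPC_RMID, NULL);` makes the parse explicit. If a forked child ever leaves via `exit()` rather than `_exit()` this handler runs there too and tears down the parent's map — presumably the fork-server path uses `_exit`, but that is not visible here. at_exit is complete within the hunk.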
@@ -82,11 +82,16 @@ static u8 quiet_mode, /* Hide non-essential messages? */ raw_instr_output, /* Do not apply AFL filters */ cmin_mode, /* Generate output in afl-cmin mode? */ binary_mode, /* Write output as a binary map */ - keep_cores; /* Allow coredumps? */ + keep_cores, /* Allow coredumps? */ + remove_shm = 1; /* remove shmem? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_crashed; /* Child crashed? */ +static sharedmem_t shm; +static afl_forkserver_t *fsrv; +static sharedmem_t * shm_fuzz; + /* Classify tuple counts. Instead of mapping to individual bits, as in afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */ @@ -141,12 +146,32 @@ static void classify_counts(afl_forkserver_t *fsrv) { } +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Get rid of temp files (atexit handler). */ static void at_exit_handler(void) { if (stdin_file) { unlink(stdin_file); } + if (remove_shm) { + + if (shm.map) afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz); + + } + + afl_fsrv_killall(); + } /* Write results. */ @@ -566,17 +591,6 @@ static void usage(u8 *argv0) { } -static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, - sharedmem_t * shm_fuzz) { - - afl_shm_deinit(shm_fuzz); - fsrv->support_shmem_fuzz = 0; - fsrv->shmem_fuzz = NULL; - ck_free(shm_fuzz); - return NULL; - -} - /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -590,8 +604,8 @@ int main(int argc, char **argv_orig, char **envp) { char **argv = argv_cpy_dup(argc, argv_orig); - afl_forkserver_t fsrv_var = {0}; - afl_forkserver_t *fsrv = &fsrv_var; + afl_forkserver_t fsrv_var = {0}; + fsrv = &fsrv_var; afl_fsrv_init(fsrv); map_size = get_map_size(); fsrv->map_size = map_size; 
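Review bot: `at_exit_handler` now dereferences the file-scope `fsrv`, which the `@@ -590` hunk points at `fsrv_var`, a local of `main`; the handler therefore reads a dead stack frame if `main` ever returns with `remove_shm` still set, and a null pointer if `exit()` is reached before `fsrv = &fsrv_var` runs (where `atexit` is registered is not in this hunk). A null guard, `if (fsrv && fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz);`, covers the second case; making `fsrv_var` itself `static` removes the first. The same pattern is introduced in afl-tmin.c in its `@@ -169` hunk.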
@@ -797,7 +811,6 @@ int main(int argc, char **argv_orig, char **envp) { // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } - sharedmem_t shm = {0}; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); setup_signal_handlers(); @@ -851,8 +864,8 @@ int main(int argc, char **argv_orig, char **envp) { } - sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); - u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); @@ -999,14 +1012,14 @@ int main(int argc, char **argv_orig, char **envp) { } + remove_shm = 0; afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); u32 ret = child_crashed * 2 + fsrv->last_run_timed_out; if (fsrv->target_path) { ck_free(fsrv->target_path); } - if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); - afl_fsrv_deinit(fsrv); if (stdin_file) { ck_free(stdin_file); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 8b028327..5e4bdb6c 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -80,10 +80,16 @@ static u8 crash_mode, /* Crash-centric mode? */ hang_mode, /* Minimize as long as it hangs */ exit_crash, /* Treat non-zero exit as crash? */ edges_only, /* Ignore hit counts? */ - exact_mode; /* Require path match for crashes? */ + exact_mode, /* Require path match for crashes? */ + remove_out_file, /* remove out_file on exit? */ + remove_shm = 1; /* remove shmem on exit? */ static volatile u8 stop_soon; /* Ctrl-C pressed? */ +static afl_forkserver_t *fsrv; +static sharedmem_t shm; +static sharedmem_t * shm_fuzz; + /* * forkserver section */ 
@@ -105,6 +111,17 @@ static const u8 count_class_lookup[256] = { }; +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Apply mask to classified bitmap (if set). */ static void apply_mask(u32 *mem, u32 *mask) { @@ -169,7 +186,15 @@ static inline u8 anything_set(afl_forkserver_t *fsrv) { static void at_exit_handler(void) { + if (remove_shm) { + + if (shm.map) afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz); + + } + afl_fsrv_killall(); + if (remove_out_file) unlink(out_file); } @@ -623,6 +648,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } out_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, (u32)getpid()); + remove_out_file = 1; } @@ -802,17 +828,6 @@ static void usage(u8 *argv0) { } -static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, - sharedmem_t * shm_fuzz) { - - afl_shm_deinit(shm_fuzz); - fsrv->support_shmem_fuzz = 0; - fsrv->shmem_fuzz = NULL; - ck_free(shm_fuzz); - return NULL; - -} - /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -823,8 +838,8 @@ int main(int argc, char **argv_orig, char **envp) { char **argv = argv_cpy_dup(argc, argv_orig); - afl_forkserver_t fsrv_var = {0}; - afl_forkserver_t *fsrv = &fsrv_var; + afl_forkserver_t fsrv_var = {0}; + fsrv = &fsrv_var; afl_fsrv_init(fsrv); map_size = get_map_size(); fsrv->map_size = map_size; @@ -1021,7 +1036,6 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); - sharedmem_t shm = {0}; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); atexit(at_exit_handler); 
@@ -1063,8 +1077,8 @@ int main(int argc, char **argv_orig, char **envp) { SAYF("\n"); - sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); - u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); @@ -1138,6 +1152,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("We're done here. Have a nice day!\n"); + remove_shm = 0; afl_shm_deinit(&shm); if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); afl_fsrv_deinit(fsrv); -- cgit 1.4.1 From 07fead04663b491c0a2f9053630e9a175dcbf635 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 26 Jun 2020 01:14:21 +0200 Subject: fix shared memory leaks in afl-showmap, initialize cmplog_mode --- src/afl-analyze.c | 3 +++ src/afl-sharedmem.c | 4 ++-- src/afl-showmap.c | 9 +++++++++ src/afl-tmin.c | 6 ++++++ 4 files changed, 20 insertions(+), 2 deletions(-) (limited to 'src/afl-sharedmem.c') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index f9ba8860..56284f6f 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -1049,6 +1049,9 @@ int main(int argc, char **argv, char **envp) { check_environment_vars(envp); sharedmem_t shm = {0}; + + /* initialize cmplog_mode */ + shm.cmplog_mode = 0; trace_bits = afl_shm_init(&shm, map_size, 0); atexit(at_exit_handler); setup_signal_handlers(); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 44a91a97..de0dc916 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -101,7 +101,7 @@ void afl_shm_deinit(sharedmem_t *shm) { u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrumented_mode) { - shm->map_size = map_size; + shm->map_size = 0; shm->map = NULL; 
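Review bot: `shm.cmplog_mode = 0;` is redundant on the line it follows, because `sharedmem_t shm = {0};` already zero-initialises every member, so the added statement and its comment restate the initialiser. The same assignment is added in afl-showmap.c and afl-tmin.c (`@@ -811`, `@@ -1036`) where `shm` is a file-scope static and therefore also zero-initialised; only the `ck_alloc`'d `shm_fuzz` (`@@ -865`, `@@ -1078`) would need it, and only if `ck_alloc` does not clear memory, which is not visible here. If the intent is to document the dependency, a comment such as `/* cmplog_mode stays 0: afl-analyze never maps the cmplog region */` says why instead.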
@@ -153,7 +153,6 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, u8 *shm_str; shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | 0600); - if (shm->shm_id < 0) { PFATAL("shmget() failed"); } if (shm->cmplog_mode) { @@ -204,6 +203,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, #endif + shm->map_size = map_size; list_append(&shm_list, shm); return shm->map; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 1ab7d0a8..24e83721 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -151,6 +151,7 @@ static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, afl_shm_deinit(shm_fuzz); fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz_len = NULL; fsrv->shmem_fuzz = NULL; ck_free(shm_fuzz); return NULL; @@ -811,6 +812,8 @@ int main(int argc, char **argv_orig, char **envp) { // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } + /* initialize cmplog_mode */ + shm.cmplog_mode = 0; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); setup_signal_handlers(); @@ -865,6 +868,9 @@ int main(int argc, char **argv_orig, char **envp) { } shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + + /* initialize cmplog_mode */ + shm_fuzz->cmplog_mode = 0; u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP @@ -991,6 +997,9 @@ int main(int argc, char **argv_orig, char **envp) { } else { + if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) + shm_fuzz = deinit_shmem(fsrv, shm_fuzz); + showmap_run_target(fsrv, use_argv); tcnt = write_results_to_file(fsrv, out_file); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 5e4bdb6c..2db1eae7 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -116,6 +116,7 @@ static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, afl_shm_deinit(shm_fuzz); fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz_len = NULL; fsrv->shmem_fuzz = NULL; ck_free(shm_fuzz); return NULL; 
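Review bot: The hunk deletes `if (shm->shm_id < 0) { PFATAL("shmget() failed"); }` directly after the `shmget` call and nothing in the hunk replaces it, so a failed allocation (EINVAL for an oversized map, ENOSPC, ENOMEM) now carries `shm_id == -1` into the cmplog `shmget` and the later `shmat`, which then dies with `shmat() failed` and the wrong errno. Unless the check is restored elsewhere in the file, keep it where it was: `if (shm->shm_id < 0) { PFATAL("shmget() failed"); }`. If the deletion was meant to avoid leaking a half-built segment, that belongs in the error path, not in dropping the detection. afl_shm_init continues outside the hunk.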
@@ -1036,6 +1037,8 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); + /* initialize cmplog_mode */ + shm.cmplog_mode = 0; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); atexit(at_exit_handler); @@ -1078,6 +1081,9 @@ int main(int argc, char **argv_orig, char **envp) { SAYF("\n"); shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + + /* initialize cmplog_mode */ + shm_fuzz->cmplog_mode = 0; u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP -- cgit 1.4.1 From 1ecfd784187f2bec19b9040158202cdcdc64f06e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 26 Jun 2020 09:13:07 +0200 Subject: implement sharedmem mmap for cmplog --- docs/Changelog.md | 1 + include/sharedmem.h | 2 ++ src/afl-sharedmem.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 82 insertions(+) (limited to 'src/afl-sharedmem.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 1a9623a7..1ecea274 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -49,6 +49,7 @@ sending a mail to . - Unicornafl - Added powerPC support from unicorn/next - rust bindings! + - CMPLOG/Redqueen now also works for MMAP sharedmem - ensure shmem is released on errors - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not compiled by default anymore. diff --git a/include/sharedmem.h b/include/sharedmem.h index a77ab7c0..b15d0535 100644 --- a/include/sharedmem.h +++ b/include/sharedmem.h @@ -38,6 +38,8 @@ typedef struct sharedmem { /* ================ Proteas ================ */ int g_shm_fd; char g_shm_file_path[L_tmpnam]; + int cmplog_g_shm_fd; + char cmplog_g_shm_file_path[L_tmpnam]; /* ========================================= */ #else s32 shm_id; /* ID of the SHM region */ diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index de0dc916..06f46989 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c 
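Review bot: `char cmplog_g_shm_file_path[L_tmpnam];` sizes the buffer by `L_tmpnam`, which is 20 on glibc, while the name written into it (`/afl_cmplog_%d_%ld` with a pid and a `random()` value) can need about 30 bytes; `snprintf` will silently truncate, the shm object gets a shorter name than intended and the return value is never checked at the call site. Give the field an explicit size large enough for the format (a new enum constant next to the struct) and check the `snprintf` result where the name is built. The pre-existing `g_shm_file_path[L_tmpnam]` immediately above has the same exposure.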
@@ -85,6 +85,38 @@ void afl_shm_deinit(sharedmem_t *shm) { } + if (shm->g_shm_file_path[0]) { + + shm_unlink(shm->g_shm_file_path); + shm->g_shm_file_path[0] = 0; + + } + + if (shm->cmplog_mode) { + + if (shm->cmp_map != NULL) { + + munmap(shm->cmp_map, shm->map_size); + shm->map = NULL; + + } + + if (shm->cmplog_g_shm_fd != -1) { + + close(shm->cmplog_g_shm_fd); + shm->cmplog_g_shm_fd = -1; + + } + + if (shm->cmplog_g_shm_file_path[0]) { + + shm_unlink(shm->cmplog_g_shm_file_path); + shm->cmplog_g_shm_file_path[0] = 0; + + } + + } + #else shmctl(shm->shm_id, IPC_RMID, NULL); if (shm->cmplog_mode) { shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); } @@ -104,10 +136,12 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm->map_size = 0; shm->map = NULL; + shm->cmp_map = NULL; #ifdef USEMMAP shm->g_shm_fd = -1; + shm->cmplog_g_shm_fd = -1; /* ====== generate random file name for multi instance @@ -136,6 +170,8 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, close(shm->g_shm_fd); shm->g_shm_fd = -1; + shm_unlink(shm->g_shm_file_path); + shm->g_shm_file_path[0] = 0; PFATAL("mmap() failed"); } 
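Review bot: In the new cmplog branch of `afl_shm_deinit`, `munmap(shm->cmp_map, shm->map_size); shm->map = NULL;` clears the wrong pointer — `shm->cmp_map` stays dangling while `shm->map` is nulled — so a second call would pass the stale address to `munmap` again; it should read `shm->cmp_map = NULL;`. The `munmap` length is `shm->map_size`, which only matches because the mmap path sizes the cmplog region by `map_size` (the `@@ -149` hunk) rather than by `sizeof(struct cmp_map)` as the SysV `shmget` does; if that sizing is corrected, this length must follow. afl_shm_deinit continues outside the hunk on both sides.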
@@ -149,6 +185,49 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, if (shm->map == (void *)-1 || !shm->map) PFATAL("mmap() failed"); + if (shm->cmplog_mode) { + + snprintf(shm->cmplog_g_shm_file_path, L_tmpnam, "/afl_cmplog_%d_%ld", + getpid(), random()); + + /* create the shared memory segment as if it was a file */ + shm->cmplog_g_shm_fd = + shm_open(shm->cmplog_g_shm_file_path, O_CREAT | O_RDWR | O_EXCL, 0600); + if (shm->cmplog_g_shm_fd == -1) { PFATAL("shm_open() failed"); } + + /* configure the size of the shared memory segment */ + if (ftruncate(shm->cmplog_g_shm_fd, map_size)) { + + PFATAL("setup_shm(): cmplog ftruncate() failed"); + + } + + /* map the shared memory segment to the address space of the process */ + shm->cmp_map = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, + shm->cmplog_g_shm_fd, 0); + if (shm->map == MAP_FAILED) { + + close(shm->cmplog_g_shm_fd); + shm->cmplog_g_shm_fd = -1; + shm_unlink(shm->cmplog_g_shm_file_path); + shm->cmplog_g_shm_file_path[0] = 0; + PFATAL("mmap() failed"); + + } + + /* If somebody is asking us to fuzz instrumented binaries in + non-instrumented mode, we don't want them to detect instrumentation, + since we won't be sending fork server commands. This should be replaced + with better auto-detection later on, perhaps? */ + + if (!non_instrumented_mode) + setenv(CMPLOG_SHM_ENV_VAR, shm->cmplog_g_shm_file_path, 1); + + if (shm->cmp_map == (void *)-1 || !shm->cmp_map) + PFATAL("cmplog mmap() failed"); + + } + #else u8 *shm_str; -- cgit 1.4.1 From 4103687f766405339b59d595b7ab7e5cd6f8ca33 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 27 Jun 2020 00:13:24 +0200 Subject: afl-sharedmem.c: fix leaks on error paths (SysV shared memory) --- include/debug.h | 2 +- src/afl-sharedmem.c | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) (limited to 'src/afl-sharedmem.c') diff --git a/include/debug.h b/include/debug.h index 9dd21ace..d1bd971b 100644 --- a/include/debug.h 
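Review bot: The failure test after the cmplog `mmap` examines the wrong variable: `shm->cmp_map = mmap(…); if (shm->map == MAP_FAILED)` checks the already-mapped coverage map, so a failed cmplog mapping skips the `close`/`shm_unlink` cleanup, publishes the path with `setenv(CMPLOG_SHM_ENV_VAR, …)`, and is only caught by the trailing `if (shm->cmp_map == (void *)-1 || !shm->cmp_map)`; change it to `if (shm->cmp_map == MAP_FAILED) {` and the trailing check becomes redundant. The region is also sized by `map_size` in both `ftruncate` and `mmap`, whereas the SysV branch allocates `sizeof(struct cmp_map)`; unless `struct cmp_map` is guaranteed to fit within `map_size`, writes past the end of the shm object will fault, so `sizeof(struct cmp_map)` should be used on this path as well. afl_shm_init continues outside the hunk.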
+++ b/include/debug.h @@ -262,7 +262,7 @@ \ } while (0) -/* Die with FAULT() or PFAULT() depending on the value of res (used to +/* Die with FATAL() or PFATAL() depending on the value of res (used to interpret different failure modes for read(), write(), etc). */ #define RPFATAL(res, x...) \ diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 06f46989..77767f21 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -239,7 +239,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm->cmplog_shm_id = shmget(IPC_PRIVATE, sizeof(struct cmp_map), IPC_CREAT | IPC_EXCL | 0600); - if (shm->cmplog_shm_id < 0) { PFATAL("shmget() failed"); } + if (shm->cmplog_shm_id < 0) { + shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem + PFATAL("shmget() failed"); + } } @@ -266,7 +269,13 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm->map = shmat(shm->shm_id, NULL, 0); - if (shm->map == (void *)-1 || !shm->map) { PFATAL("shmat() failed"); } + if (shm->map == (void *)-1 || !shm->map) { + shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem + if (shm->cmplog_mode) { + shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); // do not leak shmem + } + PFATAL("shmat() failed"); + } if (shm->cmplog_mode) { @@ -274,6 +283,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, if (shm->cmp_map == (void *)-1 || !shm->cmp_map) { + shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem + if (shm->cmplog_mode) { + shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); // do not leak shmem + } PFATAL("shmat() failed"); } -- cgit 1.4.1 From ee17782e61f7991304b4ecda5b06191f755ced73 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 28 Jun 2020 00:13:31 +0200 Subject: fix output for LTOinstrim --- llvm_mode/afl-llvm-lto-instrim.so.cc | 18 ++++++++++++------ src/afl-sharedmem.c | 20 +++++++++++++++----- 2 files changed, 27 insertions(+), 11 deletions(-) (limited to 'src/afl-sharedmem.c') 
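Review bot: The cleanup added on the `cmp_map` attach failure re-tests `if (shm->cmplog_mode)` although this block is only reached inside `if (shm->cmplog_mode) {` (opened at the end of the `@@ -266` hunk), so the inner check is dead and hides that `cmplog_shm_id` is always valid here; the lines reduce to `shmctl(shm->shm_id, IPC_RMID, NULL); shmctl(shm->cmplog_shm_id, IPC_RMID, NULL);`. Both attach failures also die with the identical `PFATAL("shmat() failed")`, so a log cannot tell which segment failed; `PFATAL("cmplog shmat() failed")` on the second one aids triage. The guard in the `@@ -266` hunk is correct, since the cmplog id does not exist when `cmplog_mode` is off. afl_shm_init continues outside the hunk.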
diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index 5f9731c2..4b89c9d0 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -110,8 +110,9 @@ struct InsTrimLTO : public ModulePass { bool runOnModule(Module &M) override { - char be_quiet = 0; - char *ptr; + char be_quiet = 0; + char * ptr; + uint32_t locations = 0, functions = 0; setvbuf(stdout, NULL, _IONBF, 0); @@ -563,6 +564,8 @@ struct InsTrimLTO : public ModulePass { if (F.size() < function_minimum_size) continue; if (isBlacklisted(&F)) continue; + functions++; + // whitelist check AttributeList Attrs = F.getAttributes(); if (Attrs.hasAttribute(-1, StringRef("skipinstrument"))) { @@ -659,6 +662,7 @@ struct InsTrimLTO : public ModulePass { if (PI == PE) { L = ConstantInt::get(Int32Ty, afl_global_id++); + locations++; } else { @@ -670,6 +674,7 @@ struct InsTrimLTO : public ModulePass { auto It = PredMap.insert({PBB, afl_global_id++}); unsigned Label = It.first->second; PN->addIncoming(ConstantInt::get(Int32Ty, Label), PBB); + locations++; } @@ -887,7 +892,7 @@ struct InsTrimLTO : public ModulePass { for (BasicBlock *Succ : successors(Pred)) if (Succ != NULL) count++; - if (count > 1) return true; + if (count > 1) would_instrument = true; } @@ -912,11 +917,12 @@ struct InsTrimLTO : public ModulePass { getenv("AFL_USE_MSAN") ? ", MSAN" : "", getenv("AFL_USE_CFISAN") ? ", CFISAN" : "", getenv("AFL_USE_UBSAN") ? ", UBSAN" : ""); - OKF("Instrumented %u locations (%llu, %llu) with no collisions (on " + OKF("Instrumented %u locations for %u edges in %u functions (%llu, " + "%llu) with no collisions (on " "average %llu collisions would be in afl-gcc/afl-clang-fast for %u " "edges) (%s mode).", - inst_blocks, total_rs, total_hs, calculateCollisions(edges), edges, - modeline); + inst_blocks, locations, functions, total_rs, total_hs, + calculateCollisions(edges), edges, modeline); } 
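Review bot: `functions++;` in the `@@ -563` hunk is incremented before the whitelist check that follows it, so if the `skipinstrument` branch `continue`s (its body is cut off by the hunk) the `%u functions` figure printed in the `@@ -912` hunk counts functions that were not instrumented; moving the increment after the last `continue` in that chain gives a number consistent with `locations`. In the `@@ -887` hunk, `return true` becoming `would_instrument = true` lets the loop run to completion — presumably so the count is complete, but whether `would_instrument` is returned afterwards is outside the hunk. runOnModule starts and ends outside these hunks.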
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 77767f21..6eb63949 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -240,8 +240,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, IPC_CREAT | IPC_EXCL | 0600); if (shm->cmplog_shm_id < 0) { - shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem + + shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem PFATAL("shmget() failed"); + } } @@ -270,11 +272,16 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm->map = shmat(shm->shm_id, NULL, 0); if (shm->map == (void *)-1 || !shm->map) { - shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem + + shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem if (shm->cmplog_mode) { - shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); // do not leak shmem + + shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); // do not leak shmem + } + PFATAL("shmat() failed"); + } if (shm->cmplog_mode) { @@ -283,10 +290,13 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, if (shm->cmp_map == (void *)-1 || !shm->cmp_map) { - shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem + shmctl(shm->shm_id, IPC_RMID, NULL); // do not leak shmem if (shm->cmplog_mode) { - shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); // do not leak shmem + + shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); // do not leak shmem + } + PFATAL("shmat() failed"); } -- cgit 1.4.1