From 51a346bcbeb66d159b01c6fd37616824c32ee569 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 19 Mar 2020 19:22:57 +0100 Subject: 50% less globals --- src/afl-tmin.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'src/afl-tmin.c') diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 17e9af5a..9a3a72da 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -398,8 +398,7 @@ static void init_forkserver(char **argv) { static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, u8 first_run) { - static struct itimerval it; - static u32 prev_timed_out = 0; + struct itimerval it; int status = 0; u32 cksum; @@ -416,7 +415,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, /* we have the fork server up and running, so simply tell it to have at it, and then read back PID. */ - if ((res = write(fsrv->fsrv_ctl_fd, &prev_timed_out, 4)) != 4) { + if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, 4)) != 4) { if (stop_soon) return 0; RPFATAL(res, "Unable to request new process from fork server (OOM?)"); -- cgit 1.4.1 From b6fa63abdfb62fba1a00d9b5401ee69cf1bced1a Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 19 Mar 2020 19:23:58 +0100 Subject: code format --- include/afl-fuzz.h | 15 ++++----- qemu_mode/patches/afl-qemu-tcg-runtime-inl.h | 4 +-- src/afl-forkserver.c | 2 +- src/afl-fuzz-cmplog.c | 15 ++++----- src/afl-fuzz-init.c | 4 +-- src/afl-fuzz-misc.c | 4 +-- src/afl-fuzz-mutators.c | 3 +- src/afl-fuzz-one.c | 13 +++++--- src/afl-fuzz-queue.c | 2 +- src/afl-fuzz-run.c | 16 ++++++---- src/afl-fuzz-stats.c | 46 +++++++++++++++++----------- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 13 files changed, 74 insertions(+), 54 deletions(-) (limited to 'src/afl-tmin.c') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 913b08e6..28156268 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h 
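Review bot: `struct itimerval it;` on the new side of the first afl-tmin.c hunk is an indeterminate automatic, whereas the removed `static struct itimerval it;` was zero-initialised by virtue of static storage; if the rest of run_target (its body continues outside the hunk) only assigns `it.it_value` before calling `setitimer`, then `it.it_interval` now holds whatever was on the stack and the timer may rearm periodically or fail with EINVAL. Initialise at the declaration, `struct itimerval it = {0};`, so the interval is zero on every path regardless of which fields the body sets.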
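Review bot: The new line `write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, 4)` keeps the hard-coded 4-byte width now that the variable has moved into the forkserver struct; if `prev_timed_out` is ever declared with a different width than the removed `u32` local, the control-pipe protocol silently desynchronises. Prefer `sizeof(fsrv->prev_timed_out)` for both the length and the comparison, e.g. `if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, sizeof(fsrv->prev_timed_out))) != (ssize_t)sizeof(fsrv->prev_timed_out))`. The removed local was reset to 0 at its declaration, but the hunk does not show where `fsrv->prev_timed_out` is initialised or updated after a timed-out run; presumably afl_fsrv_init and the tail of run_target (outside this hunk) do that, which is worth confirming.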
@@ -109,7 +109,8 @@ #define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ -#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state */ +#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state \ + */ extern s8 interesting_8[INTERESTING_8_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; @@ -542,7 +543,7 @@ typedef struct afl_state { /* cmplog forkserver ids */ s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; - u32 cmplog_prev_timed_out; + u32 cmplog_prev_timed_out; u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ @@ -559,13 +560,13 @@ typedef struct afl_state { #endif /* statis file */ - double last_bitmap_cvg, last_stability, last_eps; + double last_bitmap_cvg, last_stability, last_eps; /* plot file saves from last run */ u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md; u64 plot_prev_qc, plot_prev_uc, plot_prev_uh; - u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; + u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; double stats_avg_exec; u8 clean_trace[MAP_SIZE]; @@ -800,9 +801,9 @@ u8 has_new_bits(afl_state_t *, u8 *); /* Misc */ -u8 *DI(u64); -u8 *DF(double); -u8 *DMS(u64); +u8 * DI(u64); +u8 * DF(double); +u8 * DMS(u64); void DTD(u8 *, size_t, u64, u64); /* Extras */ diff --git a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h index b7cd71bb..1526f09c 100644 --- a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h +++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h @@ -185,8 +185,8 @@ void HELPER(afl_cmplog_rtn)(CPUArchState *env) { if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return; // when this hook is executed, the retaddr is not on stack yet - void *ptr1 = g2h(stack[0]); - void *ptr2 = g2h(stack[1]); + void * ptr1 = g2h(stack[0]); + void * ptr2 = g2h(stack[1]); #else 
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a77684a7..68ffe28d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -168,7 +168,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { unsigned char tmp[4] = {0}; - pid_t child_pid = -1; + pid_t child_pid = -1; /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 7af7b84c..6211548b 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -32,9 +32,9 @@ void init_cmplog_forkserver(afl_state_t *afl) { struct timeval timeout; - int st_pipe[2], ctl_pipe[2]; - int status; - s32 rlen; + int st_pipe[2], ctl_pipe[2]; + int status; + s32 rlen; ACTF("Spinning up the cmplog fork server..."); @@ -373,9 +373,9 @@ void init_cmplog_forkserver(afl_state_t *afl) { u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { struct timeval it; - int status = 0; - int sret; - u64 exec_ms; + int status = 0; + int sret; + u64 exec_ms; u32 tb4; s32 res; @@ -394,7 +394,8 @@ u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { /* Since we always have a forkserver (or a fauxserver) running, we can simply tell them to have at it and read back the pid from it.*/ - if ((res = write(afl->cmplog_fsrv_ctl_fd, &afl->cmplog_prev_timed_out, 4)) != 4) { + if ((res = write(afl->cmplog_fsrv_ctl_fd, &afl->cmplog_prev_timed_out, 4)) != + 4) { if (afl->stop_soon) return 0; RPFATAL(res, diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 8acb305c..ab455417 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -797,7 +797,7 @@ void pivot_inputs(afl_state_t *afl) { u32 find_start_position(afl_state_t *afl) { - u8 tmp[4096] = {0}; /* Ought to be enough for anybody. */ + u8 tmp[4096] = {0}; /* Ought to be enough for anybody. */ u8 *fn, *off; s32 fd, i; 
@@ -834,7 +834,7 @@ u32 find_start_position(afl_state_t *afl) { void find_timeout(afl_state_t *afl) { - u8 tmp[4096] = {0}; /* Ought to be enough for anybody. */ + u8 tmp[4096] = {0}; /* Ought to be enough for anybody. */ u8 *fn, *off; s32 fd, i; diff --git a/src/afl-fuzz-misc.c b/src/afl-fuzz-misc.c index d0db79d6..90e0ee8a 100644 --- a/src/afl-fuzz-misc.c +++ b/src/afl-fuzz-misc.c @@ -166,8 +166,8 @@ u8 *DMS(u64 val) { void DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { - u64 delta; - s32 t_d, t_h, t_m, t_s; + u64 delta; + s32 t_d, t_h, t_m, t_s; if (!event_ms) snprintf(buf, len, "none seen yet"); diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 5d39c2ee..9788da49 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -196,7 +196,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { u32 trim_exec = 0; u32 orig_len = q->len; - if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; + if (afl->stage_name != afl->stage_name_buf) + afl->stage_name = afl->stage_name_buf; afl->bytes_trim_in += q->len; /* Initialize trimming in the custom mutator */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index ebb863ca..c1458dbb 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -1680,7 +1680,8 @@ havoc_stage: perf_score = orig_perf; snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle); - if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; + if (afl->stage_name != afl->stage_name_buf) + afl->stage_name = afl->stage_name_buf; afl->stage_short = "splice"; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; 
@@ -3573,9 +3574,10 @@ pacemaker_fuzzing: perf_score = orig_perf; - snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, MOpt_globals.splice_stageformat, - splice_cycle); - if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; + snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, + MOpt_globals.splice_stageformat, splice_cycle); + if (afl->stage_name != afl->stage_name_buf) + afl->stage_name = afl->stage_name_buf; afl->stage_short = MOpt_globals.splice_stagenameshort; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; @@ -3623,7 +3625,8 @@ pacemaker_fuzzing: } else { perf_score = orig_perf; - snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, MOpt_globals.splice_stageformat, splice_cycle); + snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, + MOpt_globals.splice_stageformat, splice_cycle); afl->stage_name = afl->stage_name_buf; afl->stage_short = MOpt_globals.splice_stagenameshort; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 00bad48f..8a995727 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -254,7 +254,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { void cull_queue(afl_state_t *afl) { struct queue_entry *q; - u8 temp_v[MAP_SIZE >> 3]; + u8 temp_v[MAP_SIZE >> 3]; u32 i; if (afl->dumb_mode || !afl->score_changed) return; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index c65cdce3..500c5ba2 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -38,8 +38,8 @@ u8 run_target(afl_state_t *afl, u32 timeout) { fd_set readfds; struct timeval it; - int status = 0; - u32 tb4; + int status = 0; + u32 tb4; afl->fsrv.child_timed_out = 0; 
@@ -361,7 +361,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, for (i = 0; i < MAP_SIZE; ++i) { - if (!afl->var_bytes[i] && afl->first_trace[i] != afl->fsrv.trace_bits[i]) { + if (!afl->var_bytes[i] && + afl->first_trace[i] != afl->fsrv.trace_bits[i]) { afl->var_bytes[i] = 1; afl->stage_max = CAL_CYCLES_LONG; @@ -500,7 +501,8 @@ void sync_fuzzers(afl_state_t *afl) { snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "sync %u", ++sync_cnt); - if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; + if (afl->stage_name != afl->stage_name_buf) + afl->stage_name = afl->stage_name_buf; afl->stage_cur = 0; afl->stage_max = 0; @@ -607,7 +609,8 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { if (q->len < 5) return 0; - if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; + if (afl->stage_name != afl->stage_name_buf) + afl->stage_name = afl->stage_name_buf; afl->bytes_trim_in += q->len; /* Select initial chunk len, starting with large steps. */ @@ -623,7 +626,8 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { u32 remove_pos = remove_len; - snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s", DI(remove_len), DI(remove_len)); + snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s", DI(remove_len), + DI(remove_len)); afl->stage_cur = 0; afl->stage_max = q->len / remove_len; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d4b27625..c89820d8 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
@@ -192,20 +192,22 @@ static void check_term_size(afl_state_t *afl) { void show_stats(afl_state_t *afl) { - double t_byte_ratio, stab_ratio; + double t_byte_ratio, stab_ratio; u64 cur_ms; u32 t_bytes, t_bits; u32 banner_len, banner_pad; u8 tmp[256]; - u8 time_tmp[64]; + u8 time_tmp[64]; cur_ms = get_cur_time(); /* If not enough time has passed since last UI update, bail out. */ - if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ && !afl->force_ui_update) return; + if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ && + !afl->force_ui_update) + return; /* Check if we're past the 10 minute mark. */ @@ -215,18 +217,22 @@ void show_stats(afl_state_t *afl) { if (!afl->stats_last_execs) { - afl->stats_avg_exec = ((double)afl->total_execs) * 1000 / (cur_ms - afl->start_time); + afl->stats_avg_exec = + ((double)afl->total_execs) * 1000 / (cur_ms - afl->start_time); } else { - double cur_avg = ((double)(afl->total_execs - afl->stats_last_execs)) * 1000 / (cur_ms - afl->stats_last_ms); + double cur_avg = ((double)(afl->total_execs - afl->stats_last_execs)) * + 1000 / (cur_ms - afl->stats_last_ms); /* If there is a dramatic (5x+) jump in speed, reset the indicator more quickly. */ - if (cur_avg * 5 < afl->stats_avg_exec || cur_avg / 5 > afl->stats_avg_exec) afl->stats_avg_exec = cur_avg; + if (cur_avg * 5 < afl->stats_avg_exec || cur_avg / 5 > afl->stats_avg_exec) + afl->stats_avg_exec = cur_avg; - afl->stats_avg_exec = afl->stats_avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) + cur_avg * (1.0 / AVG_SMOOTHING); + afl->stats_avg_exec = afl->stats_avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) + + cur_avg * (1.0 / AVG_SMOOTHING); } @@ -348,9 +354,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { 
@@ -383,7 +389,8 @@ void show_stats(afl_state_t *afl) { DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->start_time); SAYF(bV bSTOP " run time : " cRST "%-33s " bSTG bV bSTOP - " cycles done : %s%-5s " bSTG bV "\n", time_tmp, tmp, DI(afl->queue_cycle - 1)); + " cycles done : %s%-5s " bSTG bV "\n", + time_tmp, tmp, DI(afl->queue_cycle - 1)); /* We want to warn people about not seeing new paths after a full cycle, except when resuming fuzzing or running in non-instrumented mode. */ @@ -420,18 +427,20 @@ void show_stats(afl_state_t *afl) { DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_crash_time); SAYF(bV bSTOP " last uniq crash : " cRST "%-33s " bSTG bV bSTOP - " uniq crashes : %s%-6s" bSTG bV "\n", time_tmp, afl->unique_crashes ? cLRD : cRST, tmp); + " uniq crashes : %s%-6s" bSTG bV "\n", + time_tmp, afl->unique_crashes ? cLRD : cRST, tmp); sprintf(tmp, "%s%s", DI(afl->unique_hangs), (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_hang_time); SAYF(bV bSTOP " last uniq hang : " cRST "%-33s " bSTG bV bSTOP - " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); + " uniq hangs : " cRST "%-6s" bSTG bV "\n", + time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to 
@@ -460,9 +469,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -526,13 +535,14 @@ void show_stats(afl_state_t *afl) { } sprintf(tmp, "%s (%s%s unique)", DI(afl->total_tmouts), - DI(afl->unique_tmouts), (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + DI(afl->unique_tmouts), + (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-22s" bSTG bV "\n", tmp); /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index cc771c5a..712b50bd 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -264,7 +264,7 @@ static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len) { struct itimerval it; - int status = 0; + int status = 0; memset(fsrv->trace_bits, 0, MAP_SIZE); MEM_BARRIER(); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 9a3a72da..9238abab 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -399,7 +399,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, u8 first_run) { struct itimerval it; - int status = 0; + int status = 0; u32 cksum; -- cgit 1.4.1 From b22e890ec243c31fedc06ff3a68f62ca2b8c0ab6 Mon Sep 17 00:00:00 2001 
From: Dominik Maier Date: Thu, 19 Mar 2020 21:32:08 +0100 Subject: fixed resize; removed more statics --- src/afl-analyze.c | 14 ----- src/afl-forkserver.c | 46 +++++----------- src/afl-fuzz-init.c | 7 +-- src/afl-gotcpu.c | 2 +- src/afl-showmap.c | 5 -- src/afl-tmin.c | 150 --------------------------------------------------- 6 files changed, 16 insertions(+), 208 deletions(-) (limited to 'src/afl-tmin.c') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 2148cdf0..d509c43e 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -207,15 +207,6 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) { } -/* Handle timeout signal. */ - -static void handle_timeout(int sig) { - - child_timed_out = 1; - if (child_pid > 0) kill(child_pid, SIGKILL); - -} - /* Execute target application. Returns exec checksum, or 0 if program times out. */ @@ -770,11 +761,6 @@ static void setup_signal_handlers(void) { sigaction(SIGINT, &sa, NULL); sigaction(SIGTERM, &sa, NULL); - /* Exec timeout notifications. */ - - sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); - } /* Display usage hints. */ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 68ffe28d..6755a73c 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -51,18 +51,17 @@ extern u8 *doc_path; -u8 *forkserver_DMS(u64 val) { +static void forkserver_stringify_int(u8 *buf, size_t len, u64 val) { - static u8 tmp[12][16]; - static u8 cur; + u8 cur = 0; #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ do { \ \ if (val < (_divisor) * (_limit_mult)) { \ \ - sprintf(tmp[cur], _fmt, ((_cast)val) / (_divisor)); \ - return tmp[cur]; \ + snprintf(buf, len, _fmt, ((_cast)val) / (_divisor));\ + return; \ \ } \ \ 
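Review bot: `u8 cur = 0;` in forkserver_stringify_int is now dead: the rewritten CHK_FORMAT writes through `snprintf(buf, len, ...)` and nothing in the hunk indexes by `cur` any more, so the line only draws an unused-variable warning and should be dropped. The function also changes from the external `u8 *forkserver_DMS(u64)` to a `static void` helper with a caller-supplied buffer; if the old name is declared in a header (not part of this diff), that prototype needs to go too, otherwise any other translation unit still calling it fails at link time. The remaining CHK_FORMAT instantiations and the function's tail lie outside this hunk.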
@@ -106,36 +105,13 @@ u8 *forkserver_DMS(u64 val) { #undef CHK_FORMAT /* 100T+ */ - strcpy(tmp[cur], "infty"); - return tmp[cur]; + strncpy(buf, "infty", len - 1); + buf[len - 1] = '\0'; } list_t fsrv_list = {.element_prealloc_count = 0}; -/* the timeout handler */ - -void handle_timeout(int sig) { - - LIST_FOREACH(&fsrv_list, afl_forkserver_t, { - - // TODO: We need a proper timer to handle multiple timeouts - if (el->child_pid > 0) { - - el->child_timed_out = 1; - kill(el->child_pid, SIGKILL); - - } else if (el->child_pid == -1 && el->fsrv_pid > 0) { - - el->child_timed_out = 1; - kill(el->fsrv_pid, SIGKILL); - - } - - }); - -} - /* Initializes the struct */ void afl_fsrv_init(afl_forkserver_t *fsrv) { @@ -477,6 +453,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { } else { + u8 mem_limit_buf[16]; + forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf), fsrv->mem_limit << 20); + SAYF("\n" cLRD "[-] " cRST "Whoops, the target binary crashed suddenly, " "before receiving any input\n" @@ -509,7 +488,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { "options\n" " fail, poke for troubleshooting " "tips.\n", - forkserver_DMS(fsrv->mem_limit << 20), fsrv->mem_limit - 1); + mem_limit_buf, fsrv->mem_limit - 1); } @@ -544,6 +523,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { } else { + u8 mem_limit_buf[16]; + forkserver_stringify_int(mem_limit_buf, sizeof(mem_limit_buf), fsrv->mem_limit << 20); + SAYF( "\n" cLRD "[-] " cRST "Hmm, looks like the target binary terminated " @@ -575,7 +557,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { "never\n" " reached before the program terminates.\n\n" : "", - forkserver_DMS(fsrv->mem_limit << 20), fsrv->mem_limit - 1); + mem_limit_buf, fsrv->mem_limit - 1); } diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index ab455417..48ccbe9c 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c 
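Review bot: `strncpy(buf, "infty", len - 1); buf[len - 1] = '\0';` underflows when `len` is 0 (`len - 1` wraps to SIZE_MAX for a size_t) and then writes `buf[SIZE_MAX]`; the CHK_FORMAT cases above already rely on snprintf honouring the bound, so the tail should do the same: `snprintf(buf, len, "infty");`, which also terminates correctly for every non-zero `len`. Separately, this hunk deletes `handle_timeout` while the SIGALRM `sigaction` registrations are removed in afl-analyze.c, afl-fuzz-init.c, afl-showmap.c and afl-tmin.c, yet no replacement for the exec timeout is visible anywhere in this diff; unless another mechanism lands elsewhere, a pending `setitimer(ITIMER_REAL, …)` now delivers SIGALRM with its default disposition and terminates the tool itself rather than the child, and `child_timed_out` is never set. A comment at the deletion site naming where the timeout is now handled would make the intent reviewable.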
@@ -1787,7 +1787,7 @@ void fix_up_sync(afl_state_t *afl) { static void handle_resize(int sig) { - LIST_FOREACH(&afl_states, afl_state_t, { el->clear_screen; }); + LIST_FOREACH(&afl_states, afl_state_t, { el->clear_screen = 1; }); } @@ -2125,11 +2125,6 @@ void setup_signal_handlers(void) { sigaction(SIGINT, &sa, NULL); sigaction(SIGTERM, &sa, NULL); - /* Exec timeout notifications. */ - - sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); - /* Window resize */ sa.sa_handler = handle_resize; diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index 70ed4dbc..6ca7c071 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -90,7 +90,7 @@ static u64 get_cpu_usage_us(void) { static u32 measure_preemption(u32 target_ms) { - static volatile u32 v1, v2; + volatile u32 v1, v2; u64 st_t, en_t, st_c, en_c, real_delta, slice_delta; s32 loop_repeats = 0; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 712b50bd..caacefe4 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -578,11 +578,6 @@ static void setup_signal_handlers(void) { sigaction(SIGINT, &sa, NULL); sigaction(SIGTERM, &sa, NULL); - /* Exec timeout notifications. */ - - sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); - } /* Show banner. */ diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 9238abab..2275aef5 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c 
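Review bot: `el->clear_screen = 1;` correctly replaces the no-op expression statement `el->clear_screen;`, but handle_resize is a signal handler walking `afl_states` via LIST_FOREACH; unless `clear_screen` is declared `volatile sig_atomic_t` (its declaration is not in this diff), the compiler is free to assume the main loop's copy of the field is unchanged between its own stores, and traversing a list the main thread may be modifying is not async-signal-safe. Consider having the handler set one file-scope `volatile sig_atomic_t` resize flag and propagating it to each state from the main loop, or at least confirm the field's type and that the list is never mutated while handlers are installed.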
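Review bot: `volatile u32 v1, v2;` in measure_preemption replaces static (zero-initialised) storage with indeterminate automatics; the function body is outside the hunk, so if the busy loop reads `v1` or `v2` before its first assignment, that read is now of an indeterminate value rather than 0. Initialising at the declaration, `volatile u32 v1 = 0, v2 = 0;`, restores the previous starting state at no cost and removes the need to audit the loop for read-before-write.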
@@ -247,151 +247,6 @@ static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { } -/* Handle timeout signal. */ -/* -static void handle_timeout(int sig) { - - if (child_pid > 0) { - - child_timed_out = 1; - kill(child_pid, SIGKILL); - - } else if (child_pid == -1 && forksrv_pid > 0) { - - child_timed_out = 1; - kill(forksrv_pid, SIGKILL); - - } - -} - -*/ - -/* start the app and it's forkserver */ -/* -static void init_forkserver(char **argv) { - - static struct itimerval it; - int st_pipe[2], ctl_pipe[2]; - int status = 0; - s32 rlen; - - ACTF("Spinning up the fork server..."); - if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); - - forksrv_pid = fork(); - - if (forksrv_pid < 0) PFATAL("fork() failed"); - - if (!forksrv_pid) { - - struct rlimit r; - - if (dup2(use_stdin ? out_fd : dev_null_fd, 0) < 0 || - dup2(dev_null_fd, 1) < 0 || - dup2(dev_null_fd, 2) < 0) { - - *(u32*)trace_bits = EXEC_FAIL_SIG; - PFATAL("dup2() failed"); - - } - - close(dev_null_fd); - close(out_fd); - - setsid(); - - if (mem_limit) { - - r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; - -#ifdef RLIMIT_AS - - setrlimit(RLIMIT_AS, &r); // Ignore errors - -#else - - setrlimit(RLIMIT_DATA, &r); // Ignore errors - -#endif // ^RLIMIT_AS - - } - - r.rlim_max = r.rlim_cur = 0; - setrlimit(RLIMIT_CORE, &r); // Ignore errors - - // Set up control and status pipes, close the unneeded original fds. - - if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); - if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); - - close(ctl_pipe[0]); - close(ctl_pipe[1]); - close(st_pipe[0]); - close(st_pipe[1]); - - execv(fsrv->target_path, argv); - - *(u32*)trace_bits = EXEC_FAIL_SIG; - exit(0); - - } - - // Close the unneeded endpoints. - - close(ctl_pipe[0]); - close(st_pipe[1]); - - fsrv_ctl_fd = ctl_pipe[1]; - fsrv_st_fd = st_pipe[0]; - - // Configure timeout, wait for child, cancel timeout. 
- - if (exec_tmout) { - - child_timed_out = 0; - it.it_value.tv_sec = (exec_tmout * FORK_WAIT_MULT / 1000); - it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; - - } - - setitimer(ITIMER_REAL, &it, NULL); - - rlen = read(fsrv_st_fd, &status, 4); - - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - setitimer(ITIMER_REAL, &it, NULL); - - // If we have a four-byte "hello" message from the server, we're all set. - // Otherwise, try to figure out what went wrong. - - if (rlen == 4) { - - ACTF("All right - fork server is up."); - return; - - } - - if (waitpid(forksrv_pid, &status, 0) <= 0) - PFATAL("waitpid() failed"); - - u8 child_crashed; - - if (WIFSIGNALED(status)) - child_crashed = 1; - - if (child_timed_out) - SAYF(cLRD "\n+++ Program timed off +++\n" cRST); - else if (stop_soon) - SAYF(cLRD "\n+++ Program aborted by user +++\n" cRST); - else if (child_crashed) - SAYF(cLRD "\n+++ Program killed by signal %u +++\n" cRST, WTERMSIG(status)); - -} - -*/ - /* Execute target application. Returns 0 if the changes are a dud, or 1 if they should be kept. */ @@ -961,11 +816,6 @@ static void setup_signal_handlers(void) { sigaction(SIGINT, &sa, NULL); sigaction(SIGTERM, &sa, NULL); - /* Exec timeout notifications. */ - - sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); - } /* Display usage hints. */ -- cgit 1.4.1