From a632c00b0d023b8a40d09839fbb2662da1cb5d37 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 16:08:49 +0200 Subject: switch to faster and better hash + random --- src/afl-tmin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-tmin.c') diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 091e5177..13fee660 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -300,7 +300,7 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, if (ret == FSRV_RUN_NOINST) { FATAL("Binary not instrumented?"); } - u32 cksum = hash32(fsrv->trace_bits, fsrv->map_size, HASH_CONST); + u64 cksum = hash64(fsrv->trace_bits, fsrv->map_size, HASH_CONST); if (first_run) { orig_cksum = cksum; } -- cgit 1.4.1 From 40aca0b6b398d8de0ecc17cf075e0eb79ec15d81 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 16:33:20 +0200 Subject: fix for checksums --- include/xxh3.h | 4 +- include/xxhash.h | 469 +++++++++++++++++++++++++++--------------------------- src/afl-analyze.c | 3 +- src/afl-fuzz.c | 7 +- src/afl-tmin.c | 3 +- 5 files changed, 250 insertions(+), 236 deletions(-) (limited to 'src/afl-tmin.c') diff --git a/include/xxh3.h b/include/xxh3.h index 54d5bf60..2354bde9 100644 --- a/include/xxh3.h +++ b/include/xxh3.h @@ -350,6 +350,7 @@ (outHi) = vget_high_u32(vreinterpretq_u32_u64(in)); \ \ } while (0) + #else #define XXH_SPLIT_IN_PLACE(in, outLo, outHi) \ do { \ @@ -358,6 +359,7 @@ (outHi) = vshrn_n_u64((in), 32); \ \ } while (0) + #endif #endif /* XXH_VECTOR == XXH_NEON */ @@ -1638,7 +1640,7 @@ XXH_FORCE_INLINE void XXH3_accumulate_512_vsx(void *XXH_RESTRICT acc, } else { /* XXH3_acc_128bits */ - /* swap high and low halves */ + /* swap high and low halves */ #ifdef __s390x__ xxh_u64x2 const data_swapped = vec_permi(data_vec, data_vec, 2); #else diff --git a/include/xxhash.h b/include/xxhash.h index b4d640ae..825eed65 100644 --- a/include/xxhash.h +++ b/include/xxhash.h 
@@ -414,7 +414,7 @@ XXH64_hashFromCanonical(const XXH64_canonical_t *src); * These declarations should only be used with static linking. * Never use them in association with dynamic linking! ***************************************************************************** -*/ + */ /* * These definitions are only present to allow static allocation of an XXH @@ -1165,8 +1165,8 @@ static int XXH_isLittleEndian(void) { return one.c[0]; } -\ - #define XXH_CPU_LITTLE_ENDIAN XXH_isLittleEndian() + +#define XXH_CPU_LITTLE_ENDIAN XXH_isLittleEndian() #endif #endif @@ -1374,13 +1374,14 @@ static xxh_u32 XXH32_avalanche(xxh_u32 h32) { static xxh_u32 XXH32_finalize(xxh_u32 h32, const xxh_u8 *ptr, size_t len, XXH_alignment align) { \ - #define XXH_PROCESS1 \ - do { \ - \ - h32 += (*ptr++) * XXH_PRIME32_5; \ - h32 = XXH_rotl32(h32, 11) * XXH_PRIME32_1; \ - \ - } while (0) + #define XXH_PROCESS1 do { + + h32 += (*ptr++) * XXH_PRIME32_5; + h32 = XXH_rotl32(h32, 11) * XXH_PRIME32_1; + + } + + while (0) #define XXH_PROCESS4 \ do { \ 
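Review bot: The reformatted `XXH_PROCESS1` definition in the XXH32_finalize hunk has lost its line continuations: only `#define XXH_PROCESS1 do {` is now macro text, while the two `h32` statements, the `}` and the `while (0)` that follow are emitted as plain code at the top of the function, so the `}` closes XXH32_finalize and the header cannot compile as shown (the removed lines and the neighbouring `XXH_PROCESS4` still carry their `\`, so this is not an artefact of the page). This looks like formatter damage rather than an intended change; the original form `#define XXH_PROCESS1 do { \` with each body line ending in `\` and a final `} while (0)` should be restored. The same breakage is in the `XXH_PROCESS1_64` hunk of XXH64_finalize further down. Since this header is a vendored copy, excluding it from the project's formatter would avoid a repeat. XXH32_finalize continues outside the hunk.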
@@ -1391,90 +1392,90 @@ static xxh_u32 XXH32_finalize(xxh_u32 h32, const xxh_u8 *ptr, size_t len, \ } while (0) - /* Compact rerolled version */ - if (XXH_REROLL) { - - len &= 15; - while (len >= 4) { + /* Compact rerolled version */ + if (XXH_REROLL) { - XXH_PROCESS4; - len -= 4; + len &= 15; + while (len >= 4) { - } - - while (len > 0) { - - XXH_PROCESS1; - --len; - - } - - return XXH32_avalanche(h32); - - } else { + XXH_PROCESS4; + len -= 4; - switch (len & 15) /* or switch(bEnd - p) */ { + } - case 12: - XXH_PROCESS4; - /* fallthrough */ - case 8: - XXH_PROCESS4; - /* fallthrough */ - case 4: - XXH_PROCESS4; - return XXH32_avalanche(h32); + while (len > 0) { - case 13: - XXH_PROCESS4; - /* fallthrough */ - case 9: - XXH_PROCESS4; - /* fallthrough */ - case 5: - XXH_PROCESS4; XXH_PROCESS1; - return XXH32_avalanche(h32); + --len; - case 14: - XXH_PROCESS4; - /* fallthrough */ - case 10: - XXH_PROCESS4; - /* fallthrough */ - case 6: - XXH_PROCESS4; - XXH_PROCESS1; - XXH_PROCESS1; - return XXH32_avalanche(h32); + } - case 15: - XXH_PROCESS4; - /* fallthrough */ - case 11: - XXH_PROCESS4; - /* fallthrough */ - case 7: - XXH_PROCESS4; - /* fallthrough */ - case 3: - XXH_PROCESS1; - /* fallthrough */ - case 2: - XXH_PROCESS1; - /* fallthrough */ - case 1: - XXH_PROCESS1; - /* fallthrough */ - case 0: - return XXH32_avalanche(h32); + return XXH32_avalanche(h32); + + } else { + + switch (len & 15) /* or switch(bEnd - p) */ { + + case 12: + XXH_PROCESS4; + /* fallthrough */ + case 8: + XXH_PROCESS4; + /* fallthrough */ + case 4: + XXH_PROCESS4; + return XXH32_avalanche(h32); + + case 13: + XXH_PROCESS4; + /* fallthrough */ + case 9: + XXH_PROCESS4; + /* fallthrough */ + case 5: + XXH_PROCESS4; + XXH_PROCESS1; + return XXH32_avalanche(h32); + + case 14: + XXH_PROCESS4; + /* fallthrough */ + case 10: + XXH_PROCESS4; + /* fallthrough */ + case 6: + XXH_PROCESS4; + XXH_PROCESS1; + XXH_PROCESS1; + return XXH32_avalanche(h32); + + case 15: + XXH_PROCESS4; + /* fallthrough */ + 
case 11: + XXH_PROCESS4; + /* fallthrough */ + case 7: + XXH_PROCESS4; + /* fallthrough */ + case 3: + XXH_PROCESS1; + /* fallthrough */ + case 2: + XXH_PROCESS1; + /* fallthrough */ + case 1: + XXH_PROCESS1; + /* fallthrough */ + case 0: + return XXH32_avalanche(h32); - } + } - XXH_ASSERT(0); - return h32; /* reaching this point is deemed impossible */ + XXH_ASSERT(0); + return h32; /* reaching this point is deemed impossible */ - } + } } @@ -1926,16 +1927,21 @@ XXH_FORCE_INLINE xxh_u64 XXH_readLE64_align(const void * ptr, /******* xxh64 *******/ -static const xxh_u64 XXH_PRIME64_1 = 0x9E3779B185EBCA87ULL; /* 0b1001111000110111011110011011000110000101111010111100101010000111 - */ -static const xxh_u64 XXH_PRIME64_2 = 0xC2B2AE3D27D4EB4FULL; /* 0b1100001010110010101011100011110100100111110101001110101101001111 - */ -static const xxh_u64 XXH_PRIME64_3 = 0x165667B19E3779F9ULL; /* 0b0001011001010110011001111011000110011110001101110111100111111001 - */ -static const xxh_u64 XXH_PRIME64_4 = 0x85EBCA77C2B2AE63ULL; /* 0b1000010111101011110010100111011111000010101100101010111001100011 - */ -static const xxh_u64 XXH_PRIME64_5 = 0x27D4EB2F165667C5ULL; /* 0b0010011111010100111010110010111100010110010101100110011111000101 - */ +static const xxh_u64 XXH_PRIME64_1 = + 0x9E3779B185EBCA87ULL; /* 0b1001111000110111011110011011000110000101111010111100101010000111 + */ +static const xxh_u64 XXH_PRIME64_2 = + 0xC2B2AE3D27D4EB4FULL; /* 0b1100001010110010101011100011110100100111110101001110101101001111 + */ +static const xxh_u64 XXH_PRIME64_3 = + 0x165667B19E3779F9ULL; /* 0b0001011001010110011001111011000110011110001101110111100111111001 + */ +static const xxh_u64 XXH_PRIME64_4 = + 0x85EBCA77C2B2AE63ULL; /* 0b1000010111101011110010100111011111000010101100101010111001100011 + */ +static const xxh_u64 XXH_PRIME64_5 = + 0x27D4EB2F165667C5ULL; /* 0b0010011111010100111010110010111100010110010101100110011111000101 + */ #ifdef XXH_OLD_NAMES #define PRIME64_1 XXH_PRIME64_1 
@@ -1979,13 +1985,14 @@ static xxh_u64 XXH64_avalanche(xxh_u64 h64) { static xxh_u64 XXH64_finalize(xxh_u64 h64, const xxh_u8 *ptr, size_t len, XXH_alignment align) { \ - #define XXH_PROCESS1_64 \ - do { \ - \ - h64 ^= (*ptr++) * XXH_PRIME64_5; \ - h64 = XXH_rotl64(h64, 11) * XXH_PRIME64_1; \ - \ - } while (0) + #define XXH_PROCESS1_64 do { + + h64 ^= (*ptr++) * XXH_PRIME64_5; + h64 = XXH_rotl64(h64, 11) * XXH_PRIME64_1; + + } + + while (0) #define XXH_PROCESS4_64 \ do { \ 
@@ -2006,153 +2013,153 @@ static xxh_u64 XXH64_finalize(xxh_u64 h64, const xxh_u8 *ptr, size_t len, \ } while (0) - /* Rerolled version for 32-bit targets is faster and much smaller. */ - if (XXH_REROLL || XXH_REROLL_XXH64) { - - len &= 31; - while (len >= 8) { - - XXH_PROCESS8_64; - len -= 8; - - } - - if (len >= 4) { - - XXH_PROCESS4_64; - len -= 4; - - } - - while (len > 0) { - - XXH_PROCESS1_64; - --len; - - } + /* Rerolled version for 32-bit targets is faster and much smaller. */ + if (XXH_REROLL || XXH_REROLL_XXH64) { - return XXH64_avalanche(h64); + len &= 31; + while (len >= 8) { - } else { + XXH_PROCESS8_64; + len -= 8; - switch (len & 31) { + } - case 24: - XXH_PROCESS8_64; - /* fallthrough */ - case 16: - XXH_PROCESS8_64; - /* fallthrough */ - case 8: - XXH_PROCESS8_64; - return XXH64_avalanche(h64); + if (len >= 4) { - case 28: - XXH_PROCESS8_64; - /* fallthrough */ - case 20: - XXH_PROCESS8_64; - /* fallthrough */ - case 12: - XXH_PROCESS8_64; - /* fallthrough */ - case 4: XXH_PROCESS4_64; - return XXH64_avalanche(h64); + len -= 4; - case 25: - XXH_PROCESS8_64; - /* fallthrough */ - case 17: - XXH_PROCESS8_64; - /* fallthrough */ - case 9: - XXH_PROCESS8_64; - XXH_PROCESS1_64; - return XXH64_avalanche(h64); + } - case 29: - XXH_PROCESS8_64; - /* fallthrough */ - case 21: - XXH_PROCESS8_64; - /* fallthrough */ - case 13: - XXH_PROCESS8_64; - /* fallthrough */ - case 5: - XXH_PROCESS4_64; - XXH_PROCESS1_64; - return XXH64_avalanche(h64); + while (len > 0) { - case 26: - XXH_PROCESS8_64; - /* fallthrough */ - case 18: - XXH_PROCESS8_64; - /* fallthrough */ - case 10: - XXH_PROCESS8_64; - XXH_PROCESS1_64; XXH_PROCESS1_64; - return XXH64_avalanche(h64); + --len; - case 30: - XXH_PROCESS8_64; - /* fallthrough */ - case 22: - XXH_PROCESS8_64; - /* fallthrough */ - case 14: - XXH_PROCESS8_64; - /* fallthrough */ - case 6: - XXH_PROCESS4_64; - XXH_PROCESS1_64; - XXH_PROCESS1_64; - return XXH64_avalanche(h64); + } - case 27: - XXH_PROCESS8_64; - /* fallthrough 
*/ - case 19: - XXH_PROCESS8_64; - /* fallthrough */ - case 11: - XXH_PROCESS8_64; - XXH_PROCESS1_64; - XXH_PROCESS1_64; - XXH_PROCESS1_64; - return XXH64_avalanche(h64); + return XXH64_avalanche(h64); + + } else { + + switch (len & 31) { + + case 24: + XXH_PROCESS8_64; + /* fallthrough */ + case 16: + XXH_PROCESS8_64; + /* fallthrough */ + case 8: + XXH_PROCESS8_64; + return XXH64_avalanche(h64); + + case 28: + XXH_PROCESS8_64; + /* fallthrough */ + case 20: + XXH_PROCESS8_64; + /* fallthrough */ + case 12: + XXH_PROCESS8_64; + /* fallthrough */ + case 4: + XXH_PROCESS4_64; + return XXH64_avalanche(h64); + + case 25: + XXH_PROCESS8_64; + /* fallthrough */ + case 17: + XXH_PROCESS8_64; + /* fallthrough */ + case 9: + XXH_PROCESS8_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 29: + XXH_PROCESS8_64; + /* fallthrough */ + case 21: + XXH_PROCESS8_64; + /* fallthrough */ + case 13: + XXH_PROCESS8_64; + /* fallthrough */ + case 5: + XXH_PROCESS4_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 26: + XXH_PROCESS8_64; + /* fallthrough */ + case 18: + XXH_PROCESS8_64; + /* fallthrough */ + case 10: + XXH_PROCESS8_64; + XXH_PROCESS1_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 30: + XXH_PROCESS8_64; + /* fallthrough */ + case 22: + XXH_PROCESS8_64; + /* fallthrough */ + case 14: + XXH_PROCESS8_64; + /* fallthrough */ + case 6: + XXH_PROCESS4_64; + XXH_PROCESS1_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 27: + XXH_PROCESS8_64; + /* fallthrough */ + case 19: + XXH_PROCESS8_64; + /* fallthrough */ + case 11: + XXH_PROCESS8_64; + XXH_PROCESS1_64; + XXH_PROCESS1_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 31: + XXH_PROCESS8_64; + /* fallthrough */ + case 23: + XXH_PROCESS8_64; + /* fallthrough */ + case 15: + XXH_PROCESS8_64; + /* fallthrough */ + case 7: + XXH_PROCESS4_64; + /* fallthrough */ + case 3: + XXH_PROCESS1_64; + /* fallthrough */ + case 2: + XXH_PROCESS1_64; + /* fallthrough */ + 
case 1: + XXH_PROCESS1_64; + /* fallthrough */ + case 0: + return XXH64_avalanche(h64); - case 31: - XXH_PROCESS8_64; - /* fallthrough */ - case 23: - XXH_PROCESS8_64; - /* fallthrough */ - case 15: - XXH_PROCESS8_64; - /* fallthrough */ - case 7: - XXH_PROCESS4_64; - /* fallthrough */ - case 3: - XXH_PROCESS1_64; - /* fallthrough */ - case 2: - XXH_PROCESS1_64; - /* fallthrough */ - case 1: - XXH_PROCESS1_64; - /* fallthrough */ - case 0: - return XXH64_avalanche(h64); + } } - } - /* impossible to reach */ XXH_ASSERT(0); return 0; /* unreachable, but some compilers complain without it */ diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 60ea0968..f1c141d5 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -66,11 +66,12 @@ static u8 *in_file, /* Analyzer input test case */ static u8 *in_data; /* Input data for analysis */ static u32 in_len, /* Input data length */ - orig_cksum, /* Original checksum */ total_execs, /* Total number of execs */ exec_hangs, /* Total number of hangs */ exec_tmout = EXEC_TIMEOUT; /* Exec timeout (ms) */ +static u64 orig_cksum; /* Original checksum */ + static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ static s32 dev_null_fd = -1; /* FD to /dev/null */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e1401757..46862613 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -820,13 +820,16 @@ int main(int argc, char **argv_orig, char **envp) { } if (afl->init_seed) { + afl->rand_seed[0] = afl->init_seed; afl->rand_seed[1] = afl->init_seed ^ 0x1234567890abcdef; afl->rand_seed[2] = afl->init_seed & 0x0123456789abcdef; afl->rand_seed[3] = afl->init_seed | 0x01abcde43f567908; + } - //srandom((u32)afl->init_seed); - //srand((u32)afl->init_seed); // in case it is a different implementation + + // srandom((u32)afl->init_seed); + // srand((u32)afl->init_seed); // in case it is a different implementation if (afl->use_radamsa) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 13fee660..609f61d1 100644 --- a/src/afl-tmin.c 
+++ b/src/afl-tmin.c @@ -67,12 +67,13 @@ static u8 *in_file, /* Minimizer input test case */ static u8 *in_data; /* Input data for trimming */ static u32 in_len, /* Input data length */ - orig_cksum, /* Original checksum */ missed_hangs, /* Misses due to hangs */ missed_crashes, /* Misses due to crashes */ missed_paths, /* Misses due to exec path diffs */ map_size = MAP_SIZE; +static u64 orig_cksum; /* Original checksum */ + static u8 crash_mode, /* Crash-centric mode? */ hang_mode, /* Minimize as long as it hangs */ exit_crash, /* Treat non-zero exit as crash? */ -- cgit 1.4.1 From 67d87dd2a9dbc393b56162e77ff3178f4e3f59fa Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sun, 14 Jun 2020 15:26:43 +0000 Subject: Porting to Haiku. getrusage does not implement resident memory gathering, no shm api neither. --- GNUmakefile | 7 +++++++ gcc_plugin/GNUmakefile | 4 +++- gcc_plugin/afl-gcc-fast.c | 2 +- gcc_plugin/afl-gcc-rt.o.c | 2 ++ include/afl-fuzz.h | 2 ++ llvm_mode/GNUmakefile | 4 ++-- llvm_mode/afl-clang-fast.c | 2 +- src/afl-analyze.c | 2 ++ src/afl-fuzz-stats.c | 8 ++++++++ src/afl-gcc.c | 2 +- src/afl-sharedmem.c | 2 +- src/afl-showmap.c | 2 ++ src/afl-tmin.c | 2 ++ src/third_party/libradamsa/libradamsa.c | 9 ++++++--- 14 files changed, 40 insertions(+), 10 deletions(-) (limited to 'src/afl-tmin.c') diff --git a/GNUmakefile b/GNUmakefile index 7818a362..f1c5f99b 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -119,6 +119,13 @@ ifeq "$(shell uname -s)" "NetBSD" LDFLAGS += -L /usr/pkg/lib/ endif +ifeq "$(shell uname -s)" "Haiku" + SHMAT_OK=0 + override CFLAGS += -DUSEMMAP=1 -Wno-error=format -fpic + LDFLAGS+=-Wno-deprecated-declarations -lgnu + SPECIAL_PERFORMANCE += -DUSEMMAP=1 +endif + AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c) ifneq "$(shell command -v python3m 2>/dev/null)" "" diff --git a/gcc_plugin/GNUmakefile b/gcc_plugin/GNUmakefile index 9a404966..0f69e924 100644 --- a/gcc_plugin/GNUmakefile +++ b/gcc_plugin/GNUmakefile 
@@ -61,12 +61,14 @@ ifeq "$(shell echo '$(HASH)include @$(HASH)include @int ma else SHMAT_OK=0 CFLAGS+=-DUSEMMAP=1 - LDFLAGS += -lrt endif ifeq "$(TEST_MMAP)" "1" SHMAT_OK=0 CFLAGS+=-DUSEMMAP=1 +endif + +ifneq "$(shell uname -s)" "Haiku" LDFLAGS += -lrt endif diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 164c72c2..bd780b40 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -231,7 +231,7 @@ static void edit_params(u32 argc, char **argv) { } -#ifdef USEMMAP +#if defined(USEMMAP) && !defined(__HAIKU__) cc_params[cc_par_cnt++] = "-lrt"; #endif diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index f41bea17..5c94f68a 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -35,7 +35,9 @@ #include #include +#ifndef USEMMAP #include +#endif #include #include diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 9d71e20f..2f712806 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -66,7 +66,9 @@ #include #include +#ifndef USEMMAP #include +#endif #include #include #include diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index ca1e8e08..de247a60 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile @@ -196,7 +196,7 @@ ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=`com endif endif -CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 +CFLAGS ?= -O3 -funroll-loops -fpic -D_FORTIFY_SOURCE=2 override CFLAGS += -Wall \ -g -Wno-pointer-sign -I ../include/ \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ @@ -209,7 +209,7 @@ ifdef AFL_TRACE_PC $(info Compile option AFL_TRACE_PC is deprecated, just set AFL_LLVM_INSTRUMENT=PCGUARD to activate when compiling targets ) endif -CXXFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 +CXXFLAGS ?= -O3 -funroll-loops -fpic -D_FORTIFY_SOURCE=2 override CXXFLAGS += -Wall -g -I ../include/ \ -DVERSION=\"$(VERSION)\" -Wno-variadic-macros 
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 75504ea5..57504e65 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -464,7 +464,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } -#ifdef USEMMAP +#if defined(USEMMAP) && !defined(__HAIKU__) cc_params[cc_par_cnt++] = "-lrt"; #endif diff --git a/src/afl-analyze.c b/src/afl-analyze.c index f1c141d5..cf5e9b16 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -51,7 +51,9 @@ #include #include +#ifndef USEMMAP #include +#endif #include #include #include diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 5d2e5358..de58f277 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -31,7 +31,9 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, double eps) { +#ifndef __HAIKU__ struct rusage rus; +#endif unsigned long long int cur_time = get_cur_time(); u8 fn[PATH_MAX]; @@ -65,7 +67,9 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, } +#ifndef __HAIKU__ if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } +#endif fprintf( f, @@ -119,11 +123,15 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->last_path_time / 1000, afl->last_crash_time / 1000, afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, afl->slowest_exec_ms, +#ifndef __HAIKU__ #ifdef __APPLE__ (unsigned long int)(rus.ru_maxrss >> 20), #else (unsigned long int)(rus.ru_maxrss >> 10), #endif +#else + -1UL, +#endif #ifdef HAVE_AFFINITY afl->cpu_aff, #else diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 7eb01c0c..b8ff7e77 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -335,7 +335,7 @@ static void edit_params(u32 argc, char **argv) { } -#ifdef USEMMAP +#if defined(USEMMAP) && !defined(__HAIKU__) cc_params[cc_par_cnt++] = "-lrt"; #endif diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 63013435..f8bbebc8 100644 
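Review bot: The Haiku fallback in write_stats_file emits `-1UL`, i.e. `ULONG_MAX`, for the peak RSS field, which on a 64-bit target prints as 18446744073709551615 rather than as an obviously absent value (assuming the `%lu`-style specifier implied by the `(unsigned long int)` casts in the other branches; the format string itself is outside the hunk). The same function already falls back to `rus.ru_maxrss = 0` when getrusage fails, so `0UL,` would keep the stats file consistent and parseable for tools that read it. write_stats_file starts and ends outside the hunk.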
--- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -145,7 +145,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); - if (shm->map == -1 || !shm->map) PFATAL("mmap() failed"); + if (shm->map == (void *)-1 || !shm->map) PFATAL("mmap() failed"); #else u8 *shm_str; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 560c8cf6..70a30ce4 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -56,7 +56,9 @@ #include #include +#ifndef USEMMAP #include +#endif #include #include #include diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 609f61d1..5a28ba79 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -54,7 +54,9 @@ #include #include +#ifndef USEMMAP #include +#endif #include #include #include diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index 4f5515e5..37c986e9 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -2413,9 +2413,12 @@ static word prim_sys(word op, word a, word b, word c) { #endif O_DSYNC, O_EXCL, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK, O_RSYNC, O_SYNC, O_TRUNC, O_TTY_INIT, O_ACCMODE, - FD_CLOEXEC, F_DUPFD, F_DUPFD_CLOEXEC, F_GETFD, F_SETFD, F_GETFL, F_SETFL, F_GETOWN, - F_SETOWN, F_GETLK, F_SETLK, F_SETLKW, F_RDLCK, F_UNLCK, F_WRLCK, CLOCK_MONOTONIC, - CLOCK_PROCESS_CPUTIME_ID, CLOCK_REALTIME, CLOCK_THREAD_CPUTIME_ID + FD_CLOEXEC, F_DUPFD, F_DUPFD_CLOEXEC, F_GETFD, F_SETFD, F_GETFL, F_SETFL, + F_GETLK, F_SETLK, F_SETLKW, F_RDLCK, F_UNLCK, F_WRLCK, CLOCK_MONOTONIC, + CLOCK_PROCESS_CPUTIME_ID, CLOCK_REALTIME, CLOCK_THREAD_CPUTIME_ID, +#if !defined __HAIKU__ + F_GETOWN, F_SETOWN +#endif }; return onum(sysconst[immval(a) % (sizeof sysconst / W)], 0); } case 9: /* return process variables */ -- cgit 1.4.1 From dc002b4b3544d79d846723b445549400935aca64 Mon Sep 17 00:00:00 2001 
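Review bot: The corrected failure check hand-spells the mmap error value as `(void *)-1`, which `<sys/mman.h>` already provides as `MAP_FAILED`; using the macro states the intent and keeps the comparison right on any platform: `if (shm->map == MAP_FAILED || !shm->map) PFATAL("mmap() failed");`. afl_shm_init starts and ends outside the hunk.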
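Review bot: Moving `F_GETOWN, F_SETOWN` to the end of `sysconst` shifts the position of every entry that used to follow them (`F_GETLK` through `CLOCK_THREAD_CPUTIME_ID`) down by two, and the lookup `sysconst[immval(a) % (sizeof sysconst / W)]` addresses the table by index, so if the Lisp side refers to these constants by position it now receives the wrong values on every platform, not just Haiku. Keeping the two entries in their original slot and substituting a sentinel on Haiku (whatever value the table's element type uses for "unsupported"; `-1` is a constructed example) preserves the layout. prim_sys starts and ends outside the hunk.
```c
    FD_CLOEXEC, F_DUPFD, F_DUPFD_CLOEXEC, F_GETFD, F_SETFD, F_GETFL, F_SETFL,
#if !defined __HAIKU__
    F_GETOWN, F_SETOWN,
#else
    -1, -1, /* placeholder: keeps later entries at their original index */
#endif
    F_GETLK, F_SETLK, F_SETLKW, F_RDLCK, F_UNLCK, F_WRLCK, CLOCK_MONOTONIC,
    /* … unchanged: remaining CLOCK_* entries and the onum() lookup … */
```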
From: Dominik Maier Date: Mon, 15 Jun 2020 11:08:24 +0200 Subject: code format --- gcc_plugin/afl-gcc-rt.o.c | 2 +- include/afl-fuzz.h | 2 +- src/afl-analyze.c | 2 +- src/afl-fuzz-one.c | 6 +++--- src/afl-fuzz-stats.c | 6 +++--- src/afl-fuzz.c | 10 ++++------ src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 8 files changed, 15 insertions(+), 17 deletions(-) (limited to 'src/afl-tmin.c') diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 5c94f68a..49a03cae 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -36,7 +36,7 @@ #include #ifndef USEMMAP -#include + #include #endif #include #include diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 2f712806..f6158014 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -67,7 +67,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include diff --git a/src/afl-analyze.c b/src/afl-analyze.c index cf5e9b16..f9ba8860 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -52,7 +52,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index a247a837..fc5760cc 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -3852,7 +3852,7 @@ pacemaker_fuzzing: afl->extras[j].len > len - i || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || (eff_map && !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->extras[j].len)))) { + EFF_SPAN_ALEN(i, afl->extras[j].len)))) { afl->stage_max--; continue; @@ -3960,7 +3960,7 @@ pacemaker_fuzzing: !memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) || (eff_map && !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) { + EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) { afl->stage_max--; continue; 
@@ -3986,7 +3986,7 @@ pacemaker_fuzzing: afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; - // AFLpp: Never read: skip_extras_v2: + // AFLpp: Never read: skip_extras_v2: // new_hit_cnt = afl->queued_paths + afl->unique_crashes; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index de58f277..28473c0c 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -124,11 +124,11 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, afl->slowest_exec_ms, #ifndef __HAIKU__ -#ifdef __APPLE__ + #ifdef __APPLE__ (unsigned long int)(rus.ru_maxrss >> 20), -#else + #else (unsigned long int)(rus.ru_maxrss >> 10), -#endif + #endif #else -1UL, #endif diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b84585bb..cefcd73f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -33,16 +33,14 @@ extern u64 time_spent_working; static void at_exit() { - int i; + int i; char *ptr = getenv("__AFL_TARGET_PID1"); - if (ptr && *ptr && (i = atoi(ptr)) > 0) - kill(i, SIGKILL); + if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (i = atoi(ptr)) > 0) - kill(i, SIGKILL); + if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); // anything else? shared memory? @@ -1259,7 +1257,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("Cmplog forkserver successfully started"); } - + atexit(at_exit); perform_dry_run(afl); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 70a30ce4..7b46cd2b 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -57,7 +57,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 5a28ba79..9df5112b 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c 
@@ -55,7 +55,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include -- cgit 1.4.1 From 37edfe2de9387d460dbb8e945e22122fd9ab8e1c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 22 Jun 2020 19:56:34 +0200 Subject: shmem support for afl-tmin and afl-showmap --- src/afl-showmap.c | 42 ++++++++++++++++++++++++++++++++++++++++++ src/afl-tmin.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+) (limited to 'src/afl-tmin.c') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 6a26a949..f1926b05 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -566,6 +566,17 @@ static void usage(u8 *argv0) { } +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -775,6 +786,17 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); + if (getenv("AFL_DEBUG")) { + + SAYF(cMGN "[D]" cRST); + for (int i = 0; i < argc; i++) + SAYF(" %s", argv[i]); + SAYF("\n"); + + } + + // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } + sharedmem_t shm = {0}; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); setup_signal_handlers(); @@ -829,6 +851,20 @@ int main(int argc, char **argv_orig, char **envp) { } + sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } +#ifdef USEMMAP + setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); +#else + u8 *shm_str = alloc_printf("%d", shm_fuzz->shm_id); + setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); + ck_free(shm_str); +#endif + fsrv->support_shmem_fuzz = 1; + fsrv->shmem_fuzz_len = (u32 *)map; + fsrv->shmem_fuzz = map + sizeof(u32); + if (in_dir) { DIR * dir_in, *dir_out; 
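Review bot: The new `deinit_shmem` destroys the fuzz segment but leaves `SHM_FUZZ_ENV_VAR` in the environment (set a few hunks below via `setenv(SHM_FUZZ_ENV_VAR, ...)`), so any child started afterwards inherits an id or path that no longer exists; add `unsetenv(SHM_FUZZ_ENV_VAR);` before `afl_shm_deinit(shm_fuzz);`. The identical `deinit_shmem` added to src/afl-tmin.c in this commit has the same gap, and since the two bodies are byte-for-byte the same a single helper in afl-sharedmem.c would avoid maintaining two copies.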
@@ -897,6 +933,9 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); + if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) + shm_fuzz = deinit_shmem(fsrv, shm_fuzz); + while (done == 0 && (dir_ent = readdir(dir_in))) { if (dir_ent->d_name[0] == '.') { @@ -966,7 +1005,10 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->target_path) { ck_free(fsrv->target_path); } + if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); + afl_fsrv_deinit(fsrv); + if (stdin_file) { ck_free(stdin_file); } argv_cpy_free(argv); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 9df5112b..8b028327 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -802,6 +802,17 @@ static void usage(u8 *argv0) { } +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { 
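Review bot: The final release in afl-showmap, `if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);`, only covers targets that negotiated shared-memory input, while the `support_shmem_fuzz && !use_shmem_fuzz` release added just after `afl_fsrv_start` sits inside the `in_dir` branch; as far as the hunks show, the single-input path never passes through either, so a segment allocated with `use_shmem_fuzz` still 0 is left behind on every such run. Releasing whenever the segment exists, `if (shm_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);`, covers both paths since deinit_shmem already returns NULL. main starts and ends outside the hunk.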
@@ -1052,11 +1063,28 @@ int main(int argc, char **argv_orig, char **envp) { SAYF("\n"); + sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } +#ifdef USEMMAP + setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); +#else + u8 *shm_str = alloc_printf("%d", shm_fuzz->shm_id); + setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); + ck_free(shm_str); +#endif + fsrv->support_shmem_fuzz = 1; + fsrv->shmem_fuzz_len = (u32 *)map; + fsrv->shmem_fuzz = map + sizeof(u32); + read_initial_file(); afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); + if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) + shm_fuzz = deinit_shmem(fsrv, shm_fuzz); + ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); @@ -1111,6 +1139,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("We're done here. Have a nice day!\n"); afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); afl_fsrv_deinit(fsrv); if (fsrv->target_path) { ck_free(fsrv->target_path); } if (mask_bitmap) { ck_free(mask_bitmap); } -- cgit 1.4.1 From 171b1923e94b7157d9c0574fae890d31fd880e4c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 25 Jun 2020 22:02:02 +0200 Subject: shmem release fix --- GNUmakefile | 8 ++++---- docs/Changelog.md | 1 + src/afl-fuzz-run.c | 1 + src/afl-fuzz.c | 38 +++++++++++++++++++++++++++++++++++--- src/afl-sharedmem.c | 2 ++ src/afl-showmap.c | 51 ++++++++++++++++++++++++++++++++------------------- src/afl-tmin.c | 49 ++++++++++++++++++++++++++++++++----------------- 7 files changed, 107 insertions(+), 43 deletions(-) (limited to 'src/afl-tmin.c') diff --git a/GNUmakefile b/GNUmakefile index ad7169cd..616d4f70 100644 --- a/GNUmakefile +++ b/GNUmakefile 
@@ -122,7 +122,7 @@ endif ifeq "$(shell uname -s)" "Haiku" SHMAT_OK=0 override CFLAGS += -DUSEMMAP=1 -Wno-error=format -fPIC - LDFLAGS+=-Wno-deprecated-declarations -lgnu + LDFLAGS += -Wno-deprecated-declarations -lgnu SPECIAL_PERFORMANCE += -DUSEMMAP=1 endif @@ -253,14 +253,14 @@ ifeq "$(shell echo '$(HASH)include @$(HASH)include @int ma else SHMAT_OK=0 override CFLAGS+=-DUSEMMAP=1 - LDFLAGS+=-Wno-deprecated-declarations + LDFLAGS += -Wno-deprecated-declarations -lrt endif ifdef TEST_MMAP SHMAT_OK=0 override CFLAGS += -DUSEMMAP=1 - LDFLAGS += -Wno-deprecated-declarations -else + LDFLAGS += -Wno-deprecated-declarations -lrt +$(info LDFLAGS=$(LDFLAGS)) endif all: test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done diff --git a/docs/Changelog.md b/docs/Changelog.md index abfd4386..1a9623a7 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -49,6 +49,7 @@ sending a mail to . - Unicornafl - Added powerPC support from unicorn/next - rust bindings! + - ensure shmem is released on errors - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not compiled by default anymore. - allow running in /tmp (only unsafe with umask 0) diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index d5c80cb3..da5b6bc4 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -262,6 +262,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shmem_fuzz) { + unsetenv(SHM_FUZZ_ENV_VAR); afl_shm_deinit(afl->shm_fuzz); ck_free(afl->shm_fuzz); afl->shm_fuzz = NULL; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 2f23aec7..e7a855ff 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -26,6 +26,13 @@ #include "afl-fuzz.h" #include "cmplog.h" #include +#ifndef USEMMAP + #include + #include + #include + #include + #include +#endif #ifdef PROFILING extern u64 time_spent_working; 
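Review bot: `$(info LDFLAGS=$(LDFLAGS))` in the `ifdef TEST_MMAP` block replaces the former `else` and prints on every make invocation when TEST_MMAP is set; it reads as leftover debugging output and should be removed or put behind a verbose switch. With the preceding `else` branch now also appending `-lrt`, a TEST_MMAP build on a system that fails the shmat test adds `-lrt` twice; harmless for the linker, but one `LDFLAGS += -Wno-deprecated-declarations -lrt` would do.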
@@ -34,6 +41,7 @@ extern u64 time_spent_working; static void at_exit() { int i; + char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; char *ptr = getenv("__AFL_TARGET_PID1"); if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); @@ -42,7 +50,28 @@ static void at_exit() { if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); - // anything else? shared memory? + i = 0; + while (list[i] != NULL) { + + ptr = getenv(list[i]); + + if (ptr && *ptr) { + +#ifdef USEMMAP + + shm_unlink(ptr); + +#else + + shmctl(atoi(ptr), IPC_RMID, NULL); + +#endif + + } + + i++; + + } } @@ -991,6 +1020,8 @@ int main(int argc, char **argv_orig, char **envp) { check_crash_handling(); check_cpu_governor(afl); + atexit(at_exit); + afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); @@ -1154,8 +1185,6 @@ int main(int argc, char **argv_orig, char **envp) { } - atexit(at_exit); - perform_dry_run(afl); cull_queue(afl); @@ -1326,10 +1355,13 @@ stop_fuzzing: destroy_queue(afl); destroy_extras(afl); destroy_custom_mutators(afl); + unsetenv(SHM_ENV_VAR); + unsetenv(CMPLOG_SHM_ENV_VAR); afl_shm_deinit(&afl->shm); if (afl->shm_fuzz) { + unsetenv(SHM_FUZZ_ENV_VAR); afl_shm_deinit(afl->shm_fuzz); ck_free(afl->shm_fuzz); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index f8bbebc8..44a91a97 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -66,6 +66,8 @@ static list_t shm_list = {.element_prealloc_count = 0}; void afl_shm_deinit(sharedmem_t *shm) { + if (shm == NULL) return; + list_remove(&shm_list, shm); #ifdef USEMMAP diff --git a/src/afl-showmap.c b/src/afl-showmap.c index de25e427..1ab7d0a8 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
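Review bot: In the new cleanup loop of at_exit, `shmctl(atoi(ptr), IPC_RMID, NULL)` is issued with whatever `atoi` yields, and since 0 is a valid System V identifier a non-empty but non-numeric value would remove segment 0 instead of being ignored; the pid branches just above guard with `> 0`, so parse the same way, e.g. `char *end; long id = strtol(ptr, &end, 10);` followed by `if (*end == '\0' && id >= 0) shmctl((int)id, IPC_RMID, NULL);`. `list` is never written, so `static const char *const list[] = {...}` documents that and avoids rebuilding it on each call. at_exit's signature and the pid-kill lines are outside this hunk.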
@@ -82,11 +82,16 @@ static u8 quiet_mode, /* Hide non-essential messages? */ raw_instr_output, /* Do not apply AFL filters */ cmin_mode, /* Generate output in afl-cmin mode? */ binary_mode, /* Write output as a binary map */ - keep_cores; /* Allow coredumps? */ + keep_cores, /* Allow coredumps? */ + remove_shm = 1; /* remove shmem? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_crashed; /* Child crashed? */ +static sharedmem_t shm; +static afl_forkserver_t *fsrv; +static sharedmem_t * shm_fuzz; + /* Classify tuple counts. Instead of mapping to individual bits, as in afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */ @@ -141,12 +146,32 @@ static void classify_counts(afl_forkserver_t *fsrv) { } +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Get rid of temp files (atexit handler). */ static void at_exit_handler(void) { if (stdin_file) { unlink(stdin_file); } + if (remove_shm) { + + if (shm.map) afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz); + + } + + afl_fsrv_killall(); + } /* Write results. */ @@ -566,17 +591,6 @@ static void usage(u8 *argv0) { } -static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, - sharedmem_t * shm_fuzz) { - - afl_shm_deinit(shm_fuzz); - fsrv->support_shmem_fuzz = 0; - fsrv->shmem_fuzz = NULL; - ck_free(shm_fuzz); - return NULL; - -} - /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -590,8 +604,8 @@ int main(int argc, char **argv_orig, char **envp) { char **argv = argv_cpy_dup(argc, argv_orig); - afl_forkserver_t fsrv_var = {0}; - afl_forkserver_t *fsrv = &fsrv_var; + afl_forkserver_t fsrv_var = {0}; + fsrv = &fsrv_var; afl_fsrv_init(fsrv); map_size = get_map_size(); fsrv->map_size = map_size; 
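Review bot: `at_exit_handler` now dereferences the file-scope `fsrv`, which the @@ -590 hunk points at `fsrv_var`, a local of `main`; atexit handlers run after `main` returns, so this read touches a dead stack frame unless every path out of `main` goes through `exit()`, and the end of `main` is not visible here. Making the object itself file-scope removes the dependency: `static afl_forkserver_t fsrv_var;` next to `static afl_forkserver_t *fsrv;`, with `fsrv = &fsrv_var;` left as is in `main`. The same pattern is introduced in src/afl-tmin.c (hunks @@ -169 and @@ -823). `fsrv` is also NULL until `main` assigns it, so the handler must not be registered before that assignment; a one-line comment on the declaration stating both constraints would help.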
@@ -797,7 +811,6 @@ int main(int argc, char **argv_orig, char **envp) { // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } - sharedmem_t shm = {0}; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); setup_signal_handlers(); @@ -851,8 +864,8 @@ int main(int argc, char **argv_orig, char **envp) { } - sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); - u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); @@ -999,14 +1012,14 @@ int main(int argc, char **argv_orig, char **envp) { } + remove_shm = 0; afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); u32 ret = child_crashed * 2 + fsrv->last_run_timed_out; if (fsrv->target_path) { ck_free(fsrv->target_path); } - if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); - afl_fsrv_deinit(fsrv); if (stdin_file) { ck_free(stdin_file); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 8b028327..5e4bdb6c 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -80,10 +80,16 @@ static u8 crash_mode, /* Crash-centric mode? */ hang_mode, /* Minimize as long as it hangs */ exit_crash, /* Treat non-zero exit as crash? */ edges_only, /* Ignore hit counts? */ - exact_mode; /* Require path match for crashes? */ + exact_mode, /* Require path match for crashes? */ + remove_out_file, /* remove out_file on exit? */ + remove_shm = 1; /* remove shmem on exit? */ static volatile u8 stop_soon; /* Ctrl-C pressed? */ +static afl_forkserver_t *fsrv; +static sharedmem_t shm; +static sharedmem_t * shm_fuzz; + /* * forkserver section */ 
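Review bot: `remove_shm = 0;` placed before the two deinit calls in the @@ -999 hunk carries no comment, and its purpose (keeping `at_exit_handler` from releasing the same segments again once `main` has done so) is only discoverable by reading the handler. Suggest `/* main tears down shmem itself from here; keep at_exit_handler from doing it again */` above the assignment, and the same at the identical line in src/afl-tmin.c (@@ -1138). Clearing the flag before rather than after the calls looks like the right order, since a `FATAL` inside a deinit would presumably run the handler and repeat the cleanup otherwise.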
@@ -105,6 +111,17 @@ static const u8 count_class_lookup[256] = { }; +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Apply mask to classified bitmap (if set). */ static void apply_mask(u32 *mem, u32 *mask) { @@ -169,7 +186,15 @@ static inline u8 anything_set(afl_forkserver_t *fsrv) { static void at_exit_handler(void) { + if (remove_shm) { + + if (shm.map) afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz); + + } + afl_fsrv_killall(); + if (remove_out_file) unlink(out_file); } @@ -623,6 +648,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } out_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, (u32)getpid()); + remove_out_file = 1; } @@ -802,17 +828,6 @@ static void usage(u8 *argv0) { } -static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, - sharedmem_t * shm_fuzz) { - - afl_shm_deinit(shm_fuzz); - fsrv->support_shmem_fuzz = 0; - fsrv->shmem_fuzz = NULL; - ck_free(shm_fuzz); - return NULL; - -} - /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -823,8 +838,8 @@ int main(int argc, char **argv_orig, char **envp) { char **argv = argv_cpy_dup(argc, argv_orig); - afl_forkserver_t fsrv_var = {0}; - afl_forkserver_t *fsrv = &fsrv_var; + afl_forkserver_t fsrv_var = {0}; + fsrv = &fsrv_var; afl_fsrv_init(fsrv); map_size = get_map_size(); fsrv->map_size = map_size; @@ -1021,7 +1036,6 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); - sharedmem_t shm = {0}; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); atexit(at_exit_handler); 
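Review bot: In the @@ -1021 hunk `atexit(at_exit_handler)` is still registered after `afl_shm_init(&shm, map_size, 0)`, so a `FATAL` raised inside or right after the init leaves the segment behind; this is the gap the src/afl-fuzz.c hunks @@ -991/-1154 of the same commit close by moving `atexit(at_exit)` ahead of `afl_shm_init`. Swapping the two lines here gives afl-tmin the same guarantee, and `at_exit_handler` already tolerates an uninitialised `shm` through its `shm.map` check (whether `shm.map` is set before a mid-init failure is not visible here). `main` continues outside the hunk.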
@@ -1063,8 +1077,8 @@ int main(int argc, char **argv_orig, char **envp) { SAYF("\n"); - sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); - u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); @@ -1138,6 +1152,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("We're done here. Have a nice day!\n"); + remove_shm = 0; afl_shm_deinit(&shm); if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); afl_fsrv_deinit(fsrv); -- cgit 1.4.1 From 07fead04663b491c0a2f9053630e9a175dcbf635 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 26 Jun 2020 01:14:21 +0200 Subject: fix shared memory leaks in afl-showmap, initialize cmplog_mode --- src/afl-analyze.c | 3 +++ src/afl-sharedmem.c | 4 ++-- src/afl-showmap.c | 9 +++++++++ src/afl-tmin.c | 6 ++++++ 4 files changed, 20 insertions(+), 2 deletions(-) (limited to 'src/afl-tmin.c') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index f9ba8860..56284f6f 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -1049,6 +1049,9 @@ int main(int argc, char **argv, char **envp) { check_environment_vars(envp); sharedmem_t shm = {0}; + + /* initialize cmplog_mode */ + shm.cmplog_mode = 0; trace_bits = afl_shm_init(&shm, map_size, 0); atexit(at_exit_handler); setup_signal_handlers(); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 44a91a97..de0dc916 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -101,7 +101,7 @@ void afl_shm_deinit(sharedmem_t *shm) { u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrumented_mode) { - shm->map_size = map_size; + shm->map_size = 0; shm->map = NULL; 
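Review bot: `shm.cmplog_mode = 0;` in the afl-analyze.c hunk is redundant: `shm` is declared `sharedmem_t shm = {0};` two lines above, which already zero-initialises every member. The same applies to the `shm.cmplog_mode = 0;` added in src/afl-showmap.c (@@ -811) and src/afl-tmin.c (@@ -1036), where `shm` is a file-scope static and therefore zero-initialised by definition; for the heap-allocated `shm_fuzz` (@@ -865 and @@ -1078) whether the store is needed depends on whether `ck_alloc` zero-fills, which is not visible here. If the intent is to make the field's meaning explicit rather than to fix an uninitialised read, a comment such as `/* cmplog_mode stays 0: this is the plain trace map, not the cmplog map */` says more than a no-op assignment.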
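Review bot: Setting `shm->map_size = 0` at entry of `afl_shm_init` and the real size only at the end (@@ -204) means `afl_shm_deinit` on a struct whose init aborted midway sees a zero size; whether that is the intended "nothing to unmap" signal or silently skips `munmap`/`shmdt` for a partially created mapping depends on the deinit body, which is outside these hunks. Document the invariant at the assignment: `/* map_size is 0 until the mapping is fully set up, so deinit of a half-initialised shm treats it as empty */` — provided that is indeed what deinit does.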
@@ -153,7 +153,6 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, u8 *shm_str; shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | 0600); - if (shm->shm_id < 0) { PFATAL("shmget() failed"); } if (shm->cmplog_mode) { @@ -204,6 +203,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, #endif + shm->map_size = map_size; list_append(&shm_list, shm); return shm->map; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 1ab7d0a8..24e83721 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -151,6 +151,7 @@ static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, afl_shm_deinit(shm_fuzz); fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz_len = NULL; fsrv->shmem_fuzz = NULL; ck_free(shm_fuzz); return NULL; @@ -811,6 +812,8 @@ int main(int argc, char **argv_orig, char **envp) { // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } + /* initialize cmplog_mode */ + shm.cmplog_mode = 0; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); setup_signal_handlers(); @@ -865,6 +868,9 @@ int main(int argc, char **argv_orig, char **envp) { } shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + + /* initialize cmplog_mode */ + shm_fuzz->cmplog_mode = 0; u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP @@ -991,6 +997,9 @@ int main(int argc, char **argv_orig, char **envp) { } else { + if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) + shm_fuzz = deinit_shmem(fsrv, shm_fuzz); + showmap_run_target(fsrv, use_argv); tcnt = write_results_to_file(fsrv, out_file); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 5e4bdb6c..2db1eae7 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -116,6 +116,7 @@ static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, afl_shm_deinit(shm_fuzz); fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz_len = NULL; fsrv->shmem_fuzz = NULL; ck_free(shm_fuzz); return NULL; 
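Review bot: The `if (shm->shm_id < 0) { PFATAL("shmget() failed"); }` check is deleted in this hunk without a replacement, so a failing `shmget()` (typically ENOSPC/ENOMEM when the SysV limits are exhausted) is no longer reported at the call that failed and the code proceeds with `shm_id == -1`; any later `shmat` diagnostic would carry a different errno and a misleading message. Unless an equivalent check was added elsewhere in the function (not visible here), restore the line directly after the `shmget` call. The rest of `afl_shm_init` lies outside the hunk.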
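Review bot: The new two-line `if` at the top of the `else` branch in the afl-showmap.c @@ -991 hunk has no braces, unlike the guarded single calls elsewhere in the file (`if (!map) { FATAL(...); }`); brace it: `if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) {` / `shm_fuzz = deinit_shmem(fsrv, shm_fuzz);` / `}`. It also releases `shm_fuzz` only on this single-input path; if the other branch of the enclosing `if` (outside the hunk) likewise starts the forkserver with `shm_fuzz` allocated, it needs the same release, since `at_exit_handler` only deinits when `use_shmem_fuzz` is set and would leak the segment there.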
@@ -1036,6 +1037,8 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); + /* initialize cmplog_mode */ + shm.cmplog_mode = 0; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); atexit(at_exit_handler); @@ -1078,6 +1081,9 @@ int main(int argc, char **argv_orig, char **envp) { SAYF("\n"); shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + + /* initialize cmplog_mode */ + shm_fuzz->cmplog_mode = 0; u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP -- cgit 1.4.1