/* american fuzzy lop++ - forkserver code -------------------------------------- Originally written by Michal Zalewski Forkserver design by Jann Horn Now maintained by Marc Heuse , Heiko Eißfeldt and Andrea Fioraldi Copyright 2016, 2017 Google Inc. All rights reserved. Copyright 2019-2020 AFLplusplus Project. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: http://www.apache.org/licenses/LICENSE-2.0 Shared code that implements a forkserver. This is used by the fuzzer as well the other components like afl-tmin. */ #include "config.h" #include "types.h" #include "debug.h" #include "common.h" #include "list.h" #include "forkserver.h" #include #include #include #include #include #include #include #include #include #include #include /** * The correct fds for reading and writing pipes */ /* Describe integer as memory size. */ extern u8 *doc_path; u8 *forkserver_DMS(u64 val) { static u8 tmp[12][16]; static u8 cur; #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ do { \ \ if (val < (_divisor) * (_limit_mult)) { \ \ sprintf(tmp[cur], _fmt, ((_cast)val) / (_divisor)); \ return tmp[cur]; \ \ } \ \ } while (0) cur = (cur + 1) % 12; /* 0-9999 */ CHK_FORMAT(1, 10000, "%llu B", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1024, 99.95, "%0.01f kB", double); /* 100k - 999k */ CHK_FORMAT(1024, 1000, "%llu kB", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); /* 10.0M - 99.9M */ CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); /* 100M - 999M */ CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); /* 10.0G - 99.9G */ CHK_FORMAT(1024LL * 1024 * 1024, 99.95, "%0.01f GB", double); /* 100G - 999G */ CHK_FORMAT(1024LL * 1024 * 1024, 1000, "%llu GB", u64); /* 1.00T - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 9.995, "%0.02f TB", double); /* 10.0T - 99.9T */ CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 99.95, "%0.01f TB", double); #undef CHK_FORMAT /* 100T+ */ strcpy(tmp[cur], "infty"); return tmp[cur]; } list_t fsrv_list = {.element_prealloc_count = 0}; /* the timeout handler */ void handle_timeout(int sig) { LIST_FOREACH(&fsrv_list, afl_forkserver_t, { // TODO: We need a proper timer to handle multiple timeouts if (el->child_pid > 0) { el->child_timed_out = 1; kill(el->child_pid, SIGKILL); } else if (el->child_pid == -1 && el->fsrv_pid > 0) { el->child_timed_out = 1; kill(el->fsrv_pid, SIGKILL); } }); } /* Initializes the struct */ void afl_fsrv_init(afl_forkserver_t *fsrv) { // this structure needs default so we initialize it if this was not done // already fsrv->use_stdin = 1; fsrv->out_fd = -1; fsrv->out_dir_fd = -1; fsrv->dev_null_fd = -1; #ifndef HAVE_ARC4RANDOM fsrv->dev_urandom_fd = -1; #endif fsrv->exec_tmout = EXEC_TIMEOUT; fsrv->mem_limit = MEM_LIMIT; fsrv->child_pid = -1; fsrv->out_dir_fd = -1; fsrv->use_fauxsrv = 0; fsrv->prev_timed_out = 0; list_append(&fsrv_list, fsrv); } /* Internal forkserver for dumb_mode=1 and non-forkserver mode runs. It execvs for each fork, forwarding exit codes and child pids to afl. */ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { unsigned char tmp[4] = {0}; pid_t child_pid = -1; /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ if (write(FORKSRV_FD + 1, tmp, 4) != 4) abort(); // TODO: Abort? void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL); while (1) { uint32_t was_killed; int status; /* Wait for parent by reading from the pipe. Exit if read fails. */ if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(0); /* Create a clone of our process. */ child_pid = fork(); if (child_pid < 0) PFATAL("Fork failed"); /* In child process: close fds, resume execution. */ if (!child_pid) { // New child signal(SIGCHLD, old_sigchld_handler); // FORKSRV_FD is for communication with AFL, we don't need it in the // child. close(FORKSRV_FD); close(FORKSRV_FD + 1); // TODO: exec... execv(fsrv->target_path, argv); /* Use a distinctive bitmap signature to tell the parent about execv() falling through. */ *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG; PFATAL("Execv failed in fauxserver."); } /* In parent process: write PID to AFL. */ if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(0); /* after child exited, get and relay exit status to parent through waitpid. */ if (waitpid(child_pid, &status, 0) < 0) { // Zombie Child could not be collected. Scary! PFATAL("Fauxserver could not determin child's exit code. "); } /* Relay wait status to AFL pipe, then loop back. */ if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(0); } } /* Spins up fork server (instrumented mode only). The idea is explained here: http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html In essence, the instrumentation allows us to skip execve(), and just keep cloning a stopped child. So, we just execute once, and then send commands through a pipe. The other part of this logic is in afl-as.h / llvm_mode */ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { struct timeval timeout; int st_pipe[2], ctl_pipe[2]; int status; s32 rlen; if (fsrv->use_fauxsrv) ACTF("Using Fauxserver:"); if (!getenv("AFL_QUIET")) ACTF("Spinning up the fork server..."); if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); fsrv->child_timed_out = 0; fsrv->fsrv_pid = fork(); if (fsrv->fsrv_pid < 0) PFATAL("fork() failed"); if (!fsrv->fsrv_pid) { /* CHILD PROCESS */ struct rlimit r; /* Umpf. On OpenBSD, the default fd limit for root users is set to soft 128. Let's try to fix that... */ if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { r.rlim_cur = FORKSRV_FD + 2; setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ } if (fsrv->mem_limit) { r.rlim_max = r.rlim_cur = ((rlim_t)fsrv->mem_limit) << 20; #ifdef RLIMIT_AS setrlimit(RLIMIT_AS, &r); /* Ignore errors */ #else /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but according to reliable sources, RLIMIT_DATA covers anonymous maps - so we should be getting good protection against OOM bugs. */ setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ #endif /* ^RLIMIT_AS */ } /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered before the dump is complete. */ // r.rlim_max = r.rlim_cur = 0; // setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ /* Isolate the process and configure standard descriptors. If out_file is specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ setsid(); if (!get_afl_env("AFL_DEBUG_CHILD_OUTPUT")) { dup2(fsrv->dev_null_fd, 1); dup2(fsrv->dev_null_fd, 2); } if (!fsrv->use_stdin) { dup2(fsrv->dev_null_fd, 0); } else { dup2(fsrv->out_fd, 0); close(fsrv->out_fd); } /* Set up control and status pipes, close the unneeded original fds. */ if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); close(ctl_pipe[0]); close(ctl_pipe[1]); close(st_pipe[0]); close(st_pipe[1]); close(fsrv->out_dir_fd); close(fsrv->dev_null_fd); #ifndef HAVE_ARC4RANDOM close(fsrv->dev_urandom_fd); #endif close(fsrv->plot_file == NULL ? -1 : fileno(fsrv->plot_file)); /* This should improve performance a bit, since it stops the linker from doing extra work post-fork(). */ if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); /* Set sane defaults for ASAN if nothing else specified. */ setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" "malloc_context_size=0:" "symbolize=0:" "allocator_may_return_null=1", 0); /* MSAN is tricky, because it doesn't support abort_on_error=1 at this point. So, we do this in a very hacky way. */ setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" "symbolize=0:" "abort_on_error=1:" "malloc_context_size=0:" "allocator_may_return_null=1:" "msan_track_origins=0", 0); if (fsrv->use_fauxsrv) { afl_fauxsrv_execv(fsrv, argv); } else { execv(fsrv->target_path, argv); } /* Use a distinctive bitmap signature to tell the parent about execv() falling through. */ *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG; exit(0); } /* PARENT PROCESS */ /* Close the unneeded endpoints. */ close(ctl_pipe[0]); close(st_pipe[1]); fsrv->fsrv_ctl_fd = ctl_pipe[1]; fsrv->fsrv_st_fd = st_pipe[0]; /* Wait for the fork server to come up, but don't wait too long. */ rlen = 0; if (fsrv->exec_tmout) { fd_set readfds; FD_ZERO(&readfds); FD_SET(fsrv->fsrv_st_fd, &readfds); timeout.tv_sec = ((fsrv->exec_tmout * FORK_WAIT_MULT) / 1000); timeout.tv_usec = ((fsrv->exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; int sret = select(fsrv->fsrv_st_fd + 1, &readfds, NULL, NULL, &timeout); if (sret == 0) { fsrv->child_timed_out = 1; kill(fsrv->child_pid, SIGKILL); } else { rlen = read(fsrv->fsrv_st_fd, &status, 4); } } else { rlen = read(fsrv->fsrv_st_fd, &status, 4); } /* If we have a four-byte "hello" message from the server, we're all set. Otherwise, try to figure out what went wrong. */ if (rlen == 4) { if (!getenv("AFL_QUIET")) OKF("All right - fork server is up."); return; } if (fsrv->child_timed_out) FATAL("Timeout while initializing fork server (adjusting -t may help)"); if (waitpid(fsrv->fsrv_pid, &status, 0) <= 0) PFATAL("waitpid() failed"); if (WIFSIGNALED(status)) { if (fsrv->mem_limit && fsrv->mem_limit < 500 && fsrv->uses_asan) { SAYF("\n" cLRD "[-] " cRST "Whoops, the target binary crashed suddenly, " "before receiving any input\n" " from the fuzzer! Since it seems to be built with ASAN and you " "have a\n" " restrictive memory limit configured, this is expected; please " "read\n" " %s/notes_for_asan.md for help.\n", doc_path); } else if (!fsrv->mem_limit) { SAYF("\n" cLRD "[-] " cRST "Whoops, the target binary crashed suddenly, " "before receiving any input\n" " from the fuzzer! There are several probable explanations:\n\n" " - The binary is just buggy and explodes entirely on its own. " "If so, you\n" " need to fix the underlying problem or find a better " "replacement.\n\n" MSG_FORK_ON_APPLE " - Less likely, there is a horrible bug in the fuzzer. If other " "options\n" " fail, poke for troubleshooting " "tips.\n"); } else { SAYF("\n" cLRD "[-] " cRST "Whoops, the target binary crashed suddenly, " "before receiving any input\n" " from the fuzzer! There are several probable explanations:\n\n" " - The current memory limit (%s) is too restrictive, causing " "the\n" " target to hit an OOM condition in the dynamic linker. Try " "bumping up\n" " the limit with the -m setting in the command line. A simple " "way confirm\n" " this diagnosis would be:\n\n" MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" " Tip: you can use http://jwilk.net/software/recidivm to " "quickly\n" " estimate the required amount of virtual memory for the " "binary.\n\n" " - The binary is just buggy and explodes entirely on its own. " "If so, you\n" " need to fix the underlying problem or find a better " "replacement.\n\n" MSG_FORK_ON_APPLE " - Less likely, there is a horrible bug in the fuzzer. If other " "options\n" " fail, poke for troubleshooting " "tips.\n", forkserver_DMS(fsrv->mem_limit << 20), fsrv->mem_limit - 1); } FATAL("Fork server crashed with signal %d", WTERMSIG(status)); } if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) FATAL("Unable to execute target application ('%s')", argv[0]); if (fsrv->mem_limit && fsrv->mem_limit < 500 && fsrv->uses_asan) { SAYF("\n" cLRD "[-] " cRST "Hmm, looks like the target binary terminated " "before we could complete a\n" " handshake with the injected code. Since it seems to be built " "with ASAN and\n" " you have a restrictive memory limit configured, this is " "expected; please\n" " read %s/notes_for_asan.md for help.\n", doc_path); } else if (!fsrv->mem_limit) { SAYF("\n" cLRD "[-] " cRST "Hmm, looks like the target binary terminated " "before we could complete a\n" " handshake with the injected code. Perhaps there is a horrible " "bug in the\n" " fuzzer. Poke for troubleshooting " "tips.\n"); } else { SAYF( "\n" cLRD "[-] " cRST "Hmm, looks like the target binary terminated " "before we could complete a\n" " handshake with the injected code. There are %s probable " "explanations:\n\n" "%s" " - The current memory limit (%s) is too restrictive, causing an " "OOM\n" " fault in the dynamic linker. This can be fixed with the -m " "option. A\n" " simple way to confirm the diagnosis may be:\n\n" MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" " estimate the required amount of virtual memory for the " "binary.\n\n" " - Less likely, there is a horrible bug in the fuzzer. If other " "options\n" " fail, poke for troubleshooting " "tips.\n", getenv(DEFER_ENV_VAR) ? "three" : "two", getenv(DEFER_ENV_VAR) ? " - You are using deferred forkserver, but __AFL_INIT() is " "never\n" " reached before the program terminates.\n\n" : "", forkserver_DMS(fsrv->mem_limit << 20), fsrv->mem_limit - 1); } FATAL("Fork server handshake failed"); } void afl_fsrv_killall() { LIST_FOREACH(&fsrv_list, afl_forkserver_t, { if (el->child_pid > 0) kill(el->child_pid, SIGKILL); }); } void afl_fsrv_deinit(afl_forkserver_t *fsrv) { list_remove(&fsrv_list, fsrv); }