1*08b48e0bSAndroid Build Coastguard Worker /*
2*08b48e0bSAndroid Build Coastguard Worker american fuzzy lop++ - initialization related routines
3*08b48e0bSAndroid Build Coastguard Worker ------------------------------------------------------
4*08b48e0bSAndroid Build Coastguard Worker
5*08b48e0bSAndroid Build Coastguard Worker Originally written by Michal Zalewski
6*08b48e0bSAndroid Build Coastguard Worker
7*08b48e0bSAndroid Build Coastguard Worker Now maintained by Marc Heuse <[email protected]>,
8*08b48e0bSAndroid Build Coastguard Worker Heiko Eißfeldt <[email protected]> and
9*08b48e0bSAndroid Build Coastguard Worker Andrea Fioraldi <[email protected]>
10*08b48e0bSAndroid Build Coastguard Worker
11*08b48e0bSAndroid Build Coastguard Worker Copyright 2016, 2017 Google Inc. All rights reserved.
12*08b48e0bSAndroid Build Coastguard Worker Copyright 2019-2024 AFLplusplus Project. All rights reserved.
13*08b48e0bSAndroid Build Coastguard Worker
14*08b48e0bSAndroid Build Coastguard Worker Licensed under the Apache License, Version 2.0 (the "License");
15*08b48e0bSAndroid Build Coastguard Worker you may not use this file except in compliance with the License.
16*08b48e0bSAndroid Build Coastguard Worker You may obtain a copy of the License at:
17*08b48e0bSAndroid Build Coastguard Worker
18*08b48e0bSAndroid Build Coastguard Worker https://www.apache.org/licenses/LICENSE-2.0
19*08b48e0bSAndroid Build Coastguard Worker
20*08b48e0bSAndroid Build Coastguard Worker This is the real deal: the program takes an instrumented binary and
21*08b48e0bSAndroid Build Coastguard Worker attempts a variety of basic fuzzing tricks, paying close attention to
22*08b48e0bSAndroid Build Coastguard Worker how they affect the execution path.
23*08b48e0bSAndroid Build Coastguard Worker
24*08b48e0bSAndroid Build Coastguard Worker */
25*08b48e0bSAndroid Build Coastguard Worker
#include "afl-fuzz.h"
#include "common.h"
#include "cmplog.h"
#include <errno.h>
#include <limits.h>
#include <string.h>
31*08b48e0bSAndroid Build Coastguard Worker
32*08b48e0bSAndroid Build Coastguard Worker #ifdef HAVE_AFFINITY
33*08b48e0bSAndroid Build Coastguard Worker
34*08b48e0bSAndroid Build Coastguard Worker /* bind process to a specific cpu. Returns 0 on failure. */
35*08b48e0bSAndroid Build Coastguard Worker
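static u8 bind_cpu(afl_state_t *afl, s32 cpuid) {

  /* Pin the calling process (Linux, Solaris) or the calling thread (the BSDs)
     to CPU `cpuid`.

     Returns 1 on success and 0 on failure. afl->cpu_aff is updated only once
     the bind actually succeeded, so a failed attempt (e.g. a bogus -b value
     under AFL_TRY_AFFINITY) does not leave the stats UI claiming a core we are
     not pinned to. On platforms without a supported affinity API this warns
     and reports success so that start-up can continue. */

  u8 ok = 0;

#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__)

  cpu_set_t c;

  /* `cpuid` comes straight from the -b option or from the free-core scan.
     CPU_SET() on the BSDs does not bounds-check its argument, so reject any
     id that does not fit in the fixed-size mask before touching it. */
  if (cpuid < 0 || (size_t)cpuid >= 8 * sizeof(c)) { return 0; }

  CPU_ZERO(&c);
  CPU_SET(cpuid, &c);

  #if defined(__linux__)
  ok = (sched_setaffinity(0, sizeof(c), &c) == 0);
  #else
  ok = (pthread_setaffinity_np(pthread_self(), sizeof(c), &c) == 0);
  #endif

#elif defined(__NetBSD__)

  cpuset_t *c;

  if (cpuid < 0) { return 0; }

  c = cpuset_create();
  if (c == NULL) { PFATAL("cpuset_create failed"); }

  /* cpuset_set() rejects ids outside the set; treat that as "cannot bind". */
  if (cpuset_set(cpuid, c) != 0) {

    cpuset_destroy(c);
    return 0;

  }

  ok = (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c) == 0);
  cpuset_destroy(c);

#elif defined(__sun)

  psetid_t c;

  /* pset_create() can fail (e.g. insufficient privilege); using the
     uninitialised id afterwards would be meaningless. */
  if (pset_create(&c) != 0) { PFATAL("pset_create failed"); }
  if (pset_assign(c, cpuid, NULL) != 0) { PFATAL("pset_assign failed"); }

  ok = (pset_bind(c, P_PID, getpid(), NULL) == 0);
  pset_destroy(c);

#else

  // this will need something for other platforms
  // TODO: Solaris/Illumos has processor_bind ... might worth a try
  WARNF("Cannot bind to CPU yet on this platform.");
  ok = 1;

#endif

  if (ok) { afl->cpu_aff = cpuid; }

  return ok;

}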
108*08b48e0bSAndroid Build Coastguard Worker
/* Pick a free CPU core and bind this afl-fuzz instance to it, honouring
   AFL_NO_AFFINITY, AFL_TRY_AFFINITY and -b. Does not return a value: if no
   free core can be found this is fatal unless AFL_TRY_AFFINITY is set, while
   a failure to scan (e.g. /proc not readable) only warns and leaves the
   process unbound. Assumes an upper bound of 4k CPUs. */
111*08b48e0bSAndroid Build Coastguard Worker
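void bind_to_free_cpu(afl_state_t *afl) {

  /* Pick an idle CPU core and pin this afl-fuzz instance to it.

     Precedence:
       - AFL_NO_AFFINITY (without AFL_TRY_AFFINITY): do not bind at all;
         combining it with -b is rejected.
       - -b <cpu>: bind to exactly that core, or die (warn only when
         AFL_TRY_AFFINITY is set).
       - otherwise: build a platform-specific bitmap of cores that look busy
         (cpu_used[]) and bind to the first core not flagged there. With
         several free cores the lowest-numbered one wins, except on ARM where
         the scan runs from the highest core downwards (see below).

     With -M/-S the scan is serialised between concurrently starting instances
     via <sync_dir>/.affinity_lock, created with O_EXCL and removed on every
     exit path below. cpu_used[] only describes the first 4096 cores; cores
     above that are neither scanned nor bound to. */

  u8  cpu_used[4096] = {0};
  u8  lockfile[PATH_MAX] = "";
  s32 i;
  s32 ncores;

  if (afl->afl_env.afl_no_affinity && !afl->afl_env.afl_try_affinity) {

    if (afl->cpu_to_bind != -1) {

      FATAL("-b and AFL_NO_AFFINITY are mutually exclusive.");

    }

    WARNF("Not binding to a CPU core (AFL_NO_AFFINITY set).");
#ifdef __linux__
    if (afl->fsrv.nyx_mode) { afl->fsrv.nyx_bind_cpu_id = 0; }
#endif
    return;

  }

  if (afl->cpu_to_bind != -1) {

    if (!bind_cpu(afl, afl->cpu_to_bind)) {

      if (afl->afl_env.afl_try_affinity) {

        WARNF(
            "Could not bind to requested CPU %d! Make sure you passed a valid "
            "-b.",
            afl->cpu_to_bind);

      } else {

        FATAL(
            "Could not bind to requested CPU %d! Make sure you passed a valid "
            "-b.",
            afl->cpu_to_bind);

      }

    } else {

      OKF("CPU binding request using -b %d successful.", afl->cpu_to_bind);
#ifdef __linux__
      if (afl->fsrv.nyx_mode) { afl->fsrv.nyx_bind_cpu_id = afl->cpu_to_bind; }
#endif

    }

    return;

  }

  /* Nothing to choose from on a single-core machine. */
  if (afl->cpu_core_count < 2) { return; }

  /* Never index cpu_used[] past its end on machines with more than 4096
     cores; the extra cores are simply not considered. */
  ncores = afl->cpu_core_count;
  if (ncores > (s32)sizeof(cpu_used)) { ncores = (s32)sizeof(cpu_used); }

  if (afl->sync_id) {

    s32 lockfd, first = 1;

    snprintf(lockfile, sizeof(lockfile), "%s/.affinity_lock", afl->sync_dir);

    /* Exported for the rest of afl-fuzz; nothing in this function reads it
       back. */
    setenv(CPU_AFFINITY_ENV_VAR, lockfile, 1);

    /* O_EXCL makes the create atomic, so whoever gets the fd owns the scan.
       There is no timeout: a stale .affinity_lock left behind by an instance
       that died before unlinking it has to be removed by hand. */
    do {

      lockfd = open(lockfile, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION);

      if (lockfd < 0) {

        /* Only another instance holding the lock is a reason to wait. Any
           other failure (missing or unwritable sync dir, path too long, ...)
           would never clear up and used to spin here forever. */
        if (errno != EEXIST) {

          PFATAL("Unable to create CPU affinity lock file '%s'", lockfile);

        }

        if (first) {

          WARNF("CPU affinity lock file present, waiting ...");
          first = 0;

        }

        usleep(1000);

      }

    } while (lockfd < 0);

    close(lockfd);

  }

#if defined(__linux__)

  DIR           *d;
  struct dirent *de;
  d = opendir("/proc");

  if (!d) {

    if (lockfile[0]) unlink(lockfile);
    WARNF("Unable to access /proc - can't scan for free CPU cores.");
    return;

  }

  ACTF("Checking CPU core loadout...");

  /* Scan all /proc/<pid>/status entries, checking for Cpus_allowed_list.
     A process whose allowed list names exactly one CPU (no ranges, no
     commas) is taken to occupy that CPU; entries without VmSize are skipped
     as they are most likely kernel threads. This is a heuristic: processes
     restricted to a range ("0-3") are ignored, and it will misjudge some
     exotic binding setups, but it is good enough for the common case of
     several afl-fuzz instances sharing a box. */

  while ((de = readdir(d))) {

    u8    fn[PATH_MAX];
    FILE *f;
    u8    tmp[MAX_LINE];
    u8    has_vmsize = 0;

    if (!isdigit(de->d_name[0])) { continue; }

    snprintf(fn, PATH_MAX, "/proc/%s/status", de->d_name);

    if (!(f = fopen(fn, "r"))) { continue; }

    while (fgets(tmp, MAX_LINE, f)) {

      u32 hval;

      /* Processes without VmSize are probably kernel tasks. */

      if (!strncmp(tmp, "VmSize:\t", 8)) { has_vmsize = 1; }

      if (!strncmp(tmp, "Cpus_allowed_list:\t", 19) && !strchr(tmp, '-') &&
          !strchr(tmp, ',') && sscanf(tmp + 19, "%u", &hval) == 1 &&
          hval < sizeof(cpu_used) && has_vmsize) {

        cpu_used[hval] = 1;
        break;

      }

    }

    fclose(f);

  }

  closedir(d);

#elif defined(__FreeBSD__) || defined(__DragonFly__)

  struct kinfo_proc *procs;
  size_t             nprocs;
  size_t             proccount;
  int                s_name[] = {CTL_KERN, KERN_PROC, KERN_PROC_ALL};
  size_t             s_name_l = sizeof(s_name) / sizeof(s_name[0]);

  if (sysctl(s_name, s_name_l, NULL, &nprocs, NULL, 0) != 0) {

    if (lockfile[0]) unlink(lockfile);
    return;

  }

  /* The first call only reports the size needed (in bytes). The process
     table may grow before the second call, so allocate some slack and take
     the entry count from the size the second call actually filled in, rather
     than from the estimate. */
  nprocs = nprocs * 4 / 3;
  procs = ck_alloc(nprocs);

  if (sysctl(s_name, s_name_l, procs, &nprocs, NULL, 0) != 0) {

    if (lockfile[0]) unlink(lockfile);
    ck_free(procs);
    return;

  }

  proccount = nprocs / sizeof(*procs);

  for (i = 0; i < (s32)proccount; i++) {

  #if defined(__FreeBSD__)

    if (!strcmp(procs[i].ki_comm, "idle")) continue;

    /* ki_oncpu is -1 for processes not currently running; fall back to the
       CPU they last ran on. */
    s32 oncpu;
    oncpu = procs[i].ki_oncpu;
    if (oncpu == -1) oncpu = procs[i].ki_lastcpu;

    /* Only processes using a substantial share of a core count as busy. */
    if (oncpu != -1 && oncpu < (s32)sizeof(cpu_used) && procs[i].ki_pctcpu > 60)
      cpu_used[oncpu] = 1;

  #elif defined(__DragonFly__)

    if (procs[i].kp_lwp.kl_cpuid < (s32)sizeof(cpu_used) &&
        procs[i].kp_lwp.kl_pctcpu > 10)
      cpu_used[procs[i].kp_lwp.kl_cpuid] = 1;

  #endif

  }

  ck_free(procs);

#elif defined(__NetBSD__)

  struct kinfo_proc2 *procs;
  size_t              nprocs;
  size_t              proccount;
  int                 s_name[] = {

      CTL_KERN, KERN_PROC2, KERN_PROC_ALL, 0, sizeof(struct kinfo_proc2), 0};
  size_t s_name_l = sizeof(s_name) / sizeof(s_name[0]);

  if (sysctl(s_name, s_name_l, NULL, &nprocs, NULL, 0) != 0) {

    if (lockfile[0]) unlink(lockfile);
    return;

  }

  /* nprocs is a byte count (the sizing call above), so allocate exactly that
     many bytes - multiplying it by the element size again, as was done
     before, over-allocated by a factor of sizeof(struct kinfo_proc2).
     s_name[5] caps the number of entries the kernel may return. */
  proccount = nprocs / sizeof(struct kinfo_proc2);
  procs = ck_alloc(nprocs);
  s_name[5] = proccount;

  if (sysctl(s_name, s_name_l, procs, &nprocs, NULL, 0) != 0) {

    if (lockfile[0]) unlink(lockfile);
    ck_free(procs);
    return;

  }

  /* Use the count actually returned, which may be smaller than requested. */
  proccount = nprocs / sizeof(struct kinfo_proc2);

  for (i = 0; i < (s32)proccount; i++) {

    if (procs[i].p_cpuid < sizeof(cpu_used) && procs[i].p_pctcpu > 0)
      cpu_used[procs[i].p_cpuid] = 1;

  }

  ck_free(procs);

#elif defined(__sun)

  kstat_named_t *n;
  kstat_ctl_t   *m;
  kstat_t       *k;
  cpu_stat_t     cs;
  u32            ncpus;

  m = kstat_open();

  if (!m) FATAL("kstat_open failed");

  k = kstat_lookup(m, "unix", 0, "system_misc");

  if (!k) {

    if (lockfile[0]) unlink(lockfile);
    kstat_close(m);
    return;

  }

  if (kstat_read(m, k, NULL)) {

    if (lockfile[0]) unlink(lockfile);
    kstat_close(m);
    return;

  }

  /* kstat_data_lookup() returns NULL when the named statistic is absent;
     give up on the scan rather than dereference it. */
  n = kstat_data_lookup(k, "ncpus");

  if (!n) {

    if (lockfile[0]) unlink(lockfile);
    kstat_close(m);
    return;

  }

  ncpus = n->value.i32;

  if (ncpus > sizeof(cpu_used)) ncpus = sizeof(cpu_used);

  for (i = 0; i < (s32)ncpus; i++) {

    k = kstat_lookup(m, "cpu_stat", i, NULL);

    /* A missing instance (NULL) is treated like a failed read. */
    if (!k || kstat_read(m, k, &cs)) {

      if (lockfile[0]) unlink(lockfile);
      kstat_close(m);
      return;

    }

    /* Any idle time means the core is not saturated. */
    if (cs.cpu_sysinfo.cpu[CPU_IDLE] > 0) continue;

    if (cs.cpu_sysinfo.cpu[CPU_USER] > 0 || cs.cpu_sysinfo.cpu[CPU_KERNEL] > 0)
      cpu_used[i] = 1;

  }

  kstat_close(m);

#else
  #warning \
      "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus"
#endif

#if !defined(__aarch64__) && !defined(__arm__) && !defined(__arm64__)

  for (i = 0; i < ncores; i++) {

#else

  /* many ARM devices have performance and efficiency cores, the slower
     efficiency cores seem to always come first */

  for (i = ncores - 1; i > -1; i--) {

#endif

    if (cpu_used[i]) { continue; }

    OKF("Found a free CPU core, try binding to #%d.", i);

    if (bind_cpu(afl, i)) {

#ifdef __linux__
      if (afl->fsrv.nyx_mode) { afl->fsrv.nyx_bind_cpu_id = i; }
#endif
      /* Success :) */
      break;

    }

    WARNF("setaffinity failed to CPU %d, trying next CPU", i);

  }

  if (lockfile[0]) unlink(lockfile);

  /* The loop ran off either end without a successful bind. */
  if (i == ncores || i == -1) {

    SAYF("\n" cLRD "[-] " cRST
         "Uh-oh, looks like all %d CPU cores on your system are allocated to\n"
         "    other instances of afl-fuzz (or similar CPU-locked tasks). "
         "Starting\n"
         "    another fuzzer on this machine is probably a bad plan.\n"
         "%s",
         afl->cpu_core_count,
         afl->afl_env.afl_try_affinity ? ""
                                       : "    If you are sure, you can set "
                                         "AFL_NO_AFFINITY and try again.\n");

    if (!afl->afl_env.afl_try_affinity) { FATAL("No more free CPU cores"); }

  }

}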
459*08b48e0bSAndroid Build Coastguard Worker
460*08b48e0bSAndroid Build Coastguard Worker #endif /* HAVE_AFFINITY */
461*08b48e0bSAndroid Build Coastguard Worker
462*08b48e0bSAndroid Build Coastguard Worker /* Shuffle an array of pointers. Might be slightly biased. */
463*08b48e0bSAndroid Build Coastguard Worker
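static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) {

  /* In-place Fisher-Yates shuffle of ptrs[0..cnt-1], drawing randomness from
     rand_below().

     Arrays with fewer than two elements are left untouched: without that
     guard the unsigned `cnt - 2` of the old loop bound wrapped for cnt < 2
     and the loop ran off the end of the array. The loop now visits every
     position except the last, picking j uniformly from [i, cnt), which gives
     a uniform permutation (the old `i < cnt - 2` bound could only reach 3 of
     the 6 orderings of a 3-element array). */

  u32 i;

  if (cnt < 2) { return; }

  for (i = 0; i < cnt - 1; ++i) {

    u32   j = i + rand_below(afl, cnt - i);
    void *tmp = ptrs[i];
    ptrs[i] = ptrs[j];
    ptrs[j] = tmp;

  }

}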
478*08b48e0bSAndroid Build Coastguard Worker
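/* Read all testcases from foreign input directories, then queue them for
   testing. Called at startup and at sync intervals.
   Does not descend into subdirectories!

   afl:   fuzzer state. Reads afl->foreign_syncs[0 .. foreign_sync_cnt) and,
          per directory, advances its .mtime high-water mark to the newest
          file that was run; adds to afl->queued_imported; on the startup
          call also resets afl->last_find_time and sets afl->queued_at_start.
   first: non-zero for the startup call. Enables the per-directory
          diagnostics (which would be noise at every sync interval) and turns
          an unreadable entry into a fatal error instead of a skip.

   Entries whose mtime is not newer than the directory's recorded mtime are
   skipped, so each file is executed once. Files are fed through
   write_to_testcase()/fuzz_run_target()/save_if_interesting() rather than
   add_to_queue() so that duplicates of the startup corpus are filtered. */

void read_foreign_testcases(afl_state_t *afl, int first) {

  if (!afl->foreign_sync_cnt) return;

  struct dirent **nl;
  s32             nl_cnt;
  u32             i, iter;

  u8 val_buf[2][STRINGIFY_VAL_SIZE_MAX];
  u8 foreign_name[16];

  for (iter = 0; iter < afl->foreign_sync_cnt; iter++) {

    u8 *sync_dir = afl->foreign_syncs[iter].dir;

    if (!sync_dir || !sync_dir[0]) { continue; }

    if (first) ACTF("Scanning '%s'...", sync_dir);

    /* Start from the recorded mark rather than 0: a sync round that finds
       nothing new must not reset the mark, or the next round would re-import
       every file in the directory. */
    time_t mtime_max = afl->foreign_syncs[iter].mtime;

    /* Label imported entries after the last path component; generic names
       fall back to a numbered label so several foreign directories stay
       distinguishable. The label is bounded by sizeof(foreign_name) and is
       silently truncated by snprintf() if the component is longer. */
    u8 *name = strrchr(sync_dir, '/');
    name = name ? name + 1 : sync_dir;

    if (!strcmp(name, "queue") || !strcmp(name, "out") ||
        !strcmp(name, "default")) {

      snprintf(foreign_name, sizeof(foreign_name), "foreign_%u", iter);

    } else {

      snprintf(foreign_name, sizeof(foreign_name), "%s_%u", name, iter);

    }

    /* We do not use sorting yet and do a more expensive mtime check instead.
       An mtimesort() implementation would be better though. */

    nl = NULL;
    nl_cnt = scandir(sync_dir, &nl, NULL, NULL);

    if (nl_cnt < 0) {

      if (first) {

        WARNF("Unable to open directory '%s'", sync_dir);
        sleep(1);

      }

      continue;

    }

    if (nl_cnt == 0) {

      if (first) { WARNF("directory %s is currently empty", sync_dir); }

      free(nl); /* not tracked; NULL or an empty array, both are fine */
      continue;

    }

    /* Show stats */

    snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "foreign sync %u", iter);

    afl->stage_name = afl->stage_name_buf;
    afl->stage_cur = 0;
    afl->stage_max = 0;

    for (i = 0; i < (u32)nl_cnt; ++i) {

      struct stat st;

      /* fn2 is owned by this iteration and released on every exit path. */
      u8 *fn2 = alloc_printf("%s/%s", sync_dir, nl[i]->d_name);

      free(nl[i]); /* not tracked */

      if (unlikely(lstat(fn2, &st) || access(fn2, R_OK))) {

        if (first) PFATAL("Unable to access '%s'", fn2);
        ck_free(fn2);
        continue;

      }

      /* we detect new files by their mtime */
      if (likely(st.st_mtime <= afl->foreign_syncs[iter].mtime)) {

        ck_free(fn2);
        continue;

      }

      /* This also takes care of . and .. (not regular files). lstat() does
         not follow symlinks, so a symlinked testcase is skipped as well. The
         README check matches the substring anywhere in the full path. */

      if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn2, "/README.txt")) {

        ck_free(fn2);
        continue;

      }

      if (st.st_size > MAX_FILE) {

        if (first) {

          WARNF(
              "Test case '%s' is too big (%s, limit is %s), skipping", fn2,
              stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size),
              stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE));

        }

        ck_free(fn2);
        continue;

      }

      // lets do not use add_to_queue(afl, fn2, st.st_size, 0);
      // as this could add duplicates of the startup input corpus

      int fd = open(fn2, O_RDONLY);
      if (fd < 0) {

        ck_free(fn2);
        continue;

      }

      /* st.st_size is non-zero here (checked above), so the mapping has a
         valid length. */
      u8 *map = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);

      if (map == MAP_FAILED) {

        close(fd);
        ck_free(fn2);
        continue;

      }

      /* write_to_testcase() receives the buffer by address and is therefore
         free to swap it (presumably for a mutated copy - see its definition).
         'map' keeps the original mapping so munmap() below always gets the
         pointer that mmap() returned, whatever 'mem' ends up pointing at. */
      u8 *mem = map;
      u32 len = write_to_testcase(afl, (void **)&mem, st.st_size, 1);
      u8  fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);

      /* foreign_name lives on this stack frame; the pointer is published only
         for the duration of save_if_interesting() and cleared right after. */
      afl->syncing_party = foreign_name;
      afl->queued_imported += save_if_interesting(afl, mem, len, fault);
      afl->syncing_party = 0;

      munmap(map, st.st_size);
      close(fd);
      ck_free(fn2);

      if (st.st_mtime > mtime_max) mtime_max = st.st_mtime;

    }

    afl->foreign_syncs[iter].mtime = mtime_max;
    free(nl); /* not tracked */

  }

  if (first) {

    afl->last_find_time = 0;
    afl->queued_at_start = afl->queued_items;

  }

}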
659*08b48e0bSAndroid Build Coastguard Worker
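/* Read all testcases from the input directory, then queue them for testing.
   Called at startup.

   afl:       fuzzer state. When 'directory' is NULL and "<in_dir>/queue"
              exists, afl->in_dir is redirected to that path (the previous
              value is not freed). Every regular, non-empty entry is passed
              to add_to_queue(); afl->cmplog_max_filesize is tracked while
              cmplog mode is on; afl->last_find_time and
              afl->queued_at_start are (re)set at the end of every call.
   directory: NULL for the top-level call, which scans afl->in_dir, descends
              into subdirectories (except when the queue/ redirection above
              was taken) and aborts with a diagnostic if nothing usable was
              found; otherwise the subdirectory handled by a recursive call.

   Entries are visited in alphasort() order (walked back to front when
   resuming in place), unless the old seed selection with queue shuffling
   is active, in which case the list is shuffled first. */

void read_testcases(afl_state_t *afl, u8 *directory) {

  struct dirent **nl = NULL;
  s32             nl_cnt, subdirs = 1;
  u32             i;
  u8             *dir = directory;
  u8              val_buf[2][STRINGIFY_VAL_SIZE_MAX];

  /* Auto-detect non-in-place resumption attempts: an input directory that
     contains a queue/ is treated as an old output directory, and only that
     queue is read. fn1 is handed over to afl->in_dir in that case. */

  if (dir == NULL) {

    u8 *fn1 = alloc_printf("%s/queue", afl->in_dir);

    if (!access(fn1, F_OK)) {

      afl->in_dir = fn1;
      subdirs = 0;

    } else {

      ck_free(fn1);

    }

    dir = afl->in_dir;

  }

  ACTF("Scanning '%s'...", dir);

  /* We use scandir() + alphasort() rather than readdir() because otherwise,
     the ordering of test cases would vary somewhat randomly and would be
     difficult to control. */

  nl_cnt = scandir(dir, &nl, NULL, alphasort);

  if (nl_cnt < 0 && directory == NULL) {

    if (errno == ENOENT || errno == ENOTDIR) {

      SAYF("\n" cLRD "[-] " cRST
           "The input directory does not seem to be valid - try again. The "
           "fuzzer needs\n"
           " one or more test case to start with - ideally, a small file "
           "under 1 kB\n"
           " or so. The cases must be stored as regular files directly in "
           "the input\n"
           " directory.\n");

    }

    PFATAL("Unable to open '%s'", dir);

  }

  /* A subdirectory whose scan fails (removed or made unreadable after
     lstat() saw it, EMFILE, ENOMEM, ...) is not fatal; it contributes no
     entries. scandir() leaves nl unspecified on failure, which is why the
     loop below is guarded by nl_cnt > 0 and nl starts out as NULL. */

  if (unlikely(afl->old_seed_selection && afl->shuffle_queue && nl_cnt > 1)) {

    ACTF("Shuffling queue...");
    shuffle_ptrs(afl, (void **)nl, nl_cnt);

  }

  if (nl_cnt > 0) {

    u32 done = 0;

    /* In-place resume walks the list back to front. */
    i = unlikely(afl->in_place_resume) ? (u32)nl_cnt : 0;

    do {

      if (unlikely(afl->in_place_resume)) { --i; }

      struct stat st;
      u8          dfn[PATH_MAX];
      snprintf(dfn, PATH_MAX, "%s/.state/deterministic_done/%s", afl->in_dir,
               nl[i]->d_name);
      u8 *fn2 = alloc_printf("%s/%s", dir, nl[i]->d_name);

      u8 passed_det = 0;

      if (lstat(fn2, &st) || access(fn2, R_OK)) {

        PFATAL("Unable to access '%s'", fn2);

      }

      /* obviously we want to skip "descending" into . and .. directories,
         however it is a good idea to skip also directories that start with
         a dot */
      if (subdirs && S_ISDIR(st.st_mode) && nl[i]->d_name[0] != '.') {

        free(nl[i]); /* not tracked */
        read_testcases(afl, fn2);
        ck_free(fn2);
        goto next_entry;

      }

      free(nl[i]);

      /* lstat() does not follow symlinks, so a symlinked seed is not
         S_ISREG and is skipped. The README check matches the substring
         anywhere in the full path. */
      if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn2, "/README.txt")) {

        ck_free(fn2);
        goto next_entry;

      }

      if (st.st_size > MAX_FILE) {

        WARNF("Test case '%s' is too big (%s, limit is %s), partial reading",
              fn2,
              stringify_mem_size(val_buf[0], sizeof(val_buf[0]), st.st_size),
              stringify_mem_size(val_buf[1], sizeof(val_buf[1]), MAX_FILE));

      }

      /* Check for metadata that indicates that deterministic fuzzing
         is complete for this entry. We don't want to repeat deterministic
         fuzzing when resuming aborted scans, because it would be pointless
         and probably very time-consuming. */

      if (!access(dfn, F_OK)) { passed_det = 1; }

      /* fn2 is not freed here: add_to_queue() takes it over (presumably as
         the entry's fname). Oversized inputs are queued with their length
         clamped to MAX_FILE, matching the "partial reading" warning. */
      add_to_queue(afl, fn2, st.st_size >= MAX_FILE ? MAX_FILE : st.st_size,
                   passed_det);

      if (unlikely(afl->shm.cmplog_mode)) {

        /* Level 1 tracks the largest seed, level 2 the smallest; the final
           value is rounded up to a 1 KiB boundary after the scan. */
        if (afl->cmplog_lvl == 1) {

          if (!afl->cmplog_max_filesize ||
              afl->cmplog_max_filesize < st.st_size) {

            afl->cmplog_max_filesize = st.st_size;

          }

        } else if (afl->cmplog_lvl == 2) {

          if (!afl->cmplog_max_filesize ||
              afl->cmplog_max_filesize > st.st_size) {

            afl->cmplog_max_filesize = st.st_size;

          }

        }

      }

    next_entry:
      if (unlikely(afl->in_place_resume)) {

        if (unlikely(i == 0)) { done = 1; }

      } else {

        if (unlikely(++i >= (u32)nl_cnt)) { done = 1; }

      }

    } while (!done);

  }

  free(nl); /* not tracked; NULL when scandir() failed */

  if (!afl->queued_items && directory == NULL) {

    SAYF("\n" cLRD "[-] " cRST
         "Looks like there are no valid test cases in the input directory! The "
         "fuzzer\n"
         " needs one or more test case to start with - ideally, a small "
         "file under\n"
         " 1 kB or so. The cases must be stored as regular files directly "
         "in the\n"
         " input directory.\n");

    FATAL("No usable test cases in '%s'", afl->in_dir);

  }

  if (unlikely(afl->shm.cmplog_mode)) {

    /* NOTE(review): this rounding runs once per (recursive) call, so each
       nested subdirectory level adds another 1 KiB - confirm whether that is
       intended before relying on the exact value. */
    if (afl->cmplog_max_filesize < 1024) {

      afl->cmplog_max_filesize = 1024;

    } else {

      afl->cmplog_max_filesize = (((afl->cmplog_max_filesize >> 10) + 1) << 10);

    }

  }

  afl->last_find_time = 0;
  afl->queued_at_start = afl->queued_items;

}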
875*08b48e0bSAndroid Build Coastguard Worker
876*08b48e0bSAndroid Build Coastguard Worker /* Perform dry run of all test cases to confirm that the app is working as
877*08b48e0bSAndroid Build Coastguard Worker expected. This is done only for the initial inputs, and only once. */
878*08b48e0bSAndroid Build Coastguard Worker
879*08b48e0bSAndroid Build Coastguard Worker void perform_dry_run(afl_state_t *afl) {
880*08b48e0bSAndroid Build Coastguard Worker
881*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *q;
882*08b48e0bSAndroid Build Coastguard Worker u32 cal_failures = 0, idx;
883*08b48e0bSAndroid Build Coastguard Worker u8 *use_mem;
884*08b48e0bSAndroid Build Coastguard Worker
885*08b48e0bSAndroid Build Coastguard Worker for (idx = 0; idx < afl->queued_items; idx++) {
886*08b48e0bSAndroid Build Coastguard Worker
887*08b48e0bSAndroid Build Coastguard Worker q = afl->queue_buf[idx];
888*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!q || q->disabled)) { continue; }
889*08b48e0bSAndroid Build Coastguard Worker
890*08b48e0bSAndroid Build Coastguard Worker u8 res;
891*08b48e0bSAndroid Build Coastguard Worker s32 fd;
892*08b48e0bSAndroid Build Coastguard Worker
893*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!q->len)) {
894*08b48e0bSAndroid Build Coastguard Worker
895*08b48e0bSAndroid Build Coastguard Worker WARNF("Skipping 0-sized entry in queue (%s)", q->fname);
896*08b48e0bSAndroid Build Coastguard Worker continue;
897*08b48e0bSAndroid Build Coastguard Worker
898*08b48e0bSAndroid Build Coastguard Worker }
899*08b48e0bSAndroid Build Coastguard Worker
900*08b48e0bSAndroid Build Coastguard Worker if (afl->afl_env.afl_cmplog_only_new) { q->colorized = CMPLOG_LVL_MAX; }
901*08b48e0bSAndroid Build Coastguard Worker
902*08b48e0bSAndroid Build Coastguard Worker u8 *fn = strrchr(q->fname, '/') + 1;
903*08b48e0bSAndroid Build Coastguard Worker
904*08b48e0bSAndroid Build Coastguard Worker ACTF("Attempting dry run with '%s'...", fn);
905*08b48e0bSAndroid Build Coastguard Worker
906*08b48e0bSAndroid Build Coastguard Worker fd = open(q->fname, O_RDONLY);
907*08b48e0bSAndroid Build Coastguard Worker if (fd < 0) { PFATAL("Unable to open '%s'", q->fname); }
908*08b48e0bSAndroid Build Coastguard Worker
909*08b48e0bSAndroid Build Coastguard Worker u32 read_len = MIN(q->len, (u32)MAX_FILE);
910*08b48e0bSAndroid Build Coastguard Worker use_mem = afl_realloc(AFL_BUF_PARAM(in), read_len);
911*08b48e0bSAndroid Build Coastguard Worker ck_read(fd, use_mem, read_len, q->fname);
912*08b48e0bSAndroid Build Coastguard Worker
913*08b48e0bSAndroid Build Coastguard Worker close(fd);
914*08b48e0bSAndroid Build Coastguard Worker
915*08b48e0bSAndroid Build Coastguard Worker res = calibrate_case(afl, q, use_mem, 0, 1);
916*08b48e0bSAndroid Build Coastguard Worker
917*08b48e0bSAndroid Build Coastguard Worker if (afl->stop_soon) { return; }
918*08b48e0bSAndroid Build Coastguard Worker
919*08b48e0bSAndroid Build Coastguard Worker if (res == afl->crash_mode || res == FSRV_RUN_NOBITS) {
920*08b48e0bSAndroid Build Coastguard Worker
921*08b48e0bSAndroid Build Coastguard Worker SAYF(cGRA
922*08b48e0bSAndroid Build Coastguard Worker " len = %u, map size = %u, exec speed = %llu us, hash = "
923*08b48e0bSAndroid Build Coastguard Worker "%016llx\n" cRST,
924*08b48e0bSAndroid Build Coastguard Worker q->len, q->bitmap_size, q->exec_us, q->exec_cksum);
925*08b48e0bSAndroid Build Coastguard Worker
926*08b48e0bSAndroid Build Coastguard Worker }
927*08b48e0bSAndroid Build Coastguard Worker
928*08b48e0bSAndroid Build Coastguard Worker switch (res) {
929*08b48e0bSAndroid Build Coastguard Worker
930*08b48e0bSAndroid Build Coastguard Worker case FSRV_RUN_OK:
931*08b48e0bSAndroid Build Coastguard Worker
932*08b48e0bSAndroid Build Coastguard Worker if (afl->crash_mode) { FATAL("Test case '%s' does *NOT* crash", fn); }
933*08b48e0bSAndroid Build Coastguard Worker
934*08b48e0bSAndroid Build Coastguard Worker break;
935*08b48e0bSAndroid Build Coastguard Worker
936*08b48e0bSAndroid Build Coastguard Worker case FSRV_RUN_TMOUT:
937*08b48e0bSAndroid Build Coastguard Worker
938*08b48e0bSAndroid Build Coastguard Worker if (afl->timeout_given && !afl->afl_env.afl_exit_on_seed_issues) {
939*08b48e0bSAndroid Build Coastguard Worker
940*08b48e0bSAndroid Build Coastguard Worker /* if we have a timeout but a timeout value was given then always
941*08b48e0bSAndroid Build Coastguard Worker skip. The '+' meaning has been changed! */
942*08b48e0bSAndroid Build Coastguard Worker WARNF("Test case results in a timeout (skipping)");
943*08b48e0bSAndroid Build Coastguard Worker ++cal_failures;
944*08b48e0bSAndroid Build Coastguard Worker q->cal_failed = CAL_CHANCES;
945*08b48e0bSAndroid Build Coastguard Worker q->disabled = 1;
946*08b48e0bSAndroid Build Coastguard Worker q->perf_score = 0;
947*08b48e0bSAndroid Build Coastguard Worker
948*08b48e0bSAndroid Build Coastguard Worker if (!q->was_fuzzed) {
949*08b48e0bSAndroid Build Coastguard Worker
950*08b48e0bSAndroid Build Coastguard Worker q->was_fuzzed = 1;
951*08b48e0bSAndroid Build Coastguard Worker afl->reinit_table = 1;
952*08b48e0bSAndroid Build Coastguard Worker --afl->pending_not_fuzzed;
953*08b48e0bSAndroid Build Coastguard Worker --afl->active_items;
954*08b48e0bSAndroid Build Coastguard Worker
955*08b48e0bSAndroid Build Coastguard Worker }
956*08b48e0bSAndroid Build Coastguard Worker
957*08b48e0bSAndroid Build Coastguard Worker break;
958*08b48e0bSAndroid Build Coastguard Worker
959*08b48e0bSAndroid Build Coastguard Worker } else {
960*08b48e0bSAndroid Build Coastguard Worker
961*08b48e0bSAndroid Build Coastguard Worker static int say_once = 0;
962*08b48e0bSAndroid Build Coastguard Worker
963*08b48e0bSAndroid Build Coastguard Worker if (!say_once) {
964*08b48e0bSAndroid Build Coastguard Worker
965*08b48e0bSAndroid Build Coastguard Worker SAYF(
966*08b48e0bSAndroid Build Coastguard Worker "\n" cLRD "[-] " cRST
967*08b48e0bSAndroid Build Coastguard Worker "The program took more than %u ms to process one of the "
968*08b48e0bSAndroid Build Coastguard Worker "initial "
969*08b48e0bSAndroid Build Coastguard Worker "test cases.\n"
970*08b48e0bSAndroid Build Coastguard Worker " This is bad news; raising the limit with the -t option is "
971*08b48e0bSAndroid Build Coastguard Worker "possible, but\n"
972*08b48e0bSAndroid Build Coastguard Worker " will probably make the fuzzing process extremely slow.\n\n"
973*08b48e0bSAndroid Build Coastguard Worker
974*08b48e0bSAndroid Build Coastguard Worker " If this test case is just a fluke, the other option is to "
975*08b48e0bSAndroid Build Coastguard Worker "just avoid it\n"
976*08b48e0bSAndroid Build Coastguard Worker " altogether, and find one that is less of a CPU hog.\n",
977*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.exec_tmout);
978*08b48e0bSAndroid Build Coastguard Worker
979*08b48e0bSAndroid Build Coastguard Worker if (!afl->afl_env.afl_ignore_seed_problems) {
980*08b48e0bSAndroid Build Coastguard Worker
981*08b48e0bSAndroid Build Coastguard Worker FATAL("Test case '%s' results in a timeout", fn);
982*08b48e0bSAndroid Build Coastguard Worker
983*08b48e0bSAndroid Build Coastguard Worker }
984*08b48e0bSAndroid Build Coastguard Worker
985*08b48e0bSAndroid Build Coastguard Worker say_once = 1;
986*08b48e0bSAndroid Build Coastguard Worker
987*08b48e0bSAndroid Build Coastguard Worker }
988*08b48e0bSAndroid Build Coastguard Worker
989*08b48e0bSAndroid Build Coastguard Worker if (!q->was_fuzzed) {
990*08b48e0bSAndroid Build Coastguard Worker
991*08b48e0bSAndroid Build Coastguard Worker q->was_fuzzed = 1;
992*08b48e0bSAndroid Build Coastguard Worker afl->reinit_table = 1;
993*08b48e0bSAndroid Build Coastguard Worker --afl->pending_not_fuzzed;
994*08b48e0bSAndroid Build Coastguard Worker --afl->active_items;
995*08b48e0bSAndroid Build Coastguard Worker
996*08b48e0bSAndroid Build Coastguard Worker }
997*08b48e0bSAndroid Build Coastguard Worker
998*08b48e0bSAndroid Build Coastguard Worker q->disabled = 1;
999*08b48e0bSAndroid Build Coastguard Worker q->perf_score = 0;
1000*08b48e0bSAndroid Build Coastguard Worker
1001*08b48e0bSAndroid Build Coastguard Worker WARNF("Test case '%s' results in a timeout, skipping", fn);
1002*08b48e0bSAndroid Build Coastguard Worker break;
1003*08b48e0bSAndroid Build Coastguard Worker
1004*08b48e0bSAndroid Build Coastguard Worker }
1005*08b48e0bSAndroid Build Coastguard Worker
1006*08b48e0bSAndroid Build Coastguard Worker case FSRV_RUN_CRASH:
1007*08b48e0bSAndroid Build Coastguard Worker
1008*08b48e0bSAndroid Build Coastguard Worker if (afl->crash_mode) { break; }
1009*08b48e0bSAndroid Build Coastguard Worker
1010*08b48e0bSAndroid Build Coastguard Worker if (afl->fsrv.mem_limit) {
1011*08b48e0bSAndroid Build Coastguard Worker
1012*08b48e0bSAndroid Build Coastguard Worker u8 val_buf[STRINGIFY_VAL_SIZE_MAX];
1013*08b48e0bSAndroid Build Coastguard Worker
1014*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
1015*08b48e0bSAndroid Build Coastguard Worker "Oops, the program crashed with one of the test cases provided. "
1016*08b48e0bSAndroid Build Coastguard Worker "There are\n"
1017*08b48e0bSAndroid Build Coastguard Worker " several possible explanations:\n\n"
1018*08b48e0bSAndroid Build Coastguard Worker
1019*08b48e0bSAndroid Build Coastguard Worker " - The test case causes known crashes under normal working "
1020*08b48e0bSAndroid Build Coastguard Worker "conditions. If\n"
1021*08b48e0bSAndroid Build Coastguard Worker " so, please remove it. The fuzzer should be seeded with "
1022*08b48e0bSAndroid Build Coastguard Worker "interesting\n"
1023*08b48e0bSAndroid Build Coastguard Worker " inputs - but not ones that cause an outright crash.\n\n"
1024*08b48e0bSAndroid Build Coastguard Worker
1025*08b48e0bSAndroid Build Coastguard Worker " - The current memory limit (%s) is too low for this "
1026*08b48e0bSAndroid Build Coastguard Worker "program, causing\n"
1027*08b48e0bSAndroid Build Coastguard Worker " it to die due to OOM when parsing valid files. To fix "
1028*08b48e0bSAndroid Build Coastguard Worker "this, try\n"
1029*08b48e0bSAndroid Build Coastguard Worker " bumping it up with the -m setting in the command line. "
1030*08b48e0bSAndroid Build Coastguard Worker "If in doubt,\n"
1031*08b48e0bSAndroid Build Coastguard Worker " try something along the lines of:\n\n"
1032*08b48e0bSAndroid Build Coastguard Worker
1033*08b48e0bSAndroid Build Coastguard Worker MSG_ULIMIT_USAGE
1034*08b48e0bSAndroid Build Coastguard Worker " /path/to/binary [...] <testcase )\n\n"
1035*08b48e0bSAndroid Build Coastguard Worker
1036*08b48e0bSAndroid Build Coastguard Worker " Tip: you can use https://jwilk.net/software/recidivm to\n"
1037*08b48e0bSAndroid Build Coastguard Worker " estimate the required amount of virtual memory for the "
1038*08b48e0bSAndroid Build Coastguard Worker "binary. Also,\n"
1039*08b48e0bSAndroid Build Coastguard Worker " if you are using ASAN, set '-m 0'.\n\n"
1040*08b48e0bSAndroid Build Coastguard Worker
1041*08b48e0bSAndroid Build Coastguard Worker " - In QEMU persistent mode the selected address(es) for the "
1042*08b48e0bSAndroid Build Coastguard Worker "loop are not\n"
1043*08b48e0bSAndroid Build Coastguard Worker " properly cleaning up variables and memory. Try adding\n"
1044*08b48e0bSAndroid Build Coastguard Worker " AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in "
1045*08b48e0bSAndroid Build Coastguard Worker "the binary.\n\n"
1046*08b48e0bSAndroid Build Coastguard Worker
1047*08b48e0bSAndroid Build Coastguard Worker MSG_FORK_ON_APPLE
1048*08b48e0bSAndroid Build Coastguard Worker
1049*08b48e0bSAndroid Build Coastguard Worker " - Least likely, there is a horrible bug in the fuzzer. If "
1050*08b48e0bSAndroid Build Coastguard Worker "other options\n"
1051*08b48e0bSAndroid Build Coastguard Worker " fail, poke the Awesome Fuzzing Discord for "
1052*08b48e0bSAndroid Build Coastguard Worker "troubleshooting tips.\n",
1053*08b48e0bSAndroid Build Coastguard Worker stringify_mem_size(val_buf, sizeof(val_buf),
1054*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.mem_limit << 20),
1055*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.mem_limit - 1);
1056*08b48e0bSAndroid Build Coastguard Worker
1057*08b48e0bSAndroid Build Coastguard Worker } else {
1058*08b48e0bSAndroid Build Coastguard Worker
1059*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
1060*08b48e0bSAndroid Build Coastguard Worker "Oops, the program crashed with one of the test cases provided. "
1061*08b48e0bSAndroid Build Coastguard Worker "There are\n"
1062*08b48e0bSAndroid Build Coastguard Worker " several possible explanations:\n\n"
1063*08b48e0bSAndroid Build Coastguard Worker
1064*08b48e0bSAndroid Build Coastguard Worker " - The test case causes known crashes under normal working "
1065*08b48e0bSAndroid Build Coastguard Worker "conditions. If\n"
1066*08b48e0bSAndroid Build Coastguard Worker " so, please remove it. The fuzzer should be seeded with "
1067*08b48e0bSAndroid Build Coastguard Worker "interesting\n"
1068*08b48e0bSAndroid Build Coastguard Worker " inputs - but not ones that cause an outright crash.\n\n"
1069*08b48e0bSAndroid Build Coastguard Worker
1070*08b48e0bSAndroid Build Coastguard Worker " - In QEMU persistent mode the selected address(es) for the "
1071*08b48e0bSAndroid Build Coastguard Worker "loop are not\n"
1072*08b48e0bSAndroid Build Coastguard Worker " properly cleaning up variables and memory. Try adding\n"
1073*08b48e0bSAndroid Build Coastguard Worker " AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in "
1074*08b48e0bSAndroid Build Coastguard Worker "the binary.\n\n"
1075*08b48e0bSAndroid Build Coastguard Worker
1076*08b48e0bSAndroid Build Coastguard Worker MSG_FORK_ON_APPLE
1077*08b48e0bSAndroid Build Coastguard Worker
1078*08b48e0bSAndroid Build Coastguard Worker " - Least likely, there is a horrible bug in the fuzzer. If "
1079*08b48e0bSAndroid Build Coastguard Worker "other options\n"
1080*08b48e0bSAndroid Build Coastguard Worker " fail, poke the Awesome Fuzzing Discord for "
1081*08b48e0bSAndroid Build Coastguard Worker "troubleshooting tips.\n");
1082*08b48e0bSAndroid Build Coastguard Worker
1083*08b48e0bSAndroid Build Coastguard Worker }
1084*08b48e0bSAndroid Build Coastguard Worker
1085*08b48e0bSAndroid Build Coastguard Worker #undef MSG_ULIMIT_USAGE
1086*08b48e0bSAndroid Build Coastguard Worker #undef MSG_FORK_ON_APPLE
1087*08b48e0bSAndroid Build Coastguard Worker
1088*08b48e0bSAndroid Build Coastguard Worker if (afl->fsrv.uses_crash_exitcode) {
1089*08b48e0bSAndroid Build Coastguard Worker
1090*08b48e0bSAndroid Build Coastguard Worker WARNF(
1091*08b48e0bSAndroid Build Coastguard Worker "Test case '%s' results in a crash or AFL_CRASH_EXITCODE %d, "
1092*08b48e0bSAndroid Build Coastguard Worker "skipping",
1093*08b48e0bSAndroid Build Coastguard Worker fn, (int)(s8)afl->fsrv.crash_exitcode);
1094*08b48e0bSAndroid Build Coastguard Worker
1095*08b48e0bSAndroid Build Coastguard Worker } else {
1096*08b48e0bSAndroid Build Coastguard Worker
1097*08b48e0bSAndroid Build Coastguard Worker if (afl->afl_env.afl_crashing_seeds_as_new_crash) {
1098*08b48e0bSAndroid Build Coastguard Worker
1099*08b48e0bSAndroid Build Coastguard Worker WARNF(
1100*08b48e0bSAndroid Build Coastguard Worker "Test case '%s' results in a crash, "
1101*08b48e0bSAndroid Build Coastguard Worker "as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, "
1102*08b48e0bSAndroid Build Coastguard Worker "saving as a new crash",
1103*08b48e0bSAndroid Build Coastguard Worker fn);
1104*08b48e0bSAndroid Build Coastguard Worker
1105*08b48e0bSAndroid Build Coastguard Worker } else {
1106*08b48e0bSAndroid Build Coastguard Worker
1107*08b48e0bSAndroid Build Coastguard Worker WARNF("Test case '%s' results in a crash, skipping", fn);
1108*08b48e0bSAndroid Build Coastguard Worker
1109*08b48e0bSAndroid Build Coastguard Worker }
1110*08b48e0bSAndroid Build Coastguard Worker
1111*08b48e0bSAndroid Build Coastguard Worker }
1112*08b48e0bSAndroid Build Coastguard Worker
1113*08b48e0bSAndroid Build Coastguard Worker if (afl->afl_env.afl_exit_on_seed_issues) {
1114*08b48e0bSAndroid Build Coastguard Worker
1115*08b48e0bSAndroid Build Coastguard Worker FATAL("As AFL_EXIT_ON_SEED_ISSUES is set, afl-fuzz exits.");
1116*08b48e0bSAndroid Build Coastguard Worker
1117*08b48e0bSAndroid Build Coastguard Worker }
1118*08b48e0bSAndroid Build Coastguard Worker
1119*08b48e0bSAndroid Build Coastguard Worker /* Remove from fuzzing queue but keep for splicing */
1120*08b48e0bSAndroid Build Coastguard Worker
1121*08b48e0bSAndroid Build Coastguard Worker if (!q->was_fuzzed) {
1122*08b48e0bSAndroid Build Coastguard Worker
1123*08b48e0bSAndroid Build Coastguard Worker q->was_fuzzed = 1;
1124*08b48e0bSAndroid Build Coastguard Worker afl->reinit_table = 1;
1125*08b48e0bSAndroid Build Coastguard Worker --afl->pending_not_fuzzed;
1126*08b48e0bSAndroid Build Coastguard Worker --afl->active_items;
1127*08b48e0bSAndroid Build Coastguard Worker
1128*08b48e0bSAndroid Build Coastguard Worker }
1129*08b48e0bSAndroid Build Coastguard Worker
1130*08b48e0bSAndroid Build Coastguard Worker /* Crashing seeds will be regarded as new crashes on startup */
1131*08b48e0bSAndroid Build Coastguard Worker if (afl->afl_env.afl_crashing_seeds_as_new_crash) {
1132*08b48e0bSAndroid Build Coastguard Worker
1133*08b48e0bSAndroid Build Coastguard Worker ++afl->total_crashes;
1134*08b48e0bSAndroid Build Coastguard Worker
1135*08b48e0bSAndroid Build Coastguard Worker if (likely(!afl->non_instrumented_mode)) {
1136*08b48e0bSAndroid Build Coastguard Worker
1137*08b48e0bSAndroid Build Coastguard Worker classify_counts(&afl->fsrv);
1138*08b48e0bSAndroid Build Coastguard Worker
1139*08b48e0bSAndroid Build Coastguard Worker simplify_trace(afl, afl->fsrv.trace_bits);
1140*08b48e0bSAndroid Build Coastguard Worker
1141*08b48e0bSAndroid Build Coastguard Worker if (!has_new_bits(afl, afl->virgin_crash)) { break; }
1142*08b48e0bSAndroid Build Coastguard Worker
1143*08b48e0bSAndroid Build Coastguard Worker }
1144*08b48e0bSAndroid Build Coastguard Worker
1145*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!afl->saved_crashes) &&
1146*08b48e0bSAndroid Build Coastguard Worker (afl->afl_env.afl_no_crash_readme != 1)) {
1147*08b48e0bSAndroid Build Coastguard Worker
1148*08b48e0bSAndroid Build Coastguard Worker write_crash_readme(afl);
1149*08b48e0bSAndroid Build Coastguard Worker
1150*08b48e0bSAndroid Build Coastguard Worker }
1151*08b48e0bSAndroid Build Coastguard Worker
1152*08b48e0bSAndroid Build Coastguard Worker u8 crash_fn[PATH_MAX];
1153*08b48e0bSAndroid Build Coastguard Worker u8 *use_name = strstr(q->fname, ",orig:");
1154*08b48e0bSAndroid Build Coastguard Worker
1155*08b48e0bSAndroid Build Coastguard Worker afl->stage_name = "dry_run";
1156*08b48e0bSAndroid Build Coastguard Worker afl->stage_short = "dry_run";
1157*08b48e0bSAndroid Build Coastguard Worker
1158*08b48e0bSAndroid Build Coastguard Worker #ifndef SIMPLE_FILES
1159*08b48e0bSAndroid Build Coastguard Worker
1160*08b48e0bSAndroid Build Coastguard Worker snprintf(crash_fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s%s",
1161*08b48e0bSAndroid Build Coastguard Worker afl->out_dir, afl->saved_crashes, afl->fsrv.last_kill_signal,
1162*08b48e0bSAndroid Build Coastguard Worker describe_op(afl, 0,
1163*08b48e0bSAndroid Build Coastguard Worker NAME_MAX - strlen("id:000000,sig:00,") -
1164*08b48e0bSAndroid Build Coastguard Worker strlen(use_name)),
1165*08b48e0bSAndroid Build Coastguard Worker use_name);
1166*08b48e0bSAndroid Build Coastguard Worker
1167*08b48e0bSAndroid Build Coastguard Worker #else
1168*08b48e0bSAndroid Build Coastguard Worker
1169*08b48e0bSAndroid Build Coastguard Worker snprintf(crash_fn, PATH_MAX, "%s/crashes/id_%06llu_%02u",
1170*08b48e0bSAndroid Build Coastguard Worker afl->out_dir, afl->saved_crashes,
1171*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.last_kill_signal);
1172*08b48e0bSAndroid Build Coastguard Worker
1173*08b48e0bSAndroid Build Coastguard Worker #endif
1174*08b48e0bSAndroid Build Coastguard Worker
1175*08b48e0bSAndroid Build Coastguard Worker ++afl->saved_crashes;
1176*08b48e0bSAndroid Build Coastguard Worker
1177*08b48e0bSAndroid Build Coastguard Worker fd = open(crash_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
1178*08b48e0bSAndroid Build Coastguard Worker if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_fn); }
1179*08b48e0bSAndroid Build Coastguard Worker ck_write(fd, use_mem, read_len, crash_fn);
1180*08b48e0bSAndroid Build Coastguard Worker close(fd);
1181*08b48e0bSAndroid Build Coastguard Worker
1182*08b48e0bSAndroid Build Coastguard Worker afl->last_crash_time = get_cur_time();
1183*08b48e0bSAndroid Build Coastguard Worker afl->last_crash_execs = afl->fsrv.total_execs;
1184*08b48e0bSAndroid Build Coastguard Worker
1185*08b48e0bSAndroid Build Coastguard Worker } else {
1186*08b48e0bSAndroid Build Coastguard Worker
1187*08b48e0bSAndroid Build Coastguard Worker u32 i = 0;
1188*08b48e0bSAndroid Build Coastguard Worker while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
1189*08b48e0bSAndroid Build Coastguard Worker afl->queue_buf[i]->disabled)) {
1190*08b48e0bSAndroid Build Coastguard Worker
1191*08b48e0bSAndroid Build Coastguard Worker ++i;
1192*08b48e0bSAndroid Build Coastguard Worker
1193*08b48e0bSAndroid Build Coastguard Worker }
1194*08b48e0bSAndroid Build Coastguard Worker
1195*08b48e0bSAndroid Build Coastguard Worker if (i < afl->queued_items && afl->queue_buf[i]) {
1196*08b48e0bSAndroid Build Coastguard Worker
1197*08b48e0bSAndroid Build Coastguard Worker afl->queue = afl->queue_buf[i];
1198*08b48e0bSAndroid Build Coastguard Worker
1199*08b48e0bSAndroid Build Coastguard Worker } else {
1200*08b48e0bSAndroid Build Coastguard Worker
1201*08b48e0bSAndroid Build Coastguard Worker afl->queue = afl->queue_buf[0];
1202*08b48e0bSAndroid Build Coastguard Worker
1203*08b48e0bSAndroid Build Coastguard Worker }
1204*08b48e0bSAndroid Build Coastguard Worker
1205*08b48e0bSAndroid Build Coastguard Worker afl->max_depth = 0;
1206*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
1207*08b48e0bSAndroid Build Coastguard Worker
1208*08b48e0bSAndroid Build Coastguard Worker if (!afl->queue_buf[i]->disabled &&
1209*08b48e0bSAndroid Build Coastguard Worker afl->queue_buf[i]->depth > afl->max_depth)
1210*08b48e0bSAndroid Build Coastguard Worker afl->max_depth = afl->queue_buf[i]->depth;
1211*08b48e0bSAndroid Build Coastguard Worker
1212*08b48e0bSAndroid Build Coastguard Worker }
1213*08b48e0bSAndroid Build Coastguard Worker
1214*08b48e0bSAndroid Build Coastguard Worker }
1215*08b48e0bSAndroid Build Coastguard Worker
1216*08b48e0bSAndroid Build Coastguard Worker q->disabled = 1;
1217*08b48e0bSAndroid Build Coastguard Worker q->perf_score = 0;
1218*08b48e0bSAndroid Build Coastguard Worker
1219*08b48e0bSAndroid Build Coastguard Worker break;
1220*08b48e0bSAndroid Build Coastguard Worker
1221*08b48e0bSAndroid Build Coastguard Worker case FSRV_RUN_ERROR:
1222*08b48e0bSAndroid Build Coastguard Worker
1223*08b48e0bSAndroid Build Coastguard Worker FATAL("Unable to execute target application ('%s')", afl->argv[0]);
1224*08b48e0bSAndroid Build Coastguard Worker
1225*08b48e0bSAndroid Build Coastguard Worker case FSRV_RUN_NOINST:
1226*08b48e0bSAndroid Build Coastguard Worker #ifdef __linux__
1227*08b48e0bSAndroid Build Coastguard Worker if (afl->fsrv.nyx_mode && afl->fsrv.nyx_runner != NULL) {
1228*08b48e0bSAndroid Build Coastguard Worker
1229*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.nyx_handlers->nyx_shutdown(afl->fsrv.nyx_runner);
1230*08b48e0bSAndroid Build Coastguard Worker
1231*08b48e0bSAndroid Build Coastguard Worker }
1232*08b48e0bSAndroid Build Coastguard Worker
1233*08b48e0bSAndroid Build Coastguard Worker #endif
1234*08b48e0bSAndroid Build Coastguard Worker FATAL("No instrumentation detected");
1235*08b48e0bSAndroid Build Coastguard Worker
1236*08b48e0bSAndroid Build Coastguard Worker case FSRV_RUN_NOBITS:
1237*08b48e0bSAndroid Build Coastguard Worker
1238*08b48e0bSAndroid Build Coastguard Worker ++afl->useless_at_start;
1239*08b48e0bSAndroid Build Coastguard Worker
1240*08b48e0bSAndroid Build Coastguard Worker if (!afl->in_bitmap && !afl->shuffle_queue) {
1241*08b48e0bSAndroid Build Coastguard Worker
1242*08b48e0bSAndroid Build Coastguard Worker WARNF("No new instrumentation output, test case may be useless.");
1243*08b48e0bSAndroid Build Coastguard Worker
1244*08b48e0bSAndroid Build Coastguard Worker }
1245*08b48e0bSAndroid Build Coastguard Worker
1246*08b48e0bSAndroid Build Coastguard Worker break;
1247*08b48e0bSAndroid Build Coastguard Worker
1248*08b48e0bSAndroid Build Coastguard Worker }
1249*08b48e0bSAndroid Build Coastguard Worker
1250*08b48e0bSAndroid Build Coastguard Worker if (unlikely(q->var_behavior && !afl->afl_env.afl_no_warn_instability)) {
1251*08b48e0bSAndroid Build Coastguard Worker
1252*08b48e0bSAndroid Build Coastguard Worker WARNF("Instrumentation output varies across runs.");
1253*08b48e0bSAndroid Build Coastguard Worker
1254*08b48e0bSAndroid Build Coastguard Worker }
1255*08b48e0bSAndroid Build Coastguard Worker
1256*08b48e0bSAndroid Build Coastguard Worker }
1257*08b48e0bSAndroid Build Coastguard Worker
1258*08b48e0bSAndroid Build Coastguard Worker if (cal_failures) {
1259*08b48e0bSAndroid Build Coastguard Worker
1260*08b48e0bSAndroid Build Coastguard Worker if (cal_failures == afl->queued_items) {
1261*08b48e0bSAndroid Build Coastguard Worker
1262*08b48e0bSAndroid Build Coastguard Worker FATAL("All test cases time out or crash, giving up!");
1263*08b48e0bSAndroid Build Coastguard Worker
1264*08b48e0bSAndroid Build Coastguard Worker }
1265*08b48e0bSAndroid Build Coastguard Worker
1266*08b48e0bSAndroid Build Coastguard Worker WARNF("Skipped %u test cases (%0.02f%%) due to timeouts or crashes.",
1267*08b48e0bSAndroid Build Coastguard Worker cal_failures, ((double)cal_failures) * 100 / afl->queued_items);
1268*08b48e0bSAndroid Build Coastguard Worker
1269*08b48e0bSAndroid Build Coastguard Worker if (cal_failures * 5 > afl->queued_items) {
1270*08b48e0bSAndroid Build Coastguard Worker
1271*08b48e0bSAndroid Build Coastguard Worker WARNF(cLRD "High percentage of rejected test cases, check settings!");
1272*08b48e0bSAndroid Build Coastguard Worker
1273*08b48e0bSAndroid Build Coastguard Worker }
1274*08b48e0bSAndroid Build Coastguard Worker
1275*08b48e0bSAndroid Build Coastguard Worker }
1276*08b48e0bSAndroid Build Coastguard Worker
1277*08b48e0bSAndroid Build Coastguard Worker /* Now we remove all entries from the queue that have a duplicate trace map */
1278*08b48e0bSAndroid Build Coastguard Worker
1279*08b48e0bSAndroid Build Coastguard Worker u32 duplicates = 0, i;
1280*08b48e0bSAndroid Build Coastguard Worker
1281*08b48e0bSAndroid Build Coastguard Worker for (idx = 0; idx < afl->queued_items - 1; idx++) {
1282*08b48e0bSAndroid Build Coastguard Worker
1283*08b48e0bSAndroid Build Coastguard Worker q = afl->queue_buf[idx];
1284*08b48e0bSAndroid Build Coastguard Worker if (!q || q->disabled || q->cal_failed || !q->exec_cksum) { continue; }
1285*08b48e0bSAndroid Build Coastguard Worker u32 done = 0;
1286*08b48e0bSAndroid Build Coastguard Worker
1287*08b48e0bSAndroid Build Coastguard Worker for (i = idx + 1;
1288*08b48e0bSAndroid Build Coastguard Worker likely(i < afl->queued_items && afl->queue_buf[i] && !done); ++i) {
1289*08b48e0bSAndroid Build Coastguard Worker
1290*08b48e0bSAndroid Build Coastguard Worker struct queue_entry *p = afl->queue_buf[i];
1291*08b48e0bSAndroid Build Coastguard Worker if (p->disabled || p->cal_failed || !p->exec_cksum) { continue; }
1292*08b48e0bSAndroid Build Coastguard Worker
1293*08b48e0bSAndroid Build Coastguard Worker if (p->exec_cksum == q->exec_cksum) {
1294*08b48e0bSAndroid Build Coastguard Worker
1295*08b48e0bSAndroid Build Coastguard Worker duplicates = 1;
1296*08b48e0bSAndroid Build Coastguard Worker
1297*08b48e0bSAndroid Build Coastguard Worker // we keep the shorter file
1298*08b48e0bSAndroid Build Coastguard Worker if (p->len >= q->len) {
1299*08b48e0bSAndroid Build Coastguard Worker
1300*08b48e0bSAndroid Build Coastguard Worker if (!p->was_fuzzed) {
1301*08b48e0bSAndroid Build Coastguard Worker
1302*08b48e0bSAndroid Build Coastguard Worker p->was_fuzzed = 1;
1303*08b48e0bSAndroid Build Coastguard Worker afl->reinit_table = 1;
1304*08b48e0bSAndroid Build Coastguard Worker --afl->pending_not_fuzzed;
1305*08b48e0bSAndroid Build Coastguard Worker --afl->active_items;
1306*08b48e0bSAndroid Build Coastguard Worker
1307*08b48e0bSAndroid Build Coastguard Worker }
1308*08b48e0bSAndroid Build Coastguard Worker
1309*08b48e0bSAndroid Build Coastguard Worker p->disabled = 1;
1310*08b48e0bSAndroid Build Coastguard Worker p->perf_score = 0;
1311*08b48e0bSAndroid Build Coastguard Worker
1312*08b48e0bSAndroid Build Coastguard Worker if (afl->debug) {
1313*08b48e0bSAndroid Build Coastguard Worker
1314*08b48e0bSAndroid Build Coastguard Worker WARNF("Same coverage - %s is kept active, %s is disabled.",
1315*08b48e0bSAndroid Build Coastguard Worker q->fname, p->fname);
1316*08b48e0bSAndroid Build Coastguard Worker
1317*08b48e0bSAndroid Build Coastguard Worker }
1318*08b48e0bSAndroid Build Coastguard Worker
1319*08b48e0bSAndroid Build Coastguard Worker } else {
1320*08b48e0bSAndroid Build Coastguard Worker
1321*08b48e0bSAndroid Build Coastguard Worker if (!q->was_fuzzed) {
1322*08b48e0bSAndroid Build Coastguard Worker
1323*08b48e0bSAndroid Build Coastguard Worker q->was_fuzzed = 1;
1324*08b48e0bSAndroid Build Coastguard Worker afl->reinit_table = 1;
1325*08b48e0bSAndroid Build Coastguard Worker --afl->pending_not_fuzzed;
1326*08b48e0bSAndroid Build Coastguard Worker --afl->active_items;
1327*08b48e0bSAndroid Build Coastguard Worker
1328*08b48e0bSAndroid Build Coastguard Worker }
1329*08b48e0bSAndroid Build Coastguard Worker
1330*08b48e0bSAndroid Build Coastguard Worker q->disabled = 1;
1331*08b48e0bSAndroid Build Coastguard Worker q->perf_score = 0;
1332*08b48e0bSAndroid Build Coastguard Worker
1333*08b48e0bSAndroid Build Coastguard Worker if (afl->debug) {
1334*08b48e0bSAndroid Build Coastguard Worker
1335*08b48e0bSAndroid Build Coastguard Worker WARNF("Same coverage - %s is kept active, %s is disabled.",
1336*08b48e0bSAndroid Build Coastguard Worker p->fname, q->fname);
1337*08b48e0bSAndroid Build Coastguard Worker
1338*08b48e0bSAndroid Build Coastguard Worker }
1339*08b48e0bSAndroid Build Coastguard Worker
1340*08b48e0bSAndroid Build Coastguard Worker done = 1; // end inner loop because outer loop entry is disabled now
1341*08b48e0bSAndroid Build Coastguard Worker
1342*08b48e0bSAndroid Build Coastguard Worker }
1343*08b48e0bSAndroid Build Coastguard Worker
1344*08b48e0bSAndroid Build Coastguard Worker }
1345*08b48e0bSAndroid Build Coastguard Worker
1346*08b48e0bSAndroid Build Coastguard Worker }
1347*08b48e0bSAndroid Build Coastguard Worker
1348*08b48e0bSAndroid Build Coastguard Worker }
1349*08b48e0bSAndroid Build Coastguard Worker
1350*08b48e0bSAndroid Build Coastguard Worker if (duplicates) {
1351*08b48e0bSAndroid Build Coastguard Worker
1352*08b48e0bSAndroid Build Coastguard Worker afl->max_depth = 0;
1353*08b48e0bSAndroid Build Coastguard Worker
1354*08b48e0bSAndroid Build Coastguard Worker for (idx = 0; idx < afl->queued_items; idx++) {
1355*08b48e0bSAndroid Build Coastguard Worker
1356*08b48e0bSAndroid Build Coastguard Worker if (afl->queue_buf[idx] && !afl->queue_buf[idx]->disabled &&
1357*08b48e0bSAndroid Build Coastguard Worker afl->queue_buf[idx]->depth > afl->max_depth)
1358*08b48e0bSAndroid Build Coastguard Worker afl->max_depth = afl->queue_buf[idx]->depth;
1359*08b48e0bSAndroid Build Coastguard Worker
1360*08b48e0bSAndroid Build Coastguard Worker }
1361*08b48e0bSAndroid Build Coastguard Worker
1362*08b48e0bSAndroid Build Coastguard Worker afl->queue_top = afl->queue;
1363*08b48e0bSAndroid Build Coastguard Worker
1364*08b48e0bSAndroid Build Coastguard Worker }
1365*08b48e0bSAndroid Build Coastguard Worker
1366*08b48e0bSAndroid Build Coastguard Worker OKF("All test cases processed.");
1367*08b48e0bSAndroid Build Coastguard Worker
1368*08b48e0bSAndroid Build Coastguard Worker }
1369*08b48e0bSAndroid Build Coastguard Worker
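/* Helper function: link() if possible, copy otherwise.

   Tries to hard-link old_path to new_path. If link() fails for any reason
   (different file system, unsupported, name already taken, ...), the file
   contents are copied instead; every failure on the copy path is fatal.
   NOTE: a successful hard link shares the inode with the input file, so a
   later modification of the input directory is visible in the queue entry. */

static void link_or_copy(u8 *old_path, u8 *new_path) {

  s32 sfd, dfd;
  s32 nread;
  u8 *tmp;

  /* Fast path: a hard link needs no data transfer at all. */
  if (!link(old_path, new_path)) { return; }

  sfd = open(old_path, O_RDONLY);
  if (sfd < 0) { PFATAL("Unable to open '%s'", old_path); }

  /* O_EXCL: never clobber an existing queue entry. If link() failed because
     the name is already taken, fail loudly here instead of reusing it. */
  dfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
  if (dfd < 0) { PFATAL("Unable to create '%s'", new_path); }

  tmp = ck_alloc(64 * 1024);

  /* Copy in 64 KiB chunks until EOF (0) or error (< 0). ck_write() aborts on
     short or failed writes, so only the read side needs checking here. */
  while ((nread = read(sfd, tmp, 64 * 1024)) > 0) {

    ck_write(dfd, tmp, nread, new_path);

  }

  if (nread < 0) { PFATAL("read() failed"); }

  ck_free(tmp);
  close(sfd);

  /* close() on a written descriptor may report a deferred write error (e.g.
     network file systems, quota); treat that like a short write rather than
     silently leaving a truncated queue entry behind. */
  if (close(dfd) < 0) { PFATAL("Unable to close '%s'", new_path); }

}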
1401*08b48e0bSAndroid Build Coastguard Worker
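/* Create hard links for input test cases in the output directory, choosing
   good names and pivoting accordingly.

   Walks afl->queue_buf in order, skipping disabled entries, and gives every
   remaining entry a file below <out_dir>/queue/. Two naming schemes apply:

     - If the basename already has the "id:NNNNNN" form (CASE_PREFIX) and
       NNNNNN equals the sequential id we would assign anyway, we are resuming
       an earlier run: the original name is kept, afl->resuming_fuzz is set,
       and, when the field directly after the id is "src:", the parent's
       depth + 1 is taken over as this entry's depth.

     - Otherwise a fresh "id:NNNNNN,time:0,execs:E,orig:NAME" name is built
       (or "id_NNNNNN" with SIMPLE_FILES), NAME being the text after an
       existing ",orig:" marker, else the whole basename.

   The entry is then hard-linked (or copied) into place, q->fname is swapped
   for the new path, the passed_det state is carried over and custom mutators
   are notified. With in-place resume the temporary resume dir is nuked at
   the end. */

void pivot_inputs(afl_state_t *afl) {

  struct queue_entry *q;
  u32                 id = 0, i;

  ACTF("Creating hard links for all input files...");

  for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {

    q = afl->queue_buf[i];

    if (unlikely(q->disabled)) { continue; }

    u8 *nfn, *rsl = strrchr(q->fname, '/');
    u32 orig_id;

    /* rsl: basename of the input; q->fname may have no directory part. */

    if (!rsl) {

      rsl = q->fname;

    } else {

      ++rsl;

    }

    /* If the original file name conforms to the syntax and the recorded
       ID matches the one we'd assign, just use the original file name.
       This is valuable for resuming fuzzing runs. */

    if (!strncmp(rsl, CASE_PREFIX, 3) &&
        sscanf(rsl + 3, "%06u", &orig_id) == 1 && orig_id == id) {

      u8 *src_str;
      u32 src_id;

      afl->resuming_fuzz = 1;
      nfn = alloc_printf("%s/queue/%s", afl->out_dir, rsl);

      /* Since we're at it, let's also get the parent and figure out the
         appropriate depth for this entry.

         Only the field directly following the id counts, and only if it is
         "src:". The names this function itself generates for seeds look like
         "id:NNNNNN,time:0,execs:...,orig:..." - there the first ':' after the
         id belongs to "time:", and reading its value as a parent id would
         bump the seed's depth by one on every resume. Synced entries
         ("sync:NAME,src:...") are not resolved either: their src id refers
         to another fuzzer's queue, not ours. */

      src_str = strchr(rsl + 3, ',');

      if (src_str && !strncmp(src_str, ",src:", 5) &&
          sscanf(src_str + 5, "%06u", &src_id) == 1) {

        if (src_id < afl->queued_items) {

          struct queue_entry *s = afl->queue_buf[src_id];

          if (s) { q->depth = s->depth + 1; }

        }

        if (afl->max_depth < q->depth) { afl->max_depth = q->depth; }

      }

    } else {

      /* No dice - invent a new name, capturing the original one as a
         substring. */

#ifndef SIMPLE_FILES

      /* Keep only what follows an existing ",orig:" marker so that a seed
         that was itself pulled from a queue does not accumulate prefixes. */

      u8 *use_name = strstr(rsl, ",orig:");

      if (use_name) {

        use_name += 6; /* strlen(",orig:") */

      } else {

        use_name = rsl;

      }

      nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s",
                         afl->out_dir, id, afl->fsrv.total_execs, use_name);

#else

      nfn = alloc_printf("%s/queue/id_%06u", afl->out_dir, id);

#endif /* ^!SIMPLE_FILES */

    }

    /* Pivot to the new queue entry. */

    link_or_copy(q->fname, nfn);
    ck_free(q->fname);
    q->fname = nfn;

    /* Make sure that the passed_det value carries over, too. */

    if (q->passed_det) { mark_as_det_done(afl, q); }

    if (afl->custom_mutators_count) {

      run_afl_custom_queue_new_entry(afl, q, q->fname, NULL);

    }

    /* Disabled entries were skipped above, so ids stay dense. */

    ++id;

  }

  if (afl->in_place_resume) { nuke_resume_dir(afl); }

}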
1516*08b48e0bSAndroid Build Coastguard Worker
1517*08b48e0bSAndroid Build Coastguard Worker /* When resuming, try to find the queue position to start from. This makes sense
1518*08b48e0bSAndroid Build Coastguard Worker only when resuming, and when we can find the original fuzzer_stats. */
1519*08b48e0bSAndroid Build Coastguard Worker
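u32 find_start_position(afl_state_t *afl) {

  /* Returns the queue index recorded as "cur_item" in the previous session's
     fuzzer_stats, so fuzzing can continue where it left off. Returns 0 when not
     resuming, when the stats file cannot be read, when the field is missing or
     malformed, or when the recorded index is not valid for the current queue
     (i.e. >= afl->queued_items). */

  static const char key[] = "cur_item";

  u8            tmp[4096] = {0}; /* Ought to be enough for anybody. */
  u8           *fn;
  char         *off, *end;
  s32           fd, len;
  unsigned long val;

  if (!afl->resuming_fuzz) { return 0; }

  /* In-place resume keeps the old stats in out_dir; otherwise in_dir is the
     previous session's queue/, so the stats file is one level up. */

  if (afl->in_place_resume) {

    fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);

  } else {

    fn = alloc_printf("%s/../fuzzer_stats", afl->in_dir);

  }

  fd = open(fn, O_RDONLY);
  ck_free(fn);

  if (fd < 0) { return 0; }

  len = read(fd, tmp, sizeof(tmp) - 1);
  close(fd);

  /* A failed or empty read leaves nothing to parse. Terminate explicitly so
     the string functions below never run past the buffer. */

  if (len <= 0) { return 0; }
  tmp[len] = 0;

  /* Find the field at the start of a line and take the value after the colon.
     This is independent of whatever column padding precedes the colon in the
     stats file, and unlike a fixed offset from the match it cannot index past
     the terminating NUL when the field sits near the end of the buffer. */

  off = (char *)tmp;
  while ((off = strstr(off, key))) {

    if (off == (char *)tmp || off[-1] == '\n') { break; }
    off += sizeof(key) - 1;

  }

  if (!off) { return 0; }

  off += sizeof(key) - 1;
  while (*off == ' ') { ++off; }
  if (*off != ':') { return 0; }
  ++off;

  /* strtoul() instead of atoi(): garbage and out-of-range values are reported
     rather than being undefined behaviour on overflow. */

  errno = 0;
  val = strtoul(off, &end, 10);
  if (end == off || errno == ERANGE) { return 0; }

  /* A stale or corrupt index beyond the current queue restarts from 0. */

  if (val >= afl->queued_items) { return 0; }

  return (u32)val;

}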
1557*08b48e0bSAndroid Build Coastguard Worker
1558*08b48e0bSAndroid Build Coastguard Worker /* The same, but for timeouts. The idea is that when resuming sessions without
1559*08b48e0bSAndroid Build Coastguard Worker -t given, we don't want to keep auto-scaling the timeout over and over
1560*08b48e0bSAndroid Build Coastguard Worker again to prevent it from growing due to random flukes. */
1561*08b48e0bSAndroid Build Coastguard Worker
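void find_timeout(afl_state_t *afl) {

  /* Restores the exec_timeout recorded in the previous session's fuzzer_stats
     into afl->fsrv.exec_tmout, so that a resumed run without -t does not start
     auto-scaling the timeout from scratch again. Silently does nothing when not
     resuming, when the stats file cannot be read, when the field is missing or
     malformed, or when the recorded value is implausible. */

  static const char key[] = "exec_timeout";

  u8            tmp[4096] = {0}; /* Ought to be enough for anybody. */
  u8           *fn;
  char         *off, *end;
  s32           fd, len;
  unsigned long val;

  if (!afl->resuming_fuzz) { return; }

  /* In-place resume keeps the old stats in out_dir; otherwise in_dir is the
     previous session's queue/, so the stats file is one level up. */

  if (afl->in_place_resume) {

    fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);

  } else {

    fn = alloc_printf("%s/../fuzzer_stats", afl->in_dir);

  }

  fd = open(fn, O_RDONLY);
  ck_free(fn);

  if (fd < 0) { return; }

  len = read(fd, tmp, sizeof(tmp) - 1);
  close(fd);

  /* A failed or empty read leaves nothing to parse. Terminate explicitly so
     the string functions below never run past the buffer. */

  if (len <= 0) { return; }
  tmp[len] = 0;

  /* Find the field at the start of a line and take the value after the colon.
     This is independent of whatever column padding precedes the colon in the
     stats file, and unlike a fixed offset from the match it cannot index past
     the terminating NUL when the field sits near the end of the buffer. */

  off = (char *)tmp;
  while ((off = strstr(off, key))) {

    if (off == (char *)tmp || off[-1] == '\n') { break; }
    off += sizeof(key) - 1;

  }

  if (!off) { return; }

  off += sizeof(key) - 1;
  while (*off == ' ') { ++off; }
  if (*off != ':') { return; }
  ++off;

  /* strtoul() instead of atoi(): garbage and out-of-range values are reported
     rather than being undefined behaviour on overflow. */

  errno = 0;
  val = strtoul(off, &end, 10);
  if (end == off || errno == ERANGE) { return; }

  /* Values of 4 or less (presumably milliseconds) are treated as bogus, as are
     values that do not fit the u32 field they are copied into. */

  if (val <= 4 || (u32)val != val) { return; }

  afl->fsrv.exec_tmout = (u32)val;

  /* Flags the timeout as recovered from a resumed session rather than given
     on the command line; the meaning of 3 is presumably defined by the
     consumers of timeout_given elsewhere. */

  afl->timeout_given = 3;

}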
1601*08b48e0bSAndroid Build Coastguard Worker
1602*08b48e0bSAndroid Build Coastguard Worker /* A helper function for handle_existing_out_dir(), deleting all prefixed
1603*08b48e0bSAndroid Build Coastguard Worker files in a directory. */
1604*08b48e0bSAndroid Build Coastguard Worker
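static u8 delete_files(u8 *path, u8 *prefix) {

  /* Unlinks every non-hidden entry of PATH whose name starts with PREFIX
     (every non-hidden entry when PREFIX is NULL), then removes the directory
     itself. Returns 0 when PATH cannot be opened (nothing to clean) or was
     removed, and 1 when rmdir() failed, typically because entries that do not
     match PREFIX are still present. Aborts via PFATAL() if an individual entry
     cannot be unlinked. */

  DIR           *d;
  struct dirent *d_ent;

  /* The prefix never changes while iterating; measure it once. */
  size_t prefix_len = prefix ? strlen(prefix) : 0;

  d = opendir(path);

  if (!d) { return 0; }

  while ((d_ent = readdir(d))) {

    /* Skip ".", ".." and dotfiles such as the .state/ bookkeeping. */
    if (d_ent->d_name[0] == '.') { continue; }

    if (prefix && strncmp(d_ent->d_name, prefix, prefix_len)) { continue; }

    u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name);
    if (unlink(fname)) { PFATAL("Unable to delete '%s'", fname); }
    ck_free(fname);

  }

  closedir(d);

  return !!rmdir(path);

}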
1632*08b48e0bSAndroid Build Coastguard Worker
1633*08b48e0bSAndroid Build Coastguard Worker /* Get the number of runnable processes, with some simple smoothing. */
1634*08b48e0bSAndroid Build Coastguard Worker
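double get_runnable_processes(void) {

  /* Returns an estimate of the number of runnable processes: the 1-minute load
     average on macOS and the BSDs, or the sum of the procs_running and
     procs_blocked counters from /proc/stat elsewhere. Returns 0 when the
     source cannot be read. */

  double res = 0;

#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
    defined(__NetBSD__) || defined(__DragonFly__)

  /* I don't see any portable sysctl or so that would quickly give us the
     number of runnable processes; the 1-minute load average can be a
     semi-decent approximation, though. */

  if (getloadavg(&res, 1) != 1) { return 0; }

#else

  /* On Linux, /proc/stat is probably the best way; load averages are
     computed in funny ways and sometimes don't reflect extremely short-lived
     processes well. */

  FILE *f = fopen("/proc/stat", "r");
  char  tmp[1024];
  u32   val = 0;

  if (!f) { return 0; }

  while (fgets(tmp, sizeof(tmp), f)) {

    /* Both lines have the form "<name> <count>"; name plus space is 14 bytes,
       so the number starts right after. */

    if (!strncmp(tmp, "procs_running ", 14) ||
        !strncmp(tmp, "procs_blocked ", 14)) {

      /* strtoul() instead of atoi(): no undefined behaviour on overflow. */
      val += (u32)strtoul(tmp + 14, NULL, 10);

    }

  }

  fclose(f);

  /* NOTE(review): res is a fresh local on every call, so it is always 0 at
     this point and the smoothing branch below never runs; the function returns
     the raw instantaneous count. Smoothing across calls would require res to
     persist between calls (e.g. static), which changes the returned values and
     is therefore left to the maintainers. */

  if (!res) {

    res = val;

  } else {

    res = res * (1.0 - 1.0 / AVG_SMOOTHING) +
          ((double)val) * (1.0 / AVG_SMOOTHING);

  }

#endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__ || __NetBSD__ || __DragonFly__) */

  return res;

}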
1689*08b48e0bSAndroid Build Coastguard Worker
1690*08b48e0bSAndroid Build Coastguard Worker /* Delete the temporary directory used for in-place session resume. */
1691*08b48e0bSAndroid Build Coastguard Worker
/* Remove the PREFIX-named entries in PATH and then PATH itself, and release
   PATH. Returns non-zero if the directory could not be removed. */

static u8 resume_dir_sweep(u8 *path, u8 *prefix) {

  u8 failed = delete_files(path, prefix);
  ck_free(path);
  return failed;

}

void nuke_resume_dir(afl_state_t *afl) {

  u8 *state_dir;

  /* The per-case bookkeeping under _resume/.state/ goes first; each
     subdirectory has its own filename prefix. The chain stops at the first
     directory that cannot be removed. */

  if (resume_dir_sweep(
          alloc_printf("%s/_resume/.state/deterministic_done", afl->out_dir),
          CASE_PREFIX) ||
      resume_dir_sweep(
          alloc_printf("%s/_resume/.state/auto_extras", afl->out_dir),
          "auto_") ||
      resume_dir_sweep(
          alloc_printf("%s/_resume/.state/redundant_edges", afl->out_dir),
          CASE_PREFIX) ||
      resume_dir_sweep(
          alloc_printf("%s/_resume/.state/variable_behavior", afl->out_dir),
          CASE_PREFIX)) {

    FATAL("_resume directory cleanup failed");

  }

  /* .state/ itself should be empty by now; it not existing at all is fine. */

  state_dir = alloc_printf("%s/_resume/.state", afl->out_dir);
  if (rmdir(state_dir) && errno != ENOENT) {

    FATAL("_resume directory cleanup failed");

  }

  ck_free(state_dir);

  /* Finally the queue entries that were moved aside, and _resume/ itself. */

  if (resume_dir_sweep(alloc_printf("%s/_resume", afl->out_dir), CASE_PREFIX)) {

    FATAL("_resume directory cleanup failed");

  }

}
1727*08b48e0bSAndroid Build Coastguard Worker
1728*08b48e0bSAndroid Build Coastguard Worker /* Delete fuzzer output directory if we recognize it as ours, if the fuzzer
1729*08b48e0bSAndroid Build Coastguard Worker is not currently running, and if the last run time isn't too great.
1730*08b48e0bSAndroid Build Coastguard Worker Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */
1731*08b48e0bSAndroid Build Coastguard Worker
1732*08b48e0bSAndroid Build Coastguard Worker static void handle_existing_out_dir(afl_state_t *afl) {
1733*08b48e0bSAndroid Build Coastguard Worker
1734*08b48e0bSAndroid Build Coastguard Worker FILE *f;
1735*08b48e0bSAndroid Build Coastguard Worker u8 *fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);
1736*08b48e0bSAndroid Build Coastguard Worker
1737*08b48e0bSAndroid Build Coastguard Worker /* See if the output directory is locked. If yes, bail out. If not,
1738*08b48e0bSAndroid Build Coastguard Worker create a lock that will persist for the lifetime of the process
1739*08b48e0bSAndroid Build Coastguard Worker (this requires leaving the descriptor open).*/
1740*08b48e0bSAndroid Build Coastguard Worker
1741*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.out_dir_fd = open(afl->out_dir, O_RDONLY);
1742*08b48e0bSAndroid Build Coastguard Worker if (afl->fsrv.out_dir_fd < 0) { PFATAL("Unable to open '%s'", afl->out_dir); }
1743*08b48e0bSAndroid Build Coastguard Worker
1744*08b48e0bSAndroid Build Coastguard Worker #ifndef __sun
1745*08b48e0bSAndroid Build Coastguard Worker
1746*08b48e0bSAndroid Build Coastguard Worker if (flock(afl->fsrv.out_dir_fd, LOCK_EX | LOCK_NB) && errno == EWOULDBLOCK) {
1747*08b48e0bSAndroid Build Coastguard Worker
1748*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
1749*08b48e0bSAndroid Build Coastguard Worker "Looks like the job output directory is being actively used by "
1750*08b48e0bSAndroid Build Coastguard Worker "another\n"
1751*08b48e0bSAndroid Build Coastguard Worker " instance of afl-fuzz. You will need to choose a different %s\n"
1752*08b48e0bSAndroid Build Coastguard Worker " or stop the other process first.\n",
1753*08b48e0bSAndroid Build Coastguard Worker afl->sync_id ? "fuzzer ID" : "output location");
1754*08b48e0bSAndroid Build Coastguard Worker
1755*08b48e0bSAndroid Build Coastguard Worker FATAL("Directory '%s' is in use", afl->out_dir);
1756*08b48e0bSAndroid Build Coastguard Worker
1757*08b48e0bSAndroid Build Coastguard Worker }
1758*08b48e0bSAndroid Build Coastguard Worker
1759*08b48e0bSAndroid Build Coastguard Worker #endif /* !__sun */
1760*08b48e0bSAndroid Build Coastguard Worker
1761*08b48e0bSAndroid Build Coastguard Worker f = fopen(fn, "r");
1762*08b48e0bSAndroid Build Coastguard Worker
1763*08b48e0bSAndroid Build Coastguard Worker if (f) {
1764*08b48e0bSAndroid Build Coastguard Worker
1765*08b48e0bSAndroid Build Coastguard Worker u64 start_time2, last_update;
1766*08b48e0bSAndroid Build Coastguard Worker
1767*08b48e0bSAndroid Build Coastguard Worker if (fscanf(f,
1768*08b48e0bSAndroid Build Coastguard Worker "start_time : %llu\n"
1769*08b48e0bSAndroid Build Coastguard Worker "last_update : %llu\n",
1770*08b48e0bSAndroid Build Coastguard Worker &start_time2, &last_update) != 2) {
1771*08b48e0bSAndroid Build Coastguard Worker
1772*08b48e0bSAndroid Build Coastguard Worker FATAL("Malformed data in '%s'", fn);
1773*08b48e0bSAndroid Build Coastguard Worker
1774*08b48e0bSAndroid Build Coastguard Worker }
1775*08b48e0bSAndroid Build Coastguard Worker
1776*08b48e0bSAndroid Build Coastguard Worker fclose(f);
1777*08b48e0bSAndroid Build Coastguard Worker
1778*08b48e0bSAndroid Build Coastguard Worker /* Autoresume treats a normal run as in_place_resume if a valid out dir
1779*08b48e0bSAndroid Build Coastguard Worker * already exists */
1780*08b48e0bSAndroid Build Coastguard Worker
1781*08b48e0bSAndroid Build Coastguard Worker if (!afl->in_place_resume && afl->autoresume) {
1782*08b48e0bSAndroid Build Coastguard Worker
1783*08b48e0bSAndroid Build Coastguard Worker OKF("Detected prior run with AFL_AUTORESUME set. Resuming.");
1784*08b48e0bSAndroid Build Coastguard Worker afl->in_place_resume = 1;
1785*08b48e0bSAndroid Build Coastguard Worker
1786*08b48e0bSAndroid Build Coastguard Worker }
1787*08b48e0bSAndroid Build Coastguard Worker
1788*08b48e0bSAndroid Build Coastguard Worker /* Let's see how much work is at stake. */
1789*08b48e0bSAndroid Build Coastguard Worker
1790*08b48e0bSAndroid Build Coastguard Worker if (!afl->in_place_resume && last_update > start_time2 &&
1791*08b48e0bSAndroid Build Coastguard Worker last_update - start_time2 > OUTPUT_GRACE * 60) {
1792*08b48e0bSAndroid Build Coastguard Worker
1793*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
1794*08b48e0bSAndroid Build Coastguard Worker "The job output directory already exists and contains the results "
1795*08b48e0bSAndroid Build Coastguard Worker "of more\n"
1796*08b48e0bSAndroid Build Coastguard Worker " than %d minutes worth of fuzzing. To avoid data loss, afl-fuzz "
1797*08b48e0bSAndroid Build Coastguard Worker "will *NOT*\n"
1798*08b48e0bSAndroid Build Coastguard Worker " automatically delete this data for you.\n\n"
1799*08b48e0bSAndroid Build Coastguard Worker
1800*08b48e0bSAndroid Build Coastguard Worker " If you wish to start a new session, remove or rename the "
1801*08b48e0bSAndroid Build Coastguard Worker "directory manually,\n"
1802*08b48e0bSAndroid Build Coastguard Worker " or specify a different output location for this job. To resume "
1803*08b48e0bSAndroid Build Coastguard Worker "the old\n"
1804*08b48e0bSAndroid Build Coastguard Worker " session, pass '-' as input directory in the command line ('-i "
1805*08b48e0bSAndroid Build Coastguard Worker "-')\n"
1806*08b48e0bSAndroid Build Coastguard Worker " or set the 'AFL_AUTORESUME=1' env variable and try again.\n",
1807*08b48e0bSAndroid Build Coastguard Worker OUTPUT_GRACE);
1808*08b48e0bSAndroid Build Coastguard Worker
1809*08b48e0bSAndroid Build Coastguard Worker FATAL("At-risk data found in '%s'", afl->out_dir);
1810*08b48e0bSAndroid Build Coastguard Worker
1811*08b48e0bSAndroid Build Coastguard Worker }
1812*08b48e0bSAndroid Build Coastguard Worker
1813*08b48e0bSAndroid Build Coastguard Worker }
1814*08b48e0bSAndroid Build Coastguard Worker
1815*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1816*08b48e0bSAndroid Build Coastguard Worker
1817*08b48e0bSAndroid Build Coastguard Worker /* The idea for in-place resume is pretty simple: we temporarily move the old
1818*08b48e0bSAndroid Build Coastguard Worker queue/ to a new location that gets deleted once import to the new queue/
1819*08b48e0bSAndroid Build Coastguard Worker is finished. If _resume/ already exists, the current queue/ may be
1820*08b48e0bSAndroid Build Coastguard Worker incomplete due to an earlier abort, so we want to use the old _resume/
1821*08b48e0bSAndroid Build Coastguard Worker dir instead, and we let rename() fail silently. */
1822*08b48e0bSAndroid Build Coastguard Worker
1823*08b48e0bSAndroid Build Coastguard Worker if (afl->in_place_resume) {
1824*08b48e0bSAndroid Build Coastguard Worker
1825*08b48e0bSAndroid Build Coastguard Worker u8 *orig_q = alloc_printf("%s/queue", afl->out_dir);
1826*08b48e0bSAndroid Build Coastguard Worker
1827*08b48e0bSAndroid Build Coastguard Worker afl->in_dir = alloc_printf("%s/_resume", afl->out_dir);
1828*08b48e0bSAndroid Build Coastguard Worker
1829*08b48e0bSAndroid Build Coastguard Worker rename(orig_q, afl->in_dir); /* Ignore errors */
1830*08b48e0bSAndroid Build Coastguard Worker
1831*08b48e0bSAndroid Build Coastguard Worker OKF("Output directory exists, will attempt session resume.");
1832*08b48e0bSAndroid Build Coastguard Worker
1833*08b48e0bSAndroid Build Coastguard Worker ck_free(orig_q);
1834*08b48e0bSAndroid Build Coastguard Worker
1835*08b48e0bSAndroid Build Coastguard Worker } else {
1836*08b48e0bSAndroid Build Coastguard Worker
1837*08b48e0bSAndroid Build Coastguard Worker OKF("Output directory exists but deemed OK to reuse.");
1838*08b48e0bSAndroid Build Coastguard Worker
1839*08b48e0bSAndroid Build Coastguard Worker }
1840*08b48e0bSAndroid Build Coastguard Worker
1841*08b48e0bSAndroid Build Coastguard Worker ACTF("Deleting old session data...");
1842*08b48e0bSAndroid Build Coastguard Worker
1843*08b48e0bSAndroid Build Coastguard Worker /* Okay, let's get the ball rolling! First, we need to get rid of the entries
1844*08b48e0bSAndroid Build Coastguard Worker in <afl->out_dir>/.synced/.../id:*, if any are present. */
1845*08b48e0bSAndroid Build Coastguard Worker
1846*08b48e0bSAndroid Build Coastguard Worker if (!afl->in_place_resume) {
1847*08b48e0bSAndroid Build Coastguard Worker
1848*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/.synced", afl->out_dir);
1849*08b48e0bSAndroid Build Coastguard Worker if (delete_files(fn, NULL)) { goto dir_cleanup_failed; }
1850*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1851*08b48e0bSAndroid Build Coastguard Worker
1852*08b48e0bSAndroid Build Coastguard Worker }
1853*08b48e0bSAndroid Build Coastguard Worker
1854*08b48e0bSAndroid Build Coastguard Worker /* Next, we need to clean up <afl->out_dir>/queue/.state/ subdirectories: */
1855*08b48e0bSAndroid Build Coastguard Worker
1856*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/queue/.state/deterministic_done", afl->out_dir);
1857*08b48e0bSAndroid Build Coastguard Worker if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }
1858*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1859*08b48e0bSAndroid Build Coastguard Worker
1860*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/queue/.state/auto_extras", afl->out_dir);
1861*08b48e0bSAndroid Build Coastguard Worker if (delete_files(fn, "auto_")) { goto dir_cleanup_failed; }
1862*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1863*08b48e0bSAndroid Build Coastguard Worker
1864*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/queue/.state/redundant_edges", afl->out_dir);
1865*08b48e0bSAndroid Build Coastguard Worker if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }
1866*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1867*08b48e0bSAndroid Build Coastguard Worker
1868*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/queue/.state/variable_behavior", afl->out_dir);
1869*08b48e0bSAndroid Build Coastguard Worker if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }
1870*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1871*08b48e0bSAndroid Build Coastguard Worker
1872*08b48e0bSAndroid Build Coastguard Worker /* Then, get rid of the .state subdirectory itself (should be empty by now)
1873*08b48e0bSAndroid Build Coastguard Worker and everything matching <afl->out_dir>/queue/id:*. */
1874*08b48e0bSAndroid Build Coastguard Worker
1875*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/queue/.state", afl->out_dir);
1876*08b48e0bSAndroid Build Coastguard Worker if (rmdir(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
1877*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1878*08b48e0bSAndroid Build Coastguard Worker
1879*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/queue", afl->out_dir);
1880*08b48e0bSAndroid Build Coastguard Worker if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }
1881*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1882*08b48e0bSAndroid Build Coastguard Worker
1883*08b48e0bSAndroid Build Coastguard Worker /* All right, let's do <afl->out_dir>/crashes/id:* and
1884*08b48e0bSAndroid Build Coastguard Worker * <afl->out_dir>/hangs/id:*. */
1885*08b48e0bSAndroid Build Coastguard Worker
1886*08b48e0bSAndroid Build Coastguard Worker if (!afl->in_place_resume) {
1887*08b48e0bSAndroid Build Coastguard Worker
1888*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/crashes/README.txt", afl->out_dir);
1889*08b48e0bSAndroid Build Coastguard Worker unlink(fn); /* Ignore errors */
1890*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1891*08b48e0bSAndroid Build Coastguard Worker
1892*08b48e0bSAndroid Build Coastguard Worker }
1893*08b48e0bSAndroid Build Coastguard Worker
1894*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/crashes", afl->out_dir);
1895*08b48e0bSAndroid Build Coastguard Worker
1896*08b48e0bSAndroid Build Coastguard Worker /* Make backup of the crashes directory if it's not empty and if we're
1897*08b48e0bSAndroid Build Coastguard Worker doing in-place resume. */
1898*08b48e0bSAndroid Build Coastguard Worker
1899*08b48e0bSAndroid Build Coastguard Worker if (afl->in_place_resume && rmdir(fn)) {
1900*08b48e0bSAndroid Build Coastguard Worker
1901*08b48e0bSAndroid Build Coastguard Worker time_t cur_t = time(0);
1902*08b48e0bSAndroid Build Coastguard Worker struct tm t;
1903*08b48e0bSAndroid Build Coastguard Worker localtime_r(&cur_t, &t);
1904*08b48e0bSAndroid Build Coastguard Worker
1905*08b48e0bSAndroid Build Coastguard Worker #ifndef SIMPLE_FILES
1906*08b48e0bSAndroid Build Coastguard Worker
1907*08b48e0bSAndroid Build Coastguard Worker u8 *nfn =
1908*08b48e0bSAndroid Build Coastguard Worker alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, t.tm_year + 1900,
1909*08b48e0bSAndroid Build Coastguard Worker t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
1910*08b48e0bSAndroid Build Coastguard Worker
1911*08b48e0bSAndroid Build Coastguard Worker #else
1912*08b48e0bSAndroid Build Coastguard Worker
1913*08b48e0bSAndroid Build Coastguard Worker u8 *nfn =
1914*08b48e0bSAndroid Build Coastguard Worker alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t.tm_year + 1900,
1915*08b48e0bSAndroid Build Coastguard Worker t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
1916*08b48e0bSAndroid Build Coastguard Worker
1917*08b48e0bSAndroid Build Coastguard Worker #endif /* ^!SIMPLE_FILES */
1918*08b48e0bSAndroid Build Coastguard Worker
1919*08b48e0bSAndroid Build Coastguard Worker rename(fn, nfn); /* Ignore errors. */
1920*08b48e0bSAndroid Build Coastguard Worker ck_free(nfn);
1921*08b48e0bSAndroid Build Coastguard Worker
1922*08b48e0bSAndroid Build Coastguard Worker }
1923*08b48e0bSAndroid Build Coastguard Worker
1924*08b48e0bSAndroid Build Coastguard Worker if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }
1925*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1926*08b48e0bSAndroid Build Coastguard Worker
1927*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/hangs", afl->out_dir);
1928*08b48e0bSAndroid Build Coastguard Worker
1929*08b48e0bSAndroid Build Coastguard Worker /* Backup hangs, too. */
1930*08b48e0bSAndroid Build Coastguard Worker
1931*08b48e0bSAndroid Build Coastguard Worker if (afl->in_place_resume && rmdir(fn)) {
1932*08b48e0bSAndroid Build Coastguard Worker
1933*08b48e0bSAndroid Build Coastguard Worker time_t cur_t = time(0);
1934*08b48e0bSAndroid Build Coastguard Worker struct tm t;
1935*08b48e0bSAndroid Build Coastguard Worker localtime_r(&cur_t, &t);
1936*08b48e0bSAndroid Build Coastguard Worker
1937*08b48e0bSAndroid Build Coastguard Worker #ifndef SIMPLE_FILES
1938*08b48e0bSAndroid Build Coastguard Worker
1939*08b48e0bSAndroid Build Coastguard Worker u8 *nfn =
1940*08b48e0bSAndroid Build Coastguard Worker alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, t.tm_year + 1900,
1941*08b48e0bSAndroid Build Coastguard Worker t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
1942*08b48e0bSAndroid Build Coastguard Worker
1943*08b48e0bSAndroid Build Coastguard Worker #else
1944*08b48e0bSAndroid Build Coastguard Worker
1945*08b48e0bSAndroid Build Coastguard Worker u8 *nfn =
1946*08b48e0bSAndroid Build Coastguard Worker alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t.tm_year + 1900,
1947*08b48e0bSAndroid Build Coastguard Worker t.tm_mon + 1, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
1948*08b48e0bSAndroid Build Coastguard Worker
1949*08b48e0bSAndroid Build Coastguard Worker #endif /* ^!SIMPLE_FILES */
1950*08b48e0bSAndroid Build Coastguard Worker
1951*08b48e0bSAndroid Build Coastguard Worker rename(fn, nfn); /* Ignore errors. */
1952*08b48e0bSAndroid Build Coastguard Worker ck_free(nfn);
1953*08b48e0bSAndroid Build Coastguard Worker
1954*08b48e0bSAndroid Build Coastguard Worker }
1955*08b48e0bSAndroid Build Coastguard Worker
1956*08b48e0bSAndroid Build Coastguard Worker if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }
1957*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1958*08b48e0bSAndroid Build Coastguard Worker
1959*08b48e0bSAndroid Build Coastguard Worker /* And now, for some finishing touches. */
1960*08b48e0bSAndroid Build Coastguard Worker
1961*08b48e0bSAndroid Build Coastguard Worker if (afl->file_extension) {
1962*08b48e0bSAndroid Build Coastguard Worker
1963*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/.cur_input.%s", afl->out_dir, afl->file_extension);
1964*08b48e0bSAndroid Build Coastguard Worker
1965*08b48e0bSAndroid Build Coastguard Worker } else {
1966*08b48e0bSAndroid Build Coastguard Worker
1967*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/.cur_input", afl->out_dir);
1968*08b48e0bSAndroid Build Coastguard Worker
1969*08b48e0bSAndroid Build Coastguard Worker }
1970*08b48e0bSAndroid Build Coastguard Worker
1971*08b48e0bSAndroid Build Coastguard Worker if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
1972*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1973*08b48e0bSAndroid Build Coastguard Worker
1974*08b48e0bSAndroid Build Coastguard Worker if (afl->afl_env.afl_tmpdir) {
1975*08b48e0bSAndroid Build Coastguard Worker
1976*08b48e0bSAndroid Build Coastguard Worker if (afl->file_extension) {
1977*08b48e0bSAndroid Build Coastguard Worker
1978*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/.cur_input.%s", afl->afl_env.afl_tmpdir,
1979*08b48e0bSAndroid Build Coastguard Worker afl->file_extension);
1980*08b48e0bSAndroid Build Coastguard Worker
1981*08b48e0bSAndroid Build Coastguard Worker } else {
1982*08b48e0bSAndroid Build Coastguard Worker
1983*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/.cur_input", afl->afl_env.afl_tmpdir);
1984*08b48e0bSAndroid Build Coastguard Worker
1985*08b48e0bSAndroid Build Coastguard Worker }
1986*08b48e0bSAndroid Build Coastguard Worker
1987*08b48e0bSAndroid Build Coastguard Worker if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
1988*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1989*08b48e0bSAndroid Build Coastguard Worker
1990*08b48e0bSAndroid Build Coastguard Worker }
1991*08b48e0bSAndroid Build Coastguard Worker
1992*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/fuzz_bitmap", afl->out_dir);
1993*08b48e0bSAndroid Build Coastguard Worker if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
1994*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
1995*08b48e0bSAndroid Build Coastguard Worker
1996*08b48e0bSAndroid Build Coastguard Worker if (!afl->in_place_resume) {
1997*08b48e0bSAndroid Build Coastguard Worker
1998*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);
1999*08b48e0bSAndroid Build Coastguard Worker if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
2000*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
2001*08b48e0bSAndroid Build Coastguard Worker
2002*08b48e0bSAndroid Build Coastguard Worker }
2003*08b48e0bSAndroid Build Coastguard Worker
2004*08b48e0bSAndroid Build Coastguard Worker if (!afl->in_place_resume) {
2005*08b48e0bSAndroid Build Coastguard Worker
2006*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/plot_data", afl->out_dir);
2007*08b48e0bSAndroid Build Coastguard Worker if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
2008*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
2009*08b48e0bSAndroid Build Coastguard Worker
2010*08b48e0bSAndroid Build Coastguard Worker }
2011*08b48e0bSAndroid Build Coastguard Worker
2012*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/queue_data", afl->out_dir);
2013*08b48e0bSAndroid Build Coastguard Worker if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
2014*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
2015*08b48e0bSAndroid Build Coastguard Worker
2016*08b48e0bSAndroid Build Coastguard Worker fn = alloc_printf("%s/cmdline", afl->out_dir);
2017*08b48e0bSAndroid Build Coastguard Worker if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
2018*08b48e0bSAndroid Build Coastguard Worker ck_free(fn);
2019*08b48e0bSAndroid Build Coastguard Worker
2020*08b48e0bSAndroid Build Coastguard Worker OKF("Output dir cleanup successful.");
2021*08b48e0bSAndroid Build Coastguard Worker
2022*08b48e0bSAndroid Build Coastguard Worker /* Wow... is that all? If yes, celebrate! */
2023*08b48e0bSAndroid Build Coastguard Worker
2024*08b48e0bSAndroid Build Coastguard Worker return;
2025*08b48e0bSAndroid Build Coastguard Worker
2026*08b48e0bSAndroid Build Coastguard Worker dir_cleanup_failed:
2027*08b48e0bSAndroid Build Coastguard Worker
2028*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
2029*08b48e0bSAndroid Build Coastguard Worker "Whoops, the fuzzer tried to reuse your output directory, but bumped "
2030*08b48e0bSAndroid Build Coastguard Worker "into\n"
2031*08b48e0bSAndroid Build Coastguard Worker " some files that shouldn't be there or that couldn't be removed - "
2032*08b48e0bSAndroid Build Coastguard Worker "so it\n"
2033*08b48e0bSAndroid Build Coastguard Worker " decided to abort! This happened while processing this path:\n\n"
2034*08b48e0bSAndroid Build Coastguard Worker
2035*08b48e0bSAndroid Build Coastguard Worker " %s\n\n"
2036*08b48e0bSAndroid Build Coastguard Worker " Please examine and manually delete the files, or specify a "
2037*08b48e0bSAndroid Build Coastguard Worker "different\n"
2038*08b48e0bSAndroid Build Coastguard Worker " output location for the tool.\n",
2039*08b48e0bSAndroid Build Coastguard Worker fn);
2040*08b48e0bSAndroid Build Coastguard Worker
2041*08b48e0bSAndroid Build Coastguard Worker FATAL("Output directory cleanup failed");
2042*08b48e0bSAndroid Build Coastguard Worker
2043*08b48e0bSAndroid Build Coastguard Worker }
2044*08b48e0bSAndroid Build Coastguard Worker
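/* If this is a -S secondary node, check whether a -M main node is running;
   the caller uses the answer to warn when a main node is missing, or when a
   second main is started while one already runs.

   Returns 1 if any other instance under afl->sync_dir has created an
   'is_main_node' marker file, 0 otherwise. Dot entries and our own sync_id
   directory are skipped. Returns 0 (not an error) when the sync directory
   cannot be opened. */

int check_main_node_exists(afl_state_t *afl) {

  DIR           *sd;
  struct dirent *sd_ent;
  int            found = 0;

  sd = opendir(afl->sync_dir);
  if (!sd) { return 0; }

  while (!found && (sd_ent = readdir(sd))) {

    /* Skip dot files and our own output directory. */

    if (sd_ent->d_name[0] == '.' ||
        (afl->sync_id && !strcmp(afl->sync_id, sd_ent->d_name))) {

      continue;

    }

    /* alloc_printf() memory is released with ck_free(), as everywhere
       else in this file. */

    u8 *fn = alloc_printf("%s/%s/is_main_node", afl->sync_dir, sd_ent->d_name);
    if (access(fn, F_OK) == 0) { found = 1; }
    ck_free(fn);

  }

  /* The directory stream was previously leaked on every return path; close
     it so repeated checks do not accumulate open file descriptors. */

  closedir(sd);

  return found;

}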
2077*08b48e0bSAndroid Build Coastguard Worker
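/* Create directory 'path' (mode 0700) and abort with the OS error on any
   failure, including EEXIST. 'path' must come from alloc_printf(); it is
   released here so callers can pass the allocation inline. */

static void create_dir_or_die(u8 *path) {

  if (mkdir(path, 0700)) { PFATAL("Unable to create '%s'", path); }
  ck_free(path);

}

/* Prepare output directories and fds.

   Creates the sync dir (only with -M/-S), the output dir (or hands an
   existing one to handle_existing_out_dir()), the queue/.state metadata
   tree, crashes/ and hangs/, opens /dev/null and /dev/urandom into afl->fsrv,
   and opens the gnuplot plot_data file (new file on a fresh run, appended to
   on an in-place resume). Every failure is fatal. */

void setup_dirs_fds(afl_state_t *afl) {

  ACTF("Setting up output directories...");

  if (afl->sync_id && mkdir(afl->sync_dir, 0700) && errno != EEXIST) {

    PFATAL("Unable to create '%s'", afl->sync_dir);

  }

  if (mkdir(afl->out_dir, 0700)) {

    if (errno != EEXIST) { PFATAL("Unable to create '%s'", afl->out_dir); }

    /* Directory already exists: resume into it or clean it up. */

    handle_existing_out_dir(afl);

  } else {

    if (afl->in_place_resume) {

      FATAL("Resume attempted but old output directory not found");

    }

    /* Hold an exclusive advisory lock on the freshly created directory so
       two fuzzer instances cannot share one output location. */

    afl->fsrv.out_dir_fd = open(afl->out_dir, O_RDONLY);

#ifndef __sun

    if (afl->fsrv.out_dir_fd < 0 ||
        flock(afl->fsrv.out_dir_fd, LOCK_EX | LOCK_NB)) {

      PFATAL("Unable to flock() output directory.");

    }

#endif                                                            /* !__sun */

  }

  if (afl->is_main_node) {

    /* Marker file that other instances look for in check_main_node_exists().
       PFATAL (not FATAL) so the errno reason is reported. */

    u8 *x = alloc_printf("%s/is_main_node", afl->out_dir);
    int fd = open(x, O_CREAT | O_RDWR, 0644);
    if (fd < 0) { PFATAL("cannot create %s", x); }
    ck_free(x);
    close(fd);

  }

  /* Queue directory for any starting & discovered paths. */

  create_dir_or_die(alloc_printf("%s/queue", afl->out_dir));

  /* Top-level directory for queue metadata used for session
     resume and related tasks. */

  create_dir_or_die(alloc_printf("%s/queue/.state/", afl->out_dir));

  /* Directory for flagging queue entries that went through
     deterministic fuzzing in the past. */

  create_dir_or_die(
      alloc_printf("%s/queue/.state/deterministic_done/", afl->out_dir));

  /* Directory with the auto-selected dictionary entries. */

  create_dir_or_die(alloc_printf("%s/queue/.state/auto_extras/", afl->out_dir));

  /* The set of paths currently deemed redundant. */

  create_dir_or_die(
      alloc_printf("%s/queue/.state/redundant_edges/", afl->out_dir));

  /* The set of paths showing variable behavior. */

  create_dir_or_die(
      alloc_printf("%s/queue/.state/variable_behavior/", afl->out_dir));

  /* Sync directory for keeping track of cooperating fuzzers. */

  if (afl->sync_id) {

    u8 *synced = alloc_printf("%s/.synced/", afl->out_dir);

    /* On an in-place resume the directory is expected to already exist. */

    if (mkdir(synced, 0700) && (!afl->in_place_resume || errno != EEXIST)) {

      PFATAL("Unable to create '%s'", synced);

    }

    ck_free(synced);

  }

  /* All recorded crashes. */

  create_dir_or_die(alloc_printf("%s/crashes", afl->out_dir));

  /* All recorded hangs. */

  create_dir_or_die(alloc_printf("%s/hangs", afl->out_dir));

  /* Generally useful file descriptors. */

  afl->fsrv.dev_null_fd = open("/dev/null", O_RDWR);
  if (afl->fsrv.dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); }

  afl->fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY);
  if (afl->fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); }

  /* Gnuplot output file. A fresh run must create it (O_EXCL refuses a
     stale or pre-planted file); a resume reopens the existing one. */

  u8 *tmp = alloc_printf("%s/plot_data", afl->out_dir);
  int flags = O_WRONLY | O_CREAT | (afl->in_place_resume ? 0 : O_EXCL);
  int fd = open(tmp, flags, DEFAULT_PERMISSION);
  if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
  ck_free(tmp);

  afl->fsrv.plot_file = fdopen(fd, "w");
  if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }

  if (!afl->in_place_resume) {

    fprintf(
        afl->fsrv.plot_file,
        "# relative_time, cycles_done, cur_item, corpus_count, "
        "pending_total, pending_favs, map_size, saved_crashes, "
        "saved_hangs, max_depth, execs_per_sec, total_execs, edges_found\n");

  } else {

    /* fdopen(..., "w") does not truncate, so move past the existing rows.
       Best-effort: a failed seek only misplaces plot rows. */

    fseek(afl->fsrv.plot_file, 0, SEEK_END);

  }

  fflush(afl->fsrv.plot_file);

#ifdef INTROSPECTION

  tmp = alloc_printf("%s/plot_det_data", afl->out_dir);

  fd = open(tmp, O_WRONLY | O_CREAT, DEFAULT_PERMISSION);
  if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
  ck_free(tmp);

  afl->fsrv.det_plot_file = fdopen(fd, "w");
  if (!afl->fsrv.det_plot_file) { PFATAL("fdopen() failed"); }

  /* Best-effort, as above. */

  if (afl->in_place_resume) { fseek(afl->fsrv.det_plot_file, 0, SEEK_END); }

#endif

}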
2257*08b48e0bSAndroid Build Coastguard Worker
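/* Store the command line to reproduce our findings: one argv element per
   line in <out_dir>/cmdline. The file must not exist yet (O_EXCL), so this
   runs after the output directory has been created or cleaned up. Failure
   to create or to completely write the file is fatal. */

void setup_cmdline_file(afl_state_t *afl, char **argv) {

  u8 *tmp = alloc_printf("%s/cmdline", afl->out_dir);
  s32 fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
  if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }

  FILE *cmdline_file = fdopen(fd, "w");
  if (!cmdline_file) { PFATAL("fdopen() failed"); }

  for (u32 i = 0; argv[i]; ++i) {

    fprintf(cmdline_file, "%s\n", argv[i]);

  }

  /* fclose() flushes the stdio buffer, so a write error (e.g. ENOSPC) only
     surfaces here; a truncated cmdline file would defeat its purpose. */

  if (fclose(cmdline_file)) { PFATAL("Unable to write '%s'", tmp); }

  ck_free(tmp);

}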
2285*08b48e0bSAndroid Build Coastguard Worker
/* Setup the output file for fuzzed data, if not using -f.

   The test case is written to <tmp_dir>/.cur_input, with the -e extension
   appended when one was given. The path is stored in afl->fsrv.out_file and
   the open descriptor in afl->fsrv.out_fd. Failure to create the file is
   fatal. */

void setup_stdio_file(afl_state_t *afl) {

  u8 *path = afl->file_extension
                 ? alloc_printf("%s/.cur_input.%s", afl->tmp_dir,
                                afl->file_extension)
                 : alloc_printf("%s/.cur_input", afl->tmp_dir);

  afl->fsrv.out_file = path;

  /* A leftover from a previous run is expected; its removal is best-effort.
     O_EXCL below then guarantees we create a fresh regular file rather than
     writing through anything else at that path. */

  unlink(path);

  afl->fsrv.out_fd =
      open(path, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION);

  if (afl->fsrv.out_fd < 0) { PFATAL("Unable to create '%s'", path); }

}
2313*08b48e0bSAndroid Build Coastguard Worker
/* Make sure that core dumps don't go to a program.

   On macOS this looks for the ReportCrash agent via launchctl; on other
   systems it inspects /proc/sys/kernel/core_pattern (Linux only; absent
   files are silently ignored). A detected handler is fatal unless
   AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES is set. */

void check_crash_handling(void) {

#ifdef __APPLE__

  /* Yuck! There appears to be no simple C API to query for the state of
     loaded daemons on MacOS X, and I'm a bit hesitant to do something
     more sophisticated, such as disabling crash reporting via Mach ports,
     until I get a box to test the code. So, for now, we check for crash
     reporting the awful way. */

#if !TARGET_OS_IPHONE
  if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash\\>'")) {

    return;

  }

  SAYF(
      "\n" cLRD "[-] " cRST
      "Whoops, your system is configured to forward crash notifications to an\n"
      " external crash reporting utility. This will cause issues due to "
      "the\n"
      " extended delay between the fuzzed binary malfunctioning and this "
      "fact\n"
      " being relayed to the fuzzer via the standard waitpid() API.\n\n"
      " To avoid having crashes misinterpreted as timeouts, please run the\n"
      " following commands:\n\n"

      " SL=/System/Library; PL=com.apple.ReportCrash\n"
      " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n"
      " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n");

#endif
  if (!get_afl_env("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) {

    FATAL("Crash reporter detected");

  }

#else

  /* This is Linux specific, but I don't think there's anything equivalent on
     *BSD, so we can just let it slide for now. */

  s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY);
  u8  first_byte = 0;

  if (fd < 0) { return; }

  ACTF("Checking core_pattern...");

  /* A leading '|' means the kernel pipes core dumps to a helper program. */

  int piped = (read(fd, &first_byte, 1) == 1) && (first_byte == '|');

  if (piped) {

    SAYF(
        "\n" cLRD "[-] " cRST
        "Hmm, your system is configured to send core dump notifications to an\n"
        " external utility. This will cause issues: there will be an "
        "extended delay\n"
        " between stumbling upon a crash and having this information "
        "relayed to the\n"
        " fuzzer via the standard waitpid() API.\n"
        " If you're just testing, set "
        "'AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1'.\n\n"

        " To avoid having crashes misinterpreted as timeouts, please log in "
        "as root\n"
        " and temporarily modify /proc/sys/kernel/core_pattern, like so:\n\n"

        " echo core >/proc/sys/kernel/core_pattern\n");

    if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) {

      FATAL("Pipe at the beginning of 'core_pattern'");

    }

  }

  close(fd);

#endif                                                         /* ^__APPLE__ */

}
2393*08b48e0bSAndroid Build Coastguard Worker
2394*08b48e0bSAndroid Build Coastguard Worker /* Check CPU governor. */
2395*08b48e0bSAndroid Build Coastguard Worker
2396*08b48e0bSAndroid Build Coastguard Worker void check_cpu_governor(afl_state_t *afl) {
2397*08b48e0bSAndroid Build Coastguard Worker
2398*08b48e0bSAndroid Build Coastguard Worker #ifdef __linux__
2399*08b48e0bSAndroid Build Coastguard Worker FILE *f;
2400*08b48e0bSAndroid Build Coastguard Worker u8 tmp[128];
2401*08b48e0bSAndroid Build Coastguard Worker u64 min = 0, max = 0;
2402*08b48e0bSAndroid Build Coastguard Worker
2403*08b48e0bSAndroid Build Coastguard Worker if (afl->afl_env.afl_skip_cpufreq) { return; }
2404*08b48e0bSAndroid Build Coastguard Worker
2405*08b48e0bSAndroid Build Coastguard Worker if (afl->cpu_aff > 0) {
2406*08b48e0bSAndroid Build Coastguard Worker
2407*08b48e0bSAndroid Build Coastguard Worker snprintf(tmp, sizeof(tmp), "%s%d%s", "/sys/devices/system/cpu/cpu",
2408*08b48e0bSAndroid Build Coastguard Worker afl->cpu_aff, "/cpufreq/scaling_governor");
2409*08b48e0bSAndroid Build Coastguard Worker
2410*08b48e0bSAndroid Build Coastguard Worker } else {
2411*08b48e0bSAndroid Build Coastguard Worker
2412*08b48e0bSAndroid Build Coastguard Worker snprintf(tmp, sizeof(tmp), "%s",
2413*08b48e0bSAndroid Build Coastguard Worker "/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor");
2414*08b48e0bSAndroid Build Coastguard Worker
2415*08b48e0bSAndroid Build Coastguard Worker }
2416*08b48e0bSAndroid Build Coastguard Worker
2417*08b48e0bSAndroid Build Coastguard Worker f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r");
2418*08b48e0bSAndroid Build Coastguard Worker if (!f) {
2419*08b48e0bSAndroid Build Coastguard Worker
2420*08b48e0bSAndroid Build Coastguard Worker if (afl->cpu_aff > 0) {
2421*08b48e0bSAndroid Build Coastguard Worker
2422*08b48e0bSAndroid Build Coastguard Worker snprintf(tmp, sizeof(tmp), "%s%d%s",
2423*08b48e0bSAndroid Build Coastguard Worker "/sys/devices/system/cpu/cpufreq/policy", afl->cpu_aff,
2424*08b48e0bSAndroid Build Coastguard Worker "/scaling_governor");
2425*08b48e0bSAndroid Build Coastguard Worker
2426*08b48e0bSAndroid Build Coastguard Worker } else {
2427*08b48e0bSAndroid Build Coastguard Worker
2428*08b48e0bSAndroid Build Coastguard Worker snprintf(tmp, sizeof(tmp), "%s",
2429*08b48e0bSAndroid Build Coastguard Worker "/sys/devices/system/cpu/cpufreq/policy0/scaling_governor");
2430*08b48e0bSAndroid Build Coastguard Worker
2431*08b48e0bSAndroid Build Coastguard Worker }
2432*08b48e0bSAndroid Build Coastguard Worker
2433*08b48e0bSAndroid Build Coastguard Worker f = fopen(tmp, "r");
2434*08b48e0bSAndroid Build Coastguard Worker
2435*08b48e0bSAndroid Build Coastguard Worker }
2436*08b48e0bSAndroid Build Coastguard Worker
2437*08b48e0bSAndroid Build Coastguard Worker if (!f) {
2438*08b48e0bSAndroid Build Coastguard Worker
2439*08b48e0bSAndroid Build Coastguard Worker WARNF("Could not check CPU scaling governor");
2440*08b48e0bSAndroid Build Coastguard Worker return;
2441*08b48e0bSAndroid Build Coastguard Worker
2442*08b48e0bSAndroid Build Coastguard Worker }
2443*08b48e0bSAndroid Build Coastguard Worker
2444*08b48e0bSAndroid Build Coastguard Worker ACTF("Checking CPU scaling governor...");
2445*08b48e0bSAndroid Build Coastguard Worker
2446*08b48e0bSAndroid Build Coastguard Worker if (!fgets(tmp, 128, f)) { PFATAL("fgets() failed"); }
2447*08b48e0bSAndroid Build Coastguard Worker
2448*08b48e0bSAndroid Build Coastguard Worker fclose(f);
2449*08b48e0bSAndroid Build Coastguard Worker
2450*08b48e0bSAndroid Build Coastguard Worker if (!strncmp(tmp, "perf", 4)) { return; }
2451*08b48e0bSAndroid Build Coastguard Worker
2452*08b48e0bSAndroid Build Coastguard Worker f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", "r");
2453*08b48e0bSAndroid Build Coastguard Worker
2454*08b48e0bSAndroid Build Coastguard Worker if (f) {
2455*08b48e0bSAndroid Build Coastguard Worker
2456*08b48e0bSAndroid Build Coastguard Worker if (fscanf(f, "%llu", &min) != 1) { min = 0; }
2457*08b48e0bSAndroid Build Coastguard Worker fclose(f);
2458*08b48e0bSAndroid Build Coastguard Worker
2459*08b48e0bSAndroid Build Coastguard Worker }
2460*08b48e0bSAndroid Build Coastguard Worker
2461*08b48e0bSAndroid Build Coastguard Worker f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", "r");
2462*08b48e0bSAndroid Build Coastguard Worker
2463*08b48e0bSAndroid Build Coastguard Worker if (f) {
2464*08b48e0bSAndroid Build Coastguard Worker
2465*08b48e0bSAndroid Build Coastguard Worker if (fscanf(f, "%llu", &max) != 1) { max = 0; }
2466*08b48e0bSAndroid Build Coastguard Worker fclose(f);
2467*08b48e0bSAndroid Build Coastguard Worker
2468*08b48e0bSAndroid Build Coastguard Worker }
2469*08b48e0bSAndroid Build Coastguard Worker
2470*08b48e0bSAndroid Build Coastguard Worker if (min == max) { return; }
2471*08b48e0bSAndroid Build Coastguard Worker
2472*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
2473*08b48e0bSAndroid Build Coastguard Worker "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n"
2474*08b48e0bSAndroid Build Coastguard Worker " between %llu and %llu MHz. Unfortunately, the scaling algorithm in "
2475*08b48e0bSAndroid Build Coastguard Worker "the\n"
2476*08b48e0bSAndroid Build Coastguard Worker " kernel is imperfect and can miss the short-lived processes spawned "
2477*08b48e0bSAndroid Build Coastguard Worker "by\n"
2478*08b48e0bSAndroid Build Coastguard Worker " afl-fuzz. To keep things moving, run these commands as root:\n\n"
2479*08b48e0bSAndroid Build Coastguard Worker
2480*08b48e0bSAndroid Build Coastguard Worker " cd /sys/devices/system/cpu\n"
2481*08b48e0bSAndroid Build Coastguard Worker " echo performance | tee cpu*/cpufreq/scaling_governor\n\n"
2482*08b48e0bSAndroid Build Coastguard Worker
2483*08b48e0bSAndroid Build Coastguard Worker " You can later go back to the original state by replacing "
2484*08b48e0bSAndroid Build Coastguard Worker "'performance'\n"
2485*08b48e0bSAndroid Build Coastguard Worker " with 'ondemand' or 'powersave'. If you don't want to change the "
2486*08b48e0bSAndroid Build Coastguard Worker "settings,\n"
2487*08b48e0bSAndroid Build Coastguard Worker " set AFL_SKIP_CPUFREQ to make afl-fuzz skip this check - but expect "
2488*08b48e0bSAndroid Build Coastguard Worker "some\n"
2489*08b48e0bSAndroid Build Coastguard Worker " performance drop.\n",
2490*08b48e0bSAndroid Build Coastguard Worker min / 1024, max / 1024);
2491*08b48e0bSAndroid Build Coastguard Worker FATAL("Suboptimal CPU scaling governor");
2492*08b48e0bSAndroid Build Coastguard Worker
2493*08b48e0bSAndroid Build Coastguard Worker #elif defined __APPLE__
2494*08b48e0bSAndroid Build Coastguard Worker u64 min = 0, max = 0;
2495*08b48e0bSAndroid Build Coastguard Worker size_t mlen = sizeof(min);
2496*08b48e0bSAndroid Build Coastguard Worker if (afl->afl_env.afl_skip_cpufreq) return;
2497*08b48e0bSAndroid Build Coastguard Worker
2498*08b48e0bSAndroid Build Coastguard Worker ACTF("Checking CPU scaling governor...");
2499*08b48e0bSAndroid Build Coastguard Worker
2500*08b48e0bSAndroid Build Coastguard Worker if (sysctlbyname("hw.cpufrequency_min", &min, &mlen, NULL, 0) == -1) {
2501*08b48e0bSAndroid Build Coastguard Worker
2502*08b48e0bSAndroid Build Coastguard Worker WARNF("Could not check CPU min frequency");
2503*08b48e0bSAndroid Build Coastguard Worker return;
2504*08b48e0bSAndroid Build Coastguard Worker
2505*08b48e0bSAndroid Build Coastguard Worker }
2506*08b48e0bSAndroid Build Coastguard Worker
2507*08b48e0bSAndroid Build Coastguard Worker if (sysctlbyname("hw.cpufrequency_max", &max, &mlen, NULL, 0) == -1) {
2508*08b48e0bSAndroid Build Coastguard Worker
2509*08b48e0bSAndroid Build Coastguard Worker WARNF("Could not check CPU max frequency");
2510*08b48e0bSAndroid Build Coastguard Worker return;
2511*08b48e0bSAndroid Build Coastguard Worker
2512*08b48e0bSAndroid Build Coastguard Worker }
2513*08b48e0bSAndroid Build Coastguard Worker
2514*08b48e0bSAndroid Build Coastguard Worker if (min == max) return;
2515*08b48e0bSAndroid Build Coastguard Worker
2516*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
2517*08b48e0bSAndroid Build Coastguard Worker "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n"
2518*08b48e0bSAndroid Build Coastguard Worker " between %llu and %llu MHz.\n"
2519*08b48e0bSAndroid Build Coastguard Worker " If you don't want to check those settings, set "
2520*08b48e0bSAndroid Build Coastguard Worker "AFL_SKIP_CPUFREQ\n"
2521*08b48e0bSAndroid Build Coastguard Worker " to make afl-fuzz skip this check - but expect some performance "
2522*08b48e0bSAndroid Build Coastguard Worker "drop.\n",
2523*08b48e0bSAndroid Build Coastguard Worker min / 1024, max / 1024);
2524*08b48e0bSAndroid Build Coastguard Worker FATAL("Suboptimal CPU scaling governor");
2525*08b48e0bSAndroid Build Coastguard Worker #else
2526*08b48e0bSAndroid Build Coastguard Worker (void)afl;
2527*08b48e0bSAndroid Build Coastguard Worker #endif
2528*08b48e0bSAndroid Build Coastguard Worker
2529*08b48e0bSAndroid Build Coastguard Worker }
2530*08b48e0bSAndroid Build Coastguard Worker
/* Count the number of logical CPU cores and report the current load. */

void get_core_count(afl_state_t *afl) {

#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
    defined(__DragonFly__)

  /* On macOS and the BSDs a sysctl answers directly; afl->cpu_core_count is
     the out-parameter, so the length passed must be its size. */

  size_t len = sizeof(afl->cpu_core_count);

#ifdef __APPLE__

  if (sysctlbyname("hw.logicalcpu", &afl->cpu_core_count, &len, NULL, 0) < 0) {

    return;

  }

#else

  int mib[2] = {CTL_HW, HW_NCPU};

  if (sysctl(mib, 2, &afl->cpu_core_count, &len, NULL, 0) < 0) { return; }

#endif /* ^__APPLE__ */

#else

#ifdef HAVE_AFFINITY

  /* sysconf() yields -1 on failure; the "> 0" test below turns that into
     the "unable to figure out" warning. */

  afl->cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN);

#else

  /* Last resort: count the lines of /proc/stat that continue "cpu" with a
     digit, i.e. one line per core. */

  u8    line[1024];
  FILE *f = fopen("/proc/stat", "r");

  if (!f) { return; }

  while (fgets(line, sizeof(line), f)) {

    if (!strncmp(line, "cpu", 3) && isdigit(line[3])) { ++afl->cpu_core_count; }

  }

  fclose(f);

#endif /* ^HAVE_AFFINITY */

#endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__ || __DragonFly__) */

  if (afl->cpu_core_count <= 0) {

    afl->cpu_core_count = 0;
    WARNF("Unable to figure out the number of CPU cores.");
    return;

  }

  u32 runnable = (u32)get_runnable_processes();

#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
    defined(__DragonFly__)

  /* The 1-minute load average does not yet include this process. */

  ++runnable;

#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ || __DragonFly__ */

  OKF("You have %d CPU core%s and %u runnable tasks (utilization: %0.0f%%).",
      afl->cpu_core_count, afl->cpu_core_count > 1 ? "s" : "", runnable,
      runnable * 100.0 / afl->cpu_core_count);

  /* Load advice only makes sense on a multi-core box. */

  if (afl->cpu_core_count <= 1) { return; }

  if (runnable > afl->cpu_core_count * 1.5) {

    WARNF("System under apparent load, performance may be spotty.");

  } else if ((s64)runnable + 1 <= (s64)afl->cpu_core_count) {

    OKF("Try parallel jobs - see "
        "%s/fuzzing_in_depth.md#c-using-multiple-cores",
        doc_path);

  }

}
2620*08b48e0bSAndroid Build Coastguard Worker
/* Validate and fix up afl->out_dir and sync_dir when using -S. */

void fix_up_sync(afl_state_t *afl) {

  /* Only [A-Za-z0-9_-] is accepted, so the ID can never smuggle a path
     separator or a "." component into the directory name built below. */

  for (u8 *p = afl->sync_id; *p; ++p) {

    if (isalnum(*p) || *p == '_' || *p == '-') { continue; }

    FATAL("Non-alphanumeric fuzzer ID specified via -S or -M");

  }

  if (strlen(afl->sync_id) > 32) { FATAL("Fuzzer ID too long"); }

  /* This instance gets its own subdirectory; the former out_dir becomes
     the sync_dir shared by all instances. */

  u8 *instance_dir = alloc_printf("%s/%s", afl->out_dir, afl->sync_id);

#ifdef __linux__
  if (afl->fsrv.nyx_mode) { afl->fsrv.out_dir_path = afl->out_dir; }
#endif

  afl->sync_dir = afl->out_dir;
  afl->out_dir = instance_dir;

}
2650*08b48e0bSAndroid Build Coastguard Worker
/* Handle screen resize (SIGWINCH). */

static void handle_resize(int sig) {

  /* Which signal arrived is irrelevant: any SIGWINCH forces a redraw.
     NOTE(review): this runs in signal context, so afl_states_clear_screen()
     should only set flags - confirm it does nothing async-signal-unsafe. */

  afl_states_clear_screen();
  (void)sig;

}
2659*08b48e0bSAndroid Build Coastguard Worker
/* Check ASAN options. */

void check_asan_opts(afl_state_t *afl) {

  (void)(afl);

  /* User-supplied sanitizer settings must keep the behaviour the fuzzer
     relies on (presumably: a detected error surfaces as an abort, and no
     symbolizer run slows down each execution). Every test is a plain
     substring match and every failure is fatal, so the order below is the
     order in which a user can see the messages. */

  u8 *asan_opts = get_afl_env("ASAN_OPTIONS");

  if (asan_opts && !strstr(asan_opts, "abort_on_error=1")) {

    FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");

  }

#ifndef ASAN_BUILD
  if (asan_opts && !afl->debug && !strstr(asan_opts, "symbolize=0")) {

    FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!");

  }

#endif

  u8 *msan_opts = get_afl_env("MSAN_OPTIONS");

  if (msan_opts && !strstr(msan_opts, "exit_code=" STRINGIFY(MSAN_ERROR))) {

    FATAL("Custom MSAN_OPTIONS set without exit_code=" STRINGIFY(
        MSAN_ERROR) " - please fix!");

  }

  if (msan_opts && !afl->debug && !strstr(msan_opts, "symbolize=0")) {

    FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!");

  }

  u8 *lsan_opts = get_afl_env("LSAN_OPTIONS");

  if (lsan_opts && !strstr(lsan_opts, "symbolize=0")) {

    FATAL("Custom LSAN_OPTIONS set without symbolize=0 - please fix!");

  }

}
2719*08b48e0bSAndroid Build Coastguard Worker
/* Handle stop signal (Ctrl-C, etc). */

static void handle_stop_sig(int sig) {

  /* The signal number is not needed; every stop signal ends up here.
     NOTE(review): signal context - afl_states_stop() should only set flags,
     confirm it performs no async-signal-unsafe work. */

  afl_states_stop();
  (void)sig;

}
2728*08b48e0bSAndroid Build Coastguard Worker
/* Handle skip request (SIGUSR1). */

static void handle_skipreq(int sig) {

  /* Only SIGUSR1 is routed here, so the number itself carries no
     information. NOTE(review): runs in signal context - confirm that
     afl_states_request_skip() merely records the request. */

  afl_states_request_skip();
  (void)sig;

}
2737*08b48e0bSAndroid Build Coastguard Worker
/* Setup shared map for fuzzing with input via sharedmem */

void setup_testcase_shmem(afl_state_t *afl) {

  afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));

  /* The trailing "1" (non-instrumented mode) keeps afl_shm_init() from
     overwriting SHM_ENV_VAR, which belongs to the coverage map. The region
     is laid out as a u32 length prefix followed by up to MAX_FILE bytes of
     test case data. */

  u8 *shm_base = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1);
  afl->shm_fuzz->shmemfuzz_mode = 1;

  if (!shm_base) { FATAL("BUG: Zero return from afl_shm_init."); }

  /* Hand the target the handle it needs to attach the same region. */

#ifdef USEMMAP
  setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
#else
  u8 *id_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
  setenv(SHM_FUZZ_ENV_VAR, id_str, 1);
  ck_free(id_str);
#endif

  afl->fsrv.support_shmem_fuzz = 1;
  afl->fsrv.shmem_fuzz_len = (u32 *)shm_base;
  afl->fsrv.shmem_fuzz = shm_base + sizeof(u32);

}
2762*08b48e0bSAndroid Build Coastguard Worker
2763*08b48e0bSAndroid Build Coastguard Worker /* Do a PATH search and find target binary to see that it exists and
2764*08b48e0bSAndroid Build Coastguard Worker isn't a shell script - a common and painful mistake. We also check for
2765*08b48e0bSAndroid Build Coastguard Worker a valid ELF header and for evidence of AFL instrumentation. */
2766*08b48e0bSAndroid Build Coastguard Worker
2767*08b48e0bSAndroid Build Coastguard Worker void check_binary(afl_state_t *afl, u8 *fname) {
2768*08b48e0bSAndroid Build Coastguard Worker
2769*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!fname)) { FATAL("BUG: Binary name is NULL"); }
2770*08b48e0bSAndroid Build Coastguard Worker
2771*08b48e0bSAndroid Build Coastguard Worker u8 *env_path = 0;
2772*08b48e0bSAndroid Build Coastguard Worker struct stat st;
2773*08b48e0bSAndroid Build Coastguard Worker
2774*08b48e0bSAndroid Build Coastguard Worker s32 fd;
2775*08b48e0bSAndroid Build Coastguard Worker u8 *f_data;
2776*08b48e0bSAndroid Build Coastguard Worker u32 f_len = 0;
2777*08b48e0bSAndroid Build Coastguard Worker
2778*08b48e0bSAndroid Build Coastguard Worker ACTF("Validating target binary...");
2779*08b48e0bSAndroid Build Coastguard Worker
2780*08b48e0bSAndroid Build Coastguard Worker if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
2781*08b48e0bSAndroid Build Coastguard Worker
2782*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.target_path = ck_strdup(fname);
2783*08b48e0bSAndroid Build Coastguard Worker #ifdef __linux__
2784*08b48e0bSAndroid Build Coastguard Worker if (afl->fsrv.nyx_mode) {
2785*08b48e0bSAndroid Build Coastguard Worker
2786*08b48e0bSAndroid Build Coastguard Worker /* check if target_path is a nyx sharedir */
2787*08b48e0bSAndroid Build Coastguard Worker if (stat(afl->fsrv.target_path, &st) || S_ISDIR(st.st_mode)) {
2788*08b48e0bSAndroid Build Coastguard Worker
2789*08b48e0bSAndroid Build Coastguard Worker char *tmp = alloc_printf("%s/config.ron", afl->fsrv.target_path);
2790*08b48e0bSAndroid Build Coastguard Worker if (stat(tmp, &st) || S_ISREG(st.st_mode)) {
2791*08b48e0bSAndroid Build Coastguard Worker
2792*08b48e0bSAndroid Build Coastguard Worker free(tmp);
2793*08b48e0bSAndroid Build Coastguard Worker return;
2794*08b48e0bSAndroid Build Coastguard Worker
2795*08b48e0bSAndroid Build Coastguard Worker }
2796*08b48e0bSAndroid Build Coastguard Worker
2797*08b48e0bSAndroid Build Coastguard Worker }
2798*08b48e0bSAndroid Build Coastguard Worker
2799*08b48e0bSAndroid Build Coastguard Worker FATAL("Directory '%s' not found or is not a nyx share directory",
2800*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.target_path);
2801*08b48e0bSAndroid Build Coastguard Worker
2802*08b48e0bSAndroid Build Coastguard Worker }
2803*08b48e0bSAndroid Build Coastguard Worker
2804*08b48e0bSAndroid Build Coastguard Worker #endif
2805*08b48e0bSAndroid Build Coastguard Worker if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) ||
2806*08b48e0bSAndroid Build Coastguard Worker !(st.st_mode & 0111) || (f_len = st.st_size) < 4) {
2807*08b48e0bSAndroid Build Coastguard Worker
2808*08b48e0bSAndroid Build Coastguard Worker FATAL("Program '%s' not found or not executable", fname);
2809*08b48e0bSAndroid Build Coastguard Worker
2810*08b48e0bSAndroid Build Coastguard Worker }
2811*08b48e0bSAndroid Build Coastguard Worker
2812*08b48e0bSAndroid Build Coastguard Worker } else {
2813*08b48e0bSAndroid Build Coastguard Worker
2814*08b48e0bSAndroid Build Coastguard Worker while (env_path) {
2815*08b48e0bSAndroid Build Coastguard Worker
2816*08b48e0bSAndroid Build Coastguard Worker u8 *cur_elem, *delim = strchr(env_path, ':');
2817*08b48e0bSAndroid Build Coastguard Worker
2818*08b48e0bSAndroid Build Coastguard Worker if (delim) {
2819*08b48e0bSAndroid Build Coastguard Worker
2820*08b48e0bSAndroid Build Coastguard Worker cur_elem = ck_alloc(delim - env_path + 1);
2821*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!cur_elem)) { FATAL("Unexpected large PATH"); }
2822*08b48e0bSAndroid Build Coastguard Worker memcpy(cur_elem, env_path, delim - env_path);
2823*08b48e0bSAndroid Build Coastguard Worker ++delim;
2824*08b48e0bSAndroid Build Coastguard Worker
2825*08b48e0bSAndroid Build Coastguard Worker } else {
2826*08b48e0bSAndroid Build Coastguard Worker
2827*08b48e0bSAndroid Build Coastguard Worker cur_elem = ck_strdup(env_path);
2828*08b48e0bSAndroid Build Coastguard Worker
2829*08b48e0bSAndroid Build Coastguard Worker }
2830*08b48e0bSAndroid Build Coastguard Worker
2831*08b48e0bSAndroid Build Coastguard Worker env_path = delim;
2832*08b48e0bSAndroid Build Coastguard Worker
2833*08b48e0bSAndroid Build Coastguard Worker if (cur_elem[0]) {
2834*08b48e0bSAndroid Build Coastguard Worker
2835*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.target_path = alloc_printf("%s/%s", cur_elem, fname);
2836*08b48e0bSAndroid Build Coastguard Worker
2837*08b48e0bSAndroid Build Coastguard Worker } else {
2838*08b48e0bSAndroid Build Coastguard Worker
2839*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.target_path = ck_strdup(fname);
2840*08b48e0bSAndroid Build Coastguard Worker
2841*08b48e0bSAndroid Build Coastguard Worker }
2842*08b48e0bSAndroid Build Coastguard Worker
2843*08b48e0bSAndroid Build Coastguard Worker ck_free(cur_elem);
2844*08b48e0bSAndroid Build Coastguard Worker
2845*08b48e0bSAndroid Build Coastguard Worker if (!stat(afl->fsrv.target_path, &st) && S_ISREG(st.st_mode) &&
2846*08b48e0bSAndroid Build Coastguard Worker (st.st_mode & 0111) && (f_len = st.st_size) >= 4) {
2847*08b48e0bSAndroid Build Coastguard Worker
2848*08b48e0bSAndroid Build Coastguard Worker break;
2849*08b48e0bSAndroid Build Coastguard Worker
2850*08b48e0bSAndroid Build Coastguard Worker }
2851*08b48e0bSAndroid Build Coastguard Worker
2852*08b48e0bSAndroid Build Coastguard Worker ck_free(afl->fsrv.target_path);
2853*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.target_path = 0;
2854*08b48e0bSAndroid Build Coastguard Worker
2855*08b48e0bSAndroid Build Coastguard Worker }
2856*08b48e0bSAndroid Build Coastguard Worker
2857*08b48e0bSAndroid Build Coastguard Worker if (!afl->fsrv.target_path) {
2858*08b48e0bSAndroid Build Coastguard Worker
2859*08b48e0bSAndroid Build Coastguard Worker FATAL("Program '%s' not found or not executable", fname);
2860*08b48e0bSAndroid Build Coastguard Worker
2861*08b48e0bSAndroid Build Coastguard Worker }
2862*08b48e0bSAndroid Build Coastguard Worker
2863*08b48e0bSAndroid Build Coastguard Worker }
2864*08b48e0bSAndroid Build Coastguard Worker
2865*08b48e0bSAndroid Build Coastguard Worker if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode ||
2866*08b48e0bSAndroid Build Coastguard Worker (afl->fsrv.qemu_mode && getenv("AFL_QEMU_CUSTOM_BIN")) ||
2867*08b48e0bSAndroid Build Coastguard Worker (afl->fsrv.cs_mode && getenv("AFL_CS_CUSTOM_BIN")) ||
2868*08b48e0bSAndroid Build Coastguard Worker afl->non_instrumented_mode) {
2869*08b48e0bSAndroid Build Coastguard Worker
2870*08b48e0bSAndroid Build Coastguard Worker return;
2871*08b48e0bSAndroid Build Coastguard Worker
2872*08b48e0bSAndroid Build Coastguard Worker }
2873*08b48e0bSAndroid Build Coastguard Worker
2874*08b48e0bSAndroid Build Coastguard Worker /* Check for blatant user errors. */
2875*08b48e0bSAndroid Build Coastguard Worker
2876*08b48e0bSAndroid Build Coastguard Worker /* disabled. not a real-worl scenario where this is a problem.
2877*08b48e0bSAndroid Build Coastguard Worker if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) &&
2878*08b48e0bSAndroid Build Coastguard Worker !strchr(afl->fsrv.target_path + 5, '/')) ||
2879*08b48e0bSAndroid Build Coastguard Worker (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) &&
2880*08b48e0bSAndroid Build Coastguard Worker !strchr(afl->fsrv.target_path + 9, '/'))) {
2881*08b48e0bSAndroid Build Coastguard Worker
2882*08b48e0bSAndroid Build Coastguard Worker FATAL("Please don't keep binaries in /tmp or /var/tmp");
2883*08b48e0bSAndroid Build Coastguard Worker
2884*08b48e0bSAndroid Build Coastguard Worker }
2885*08b48e0bSAndroid Build Coastguard Worker
2886*08b48e0bSAndroid Build Coastguard Worker */
2887*08b48e0bSAndroid Build Coastguard Worker
2888*08b48e0bSAndroid Build Coastguard Worker fd = open(afl->fsrv.target_path, O_RDONLY);
2889*08b48e0bSAndroid Build Coastguard Worker
2890*08b48e0bSAndroid Build Coastguard Worker if (fd < 0) { PFATAL("Unable to open '%s'", afl->fsrv.target_path); }
2891*08b48e0bSAndroid Build Coastguard Worker
2892*08b48e0bSAndroid Build Coastguard Worker f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0);
2893*08b48e0bSAndroid Build Coastguard Worker
2894*08b48e0bSAndroid Build Coastguard Worker if (f_data == MAP_FAILED) {
2895*08b48e0bSAndroid Build Coastguard Worker
2896*08b48e0bSAndroid Build Coastguard Worker PFATAL("Unable to mmap file '%s'", afl->fsrv.target_path);
2897*08b48e0bSAndroid Build Coastguard Worker
2898*08b48e0bSAndroid Build Coastguard Worker }
2899*08b48e0bSAndroid Build Coastguard Worker
2900*08b48e0bSAndroid Build Coastguard Worker close(fd);
2901*08b48e0bSAndroid Build Coastguard Worker
2902*08b48e0bSAndroid Build Coastguard Worker if (f_data[0] == '#' && f_data[1] == '!') {
2903*08b48e0bSAndroid Build Coastguard Worker
2904*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
2905*08b48e0bSAndroid Build Coastguard Worker "Oops, the target binary looks like a shell script. Some build "
2906*08b48e0bSAndroid Build Coastguard Worker "systems will\n"
2907*08b48e0bSAndroid Build Coastguard Worker " sometimes generate shell stubs for dynamically linked programs; "
2908*08b48e0bSAndroid Build Coastguard Worker "try static\n"
2909*08b48e0bSAndroid Build Coastguard Worker " library mode (./configure --disable-shared) if that's the "
2910*08b48e0bSAndroid Build Coastguard Worker "case.\n\n"
2911*08b48e0bSAndroid Build Coastguard Worker
2912*08b48e0bSAndroid Build Coastguard Worker " Another possible cause is that you are actually trying to use a "
2913*08b48e0bSAndroid Build Coastguard Worker "shell\n"
2914*08b48e0bSAndroid Build Coastguard Worker " wrapper around the fuzzed component. Invoking shell can slow "
2915*08b48e0bSAndroid Build Coastguard Worker "down the\n"
2916*08b48e0bSAndroid Build Coastguard Worker " fuzzing process by a factor of 20x or more; it's best to write "
2917*08b48e0bSAndroid Build Coastguard Worker "the wrapper\n"
2918*08b48e0bSAndroid Build Coastguard Worker " in a compiled language instead.\n");
2919*08b48e0bSAndroid Build Coastguard Worker
2920*08b48e0bSAndroid Build Coastguard Worker FATAL("Program '%s' is a shell script", afl->fsrv.target_path);
2921*08b48e0bSAndroid Build Coastguard Worker
2922*08b48e0bSAndroid Build Coastguard Worker }
2923*08b48e0bSAndroid Build Coastguard Worker
2924*08b48e0bSAndroid Build Coastguard Worker #ifndef __APPLE__
2925*08b48e0bSAndroid Build Coastguard Worker
2926*08b48e0bSAndroid Build Coastguard Worker if (f_data[0] != 0x7f || memcmp(f_data + 1, "ELF", 3)) {
2927*08b48e0bSAndroid Build Coastguard Worker
2928*08b48e0bSAndroid Build Coastguard Worker FATAL("Program '%s' is not an ELF binary", afl->fsrv.target_path);
2929*08b48e0bSAndroid Build Coastguard Worker
2930*08b48e0bSAndroid Build Coastguard Worker }
2931*08b48e0bSAndroid Build Coastguard Worker
2932*08b48e0bSAndroid Build Coastguard Worker #else
2933*08b48e0bSAndroid Build Coastguard Worker
2934*08b48e0bSAndroid Build Coastguard Worker #if !defined(__arm__) && !defined(__arm64__)
2935*08b48e0bSAndroid Build Coastguard Worker if ((f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) &&
2936*08b48e0bSAndroid Build Coastguard Worker (f_data[0] != 0xCA || f_data[1] != 0xFE || f_data[2] != 0xBA))
2937*08b48e0bSAndroid Build Coastguard Worker FATAL("Program '%s' is not a 64-bit or universal Mach-O binary",
2938*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.target_path);
2939*08b48e0bSAndroid Build Coastguard Worker #endif
2940*08b48e0bSAndroid Build Coastguard Worker
2941*08b48e0bSAndroid Build Coastguard Worker #endif /* ^!__APPLE__ */
2942*08b48e0bSAndroid Build Coastguard Worker
2943*08b48e0bSAndroid Build Coastguard Worker if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->unicorn_mode &&
2944*08b48e0bSAndroid Build Coastguard Worker #ifdef __linux__
2945*08b48e0bSAndroid Build Coastguard Worker !afl->fsrv.nyx_mode &&
2946*08b48e0bSAndroid Build Coastguard Worker #endif
2947*08b48e0bSAndroid Build Coastguard Worker !afl->fsrv.cs_mode && !afl->non_instrumented_mode &&
2948*08b48e0bSAndroid Build Coastguard Worker !afl_memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
2949*08b48e0bSAndroid Build Coastguard Worker
2950*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
2951*08b48e0bSAndroid Build Coastguard Worker "Looks like the target binary is not instrumented! The fuzzer depends "
2952*08b48e0bSAndroid Build Coastguard Worker "on\n"
2953*08b48e0bSAndroid Build Coastguard Worker " compile-time instrumentation to isolate interesting test cases "
2954*08b48e0bSAndroid Build Coastguard Worker "while\n"
2955*08b48e0bSAndroid Build Coastguard Worker " mutating the input data. For more information, and for tips on "
2956*08b48e0bSAndroid Build Coastguard Worker "how to\n"
2957*08b48e0bSAndroid Build Coastguard Worker " instrument binaries, please see %s/README.md.\n\n"
2958*08b48e0bSAndroid Build Coastguard Worker
2959*08b48e0bSAndroid Build Coastguard Worker " When source code is not available, you may be able to leverage "
2960*08b48e0bSAndroid Build Coastguard Worker "QEMU\n"
2961*08b48e0bSAndroid Build Coastguard Worker " mode support. Consult the README.md for tips on how to enable "
2962*08b48e0bSAndroid Build Coastguard Worker "this.\n\n"
2963*08b48e0bSAndroid Build Coastguard Worker
2964*08b48e0bSAndroid Build Coastguard Worker " If your target is an instrumented binary (e.g. with zafl, "
2965*08b48e0bSAndroid Build Coastguard Worker "retrowrite,\n"
2966*08b48e0bSAndroid Build Coastguard Worker " etc.) then set 'AFL_SKIP_BIN_CHECK=1'\n\n"
2967*08b48e0bSAndroid Build Coastguard Worker
2968*08b48e0bSAndroid Build Coastguard Worker " (It is also possible to use afl-fuzz as a traditional, "
2969*08b48e0bSAndroid Build Coastguard Worker "non-instrumented\n"
2970*08b48e0bSAndroid Build Coastguard Worker " fuzzer. For that use the -n option - but expect much worse "
2971*08b48e0bSAndroid Build Coastguard Worker "results.)\n",
2972*08b48e0bSAndroid Build Coastguard Worker doc_path);
2973*08b48e0bSAndroid Build Coastguard Worker
2974*08b48e0bSAndroid Build Coastguard Worker FATAL("No instrumentation detected");
2975*08b48e0bSAndroid Build Coastguard Worker
2976*08b48e0bSAndroid Build Coastguard Worker }
2977*08b48e0bSAndroid Build Coastguard Worker
2978*08b48e0bSAndroid Build Coastguard Worker if ((afl->fsrv.cs_mode || afl->fsrv.qemu_mode || afl->fsrv.frida_mode) &&
2979*08b48e0bSAndroid Build Coastguard Worker afl_memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
2980*08b48e0bSAndroid Build Coastguard Worker
2981*08b48e0bSAndroid Build Coastguard Worker SAYF("\n" cLRD "[-] " cRST
2982*08b48e0bSAndroid Build Coastguard Worker "This program appears to be instrumented with afl-gcc, but is being "
2983*08b48e0bSAndroid Build Coastguard Worker "run in\n"
2984*08b48e0bSAndroid Build Coastguard Worker " QEMU mode (-Q). This is probably not what you "
2985*08b48e0bSAndroid Build Coastguard Worker "want -\n"
2986*08b48e0bSAndroid Build Coastguard Worker " this setup will be slow and offer no practical benefits.\n");
2987*08b48e0bSAndroid Build Coastguard Worker
2988*08b48e0bSAndroid Build Coastguard Worker FATAL("Instrumentation found in -Q mode");
2989*08b48e0bSAndroid Build Coastguard Worker
2990*08b48e0bSAndroid Build Coastguard Worker }
2991*08b48e0bSAndroid Build Coastguard Worker
2992*08b48e0bSAndroid Build Coastguard Worker if (afl_memmem(f_data, f_len, "__asan_init", 11) ||
2993*08b48e0bSAndroid Build Coastguard Worker afl_memmem(f_data, f_len, "__msan_init", 11) ||
2994*08b48e0bSAndroid Build Coastguard Worker afl_memmem(f_data, f_len, "__lsan_init", 11)) {
2995*08b48e0bSAndroid Build Coastguard Worker
2996*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.uses_asan = 1;
2997*08b48e0bSAndroid Build Coastguard Worker
2998*08b48e0bSAndroid Build Coastguard Worker }
2999*08b48e0bSAndroid Build Coastguard Worker
3000*08b48e0bSAndroid Build Coastguard Worker /* Detect persistent & deferred init signatures in the binary. */
3001*08b48e0bSAndroid Build Coastguard Worker
3002*08b48e0bSAndroid Build Coastguard Worker if (afl_memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) {
3003*08b48e0bSAndroid Build Coastguard Worker
3004*08b48e0bSAndroid Build Coastguard Worker OKF(cPIN "Persistent mode binary detected.");
3005*08b48e0bSAndroid Build Coastguard Worker setenv(PERSIST_ENV_VAR, "1", 1);
3006*08b48e0bSAndroid Build Coastguard Worker afl->persistent_mode = 1;
3007*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.persistent_mode = 1;
3008*08b48e0bSAndroid Build Coastguard Worker afl->shmem_testcase_mode = 1;
3009*08b48e0bSAndroid Build Coastguard Worker
3010*08b48e0bSAndroid Build Coastguard Worker } else if (getenv("AFL_PERSISTENT")) {
3011*08b48e0bSAndroid Build Coastguard Worker
3012*08b48e0bSAndroid Build Coastguard Worker OKF(cPIN "Persistent mode enforced.");
3013*08b48e0bSAndroid Build Coastguard Worker setenv(PERSIST_ENV_VAR, "1", 1);
3014*08b48e0bSAndroid Build Coastguard Worker afl->persistent_mode = 1;
3015*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.persistent_mode = 1;
3016*08b48e0bSAndroid Build Coastguard Worker afl->shmem_testcase_mode = 1;
3017*08b48e0bSAndroid Build Coastguard Worker
3018*08b48e0bSAndroid Build Coastguard Worker } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) {
3019*08b48e0bSAndroid Build Coastguard Worker
3020*08b48e0bSAndroid Build Coastguard Worker OKF("FRIDA Persistent mode configuration options detected.");
3021*08b48e0bSAndroid Build Coastguard Worker setenv(PERSIST_ENV_VAR, "1", 1);
3022*08b48e0bSAndroid Build Coastguard Worker afl->persistent_mode = 1;
3023*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.persistent_mode = 1;
3024*08b48e0bSAndroid Build Coastguard Worker afl->shmem_testcase_mode = 1;
3025*08b48e0bSAndroid Build Coastguard Worker
3026*08b48e0bSAndroid Build Coastguard Worker }
3027*08b48e0bSAndroid Build Coastguard Worker
3028*08b48e0bSAndroid Build Coastguard Worker if (afl->fsrv.frida_mode ||
3029*08b48e0bSAndroid Build Coastguard Worker afl_memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
3030*08b48e0bSAndroid Build Coastguard Worker
3031*08b48e0bSAndroid Build Coastguard Worker OKF(cPIN "Deferred forkserver binary detected.");
3032*08b48e0bSAndroid Build Coastguard Worker setenv(DEFER_ENV_VAR, "1", 1);
3033*08b48e0bSAndroid Build Coastguard Worker afl->deferred_mode = 1;
3034*08b48e0bSAndroid Build Coastguard Worker
3035*08b48e0bSAndroid Build Coastguard Worker } else if (getenv("AFL_DEFER_FORKSRV")) {
3036*08b48e0bSAndroid Build Coastguard Worker
3037*08b48e0bSAndroid Build Coastguard Worker OKF(cPIN "Deferred forkserver enforced.");
3038*08b48e0bSAndroid Build Coastguard Worker setenv(DEFER_ENV_VAR, "1", 1);
3039*08b48e0bSAndroid Build Coastguard Worker afl->deferred_mode = 1;
3040*08b48e0bSAndroid Build Coastguard Worker
3041*08b48e0bSAndroid Build Coastguard Worker }
3042*08b48e0bSAndroid Build Coastguard Worker
3043*08b48e0bSAndroid Build Coastguard Worker if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); }
3044*08b48e0bSAndroid Build Coastguard Worker
3045*08b48e0bSAndroid Build Coastguard Worker }
3046*08b48e0bSAndroid Build Coastguard Worker
/* Decide whether the interactive UI can be used. Sets afl->not_on_tty when
   the user opted out via AFL_NO_UI or when stdout (fd 1) is not a terminal.
   Only an ioctl() failure with errno == ENOTTY counts as "not a tty"; any
   other failure leaves afl->not_on_tty untouched. */

void check_if_tty(afl_state_t *afl) {

  struct winsize ws;

  /* Explicit opt-out wins over any terminal probing. */
  if (afl->afl_env.afl_no_ui) {

    OKF("Disabling the UI because AFL_NO_UI is set.");
    afl->not_on_tty = 1;
    return;

  }

  /* A successful window-size query means we are attached to a terminal. */
  if (ioctl(1, TIOCGWINSZ, &ws) == 0) { return; }

  /* errno is read before any further library call can clobber it. */
  if (errno != ENOTTY) { return; }

  OKF("Looks like we're not running on a tty, so I'll be a bit less "
      "verbose.");
  afl->not_on_tty = 1;

}
3076*08b48e0bSAndroid Build Coastguard Worker
/* Install afl-fuzz's process-wide signal handlers.

   One zeroed sigaction template is reused for every signal. SA_RESTART is
   requested where the platform defines it so interrupted read()/write()
   calls resume instead of failing with EINTR; the template approach (rather
   than signal()/siginterrupt()) exists because libc on Solaris does not
   resume interrupted reads and sets SA_RESETHAND when siginterrupt() is
   called. sigaction() return values are not checked, as in the original. */

static void install_handler(struct sigaction *sa, int signum,
                            void (*handler)(int)) {

  sa->sa_handler = handler;
  sigaction(signum, sa, NULL);

}

void setup_signal_handlers(void) {

  struct sigaction sa;

  /* memset() already leaves sa_handler/sa_sigaction NULL. */
  memset((void *)&sa, 0, sizeof(sa));
#ifdef SA_RESTART
  sa.sa_flags = SA_RESTART;
#endif
  sigemptyset(&sa.sa_mask); /* block no extra signals while a handler runs */

  /* Various ways of saying "stop". */
  install_handler(&sa, SIGHUP, handle_stop_sig);
  install_handler(&sa, SIGINT, handle_stop_sig);
  install_handler(&sa, SIGTERM, handle_stop_sig);

  /* Terminal window resize: redraw the UI. */
  install_handler(&sa, SIGWINCH, handle_resize);

  /* SIGUSR1: skip the current queue entry. */
  install_handler(&sa, SIGUSR1, handle_skipreq);

  /* Signals we deliberately ignore: job control stop and broken pipes. */
  install_handler(&sa, SIGTSTP, SIG_IGN);
  install_handler(&sa, SIGPIPE, SIG_IGN);

}
3118*08b48e0bSAndroid Build Coastguard Worker
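/* Make a copy of the current command line into afl->orig_cmdline.

   The result is one NUL-terminated string: the first argc entries of argv
   joined by single spaces, with no quoting or escaping. Every argv[i] for
   i < argc must be non-NULL; a NULL entry is reported via FATAL().

   Fix over the previous version: the NULL check on argv[i] used to run
   AFTER strlen(argv[i]) had already dereferenced the pointer (in both the
   sizing loop and the copy loop), so it could never fire. The pointer is now
   validated before any dereference. */

void save_cmdline(afl_state_t *afl, u32 argc, char **argv) {

  u32 len = 1, i; /* 1 for the terminating NUL */
  u8 *buf;

  for (i = 0; i < argc; ++i) {

    /* Validate before the first dereference. */
    if (!argv[i]) { FATAL("null deref detected"); }

    len += strlen(argv[i]) + 1; /* argument plus a separating space */

  }

  buf = afl->orig_cmdline = ck_alloc(len);

  /* ck_alloc() is expected to abort on failure; kept as a cheap safeguard
     that also covers argc == 0, which the old in-loop check skipped. */
  if (!buf) { FATAL("null deref detected"); }

  for (i = 0; i < argc; ++i) {

    u32 l = strlen(argv[i]); /* already known to be non-NULL */

    memcpy(buf, argv[i], l);
    buf += l;

    /* Separate arguments with a space; the last one gets the NUL below. */
    if (i != argc - 1) { *(buf++) = ' '; }

  }

  *buf = 0;

}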
3150*08b48e0bSAndroid Build Coastguard Worker
3151