/*
* Returns true if a process exited (so, presumably, we can delete an input
* file)
*/
static bool arch_analyzeSignal(honggfuzz_t * hfuzz, int status, fuzzer_t * fuzzer)
{
/*
* Resumed by delivery of SIGCONT
*/
if (WIFCONTINUED(status)) {
return false;
}
/*
* Boring, the process just exited
*/
if (WIFEXITED(status)) {
LOG_D("Process (pid %d) exited normally with status %d", fuzzer->pid, WEXITSTATUS(status));
return true;
}
/*
* Shouldn't really happen, but, well..
*/
if (!WIFSIGNALED(status)) {
LOG_E("Process (pid %d) exited with the following status %d, please report that as a bug",
fuzzer->pid, status);
return true;
}
int termsig = WTERMSIG(status);
LOG_D("Process (pid %d) killed by signal %d '%s'", fuzzer->pid, termsig, strsignal(termsig));
if (!arch_sigs[termsig].important) {
LOG_D("It's not that important signal, skipping");
return true;
}
char localtmstr[PATH_MAX];
util_getLocalTime("%F.%H:%M:%S", localtmstr, sizeof(localtmstr), time(NULL));
char newname[PATH_MAX];
/* If dry run mode, copy file with same name into workspace */
if (hfuzz->flipRate == 0.0L && hfuzz->useVerifier) {
snprintf(newname, sizeof(newname), "%s", fuzzer->origFileName);
} else {
snprintf(newname, sizeof(newname), "%s/%s.%d.%s.%s.%s",
hfuzz->workDir, arch_sigs[termsig].descr, fuzzer->pid, localtmstr,
fuzzer->origFileName, hfuzz->fileExtn);
}
LOG_I("Ok, that's interesting, saving the '%s' as '%s'", fuzzer->fileName, newname);
/*
* All crashes are marked as unique due to lack of information in POSIX arch
*/
__sync_fetch_and_add(&hfuzz->crashesCnt, 1UL);
__sync_fetch_and_add(&hfuzz->uniqueCrashesCnt, 1UL);
if (files_copyFile(fuzzer->fileName, newname, NULL) == false) {
LOG_E("Couldn't save '%s' as '%s'", fuzzer->fileName, newname);
}
return true;
}
void report_Report(run_t* run) {
if (run->report[0] == '\0') {
return;
}
MX_SCOPED_LOCK(&run->global->cfg.report_mutex);
if (reportFD == -1) {
char reportFName[PATH_MAX];
if (run->global->cfg.reportFile == NULL) {
snprintf(reportFName, sizeof(reportFName), "%s/%s", run->global->io.workDir,
_HF_REPORT_FILE);
} else {
snprintf(reportFName, sizeof(reportFName), "%s", run->global->cfg.reportFile);
}
reportFD =
TEMP_FAILURE_RETRY(open(reportFName, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0644));
if (reportFD == -1) {
PLOG_F("Couldn't open('%s') for writing", reportFName);
}
}
char localtmstr[PATH_MAX];
util_getLocalTime("%F.%H:%M:%S", localtmstr, sizeof(localtmstr), time(NULL));
dprintf(reportFD,
"=====================================================================\n"
"TIME: %s\n"
"=====================================================================\n"
"FUZZER ARGS:\n"
" mutationsPerRun : %u\n"
" externalCmd : %s\n"
" fuzzStdin : %s\n"
" timeout : %ld (sec)\n"
#if defined(_HF_ARCH_LINUX) || defined(_HF_ARCH_NETBSD)
" ignoreAddr : %p\n"
#endif
" ASLimit : %" PRIu64 " (MiB)\n"
" RSSLimit : %" PRIu64 " (MiB)\n"
" DATALimit : %" PRIu64 " (MiB)\n"
" wordlistFile : %s\n",
localtmstr, run->global->mutate.mutationsPerRun,
run->global->exe.externalCommand == NULL ? "NULL" : run->global->exe.externalCommand,
run->global->exe.fuzzStdin ? "TRUE" : "FALSE", run->global->timing.tmOut,
#if defined(_HF_ARCH_LINUX)
run->global->linux.ignoreAddr,
#elif defined(_HF_ARCH_NETBSD)
run->global->netbsd.ignoreAddr,
#endif
run->global->exe.asLimit, run->global->exe.rssLimit, run->global->exe.dataLimit,
run->global->mutate.dictionaryFile == NULL ? "NULL" : run->global->mutate.dictionaryFile);
#if defined(_HF_ARCH_LINUX)
report_printdynFileMethod(run);
#endif
report_printTargetCmd(run);
dprintf(reportFD,
"%s"
"=====================================================================\n",
run->report);
}
static void display_displayLocked(honggfuzz_t * hfuzz)
{
unsigned long elapsed = (unsigned long)(time(NULL) - hfuzz->timeStart);
size_t curr_exec_cnt = __sync_fetch_and_add(&hfuzz->mutationsCnt, 0UL);
/*
* We increase the mutation counter unconditionally in threads, but if it's
* above hfuzz->mutationsMax we don't really execute the fuzzing loop.
* Therefore at the end of fuzzing, the mutation counter might be higher
* than hfuzz->mutationsMax
*/
if (hfuzz->mutationsMax > 0 && curr_exec_cnt > hfuzz->mutationsMax) {
curr_exec_cnt = hfuzz->mutationsMax;
}
static size_t prev_exec_cnt = 0UL;
uintptr_t exec_per_sec = curr_exec_cnt - prev_exec_cnt;
prev_exec_cnt = curr_exec_cnt;
display_put("%s", ESC_CLEAR);
display_put("============================== STAT ==============================\n");
display_put("Iterations: " ESC_BOLD "%zu" ESC_RESET, curr_exec_cnt);
if (hfuzz->mutationsMax) {
display_put(" (out of: " ESC_BOLD "%zu" ESC_RESET ")", hfuzz->mutationsMax);
}
display_put("\n");
char start_time_str[128];
util_getLocalTime("%F %T", start_time_str, sizeof(start_time_str), hfuzz->timeStart);
display_put("Start time: " ESC_BOLD "%s" ESC_RESET " (" ESC_BOLD "%lu"
ESC_RESET " seconds elapsed)\n", start_time_str, elapsed);
display_put("Input file/dir: '" ESC_BOLD "%s" ESC_RESET "'\n", hfuzz->inputFile);
display_put("Fuzzed cmd: '" ESC_BOLD "%s" ESC_RESET "'\n", hfuzz->cmdline_txt);
display_put("Fuzzing threads: " ESC_BOLD "%zu" ESC_RESET "\n", hfuzz->threadsMax);
display_put("Execs per second: " ESC_BOLD "%zu" ESC_RESET " (avg: " ESC_BOLD "%zu" ESC_RESET
")\n", exec_per_sec, elapsed ? (curr_exec_cnt / elapsed) : 0);
/* If dry run, print also the input file count */
if (hfuzz->flipRate == 0.0L && hfuzz->useVerifier) {
display_put("Input Files: '" ESC_BOLD "%zu" ESC_RESET "'\n", hfuzz->fileCnt);
}
display_put("Crashes: " ESC_BOLD "%zu" ESC_RESET " (unique: " ESC_BOLD "%zu" ESC_RESET
", blacklist: " ESC_BOLD "%zu" ESC_RESET ", verified: " ESC_BOLD "%zu" ESC_RESET
") \n", __sync_fetch_and_add(&hfuzz->crashesCnt, 0UL),
__sync_fetch_and_add(&hfuzz->uniqueCrashesCnt, 0UL),
__sync_fetch_and_add(&hfuzz->blCrashesCnt, 0UL),
__sync_fetch_and_add(&hfuzz->verifiedCrashesCnt, 0UL));
display_put("Timeouts: " ESC_BOLD "%zu" ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->timeoutedCnt, 0UL));
/* Feedback data sources are enabled. Start with common headers. */
if (hfuzz->dynFileMethod != _HF_DYNFILE_NONE || hfuzz->useSanCov) {
display_put("Dynamic file size: " ESC_BOLD "%zu" ESC_RESET " (max: " ESC_BOLD "%zu"
ESC_RESET ")\n", hfuzz->dynamicFileBestSz, hfuzz->maxFileSz);
display_put("Dynamic file max iterations keep for chosen seed (" ESC_BOLD "%zu" ESC_RESET
"/" ESC_BOLD "%zu" ESC_RESET ")\n",
__sync_fetch_and_add(&hfuzz->dynFileIterExpire, 0UL), _HF_MAX_DYNFILE_ITER);
display_put("Coverage (max):\n");
}
/* HW perf specific counters */
if (hfuzz->dynFileMethod & _HF_DYNFILE_INSTR_COUNT) {
display_put(" - cpu instructions: " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.cpuInstrCnt, 0UL));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BRANCH_COUNT) {
display_put(" - cpu branches: " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.cpuBranchCnt, 0UL));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_UNIQUE_BLOCK_COUNT) {
display_put(" - unique branch targets: " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.pcCnt, 0UL));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_UNIQUE_EDGE_COUNT) {
display_put(" - unique branch pairs: " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.pathCnt, 0UL));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_CUSTOM) {
display_put(" - custom counter: " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.customCnt, 0UL));
}
/* Sanitizer coverage specific counters */
if (hfuzz->useSanCov) {
uint64_t hitBB = __sync_fetch_and_add(&hfuzz->sanCovCnts.hitBBCnt, 0UL);
uint64_t totalBB = __sync_fetch_and_add(&hfuzz->sanCovCnts.totalBBCnt, 0UL);
uint8_t covPer = totalBB ? ((hitBB * 100) / totalBB) : 0;
display_put(" - total hit #bb: " ESC_BOLD "%" PRIu64 ESC_RESET " (coverage %d%%)\n",
hitBB, covPer);
display_put(" - total #dso: " ESC_BOLD "%" PRIu64 ESC_RESET " (instrumented only)\n",
__sync_fetch_and_add(&hfuzz->sanCovCnts.iDsoCnt, 0UL));
display_put(" - discovered #bb: " ESC_BOLD "%" PRIu64 ESC_RESET " (new from input seed)\n",
__sync_fetch_and_add(&hfuzz->sanCovCnts.newBBCnt, 0UL));
display_put(" - crashes: " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->sanCovCnts.crashesCnt, 0UL));
}
display_put("============================== LOGS ==============================\n");
}
static void display_displayLocked(honggfuzz_t * hfuzz)
{
static bool firstDisplay = true;
if (firstDisplay) {
display_put(ESC_CLEAR_ALL);
firstDisplay = false;
}
char *target;
char *extern_fuzzer;
char *time_elapsed_str;
char *time_remain_str;
unsigned long elapsed_second;
unsigned long remain_second;
float speed_second;
unsigned int TITLE_LEN = 78;
unsigned int LEFT_TITLE_LEN = 41;
int remain_title_len;
elapsed_second = (unsigned long)(time(NULL) - hfuzz->timeStart);
time_elapsed_str = get_time_elapsed(hfuzz->timeStart);
size_t curr_exec_cnt = ATOMIC_GET(hfuzz->mutationsCnt);
/*
* We increase the mutation counter unconditionally in threads, but if it's
* above hfuzz->mutationsMax we don't really execute the fuzzing loop.
* Therefore at the end of fuzzing, the mutation counter might be higher
* than hfuzz->mutationsMax
*/
if (hfuzz->mutationsMax > 0 && curr_exec_cnt > hfuzz->mutationsMax) {
curr_exec_cnt = hfuzz->mutationsMax;
}
float exeProgress = 0.0f;
if (hfuzz->mutationsMax > 0) {
exeProgress = ((float)curr_exec_cnt * 100 / hfuzz->mutationsMax);
}
static size_t prev_exec_cnt = 0UL;
//uintptr_t exec_per_sec = curr_exec_cnt - prev_exec_cnt;
prev_exec_cnt = curr_exec_cnt;
/* The lock should be acquired before any output is printed on the screen */
MX_SCOPED_LOCK(logMutexGet());
target = files_get_filename_in_path(hfuzz->cmdline[0]);
hfuzz->target = target;
speed_second = elapsed_second ? ((float)curr_exec_cnt / elapsed_second) : ((float)ATOMIC_GET(hfuzz->tmOut)/hfuzz->threadsMax);
LOG_D("speed_second: %f\n", speed_second);
int remain_file_cnt = ATOMIC_GET(hfuzz->fileCnt) - curr_exec_cnt;
remain_second = (remain_file_cnt>0? remain_file_cnt:1) / speed_second;
time_remain_str = get_time_remain(remain_second);
display_put(ESC_NAV(11, 1) ESC_CLEAR_ABOVE ESC_NAV(1, 1));
display_put("-------------------------[ " ESC_BOLD ESC_YELLOW "%s " ESC_RESET ESC_BOLD"v%s " ESC_PINK "(%s)" ESC_RESET" ]",
PROG_NAME, PROG_VERSION, target );
remain_title_len = TITLE_LEN - LEFT_TITLE_LEN - strlen(target) - 3;
if (remain_title_len) {
for(int i=0;i<remain_title_len;i++){
printf("-");
}
} else {
LOG_W("target name very long!");
}
printf("\n");
display_put(ESC_WHITE " Iterations : " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET, curr_exec_cnt);
display_printKMG(curr_exec_cnt);
if (hfuzz->mutationsMax) {
display_put(" (out of: " ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET " [" ESC_BOLD "%.2f"
ESC_RESET "%%])", hfuzz->mutationsMax, exeProgress);
}
switch (ATOMIC_GET(hfuzz->state)) {
case _HF_STATE_STATIC:
display_put(ESC_WHITE "\n Run Mode : " ESC_RESET ESC_GREEN ESC_BOLD "Dumb Fuzzing" ESC_RESET);
break;
case _HF_STATE_DRY_RUN:
display_put(ESC_WHITE "\n Run Mode : " ESC_RESET ESC_GREEN ESC_BOLD "Dry Run" ESC_RESET);
break;
case _HF_STATE_DYNAMIC_PRE:
display_put(ESC_WHITE "\n Run Mode : " ESC_RESET ESC_GREEN ESC_BOLD "Dynamic Fuzzing" ESC_RESET);
break;
case _HF_STATE_DYNAMIC_MAIN:
display_put(ESC_WHITE "\n Run Mode : " ESC_RESET ESC_GREEN ESC_BOLD "Feedback-driven Fuzzing" ESC_RESET);
break;
case _HF_STATE_EXTERN:
extern_fuzzer = files_get_filename_in_path(hfuzz->externalCommand);
display_put(ESC_WHITE "\n Run Mode : " ESC_RESET ESC_GREEN ESC_BOLD "External (%s)" ESC_RESET, extern_fuzzer);
break;
default:
display_put(ESC_WHITE "\n Run Mode : " ESC_RESET ESC_GREEN ESC_BOLD "Unknown" ESC_RESET);
break;
}
char start_time_str[128];
util_getLocalTime("%F %T", start_time_str, sizeof(start_time_str), hfuzz->timeStart);
if(ATOMIC_GET(hfuzz->state) == _HF_STATE_DRY_RUN){
display_put(ESC_WHITE "\n Run Time : " ESC_RESET ESC_BOLD "%s (" ESC_RESET ESC_WHITE "Remain: " ESC_RESET ESC_BOLD "%s)\n" ESC_RESET , time_elapsed_str, time_remain_str);
}else{
display_put(ESC_WHITE "\n Run Time : " ESC_RESET ESC_BOLD "%s\n" ESC_RESET , time_elapsed_str);
}
static char tmpstr[1024] = {0};
size_t len = strlen(hfuzz->inputDir);
if(len > 40){
snprintf(tmpstr, sizeof(tmpstr), "%.32s...%s", hfuzz->inputDir, hfuzz->inputDir+len-18);
}else{
snprintf(tmpstr, sizeof(tmpstr), "%s", hfuzz->inputDir);
}
display_put(ESC_WHITE " Input Dir : " ESC_RESET ESC_RED "[% " _HF_MONETARY_MOD "zu] " ESC_RESET ESC_BOLD "'%s" ESC_RESET "'\n",
ATOMIC_GET(hfuzz->fileCnt), tmpstr);
/*
display_put(ESC_WHITE " Fuzzed Cmd : " ESC_RESET ESC_BOLD "'%s" ESC_RESET "'\n", hfuzz->cmdline_txt);
if (hfuzz->linux.pid > 0) {
display_put(ESC_WHITE "Remote cmd [" ESC_BOLD "%d" ESC_RESET "]: '" ESC_RESET ESC_BOLD "%s" ESC_RESET
"'\n", hfuzz->linux.pid, hfuzz->linux.pidCmd);
}
*/
static long num_cpu = 0;
if (num_cpu == 0) {
num_cpu = sysconf(_SC_NPROCESSORS_ONLN);
}
double cpuUse = getCpuUse(num_cpu);
display_put(ESC_WHITE " Threads : " ESC_RESET ESC_BOLD "%zu" ESC_RESET ", " ESC_WHITE "CPUs: " ESC_RESET ESC_BOLD "%ld" ESC_RESET
", " ESC_WHITE "CPU: " ESC_RESET ESC_BOLD "%.1lf" ESC_RESET "%%\n",
hfuzz->threadsMax, num_cpu, cpuUse / num_cpu);
display_put(ESC_WHITE " Speed : " ESC_RESET ESC_BOLD "%.2f" ESC_RESET ESC_WHITE "/sec" ESC_RESET"\n",
elapsed_second ? ((float_t)curr_exec_cnt / elapsed_second) : 0);
uint64_t crashesCnt = ATOMIC_GET(hfuzz->crashesCnt);
/* colored the crash count as red when exist crash */
display_put(ESC_WHITE " Crashes : " ESC_RESET ESC_BOLD "%s" "%zu" ESC_RESET " (" ESC_WHITE "unique: " ESC_RESET "%s" ESC_BOLD "%zu"
ESC_RESET ", " ESC_WHITE "blacklist: " ESC_RESET ESC_BOLD "%zu" ESC_RESET ", " ESC_WHITE "verified: " ESC_RESET
ESC_BOLD "%s" "%zu" ESC_RESET ")\n", crashesCnt > 0 ? ESC_RED : "", hfuzz->crashesCnt,
ATOMIC_GET(hfuzz->uniqueCrashesCnt) > 0 ? ESC_RED : "",
ATOMIC_GET(hfuzz->uniqueCrashesCnt), ATOMIC_GET(hfuzz->blCrashesCnt),
ATOMIC_GET(hfuzz->verifiedCrashesCnt) > 0 ? ESC_RED : "",
ATOMIC_GET(hfuzz->verifiedCrashesCnt));
display_put(ESC_WHITE " Timeouts : " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET " [%"
_HF_MONETARY_MOD "zu sec]\n", ATOMIC_GET(hfuzz->timeoutedCnt), hfuzz->tmOut);
/* Feedback data sources are enabled. Start with common headers. */
if (hfuzz->dynFileMethod != _HF_DYNFILE_NONE || hfuzz->useSanCov) {
/*
display_put(ESC_WHITE " Corpus Size : " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET
", " ESC_WHITE "max size (bytes): " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET "\n",
hfuzz->dynfileqCnt, hfuzz->maxFileSz);
display_put(ESC_WHITE " Coverage :\n" ESC_RESET);
*/
}else{
display_put(ESC_WHITE " Coverage : N/A\n" ESC_RESET);
}
/* HW perf specific counters */
if (hfuzz->dynFileMethod & _HF_DYNFILE_INSTR_COUNT) {
display_put(ESC_YELLOW " *** instructions: " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.cpuInstrCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BRANCH_COUNT) {
display_put(ESC_YELLOW " *** branches: " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.cpuBranchCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BTS_BLOCK) {
display_put(ESC_YELLOW " *** BTS blocks: " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.bbCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BTS_EDGE) {
display_put(ESC_YELLOW " *** BTS edges: " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.bbCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_IPT_BLOCK) {
display_put(ESC_YELLOW " *** PT blocks: " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.bbCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_SOFT) {
uint64_t softCntPc = ATOMIC_GET(hfuzz->linux.hwCnts.softCntPc);
uint64_t softCntCmp = ATOMIC_GET(hfuzz->linux.hwCnts.softCntCmp);
display_put(ESC_YELLOW " *** blocks seen: " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
", comparison map: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET "\n",
softCntPc, softCntCmp);
}
/* Sanitizer coverage specific counters */
if (hfuzz->useSanCov) {
uint64_t hitBB = ATOMIC_GET(hfuzz->sanCovCnts.hitBBCnt);
uint64_t totalBB = ATOMIC_GET(hfuzz->sanCovCnts.totalBBCnt);
float covPer = totalBB ? (((float)hitBB * 100) / totalBB) : 0.0;
display_put(ESC_YELLOW " Coverage : " ESC_RESET ESC_BOLD "%.2f" ESC_RESET "%%"
"(" ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET ESC_WHITE
", last update:" ESC_RESET ESC_BOLD " %s" ESC_RESET ")\n", covPer, hitBB,
get_time_elapsed(ATOMIC_GET(hfuzz->sanCovCnts.lastBBTime)));
/*
display_put(ESC_YELLOW " *** hit #bb : " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
" (" ESC_WHITE "coverage: " ESC_RESET ESC_BOLD "%.2f" ESC_RESET "%%)\n", hitBB, covPer);
display_put(ESC_YELLOW " *** total #dso : " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
" (" ESC_WHITE "Instrumented Dynamic Shared Object" ESC_RESET ")\n", ATOMIC_GET(hfuzz->sanCovCnts.iDsoCnt));
display_put(ESC_YELLOW " *** new #bb : " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
" (" ESC_WHITE "last update:" ESC_RESET ESC_BOLD " %s)\n" ESC_RESET,
ATOMIC_GET(hfuzz->sanCovCnts.newBBCnt),
get_time_elapsed(ATOMIC_GET(hfuzz->sanCovCnts.lastBBTime)));
display_put(ESC_YELLOW " *** crashes : " ESC_RESET ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->sanCovCnts.crashesCnt));
*/
}
display_put("-----------------------------------[ " ESC_BOLD ESC_YELLOW "LOGS" ESC_RESET
" ]-----------------------------------\n");
display_put(ESC_SCROLL(12, 999) ESC_NAV(999, 1));
}
static void display_displayLocked(honggfuzz_t * hfuzz)
{
unsigned long elapsed = (unsigned long)(time(NULL) - hfuzz->timeStart);
size_t curr_exec_cnt = __sync_fetch_and_add(&hfuzz->mutationsCnt, 0UL);
/*
* We increase the mutation counter unconditionally in threads, but if it's
* above hfuzz->mutationsMax we don't really execute the fuzzing loop.
* Therefore at the end of fuzzing, the mutation counter might be higher
* than hfuzz->mutationsMax
*/
if (hfuzz->mutationsMax > 0 && curr_exec_cnt > hfuzz->mutationsMax) {
curr_exec_cnt = hfuzz->mutationsMax;
}
static size_t prev_exec_cnt = 0UL;
uintptr_t exec_per_sec = curr_exec_cnt - prev_exec_cnt;
prev_exec_cnt = curr_exec_cnt;
display_put("%s", ESC_CLEAR);
display_put("============================== STAT ==============================\n");
display_put("Iterations: " ESC_BOLD "%zu" ESC_RESET, curr_exec_cnt);
if (hfuzz->mutationsMax) {
display_put(" (out of: " ESC_BOLD "%zu" ESC_RESET ")", hfuzz->mutationsMax);
}
display_put("\n");
char start_time_str[128];
util_getLocalTime("%F %T", start_time_str, sizeof(start_time_str), hfuzz->timeStart);
display_put("Start time: " ESC_BOLD "%s" ESC_RESET " (" ESC_BOLD "%lu"
ESC_RESET " seconds elapsed)\n", start_time_str, elapsed);
display_put("Input file/dir: '" ESC_BOLD "%s" ESC_RESET "'\n", hfuzz->inputFile);
display_put("Fuzzed cmd: '" ESC_BOLD "%s" ESC_RESET "'\n", hfuzz->cmdline[0]);
display_put("Fuzzing threads: " ESC_BOLD "%zu" ESC_RESET "\n", hfuzz->threadsMax);
display_put("Execs per second: " ESC_BOLD "%zu" ESC_RESET " (avg: " ESC_BOLD "%zu" ESC_RESET
")\n", exec_per_sec, elapsed ? (curr_exec_cnt / elapsed) : 0);
display_put("Crashes: " ESC_BOLD "%zu" ESC_RESET " (unique: " ESC_BOLD "%zu" ESC_RESET ") \n",
__sync_fetch_and_add(&hfuzz->crashesCnt, 0UL),
__sync_fetch_and_add(&hfuzz->uniqueCrashesCnt, 0UL));
display_put("Timeouts: " ESC_BOLD "%zu" ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->timeoutedCnt, 0UL));
if (hfuzz->dynFileMethod != _HF_DYNFILE_NONE) {
display_put("Dynamic file size: " ESC_BOLD "%zu" ESC_RESET " (max: " ESC_BOLD "%zu"
ESC_RESET ")\n", hfuzz->dynamicFileBestSz, hfuzz->maxFileSz);
display_put("Coverage (max):\n");
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_INSTR_COUNT) {
display_put(" - cpu instructions: " ESC_BOLD "%zu" ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.cpuInstrCnt, 0UL));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BRANCH_COUNT) {
display_put(" - cpu branches: " ESC_BOLD "%zu" ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.cpuBranchCnt, 0UL));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_UNIQUE_BLOCK_COUNT) {
display_put(" - unique branch targets: " ESC_BOLD "%zu" ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.pcCnt, 0UL));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_UNIQUE_EDGE_COUNT) {
display_put(" - unique branch pairs: " ESC_BOLD "%zu" ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.pathCnt, 0UL));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_CUSTOM) {
display_put(" - custom counter: " ESC_BOLD "%zu" ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->hwCnts.customCnt, 0UL));
}
display_put("============================== LOGS ==============================\n");
}
/*
* Returns true if a process exited (so, presumably, we can delete an input
* file)
*/
static bool arch_analyzeSignal(honggfuzz_t * hfuzz, int status, fuzzer_t * fuzzer)
{
/*
* Resumed by delivery of SIGCONT
*/
if (WIFCONTINUED(status)) {
return false;
}
if (WIFEXITED(status) || WIFSIGNALED(status)) {
sancov_Analyze(hfuzz, fuzzer);
}
/*
* Boring, the process just exited
*/
if (WIFEXITED(status)) {
LOG_D("Process (pid %d) exited normally with status %d", fuzzer->pid, WEXITSTATUS(status));
return true;
}
/*
* Shouldn't really happen, but, well..
*/
if (!WIFSIGNALED(status)) {
LOG_E("Process (pid %d) exited with the following status %d, please report that as a bug",
fuzzer->pid, status);
return true;
}
int termsig = WTERMSIG(status);
LOG_D("Process (pid %d) killed by signal %d '%s'", fuzzer->pid, termsig, strsignal(termsig));
if (!arch_sigs[termsig].important) {
LOG_D("It's not that important signal, skipping");
return true;
}
/*
* Signal is interesting
*/
/*
* Increase crashes counter presented by ASCII display
*/
ATOMIC_POST_INC(hfuzz->crashesCnt);
/*
* Get data from exception handler
*/
fuzzer->pc = g_fuzzer_crash_information[fuzzer->pid].pc;
fuzzer->exception = g_fuzzer_crash_information[fuzzer->pid].exception;
fuzzer->access = g_fuzzer_crash_information[fuzzer->pid].access;
fuzzer->backtrace = g_fuzzer_crash_information[fuzzer->pid].backtrace;
defer {
if (g_fuzzer_crash_callstack[fuzzer->pid]) {
free(g_fuzzer_crash_callstack[fuzzer->pid]);
g_fuzzer_crash_callstack[fuzzer->pid] = NULL;
}
};
/*
* Check if stackhash is blacklisted
*/
if (hfuzz->blacklist
&& (fastArray64Search(hfuzz->blacklist, hfuzz->blacklistCnt, fuzzer->backtrace) != -1)) {
LOG_I("Blacklisted stack hash '%" PRIx64 "', skipping", fuzzer->backtrace);
ATOMIC_POST_INC(hfuzz->blCrashesCnt);
return true;
}
/* If dry run mode, copy file with same name into workspace */
if (hfuzz->origFlipRate == 0.0L && hfuzz->useVerifier) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName), "%s/%s",
hfuzz->workDir, fuzzer->origFileName);
} else if (hfuzz->saveUnique) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.%s.PC.%.16llx.STACK.%.16llx.ADDR.%.16llx.%s",
hfuzz->workDir, arch_sigs[termsig].descr,
exception_to_string(fuzzer->exception), fuzzer->pc,
fuzzer->backtrace, fuzzer->access, hfuzz->fileExtn);
} else {
char localtmstr[PATH_MAX];
util_getLocalTime("%F.%H.%M.%S", localtmstr, sizeof(localtmstr), time(NULL));
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.%s.PC.%.16llx.STACK.%.16llx.ADDR.%.16llx.TIME.%s.PID.%.5d.%s",
hfuzz->workDir, arch_sigs[termsig].descr,
exception_to_string(fuzzer->exception), fuzzer->pc,
fuzzer->backtrace, fuzzer->access, localtmstr, fuzzer->pid, hfuzz->fileExtn);
}
if (files_exists(fuzzer->crashFileName)) {
LOG_I("It seems that '%s' already exists, skipping", fuzzer->crashFileName);
// Clear filename so that verifier can understand we hit a duplicate
memset(fuzzer->crashFileName, 0, sizeof(fuzzer->crashFileName));
return true;
}
if (files_writeBufToFile
(fuzzer->crashFileName, fuzzer->dynamicFile, fuzzer->dynamicFileSz,
O_CREAT | O_EXCL | O_WRONLY) == false) {
LOG_E("Couldn't copy '%s' to '%s'", fuzzer->fileName, fuzzer->crashFileName);
return true;
}
LOG_I("Ok, that's interesting, saved '%s' as '%s'", fuzzer->fileName, fuzzer->crashFileName);
ATOMIC_POST_INC(hfuzz->uniqueCrashesCnt);
/* If unique crash found, reset dynFile counter */
ATOMIC_CLEAR(hfuzz->dynFileIterExpire);
arch_generateReport(fuzzer, termsig);
return true;
}
static void arch_ptraceSaveData(honggfuzz_t * hfuzz, pid_t pid, fuzzer_t * fuzzer)
{
REG_TYPE pc = 0;
/* Local copy since flag is overridden for some crashes */
bool saveUnique = hfuzz->saveUnique;
char instr[_HF_INSTR_SZ] = "\x00";
siginfo_t si;
bzero(&si, sizeof(si));
if (ptrace(PTRACE_GETSIGINFO, pid, 0, &si) == -1) {
PLOG_W("Couldn't get siginfo for pid %d", pid);
}
arch_getInstrStr(pid, &pc, instr);
LOG_D("Pid: %d, signo: %d, errno: %d, code: %d, addr: %p, pc: %"
REG_PM ", instr: '%s'", pid, si.si_signo, si.si_errno, si.si_code, si.si_addr, pc, instr);
if (!SI_FROMUSER(&si) && pc && si.si_addr < hfuzz->linux.ignoreAddr) {
LOG_I("'%s' is interesting (%s), but the si.si_addr is %p (below %p), skipping",
fuzzer->fileName, arch_sigs[si.si_signo].descr, si.si_addr, hfuzz->linux.ignoreAddr);
return;
}
/*
* Unwind and resolve symbols
*/
/* *INDENT-OFF* */
funcs_t funcs[_HF_MAX_FUNCS] = {
[0 ... (_HF_MAX_FUNCS - 1)].pc = NULL,
[0 ... (_HF_MAX_FUNCS - 1)].line = 0,
[0 ... (_HF_MAX_FUNCS - 1)].func = {'\0'}
,
};
/* *INDENT-ON* */
#if !defined(__ANDROID__)
size_t funcCnt = arch_unwindStack(pid, funcs);
arch_bfdResolveSyms(pid, funcs, funcCnt);
#else
size_t funcCnt = arch_unwindStack(pid, funcs);
#endif
/*
* If unwinder failed (zero frames), use PC from ptrace GETREGS if not zero.
* If PC reg zero, temporarily disable uniqueness flag since callstack
* hash will be also zero, thus not safe for unique decisions.
*/
if (funcCnt == 0) {
if (pc) {
/* Manually update major frame PC & frames counter */
funcs[0].pc = (void *)(uintptr_t) pc;
funcCnt = 1;
} else {
saveUnique = false;
}
}
/*
* Temp local copy of previous backtrace value in case worker hit crashes into multiple
* tids for same target master thread. Will be 0 for first crash against target.
*/
uint64_t oldBacktrace = fuzzer->backtrace;
/*
* Calculate backtrace callstack hash signature
*/
arch_hashCallstack(hfuzz, fuzzer, funcs, funcCnt, saveUnique);
/*
* If fuzzing with sanitizer coverage feedback increase crashes counter used
* as metric for dynFile evolution
*/
if (hfuzz->useSanCov) {
fuzzer->sanCovCnts.crashesCnt++;
}
/*
* If unique flag is set and single frame crash, disable uniqueness for this crash
* to always save (timestamp will be added to the filename)
*/
if (saveUnique && (funcCnt == 1)) {
saveUnique = false;
}
/*
* If worker crashFileName member is set, it means that a tid has already crashed
* from target master thread.
*/
if (fuzzer->crashFileName[0] != '\0') {
LOG_D("Multiple crashes detected from worker against attached tids group");
/*
* If stackhashes match, don't re-analyze. This will avoid duplicates
* and prevent verifier from running multiple passes. Depth of check is
* always 1 (last backtrace saved only per target iteration).
*/
if (oldBacktrace == fuzzer->backtrace) {
return;
}
}
/* Increase global crashes counter */
ATOMIC_POST_INC(hfuzz->crashesCnt);
/*
* Check if stackhash is blacklisted
*/
if (hfuzz->blacklist
&& (fastArray64Search(hfuzz->blacklist, hfuzz->blacklistCnt, fuzzer->backtrace) != -1)) {
LOG_I("Blacklisted stack hash '%" PRIx64 "', skipping", fuzzer->backtrace);
ATOMIC_POST_INC(hfuzz->blCrashesCnt);
return;
}
/* If non-blacklisted crash detected, zero set two MSB */
ATOMIC_POST_ADD(hfuzz->dynFileIterExpire, _HF_DYNFILE_SUB_MASK);
void *sig_addr = si.si_addr;
if (hfuzz->linux.disableRandomization == false) {
pc = 0UL;
sig_addr = NULL;
}
/* User-induced signals don't set si.si_addr */
if (SI_FROMUSER(&si)) {
sig_addr = NULL;
}
/* If dry run mode, copy file with same name into workspace */
if (hfuzz->origFlipRate == 0.0L && hfuzz->useVerifier) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName), "%s/%s",
hfuzz->workDir, fuzzer->origFileName);
} else if (saveUnique) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.PC.%" REG_PM ".STACK.%" PRIx64 ".CODE.%d.ADDR.%p.INSTR.%s.%s",
hfuzz->workDir, arch_sigs[si.si_signo].descr, pc, fuzzer->backtrace,
si.si_code, sig_addr, instr, hfuzz->fileExtn);
} else {
char localtmstr[PATH_MAX];
util_getLocalTime("%F.%H:%M:%S", localtmstr, sizeof(localtmstr), time(NULL));
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.PC.%" REG_PM ".STACK.%" PRIx64 ".CODE.%d.ADDR.%p.INSTR.%s.%s.%d.%s",
hfuzz->workDir, arch_sigs[si.si_signo].descr, pc, fuzzer->backtrace,
si.si_code, sig_addr, instr, localtmstr, pid, hfuzz->fileExtn);
}
if (files_exists(fuzzer->crashFileName)) {
LOG_I("It seems that '%s' already exists, skipping", fuzzer->crashFileName);
// Clear filename so that verifier can understand we hit a duplicate
memset(fuzzer->crashFileName, 0, sizeof(fuzzer->crashFileName));
return;
}
if (files_writeBufToFile
(fuzzer->crashFileName, fuzzer->dynamicFile, fuzzer->dynamicFileSz,
O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC) == false) {
LOG_E("Couldn't copy '%s' to '%s'", fuzzer->fileName, fuzzer->crashFileName);
return;
}
LOG_I("Ok, that's interesting, saved '%s' as '%s'", fuzzer->fileName, fuzzer->crashFileName);
ATOMIC_POST_INC(hfuzz->uniqueCrashesCnt);
/* If unique crash found, reset dynFile counter */
ATOMIC_CLEAR(hfuzz->dynFileIterExpire);
arch_ptraceGenerateReport(pid, fuzzer, funcs, funcCnt, &si, instr);
}
/*
* Special book keeping for cases where crashes are detected based on exitcode and not
* a raised signal. Such case is the ASan fuzzing for Android. Crash file name maintains
* the same format for compatibility with post campaign tools.
*/
static void arch_ptraceExitSaveData(honggfuzz_t * hfuzz, pid_t pid, fuzzer_t * fuzzer, int exitCode)
{
REG_TYPE pc = 0;
void *crashAddr = 0;
char *op = "UNKNOWN";
pid_t targetPid = (hfuzz->linux.pid > 0) ? hfuzz->linux.pid : fuzzer->pid;
/* Save only the first hit for each worker */
if (fuzzer->crashFileName[0] != '\0') {
return;
}
/* Increase global crashes counter */
ATOMIC_POST_INC(hfuzz->crashesCnt);
ATOMIC_POST_AND(hfuzz->dynFileIterExpire, _HF_DYNFILE_SUB_MASK);
/*
* If fuzzing with sanitizer coverage feedback increase crashes counter used
* as metric for dynFile evolution
*/
if (hfuzz->useSanCov) {
fuzzer->sanCovCnts.crashesCnt++;
}
/* Get sanitizer string tag based on exitcode */
const char *sanStr = arch_sanCodeToStr(exitCode);
/* If sanitizer produces reports with stack traces (e.g. ASan), they're parsed manually */
int funcCnt = 0;
/* *INDENT-OFF* */
funcs_t funcs[_HF_MAX_FUNCS] = {
[0 ... (_HF_MAX_FUNCS - 1)].pc = NULL,
[0 ... (_HF_MAX_FUNCS - 1)].line = 0,
[0 ... (_HF_MAX_FUNCS - 1)].func = {'\0'}
,
};
/* *INDENT-ON* */
/* If ASan crash, parse report */
if (exitCode == HF_ASAN_EXIT_CODE) {
/* ASan is saving reports against parent PID */
if (targetPid != pid) {
return;
}
funcCnt = arch_parseAsanReport(hfuzz, pid, funcs, &crashAddr, &op);
/*
* -1 error indicates a file not found for report. This is expected to happen often since
* ASan report is generated once for crashing TID. Ptrace arch is not guaranteed to parse
* that TID first. Not setting the 'crashFileName' variable will ensure that this branch
* is executed again for all TIDs until the matching report is found
*/
if (funcCnt == -1) {
return;
}
/* Since crash address is available, apply ignoreAddr filters */
if (crashAddr < hfuzz->linux.ignoreAddr) {
LOG_I("'%s' is interesting, but the crash addr is %p (below %p), skipping",
fuzzer->fileName, crashAddr, hfuzz->linux.ignoreAddr);
return;
}
/* If frames successfully recovered, calculate stack hash & populate crash PC */
arch_hashCallstack(hfuzz, fuzzer, funcs, funcCnt, false);
pc = (uintptr_t) funcs[0].pc;
/* Since stack hash is available apply blacklist filters */
if (hfuzz->blacklist
&& (fastArray64Search(hfuzz->blacklist, hfuzz->blacklistCnt, fuzzer->backtrace) !=
-1)) {
LOG_I("Blacklisted stack hash '%" PRIx64 "', skipping", fuzzer->backtrace);
ATOMIC_POST_INC(hfuzz->blCrashesCnt);
return;
}
}
/* If dry run mode, copy file with same name into workspace */
if (hfuzz->origFlipRate == 0.0L && hfuzz->useVerifier) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName), "%s/%s",
hfuzz->workDir, fuzzer->origFileName);
} else {
/* Keep the crashes file name format identical */
if (fuzzer->backtrace != 0ULL && hfuzz->saveUnique) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.PC.%" REG_PM ".STACK.%" PRIx64 ".CODE.%s.ADDR.%p.INSTR.%s.%s",
hfuzz->workDir, sanStr, pc, fuzzer->backtrace,
op, crashAddr, "[UNKNOWN]", hfuzz->fileExtn);
} else {
/* If no stack hash available, all crashes treated as unique */
char localtmstr[PATH_MAX];
util_getLocalTime("%F.%H:%M:%S", localtmstr, sizeof(localtmstr), time(NULL));
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.PC.%" REG_PM ".STACK.%" PRIx64 ".CODE.%s.ADDR.%p.INSTR.%s.%s.%s",
hfuzz->workDir, sanStr, pc, fuzzer->backtrace,
op, crashAddr, "[UNKNOWN]", localtmstr, hfuzz->fileExtn);
}
}
bool dstFileExists = false;
if (files_copyFile(fuzzer->fileName, fuzzer->crashFileName, &dstFileExists)) {
LOG_I("Ok, that's interesting, saved '%s' as '%s'", fuzzer->fileName,
fuzzer->crashFileName);
/* Increase unique crashes counters */
ATOMIC_POST_INC(hfuzz->uniqueCrashesCnt);
ATOMIC_CLEAR(hfuzz->dynFileIterExpire);
} else {
if (dstFileExists) {
LOG_I("It seems that '%s' already exists, skipping", fuzzer->crashFileName);
/* Clear stack hash so that verifier can understand we hit a duplicate */
fuzzer->backtrace = 0ULL;
} else {
LOG_E("Couldn't copy '%s' to '%s'", fuzzer->fileName, fuzzer->crashFileName);
/* In case of write error, clear crashFileName to so that other monitored TIDs can retry */
memset(fuzzer->crashFileName, 0, sizeof(fuzzer->crashFileName));
}
/* Don't bother generating reports for duplicate or non-saved crashes */
return;
}
/* Generate report */
fuzzer->report[0] = '\0';
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "ORIG_FNAME: %s\n",
fuzzer->origFileName);
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "FUZZ_FNAME: %s\n",
fuzzer->crashFileName);
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "PID: %d\n", pid);
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "EXIT CODE: %d (%s)\n", exitCode,
sanStr);
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "OPERATION: %s\n", op);
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "FAULT ADDRESS: %p\n", crashAddr);
if (funcCnt > 0) {
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "STACK HASH: %016llx\n",
fuzzer->backtrace);
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "STACK:\n");
for (int i = 0; i < funcCnt; i++) {
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), " <" REG_PD REG_PM "> ",
(REG_TYPE) (long)funcs[i].pc, funcs[i].func, funcs[i].line);
if (funcs[i].func[0] != '\0') {
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "[%s + 0x%x]\n",
funcs[i].func, funcs[i].line);
} else {
util_ssnprintf(fuzzer->report, sizeof(fuzzer->report), "[]\n");
}
}
}
}
static void arch_ptraceSaveData(honggfuzz_t * hfuzz, pid_t pid, fuzzer_t * fuzzer)
{
__sync_fetch_and_add(&hfuzz->crashesCnt, 1UL);
REG_TYPE pc = 0;
char instr[_HF_INSTR_SZ] = "\x00";
siginfo_t si;
bzero(&si, sizeof(si));
if (ptrace(PT_GETSIGINFO, pid, 0, &si) == -1) {
LOGMSG_P(l_WARN, "Couldn't get siginfo for pid %d", pid);
}
arch_getInstrStr(pid, &pc, instr);
LOGMSG(l_DEBUG,
"Pid: %d, signo: %d, errno: %d, code: %d, addr: %p, pc: %"
REG_PM ", instr: '%s'", pid, si.si_signo, si.si_errno, si.si_code, si.si_addr, pc,
instr);
if (si.si_addr < hfuzz->ignoreAddr) {
LOGMSG(l_INFO,
"'%s' is interesting (%s), but the si.si_addr is %p (below %p), skipping",
fuzzer->fileName, arch_sigs[si.si_signo].descr, si.si_addr, hfuzz->ignoreAddr);
return;
}
char newname[PATH_MAX];
if (hfuzz->saveUnique) {
snprintf(newname, sizeof(newname),
"%s.PC.%" REG_PM ".CODE.%d.ADDR.%p.INSTR.%s.%s",
arch_sigs[si.si_signo].descr, pc, si.si_code, si.si_addr, instr, hfuzz->fileExtn);
} else {
char localtmstr[PATH_MAX];
util_getLocalTime("%F.%H:%M:%S", localtmstr, sizeof(localtmstr), time(NULL));
snprintf(newname, sizeof(newname),
"%s.PC.%" REG_PM ".CODE.%d.ADDR.%p.INSTR.%s.%s.%d.%s",
arch_sigs[si.si_signo].descr, pc, si.si_code, si.si_addr,
instr, localtmstr, pid, hfuzz->fileExtn);
}
if (link(fuzzer->fileName, newname) == 0) {
LOGMSG(l_INFO, "Ok, that's interesting, saved '%s' as '%s'", fuzzer->fileName, newname);
} else {
if (errno == EEXIST) {
LOGMSG(l_INFO, "It seems that '%s' already exists, skipping", newname);
// Don't bother unwinding & generating reports for duplicate crashes
return;
} else {
LOGMSG_P(l_ERROR, "Couldn't link '%s' to '%s'", fuzzer->fileName, newname);
}
}
funcs_t funcs[_HF_MAX_FUNCS] = {
[0 ... (_HF_MAX_FUNCS - 1)].pc = NULL,
[0 ... (_HF_MAX_FUNCS - 1)].line = 0,
[0 ... (_HF_MAX_FUNCS - 1)].func = {'\0'}
,
};
#if !defined(__ANDROID__)
size_t funcCnt = arch_unwindStack(pid, funcs);
arch_bfdResolveSyms(pid, funcs, funcCnt);
#else
size_t funcCnt = arch_unwindStack(pid, funcs);
#endif
arch_ptraceGenerateReport(pid, fuzzer, funcs, funcCnt, &si, instr);
}
static void display_displayLocked(honggfuzz_t * hfuzz)
{
unsigned long elapsed_second = (unsigned long)(time(NULL) - hfuzz->timeStart);
unsigned int day, hour, min, second;
char time_elapsed_str[64];
if (elapsed_second < 24 * 3600) {
hour = elapsed_second / 3600;
min = (elapsed_second - 3600 * hour) / 60;
second = elapsed_second - hour * 3600 - min * 60;
snprintf(time_elapsed_str, sizeof(time_elapsed_str), "%u hrs %u min %u sec", hour,
min, second);
} else {
day = elapsed_second / 24 / 3600;
elapsed_second = elapsed_second - day * 24 * 3600;
hour = elapsed_second / 3600;
min = (elapsed_second - 3600 * hour) / 60;
second = elapsed_second - hour * 3600 - min * 60;
snprintf(time_elapsed_str, sizeof(time_elapsed_str),
"%u days %u hrs %u min %u sec", day, hour, min, second);
}
size_t curr_exec_cnt = ATOMIC_GET(hfuzz->mutationsCnt);
/*
* We increase the mutation counter unconditionally in threads, but if it's
* above hfuzz->mutationsMax we don't really execute the fuzzing loop.
* Therefore at the end of fuzzing, the mutation counter might be higher
* than hfuzz->mutationsMax
*/
if (hfuzz->mutationsMax > 0 && curr_exec_cnt > hfuzz->mutationsMax) {
curr_exec_cnt = hfuzz->mutationsMax;
}
float exeProgress = 0.0f;
if (hfuzz->mutationsMax > 0) {
exeProgress = ((float)curr_exec_cnt * 100 / hfuzz->mutationsMax);
}
static size_t prev_exec_cnt = 0UL;
uintptr_t exec_per_sec = curr_exec_cnt - prev_exec_cnt;
prev_exec_cnt = curr_exec_cnt;
/* The lock should be acquired before any output is printed on the screen */
MX_SCOPED_LOCK(logMutexGet());
display_put("%s", ESC_CLEAR);
display_put("----------------------------[ %s v%s ]---------------------------\n",
PROG_NAME, PROG_VERSION);
display_put(" Iterations : " ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET, curr_exec_cnt);
display_printKMG(curr_exec_cnt);
if (hfuzz->mutationsMax) {
display_put(" (out of: " ESC_BOLD "%zu" ESC_RESET " [" ESC_BOLD "%.2f" ESC_RESET
"%%])", hfuzz->mutationsMax, exeProgress);
}
switch (ATOMIC_GET(hfuzz->state)) {
case _HF_STATE_STATIC:
display_put("\n Phase : " ESC_BOLD "Static Main" ESC_RESET);
break;
case _HF_STATE_DYNAMIC_PRE:
display_put("\n Phase : " ESC_BOLD "Dynamic Pre" ESC_RESET);
break;
case _HF_STATE_DYNAMIC_MAIN:
display_put("\n Phase : " ESC_BOLD "Dynamic Main" ESC_RESET);
break;
default:
display_put("\n Phase : " ESC_BOLD "Unknown" ESC_RESET);
break;
}
char start_time_str[128];
util_getLocalTime("%F %T", start_time_str, sizeof(start_time_str), hfuzz->timeStart);
display_put("\n Run Time : " ESC_BOLD "%s" ESC_RESET " (since: " ESC_BOLD "%s" ESC_RESET
")\n", time_elapsed_str, start_time_str);
display_put(" Input Dir : '" ESC_BOLD "%s" ESC_RESET "'\n",
hfuzz->inputDir != NULL ? hfuzz->inputDir : "[NONE]");
display_put(" Fuzzed Cmd : '" ESC_BOLD "%s" ESC_RESET "'\n", hfuzz->cmdline_txt);
if (hfuzz->linux.pid > 0) {
display_put("Remote cmd [" ESC_BOLD "%d" ESC_RESET "]: '" ESC_BOLD "%s" ESC_RESET
"'\n", hfuzz->linux.pid, hfuzz->linux.pidCmd);
}
static long num_cpu = 0;
if (num_cpu == 0) {
num_cpu = sysconf(_SC_NPROCESSORS_ONLN);
}
double cpuUse = getCpuUse(num_cpu);
display_put(" Threads : " ESC_BOLD "%zu" ESC_RESET ", CPUs: " ESC_BOLD "%ld" ESC_RESET
", CPU: " ESC_BOLD "%.1lf" ESC_RESET "%% (" ESC_BOLD "%.1lf" ESC_RESET "%%/CPU)\n",
hfuzz->threadsMax, num_cpu, cpuUse, cpuUse / num_cpu);
display_put(" Speed : " ESC_BOLD "% " _HF_MONETARY_MOD "zu" ESC_RESET "/sec"
" (avg: " ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET ")\n", exec_per_sec,
elapsed_second ? (curr_exec_cnt / elapsed_second) : 0);
/* If dry run, print also the input file count */
if (hfuzz->origFlipRate == 0.0L && hfuzz->useVerifier) {
display_put(" Input Files : '" ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET "'\n",
hfuzz->fileCnt);
}
uint64_t crashesCnt = ATOMIC_GET(hfuzz->crashesCnt);
/* colored the crash count as red when exist crash */
display_put(" Crashes : " ESC_BOLD "%s" "%zu" ESC_RESET " (unique: %s" ESC_BOLD "%zu"
ESC_RESET ", blacklist: " ESC_BOLD "%zu" ESC_RESET ", verified: "
ESC_BOLD "%zu" ESC_RESET ")\n", crashesCnt > 0 ? ESC_RED : "",
hfuzz->crashesCnt, crashesCnt > 0 ? ESC_RED : "",
ATOMIC_GET(hfuzz->uniqueCrashesCnt), ATOMIC_GET(hfuzz->blCrashesCnt),
ATOMIC_GET(hfuzz->verifiedCrashesCnt));
display_put(" Timeouts : " ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET " [%"
_HF_MONETARY_MOD "zu sec.]\n", ATOMIC_GET(hfuzz->timeoutedCnt), hfuzz->tmOut);
/* Feedback data sources are enabled. Start with common headers. */
if (hfuzz->dynFileMethod != _HF_DYNFILE_NONE || hfuzz->useSanCov) {
display_put(" Corpus Size : " ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET
", max size (bytes): " ESC_BOLD "%" _HF_MONETARY_MOD "zu" ESC_RESET "\n",
hfuzz->dynfileqCnt, hfuzz->maxFileSz);
display_put(" Coverage :\n");
}
/* HW perf specific counters */
if (hfuzz->dynFileMethod & _HF_DYNFILE_INSTR_COUNT) {
display_put(" *** instructions: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.cpuInstrCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BRANCH_COUNT) {
display_put(" *** branches: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.cpuBranchCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BTS_BLOCK) {
display_put(" *** BTS blocks: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.bbCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BTS_EDGE) {
display_put(" *** BTS edges: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.bbCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_IPT_BLOCK) {
display_put(" *** PT blocks: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.bbCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_CUSTOM) {
display_put(" *** custom counter: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->linux.hwCnts.customCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_SOFT) {
uint64_t softCntPc = ATOMIC_GET(hfuzz->linux.hwCnts.softCntPc);
uint64_t softCntCmp = ATOMIC_GET(hfuzz->linux.hwCnts.softCntCmp);
display_put(" *** blocks seen: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
", comparison map: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET "\n",
softCntPc, softCntCmp);
}
/* Sanitizer coverage specific counters */
if (hfuzz->useSanCov) {
uint64_t hitBB = ATOMIC_GET(hfuzz->sanCovCnts.hitBBCnt);
uint64_t totalBB = ATOMIC_GET(hfuzz->sanCovCnts.totalBBCnt);
float covPer = totalBB ? (((float)hitBB * 100) / totalBB) : 0.0;
display_put(" *** total hit #bb: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
" (coverage " ESC_BOLD "%.2f" ESC_RESET "%%)\n", hitBB, covPer);
display_put(" *** total #dso: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
" (instrumented only)\n", ATOMIC_GET(hfuzz->sanCovCnts.iDsoCnt));
display_put(" *** discovered #bb: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
" (new from input seed)\n", ATOMIC_GET(hfuzz->sanCovCnts.newBBCnt));
display_put(" *** crashes: " ESC_BOLD "%" _HF_MONETARY_MOD PRIu64 ESC_RESET
"\n", ATOMIC_GET(hfuzz->sanCovCnts.crashesCnt));
}
display_put("-----------------------------------[ LOGS ]-----------------------------------\n");
}
static void arch_savePtraceData(honggfuzz_t * hfuzz, pid_t pid, int status)
{
void *pc = NULL;
char instr[MAX_OP_STRING] = "[UNKNOWN]";
siginfo_t si;
if (ptrace(PT_GETSIGINFO, pid, 0, &si) == -1) {
LOGMSG_P(l_WARN, "Couldn't get siginfo for pid %d", pid);
return;
}
struct user_regs_struct regs;
if (ptrace(PT_GETREGS, pid, NULL, ®s) == -1) {
LOGMSG(l_ERROR, "Couldn't get CPU registers");
}
#ifdef __i386__
pc = (void *)regs.eip;
arch_getX86InstrStr(pid, instr, pc);
#endif /* __i386__ */
#ifdef __x86_64__
pc = (void *)regs.rip;
arch_getX86InstrStr(pid, instr, pc);
#endif /* __x86_64__ */
LOGMSG(l_DEBUG,
"Pid: %d, signo: %d, errno: %d, code: %d, addr: %p, pc: %p, instr: '%s'",
pid, si.si_signo, si.si_errno, si.si_code, si.si_addr, pc, instr);
int idx = HF_SLOT(hfuzz, pid);
// If we're checkign state of an external process, then the idx is 0 (cause
// there's no concurrency)
if (hfuzz->pid) {
idx = 0;
}
if (si.si_addr < hfuzz->ignoreAddr) {
LOGMSG(l_INFO,
"'%s' is interesting (%s), but the si.si_addr is %p (below %p), skipping",
hfuzz->fuzzers[idx].fileName, arch_sigs[si.si_signo].descr, si.si_addr,
hfuzz->ignoreAddr);
return;
}
char newname[PATH_MAX];
if (hfuzz->saveUnique) {
snprintf(newname, sizeof(newname),
"%s.PC.%p.CODE.%d.ADDR.%p.INSTR.%s.%s.%s",
arch_sigs[si.si_signo].descr, pc, si.si_code, si.si_addr, instr,
hfuzz->fuzzers[idx].origFileName, hfuzz->fileExtn);
} else {
char localtmstr[PATH_MAX];
util_getLocalTime("%F.%H.%M.%S", localtmstr, sizeof(localtmstr));
snprintf(newname, sizeof(newname), "%s.PC.%p.CODE.%d.ADDR.%p.INSTR.%s.%s.%d.%s.%s",
arch_sigs[si.si_signo].descr, pc, si.si_code, si.si_addr, instr, localtmstr, pid,
hfuzz->fuzzers[idx].origFileName, hfuzz->fileExtn);
}
if (link(hfuzz->fuzzers[idx].fileName, newname) == 0) {
LOGMSG(l_INFO, "Ok, that's interesting, saved '%s' as '%s'",
hfuzz->fuzzers[idx].fileName, newname);
} else {
if (errno == EEXIST) {
LOGMSG(l_INFO, "It seems that '%s' already exists, skipping", newname);
} else {
LOGMSG_P(l_ERROR, "Couldn't link '%s' to '%s'", hfuzz->fuzzers[idx].fileName, newname);
}
}
}