static bool fuzz_prepareFileDynamically(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, int rnd_index)
{
while (pthread_mutex_lock(&hfuzz->dynamicFile_mutex)) ;
if (hfuzz->inputFile && hfuzz->branchBestCnt[0] == 0 && hfuzz->branchBestCnt[1] == 0
&& hfuzz->branchBestCnt[2] == 0 && hfuzz->branchBestCnt[3] == 0) {
size_t fileSz = files_readFileToBufMax(hfuzz->files[rnd_index], hfuzz->dynamicFileBest,
hfuzz->maxFileSz);
if (fileSz == 0) {
while (pthread_mutex_unlock(&hfuzz->dynamicFile_mutex)) ;
LOGMSG(l_ERROR, "Couldn't read '%s'", hfuzz->files[rnd_index]);
return false;
}
hfuzz->dynamicFileBestSz = fileSz;
}
if (hfuzz->dynamicFileBestSz > hfuzz->maxFileSz) {
LOGMSG(l_FATAL, "Current BEST file Sz > maxFileSz (%zu > %zu)", hfuzz->dynamicFileBestSz,
hfuzz->maxFileSz);
}
fuzzer->dynamicFileSz = hfuzz->dynamicFileBestSz;
memcpy(fuzzer->dynamicFile, hfuzz->dynamicFileBest, hfuzz->dynamicFileBestSz);
while (pthread_mutex_unlock(&hfuzz->dynamicFile_mutex)) ;
/* The first pass should be on an empty/initial file */
if (hfuzz->branchBestCnt[0] > 0 || hfuzz->branchBestCnt[1] > 0 || hfuzz->branchBestCnt[2] > 0
|| hfuzz->branchBestCnt[3] > 0) {
mangle_Resize(hfuzz, fuzzer->dynamicFile, &fuzzer->dynamicFileSz);
mangle_mangleContent(hfuzz, fuzzer->dynamicFile, fuzzer->dynamicFileSz);
}
if (files_writeBufToFile
(fuzzer->fileName, fuzzer->dynamicFile, fuzzer->dynamicFileSz,
O_WRONLY | O_CREAT | O_EXCL | O_TRUNC) == false) {
LOGMSG(l_ERROR, "Couldn't write buffer to file '%s'", fuzzer->fileName);
return false;
}
return true;
}
static bool fuzz_prepareFile(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, int rnd_index)
{
size_t fileSz =
files_readFileToBufMax(hfuzz->files[rnd_index], fuzzer->dynamicFile, hfuzz->maxFileSz);
if (fileSz == 0UL) {
LOGMSG(l_ERROR, "Couldn't read contents of '%s'", hfuzz->files[rnd_index]);
return false;
}
mangle_Resize(hfuzz, fuzzer->dynamicFile, &fileSz);
mangle_mangleContent(hfuzz, fuzzer->dynamicFile, fileSz);
if (files_writeBufToFile
(fuzzer->fileName, fuzzer->dynamicFile, fileSz, O_WRONLY | O_CREAT | O_EXCL) == false) {
LOGMSG(l_ERROR, "Couldn't write buffer to file '%s'", fuzzer->fileName);
return false;
}
return true;
}
static bool fuzz_prepareFile(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, int rnd_index)
{
size_t fileSz =
files_readFileToBufMax(hfuzz->files[rnd_index], fuzzer->dynamicFile, hfuzz->maxFileSz);
if (fileSz == 0UL) {
LOG_E("Couldn't read contents of '%s'", hfuzz->files[rnd_index]);
return false;
}
/* If flip rate is 0.0, early abort file mangling */
if (hfuzz->flipRate != 0.0L) {
mangle_Resize(hfuzz, fuzzer->dynamicFile, &fileSz);
mangle_mangleContent(hfuzz, fuzzer->dynamicFile, fileSz);
}
if (files_writeBufToFile
(fuzzer->fileName, fuzzer->dynamicFile, fileSz, O_WRONLY | O_CREAT | O_EXCL) == false) {
LOG_E("Couldn't write buffer to file '%s'", fuzzer->fileName);
return false;
}
return true;
}
/*
* Returns true if a process exited (so, presumably, we can delete an input
* file)
*/
static bool arch_analyzeSignal(honggfuzz_t * hfuzz, int status, fuzzer_t * fuzzer)
{
/*
* Resumed by delivery of SIGCONT
*/
if (WIFCONTINUED(status)) {
return false;
}
if (WIFEXITED(status) || WIFSIGNALED(status)) {
sancov_Analyze(hfuzz, fuzzer);
}
/*
* Boring, the process just exited
*/
if (WIFEXITED(status)) {
LOG_D("Process (pid %d) exited normally with status %d", fuzzer->pid, WEXITSTATUS(status));
return true;
}
/*
* Shouldn't really happen, but, well..
*/
if (!WIFSIGNALED(status)) {
LOG_E("Process (pid %d) exited with the following status %d, please report that as a bug",
fuzzer->pid, status);
return true;
}
int termsig = WTERMSIG(status);
LOG_D("Process (pid %d) killed by signal %d '%s'", fuzzer->pid, termsig, strsignal(termsig));
if (!arch_sigs[termsig].important) {
LOG_D("It's not that important signal, skipping");
return true;
}
/*
* Signal is interesting
*/
/*
* Increase crashes counter presented by ASCII display
*/
ATOMIC_POST_INC(hfuzz->crashesCnt);
/*
* Get data from exception handler
*/
fuzzer->pc = g_fuzzer_crash_information[fuzzer->pid].pc;
fuzzer->exception = g_fuzzer_crash_information[fuzzer->pid].exception;
fuzzer->access = g_fuzzer_crash_information[fuzzer->pid].access;
fuzzer->backtrace = g_fuzzer_crash_information[fuzzer->pid].backtrace;
defer {
if (g_fuzzer_crash_callstack[fuzzer->pid]) {
free(g_fuzzer_crash_callstack[fuzzer->pid]);
g_fuzzer_crash_callstack[fuzzer->pid] = NULL;
}
};
/*
* Check if stackhash is blacklisted
*/
if (hfuzz->blacklist
&& (fastArray64Search(hfuzz->blacklist, hfuzz->blacklistCnt, fuzzer->backtrace) != -1)) {
LOG_I("Blacklisted stack hash '%" PRIx64 "', skipping", fuzzer->backtrace);
ATOMIC_POST_INC(hfuzz->blCrashesCnt);
return true;
}
/* If dry run mode, copy file with same name into workspace */
if (hfuzz->origFlipRate == 0.0L && hfuzz->useVerifier) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName), "%s/%s",
hfuzz->workDir, fuzzer->origFileName);
} else if (hfuzz->saveUnique) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.%s.PC.%.16llx.STACK.%.16llx.ADDR.%.16llx.%s",
hfuzz->workDir, arch_sigs[termsig].descr,
exception_to_string(fuzzer->exception), fuzzer->pc,
fuzzer->backtrace, fuzzer->access, hfuzz->fileExtn);
} else {
char localtmstr[PATH_MAX];
util_getLocalTime("%F.%H.%M.%S", localtmstr, sizeof(localtmstr), time(NULL));
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.%s.PC.%.16llx.STACK.%.16llx.ADDR.%.16llx.TIME.%s.PID.%.5d.%s",
hfuzz->workDir, arch_sigs[termsig].descr,
exception_to_string(fuzzer->exception), fuzzer->pc,
fuzzer->backtrace, fuzzer->access, localtmstr, fuzzer->pid, hfuzz->fileExtn);
}
if (files_exists(fuzzer->crashFileName)) {
LOG_I("It seems that '%s' already exists, skipping", fuzzer->crashFileName);
// Clear filename so that verifier can understand we hit a duplicate
memset(fuzzer->crashFileName, 0, sizeof(fuzzer->crashFileName));
return true;
}
if (files_writeBufToFile
(fuzzer->crashFileName, fuzzer->dynamicFile, fuzzer->dynamicFileSz,
O_CREAT | O_EXCL | O_WRONLY) == false) {
LOG_E("Couldn't copy '%s' to '%s'", fuzzer->fileName, fuzzer->crashFileName);
return true;
}
LOG_I("Ok, that's interesting, saved '%s' as '%s'", fuzzer->fileName, fuzzer->crashFileName);
ATOMIC_POST_INC(hfuzz->uniqueCrashesCnt);
/* If unique crash found, reset dynFile counter */
ATOMIC_CLEAR(hfuzz->dynFileIterExpire);
arch_generateReport(fuzzer, termsig);
return true;
}
static void arch_ptraceSaveData(honggfuzz_t * hfuzz, pid_t pid, fuzzer_t * fuzzer)
{
REG_TYPE pc = 0;
/* Local copy since flag is overridden for some crashes */
bool saveUnique = hfuzz->saveUnique;
char instr[_HF_INSTR_SZ] = "\x00";
siginfo_t si;
bzero(&si, sizeof(si));
if (ptrace(PTRACE_GETSIGINFO, pid, 0, &si) == -1) {
PLOG_W("Couldn't get siginfo for pid %d", pid);
}
arch_getInstrStr(pid, &pc, instr);
LOG_D("Pid: %d, signo: %d, errno: %d, code: %d, addr: %p, pc: %"
REG_PM ", instr: '%s'", pid, si.si_signo, si.si_errno, si.si_code, si.si_addr, pc, instr);
if (!SI_FROMUSER(&si) && pc && si.si_addr < hfuzz->linux.ignoreAddr) {
LOG_I("'%s' is interesting (%s), but the si.si_addr is %p (below %p), skipping",
fuzzer->fileName, arch_sigs[si.si_signo].descr, si.si_addr, hfuzz->linux.ignoreAddr);
return;
}
/*
* Unwind and resolve symbols
*/
/* *INDENT-OFF* */
funcs_t funcs[_HF_MAX_FUNCS] = {
[0 ... (_HF_MAX_FUNCS - 1)].pc = NULL,
[0 ... (_HF_MAX_FUNCS - 1)].line = 0,
[0 ... (_HF_MAX_FUNCS - 1)].func = {'\0'}
,
};
/* *INDENT-ON* */
#if !defined(__ANDROID__)
size_t funcCnt = arch_unwindStack(pid, funcs);
arch_bfdResolveSyms(pid, funcs, funcCnt);
#else
size_t funcCnt = arch_unwindStack(pid, funcs);
#endif
/*
* If unwinder failed (zero frames), use PC from ptrace GETREGS if not zero.
* If PC reg zero, temporarily disable uniqueness flag since callstack
* hash will be also zero, thus not safe for unique decisions.
*/
if (funcCnt == 0) {
if (pc) {
/* Manually update major frame PC & frames counter */
funcs[0].pc = (void *)(uintptr_t) pc;
funcCnt = 1;
} else {
saveUnique = false;
}
}
/*
* Temp local copy of previous backtrace value in case worker hit crashes into multiple
* tids for same target master thread. Will be 0 for first crash against target.
*/
uint64_t oldBacktrace = fuzzer->backtrace;
/*
* Calculate backtrace callstack hash signature
*/
arch_hashCallstack(hfuzz, fuzzer, funcs, funcCnt, saveUnique);
/*
* If fuzzing with sanitizer coverage feedback increase crashes counter used
* as metric for dynFile evolution
*/
if (hfuzz->useSanCov) {
fuzzer->sanCovCnts.crashesCnt++;
}
/*
* If unique flag is set and single frame crash, disable uniqueness for this crash
* to always save (timestamp will be added to the filename)
*/
if (saveUnique && (funcCnt == 1)) {
saveUnique = false;
}
/*
* If worker crashFileName member is set, it means that a tid has already crashed
* from target master thread.
*/
if (fuzzer->crashFileName[0] != '\0') {
LOG_D("Multiple crashes detected from worker against attached tids group");
/*
* If stackhashes match, don't re-analyze. This will avoid duplicates
* and prevent verifier from running multiple passes. Depth of check is
* always 1 (last backtrace saved only per target iteration).
*/
if (oldBacktrace == fuzzer->backtrace) {
return;
}
}
/* Increase global crashes counter */
ATOMIC_POST_INC(hfuzz->crashesCnt);
/*
* Check if stackhash is blacklisted
*/
if (hfuzz->blacklist
&& (fastArray64Search(hfuzz->blacklist, hfuzz->blacklistCnt, fuzzer->backtrace) != -1)) {
LOG_I("Blacklisted stack hash '%" PRIx64 "', skipping", fuzzer->backtrace);
ATOMIC_POST_INC(hfuzz->blCrashesCnt);
return;
}
/* If non-blacklisted crash detected, zero set two MSB */
ATOMIC_POST_ADD(hfuzz->dynFileIterExpire, _HF_DYNFILE_SUB_MASK);
void *sig_addr = si.si_addr;
if (hfuzz->linux.disableRandomization == false) {
pc = 0UL;
sig_addr = NULL;
}
/* User-induced signals don't set si.si_addr */
if (SI_FROMUSER(&si)) {
sig_addr = NULL;
}
/* If dry run mode, copy file with same name into workspace */
if (hfuzz->origFlipRate == 0.0L && hfuzz->useVerifier) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName), "%s/%s",
hfuzz->workDir, fuzzer->origFileName);
} else if (saveUnique) {
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.PC.%" REG_PM ".STACK.%" PRIx64 ".CODE.%d.ADDR.%p.INSTR.%s.%s",
hfuzz->workDir, arch_sigs[si.si_signo].descr, pc, fuzzer->backtrace,
si.si_code, sig_addr, instr, hfuzz->fileExtn);
} else {
char localtmstr[PATH_MAX];
util_getLocalTime("%F.%H:%M:%S", localtmstr, sizeof(localtmstr), time(NULL));
snprintf(fuzzer->crashFileName, sizeof(fuzzer->crashFileName),
"%s/%s.PC.%" REG_PM ".STACK.%" PRIx64 ".CODE.%d.ADDR.%p.INSTR.%s.%s.%d.%s",
hfuzz->workDir, arch_sigs[si.si_signo].descr, pc, fuzzer->backtrace,
si.si_code, sig_addr, instr, localtmstr, pid, hfuzz->fileExtn);
}
if (files_exists(fuzzer->crashFileName)) {
LOG_I("It seems that '%s' already exists, skipping", fuzzer->crashFileName);
// Clear filename so that verifier can understand we hit a duplicate
memset(fuzzer->crashFileName, 0, sizeof(fuzzer->crashFileName));
return;
}
if (files_writeBufToFile
(fuzzer->crashFileName, fuzzer->dynamicFile, fuzzer->dynamicFileSz,
O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC) == false) {
LOG_E("Couldn't copy '%s' to '%s'", fuzzer->fileName, fuzzer->crashFileName);
return;
}
LOG_I("Ok, that's interesting, saved '%s' as '%s'", fuzzer->fileName, fuzzer->crashFileName);
ATOMIC_POST_INC(hfuzz->uniqueCrashesCnt);
/* If unique crash found, reset dynFile counter */
ATOMIC_CLEAR(hfuzz->dynFileIterExpire);
arch_ptraceGenerateReport(pid, fuzzer, funcs, funcCnt, &si, instr);
}
static bool fuzz_prepareFileDynamically(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, int rnd_index)
{
MX_LOCK(&hfuzz->dynamicFile_mutex);
/* If max dynamicFile iterations counter, pick new seed file when working with input file corpus */
if (hfuzz->inputFile &&
__sync_fetch_and_add(&hfuzz->dynFileIterExpire, 0UL) >= _HF_MAX_DYNFILE_ITER) {
size_t fileSz = files_readFileToBufMax(hfuzz->files[rnd_index], hfuzz->dynamicFileBest,
hfuzz->maxFileSz);
if (fileSz == 0) {
MX_UNLOCK(&hfuzz->dynamicFile_mutex);
LOG_E("Couldn't read '%s'", hfuzz->files[rnd_index]);
return false;
}
hfuzz->dynamicFileBestSz = fileSz;
/* Reset counter since new seed pick */
__sync_fetch_and_and(&hfuzz->dynFileIterExpire, 0UL);
fuzz_resetFeedbackCnts(hfuzz);
/*
* In order to have accurate comparison base for coverage, first iteration
* of a new seed is executed without mangling. Also workersBlock_mutex mutex
* is maintain until execution is finished to ensure that other threads will
* work against the same coverage data vs. original seed.
*/
hfuzz->isDynFileLocked = true;
} else if (hfuzz->inputFile == NULL && (fuzz_isPerfCntsSet(hfuzz) == false)) {
/*
* When working with an empty input file corpus (allowed if perf feedback enabled for Linux archs),
* first iteration is executed without mangling. First iteration need to be executed by one thread
* blocking other workers from continuing until finished.
*/
hfuzz->isDynFileLocked = true;
}
if (hfuzz->dynamicFileBestSz > hfuzz->maxFileSz) {
LOG_F("Current BEST file Sz > maxFileSz (%zu > %zu)", hfuzz->dynamicFileBestSz,
hfuzz->maxFileSz);
}
fuzzer->dynamicFileSz = hfuzz->dynamicFileBestSz;
memcpy(fuzzer->dynamicFile, hfuzz->dynamicFileBest, hfuzz->dynamicFileBestSz);
MX_UNLOCK(&hfuzz->dynamicFile_mutex);
/*
* true isDynFileLocked indicates first run for a new seed, so skip mangling
* without unlocking threads block mutex.
*/
MX_LOCK(&hfuzz->workersBlock_mutex);
if (hfuzz->isDynFileLocked) {
goto skipMangling;
}
MX_UNLOCK(&hfuzz->workersBlock_mutex);
/*
* if flip rate is 0.0, early abort file mangling. This will leave perf counters
* with values equal to dry runs against input corpus.
*/
if (hfuzz->flipRate == 0.0L) {
goto skipMangling;
}
mangle_Resize(hfuzz, fuzzer->dynamicFile, &fuzzer->dynamicFileSz);
mangle_mangleContent(hfuzz, fuzzer->dynamicFile, fuzzer->dynamicFileSz);
skipMangling:
if (files_writeBufToFile
(fuzzer->fileName, fuzzer->dynamicFile, fuzzer->dynamicFileSz,
O_WRONLY | O_CREAT | O_EXCL | O_TRUNC) == false) {
LOG_E("Couldn't write buffer to file '%s'", fuzzer->fileName);
return false;
}
return true;
}
