shmem release fix

2025-06-11 01:31:37 +00:00 · 2020-06-25 22:02:02 +02:00 · 2020-06-25 22:02:02 +02:00 · 171b1923e9
commit 171b1923e9
parent 8d5eb9487d
7 changed files with 107 additions and 43 deletions
--- a/8
+++ b/8
@ -122,7 +122,7 @@ endif
 ifeq "$(shell uname -s)" "Haiku"
  SHMAT_OK=0
  override CFLAGS  += -DUSEMMAP=1 -Wno-error=format -fPIC
-  LDFLAGS+=-Wno-deprecated-declarations -lgnu
+  LDFLAGS += -Wno-deprecated-declarations -lgnu
  SPECIAL_PERFORMANCE += -DUSEMMAP=1
 endif

@ -253,14 +253,14 @@ ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int ma
 else
 	SHMAT_OK=0
 	override CFLAGS+=-DUSEMMAP=1
-	LDFLAGS+=-Wno-deprecated-declarations
+	LDFLAGS += -Wno-deprecated-declarations -lrt
 endif

 ifdef TEST_MMAP
 	SHMAT_OK=0
 	override CFLAGS += -DUSEMMAP=1
-	LDFLAGS += -Wno-deprecated-declarations
-else
+	LDFLAGS += -Wno-deprecated-declarations -lrt
+$(info LDFLAGS=$(LDFLAGS))
 endif

 all:	test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -49,6 +49,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
  - Unicornafl
    - Added powerPC support from unicorn/next
    - rust bindings!
+  - ensure shmem is released on errors
  - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
    compiled by default anymore.
  - allow running in /tmp (only unsafe with umask 0)
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -262,6 +262,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,

    if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shmem_fuzz) {

+      unsetenv(SHM_FUZZ_ENV_VAR);
      afl_shm_deinit(afl->shm_fuzz);
      ck_free(afl->shm_fuzz);
      afl->shm_fuzz = NULL;
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -26,6 +26,13 @@
 #include "afl-fuzz.h"
 #include "cmplog.h"
 #include <limits.h>
+#ifndef USEMMAP
+  #include <sys/mman.h>
+  #include <sys/stat.h>
+  #include <fcntl.h>
+  #include <sys/ipc.h>
+  #include <sys/shm.h>
+#endif

 #ifdef PROFILING
 extern u64 time_spent_working;
@ -34,6 +41,7 @@ extern u64 time_spent_working;
 static void at_exit() {

  int   i;
+  char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL};
  char *ptr = getenv("__AFL_TARGET_PID1");

  if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL);
@ -42,7 +50,28 @@ static void at_exit() {

  if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL);

-  // anything else? shared memory?
+  i = 0;
+  while (list[i] != NULL) {
+
+    ptr = getenv(list[i]);
+
+    if (ptr && *ptr) {
+
+#ifdef USEMMAP
+
+      shm_unlink(ptr);
+
+#else
+
+      shmctl(atoi(ptr), IPC_RMID, NULL);
+
+#endif
+
+    }
+
+    i++;
+
+  }

 }

@ -991,6 +1020,8 @@ int main(int argc, char **argv_orig, char **envp) {
  check_crash_handling();
  check_cpu_governor(afl);

+  atexit(at_exit);
+
  afl->fsrv.trace_bits =
      afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode);

@ -1154,8 +1185,6 @@ int main(int argc, char **argv_orig, char **envp) {

  }

-  atexit(at_exit);
-
  perform_dry_run(afl);

  cull_queue(afl);
@ -1326,10 +1355,13 @@ stop_fuzzing:
  destroy_queue(afl);
  destroy_extras(afl);
  destroy_custom_mutators(afl);
+  unsetenv(SHM_ENV_VAR);
+  unsetenv(CMPLOG_SHM_ENV_VAR);
  afl_shm_deinit(&afl->shm);

  if (afl->shm_fuzz) {

+    unsetenv(SHM_FUZZ_ENV_VAR);
    afl_shm_deinit(afl->shm_fuzz);
    ck_free(afl->shm_fuzz);

--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@ -66,6 +66,8 @@ static list_t shm_list = {.element_prealloc_count = 0};

 void afl_shm_deinit(sharedmem_t *shm) {

+  if (shm == NULL) return;
+
  list_remove(&shm_list, shm);

 #ifdef USEMMAP
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@ -82,11 +82,16 @@ static u8 quiet_mode,                  /* Hide non-essential messages?      */
    raw_instr_output,                  /* Do not apply AFL filters          */
    cmin_mode,                         /* Generate output in afl-cmin mode? */
    binary_mode,                       /* Write output as a binary map      */
-    keep_cores;                        /* Allow coredumps?                  */
+    keep_cores,                        /* Allow coredumps?                  */
+    remove_shm = 1;                    /* remove shmem?                     */

 static volatile u8 stop_soon,          /* Ctrl-C pressed?                   */
    child_crashed;                     /* Child crashed?                    */

+static sharedmem_t       shm;
+static afl_forkserver_t *fsrv;
+static sharedmem_t *     shm_fuzz;
+
 /* Classify tuple counts. Instead of mapping to individual bits, as in
   afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */

@ -141,12 +146,32 @@ static void classify_counts(afl_forkserver_t *fsrv) {

 }

+static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
+                                 sharedmem_t *     shm_fuzz) {
+
+  afl_shm_deinit(shm_fuzz);
+  fsrv->support_shmem_fuzz = 0;
+  fsrv->shmem_fuzz = NULL;
+  ck_free(shm_fuzz);
+  return NULL;
+
+}
+
 /* Get rid of temp files (atexit handler). */

 static void at_exit_handler(void) {

  if (stdin_file) { unlink(stdin_file); }

+  if (remove_shm) {
+
+    if (shm.map) afl_shm_deinit(&shm);
+    if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz);
+
+  }
+
+  afl_fsrv_killall();
+
 }

 /* Write results. */
@ -566,17 +591,6 @@ static void usage(u8 *argv0) {

 }

-static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
-                                 sharedmem_t *     shm_fuzz) {
-
-  afl_shm_deinit(shm_fuzz);
-  fsrv->support_shmem_fuzz = 0;
-  fsrv->shmem_fuzz = NULL;
-  ck_free(shm_fuzz);
-  return NULL;
-
-}
-
 /* Main entry point */

 int main(int argc, char **argv_orig, char **envp) {
@ -590,8 +604,8 @@ int main(int argc, char **argv_orig, char **envp) {

  char **argv = argv_cpy_dup(argc, argv_orig);

-  afl_forkserver_t  fsrv_var = {0};
-  afl_forkserver_t *fsrv = &fsrv_var;
+  afl_forkserver_t fsrv_var = {0};
+  fsrv = &fsrv_var;
  afl_fsrv_init(fsrv);
  map_size = get_map_size();
  fsrv->map_size = map_size;
@ -797,7 +811,6 @@ int main(int argc, char **argv_orig, char **envp) {

  //  if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); }

-  sharedmem_t shm = {0};
  fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
  setup_signal_handlers();

@ -851,8 +864,8 @@ int main(int argc, char **argv_orig, char **envp) {

  }

-  sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t));
-  u8 *         map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
+  shm_fuzz = ck_alloc(sizeof(sharedmem_t));
+  u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
  if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
 #ifdef USEMMAP
  setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1);
@ -999,14 +1012,14 @@ int main(int argc, char **argv_orig, char **envp) {

  }

+  remove_shm = 0;
  afl_shm_deinit(&shm);
+  if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);

  u32 ret = child_crashed * 2 + fsrv->last_run_timed_out;

  if (fsrv->target_path) { ck_free(fsrv->target_path); }

-  if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
-
  afl_fsrv_deinit(fsrv);

  if (stdin_file) { ck_free(stdin_file); }
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@ -80,10 +80,16 @@ static u8 crash_mode,                  /* Crash-centric mode?               */
    hang_mode,                         /* Minimize as long as it hangs      */
    exit_crash,                        /* Treat non-zero exit as crash?     */
    edges_only,                        /* Ignore hit counts?                */
-    exact_mode;                        /* Require path match for crashes?   */
+    exact_mode,                        /* Require path match for crashes?   */
+    remove_out_file,                   /* remove out_file on exit?          */
+    remove_shm = 1;                    /* remove shmem on exit?             */

 static volatile u8 stop_soon;          /* Ctrl-C pressed?                   */

+static afl_forkserver_t *fsrv;
+static sharedmem_t       shm;
+static sharedmem_t *     shm_fuzz;
+
 /*
 * forkserver section
 */
@ -105,6 +111,17 @@ static const u8 count_class_lookup[256] = {

 };

+static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
+                                 sharedmem_t *     shm_fuzz) {
+
+  afl_shm_deinit(shm_fuzz);
+  fsrv->support_shmem_fuzz = 0;
+  fsrv->shmem_fuzz = NULL;
+  ck_free(shm_fuzz);
+  return NULL;
+
+}
+
 /* Apply mask to classified bitmap (if set). */

 static void apply_mask(u32 *mem, u32 *mask) {
@ -169,7 +186,15 @@ static inline u8 anything_set(afl_forkserver_t *fsrv) {

 static void at_exit_handler(void) {

+  if (remove_shm) {
+
+    if (shm.map) afl_shm_deinit(&shm);
+    if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz);
+
+  }
+
  afl_fsrv_killall();
+  if (remove_out_file) unlink(out_file);

 }

@ -623,6 +648,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
    }

    out_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, (u32)getpid());
+    remove_out_file = 1;

  }

@ -802,17 +828,6 @@ static void usage(u8 *argv0) {

 }

-static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
-                                 sharedmem_t *     shm_fuzz) {
-
-  afl_shm_deinit(shm_fuzz);
-  fsrv->support_shmem_fuzz = 0;
-  fsrv->shmem_fuzz = NULL;
-  ck_free(shm_fuzz);
-  return NULL;
-
-}
-
 /* Main entry point */

 int main(int argc, char **argv_orig, char **envp) {
@ -823,8 +838,8 @@ int main(int argc, char **argv_orig, char **envp) {

  char **argv = argv_cpy_dup(argc, argv_orig);

-  afl_forkserver_t  fsrv_var = {0};
-  afl_forkserver_t *fsrv = &fsrv_var;
+  afl_forkserver_t fsrv_var = {0};
+  fsrv = &fsrv_var;
  afl_fsrv_init(fsrv);
  map_size = get_map_size();
  fsrv->map_size = map_size;
@ -1021,7 +1036,6 @@ int main(int argc, char **argv_orig, char **envp) {

  check_environment_vars(envp);

-  sharedmem_t shm = {0};
  fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);

  atexit(at_exit_handler);
@ -1063,8 +1077,8 @@ int main(int argc, char **argv_orig, char **envp) {

  SAYF("\n");

-  sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t));
-  u8 *         map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
+  shm_fuzz = ck_alloc(sizeof(sharedmem_t));
+  u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
  if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
 #ifdef USEMMAP
  setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1);
@ -1138,6 +1152,7 @@ int main(int argc, char **argv_orig, char **envp) {

  OKF("We're done here. Have a nice day!\n");

+  remove_shm = 0;
  afl_shm_deinit(&shm);
  if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
  afl_fsrv_deinit(fsrv);