ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 19:08:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

cleaned up AFL_KILL_SIGNAL

Browse Source
This commit is contained in:
Dominik Maier
2021-01-07 23:21:10 +01:00
parent 9cdf5c4150
commit a06b25538f
7 changed files with 104 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
afl-cmin
View File

@ -120,6 +120,7 @@ function usage() {
"AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" \ "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" \
"AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the target to come up, initially\n" \ "AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the target to come up, initially\n" \
"AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \ "AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \
"AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
"AFL_PATH: path for the afl-showmap binary if not found anywhere else\n" \ "AFL_PATH: path for the afl-showmap binary if not found anywhere else\n" \
"AFL_SKIP_BIN_CHECK: skip check for target binary\n" "AFL_SKIP_BIN_CHECK: skip check for target binary\n"
exit 1 exit 1

2
docs/Changelog.md
View File

@ -32,7 +32,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
already building with all cores, the gcc plugin needs only one. already building with all cores, the gcc plugin needs only one.
- added dummy Makefile to instrumentation/ - added dummy Makefile to instrumentation/
- Updated utils/afl_frida to be 5% faster - Updated utils/afl_frida to be 5% faster
- Added AFL_KILL_SIGNAL env variable for custom targets (thanks @v-p-b)
### Version ++3.00c (release) ### Version ++3.00c (release)
- llvm_mode/ and gcc_plugin/ moved to instrumentation/ - llvm_mode/ and gcc_plugin/ moved to instrumentation/

4
docs/env_variables.md
View File

@ -350,6 +350,10 @@ checks or alter some of the more exotic semantics of the tool:
- Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY` - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY`
instead (see below). instead (see below).
- `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on timeout.
Unless you implement your own targets or instrumentation, you likely don't have to set it.
By default, on timeout and on exit, `SIGKILL` (`AFL_KILL_SIGNAL=9`) will be delivered to the child.
- Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with
afl_custom_fuzz() creates additional mutations through this library. afl_custom_fuzz() creates additional mutations through this library.
If afl-fuzz is compiled with Python (which is autodetected during builing If afl-fuzz is compiled with Python (which is autodetected during builing

45
src/afl-forkserver.c
View File

@ -84,6 +84,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
fsrv->init_tmout = EXEC_TIMEOUT * FORK_WAIT_MULT; fsrv->init_tmout = EXEC_TIMEOUT * FORK_WAIT_MULT;
fsrv->mem_limit = MEM_LIMIT; fsrv->mem_limit = MEM_LIMIT;
fsrv->out_file = NULL; fsrv->out_file = NULL;
fsrv->kill_signal = SIGKILL;
/* exec related stuff */ /* exec related stuff */
fsrv->child_pid = -1; fsrv->child_pid = -1;
@ -95,30 +96,6 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
fsrv->uses_asan = false; fsrv->uses_asan = false;
fsrv->init_child_func = fsrv_exec_child; fsrv->init_child_func = fsrv_exec_child;
fsrv->kill_signal = SIGKILL;
char *kill_signal_env = get_afl_env("AFL_KILL_SIGNAL");
if (kill_signal_env) {
char *endptr;
u8 signal_code;
signal_code = (u8)strtoul(kill_signal_env, &endptr, 10);
/* Did we manage to parse the full string? */
if (*endptr != '\0' || endptr == kill_signal_env) {
FATAL("Invalid kill signal value!");
}
fsrv->kill_signal = signal_code;
} else {
/* Using hardcoded code for SIGKILL for the sake of simplicity */
setenv("AFL_KILL_SIGNAL", "9", 1);
}
list_append(&fsrv_list, fsrv); list_append(&fsrv_list, fsrv);
} }
@ -139,6 +116,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
fsrv_to->no_unlink = from->no_unlink; fsrv_to->no_unlink = from->no_unlink;
fsrv_to->uses_crash_exitcode = from->uses_crash_exitcode; fsrv_to->uses_crash_exitcode = from->uses_crash_exitcode;
fsrv_to->crash_exitcode = from->crash_exitcode; fsrv_to->crash_exitcode = from->crash_exitcode;
fsrv_to->kill_signal = from->kill_signal;
// These are forkserver specific. // These are forkserver specific.
fsrv_to->out_dir_fd = -1; fsrv_to->out_dir_fd = -1;
@ -149,8 +127,6 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
fsrv_to->init_child_func = from->init_child_func; fsrv_to->init_child_func = from->init_child_func;
// Note: do not copy ->add_extra_func // Note: do not copy ->add_extra_func
fsrv_to->kill_signal = from->kill_signal;
list_append(&fsrv_list, fsrv_to); list_append(&fsrv_list, fsrv_to);
} }
@ -1162,25 +1138,18 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
/* Report outcome to caller. */ /* Report outcome to caller. */
/* TODO We use SIGTERM here as an indicator of Xen mode, /* Did we timeout? */
although it's not equivalent! */ if (unlikely(fsrv->last_run_timed_out)) {
if (fsrv->kill_signal == SIGTERM && !*stop_soon_p &&
fsrv->last_run_timed_out) {
fsrv->last_kill_signal = fsrv->kill_signal;
return FSRV_RUN_TMOUT; return FSRV_RUN_TMOUT;
} }
if (WIFSIGNALED(fsrv->child_status) && !*stop_soon_p) { /* Did we crash? */
if (unlikely(WIFSIGNALED(fsrv->child_status) && !*stop_soon_p)) {
fsrv->last_kill_signal = WTERMSIG(fsrv->child_status); fsrv->last_kill_signal = WTERMSIG(fsrv->child_status);
if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL) {
return FSRV_RUN_TMOUT;
}
return FSRV_RUN_CRASH; return FSRV_RUN_CRASH;
} }

30
src/afl-fuzz.c
View File

@ -194,10 +194,11 @@ static void usage(u8 *argv0, int more_help) {
"AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n" "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)\n"
"AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n" "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n"
"AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n" "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n"
"AFL_HANG_TMOUT: override timeout value (in milliseconds)\n"
"AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n" "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n"
"AFL_HANG_TMOUT: override timeout value (in milliseconds)\n"
"AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n" "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n"
"AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n" "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
"AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
" the target was compiled for\n" " the target was compiled for\n"
"AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value\n" "AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value\n"
@ -986,6 +987,33 @@ int main(int argc, char **argv_orig, char **envp) {
#endif #endif
afl->fsrv.kill_signal = SIGKILL;
if (afl->afl_env.afl_kill_signal) {
char *endptr;
u8 signal_code;
signal_code = (u8)strtoul(afl->afl_env.afl_kill_signal, &endptr, 10);
/* Did we manage to parse the full string? */
if (*endptr != '\0' || endptr == (char *)afl->afl_env.afl_kill_signal) {
FATAL("Invalid AFL_KILL_SIGNAL: %s (expected unsigned int)",
afl->afl_env.afl_kill_signal);
}
afl->fsrv.kill_signal = signal_code;
} else {
char *sigstr = alloc_printf("%d", (int)SIGKILL);
if (!sigstr) { FATAL("Failed to alloc mem for signal buf"); }
/* Set the env for signal handler */
setenv("AFL_KILL_SIGNAL", sigstr, 1);
free(sigstr);
}
setup_signal_handlers(); setup_signal_handlers();
check_asan_opts(afl); check_asan_opts(afl);

37
src/afl-showmap.c
View File

@ -693,12 +693,13 @@ static void usage(u8 *argv0) {
"AFL_CRASH_EXITCODE: optional child exit code to be interpreted as " "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as "
"crash\n" "crash\n"
"AFL_DEBUG: enable extra developer output\n" "AFL_DEBUG: enable extra developer output\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the "
"size\n"
" the target was compiled for\n"
"AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
"AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during " "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during "
"startup (in milliseconds)\n" "startup (in milliseconds)\n"
"AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, "
"etc. (default: SIGKILL)\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the "
"size the target was compiled for\n"
"AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
"AFL_QUIET: do not print extra informational output\n", "AFL_QUIET: do not print extra informational output\n",
argv0, MEM_LIMIT, doc_path); argv0, MEM_LIMIT, doc_path);
@ -1115,6 +1116,34 @@ int main(int argc, char **argv_orig, char **envp) {
} }
fsrv->kill_signal = SIGKILL;
char *afl_kill_signal_env = getenv("AFL_KILL_SIGNAL");
if (afl_kill_signal_env && afl_kill_signal_env[0]) {
char *endptr;
u8 signal_code;
signal_code = (u8)strtoul(afl_kill_signal_env, &endptr, 10);
/* Did we manage to parse the full string? */
if (*endptr != '\0' || endptr == afl_kill_signal_env) {
FATAL("Invalid AFL_KILL_SIGNAL: %s (expected unsigned int)",
afl_kill_signal_env);
}
fsrv->kill_signal = signal_code;
} else {
char *sigstr = alloc_printf("%d", (int)SIGKILL);
if (!sigstr) { FATAL("Failed to alloc mem for signal buf"); }
/* Set the env for signal handler */
setenv("AFL_KILL_SIGNAL", sigstr, 1);
free(sigstr);
}
if (getenv("AFL_CRASH_EXITCODE")) { if (getenv("AFL_CRASH_EXITCODE")) {
long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10); long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10);

29
src/afl-tmin.c
View File

@ -855,6 +855,7 @@ static void usage(u8 *argv0) {
"Environment variables used:\n" "Environment variables used:\n"
"AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n"
"AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n" "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n"
"AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
" the target was compiled for\n" " the target was compiled for\n"
"AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
@ -1134,6 +1135,34 @@ int main(int argc, char **argv_orig, char **envp) {
} }
fsrv->kill_signal = SIGKILL;
char *afl_kill_signal_env = getenv("AFL_KILL_SIGNAL");
if (afl_kill_signal_env && afl_kill_signal_env[0]) {
char *endptr;
u8 signal_code;
signal_code = (u8)strtoul(afl_kill_signal_env, &endptr, 10);
/* Did we manage to parse the full string? */
if (*endptr != '\0' || endptr == afl_kill_signal_env) {
FATAL("Invalid AFL_KILL_SIGNAL: %s (expected unsigned int)",
afl_kill_signal_env);
}
fsrv->kill_signal = signal_code;
} else {
char *sigstr = alloc_printf("%d", (int)SIGKILL);
if (!sigstr) { FATAL("Failed to alloc mem for signal buf"); }
/* Set the env for signal handler */
setenv("AFL_KILL_SIGNAL", sigstr, 1);
free(sigstr);
}
if (getenv("AFL_CRASH_EXITCODE")) { if (getenv("AFL_CRASH_EXITCODE")) {
long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10); long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10);