From c8d1b66af3706ebd4da831e352d5720fc323312e Mon Sep 17 00:00:00 2001 From: GRAUX Pierre Date: Wed, 23 Apr 2025 14:39:31 +0200 Subject: [PATCH] add AFL_FORKSRV_UID and AFL_FORKSRV_GID env vars --- docs/env_variables.md | 17 ++++++ include/afl-fuzz.h | 23 +++++++- include/common.h | 4 +- include/config.h | 3 ++ include/envs.h | 3 +- include/forkserver.h | 10 ++++ include/sharedmem.h | 3 +- src/afl-analyze.c | 2 +- src/afl-common.c | 8 +-- src/afl-forkserver.c | 64 ++++++++++++++++++++-- src/afl-fuzz-bitmap.c | 24 +++++++-- src/afl-fuzz-extras.c | 8 ++- src/afl-fuzz-init.c | 117 ++++++++++++++++++++++++++++++++-------- src/afl-fuzz-mutators.c | 8 ++- src/afl-fuzz-one.c | 3 +- src/afl-fuzz-queue.c | 9 +++- src/afl-fuzz-run.c | 44 +++++++++++---- src/afl-fuzz-state.c | 85 +++++++++++++++++++++++++++++ src/afl-fuzz-stats.c | 24 +++++++-- src/afl-fuzz.c | 68 ++++++++++++++++++++--- src/afl-sharedmem.c | 70 ++++++++++++++++++++---- src/afl-showmap.c | 8 +-- src/afl-tmin.c | 8 +-- 23 files changed, 536 insertions(+), 77 deletions(-) diff --git a/docs/env_variables.md b/docs/env_variables.md index a492a1bc..1faafcd4 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -686,6 +686,23 @@ checks or alter some of the more exotic semantics of the tool: } ``` + - `AFL_FORKSRV_UID` allows you to specify the UID that should be used when + running the fork server. When setting this variable, user should ensure + afl-fuzz binary has enough privileges to modify the UID (e.g. CAP\_SETUID + capability in Linux system). + + - `AFL_FORKSRV_GID` allows you to specify the GID and the supplementary group + IDs that should be used when running the fork server. When setting this + variable, user should ensure afl-fuzz binary has enough privileges to + modify the GIDs (e.g. CAP\_SETGID capability in Linux system). + + - When both `AFL_FORKSRV_UID` and `AFL_FORKSRV_GID` are set, afl-fuzz binary + and the fork server no longer share any IDs. Thus, afl-fuzz binary changes + the group owner of the created files to ensure that the fork server can + still access them. In such case, user should ensure afl-fuzz binary has + enough privileges to modify the ownership of entities (e.g. CAP\_CHOWN + capability in Linux system). + ## 6) Settings for afl-qemu-trace The QEMU wrapper used to instrument binary-only code supports several settings: diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 60cc896b..a0ee58bf 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -462,7 +462,10 @@ typedef struct afl_env_vars { afl_no_startup_calibration, afl_no_warn_instability, afl_post_process_keep_original, afl_crashing_seeds_as_new_crash, afl_final_sync, afl_ignore_seed_problems, afl_disable_redundant, - afl_sha1_filenames, afl_no_sync, afl_no_fastresume; + afl_sha1_filenames, afl_no_sync, afl_no_fastresume, afl_forksrv_uid_set, + afl_forksrv_gid_set; + + u16 afl_forksrv_nb_supl_gids; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, @@ -473,6 +476,12 @@ typedef struct afl_env_vars { s32 afl_pizza_mode; + uid_t afl_forksrv_uid; + + gid_t afl_forksrv_gid; + + gid_t *afl_forksrv_supl_gids; + } afl_env_vars_t; struct afl_pass_stat { @@ -555,6 +564,10 @@ typedef struct afl_state { *orig_cmdline, /* Original command line */ *infoexec; /* Command to execute on a new crash */ + mode_t perm, /* File permission when creating files */ + dir_perm; /* File permission when creating directories */ + u8 chown_needed; /* Group owner of files needs to be modified */ + u32 hang_tmout, /* Timeout used for hang det (ms) */ stats_update_freq; /* Stats update frequency (execs) */ @@ -1443,7 +1456,7 @@ char *sha1_hex_for_file(const char *fname, u32 len); * enabled. */ static inline int permissive_create(afl_state_t *afl, const char *fn) { - int fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + int fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, afl->perm); if (unlikely(fd < 0)) { if (!(afl->afl_env.afl_sha1_filenames && errno == EEXIST)) { @@ -1454,6 +1467,12 @@ static inline int permissive_create(afl_state_t *afl, const char *fn) { } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + return fd; } diff --git a/include/common.h b/include/common.h index 7c665c9d..bd16a8ca 100644 --- a/include/common.h +++ b/include/common.h @@ -144,10 +144,10 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); u32 get_map_size(void); /* create a stream file */ -FILE *create_ffile(u8 *fn); +FILE *create_ffile(u8 *fn, mode_t perm); /* create a file */ -s32 create_file(u8 *fn); +s32 create_file(u8 *fn, mode_t perm); /* memmem implementation as not all platforms support this */ void *afl_memmem(const void *haystack, size_t haystacklen, const void *needle, diff --git a/include/config.h b/include/config.h index d00f1709..4757e559 100644 --- a/include/config.h +++ b/include/config.h @@ -49,6 +49,9 @@ Default: 300 (seconds) */ #define STRATEGY_SWITCH_TIME 1000 +/* Default file permission umode when creating directories */ +#define DEFAULT_DIRS_PERMISSION 0700 + /* Default file permission umode when creating files (default: 0600) */ #define DEFAULT_PERMISSION 0600 diff --git a/include/envs.h b/include/envs.h index 25063b8a..33642174 100644 --- a/include/envs.h +++ b/include/envs.h @@ -120,7 +120,8 @@ static char *afl_environment_variables[] = { "AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN", "AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME", "AFL_SAN_ABSTRACTION", "AFL_LLVM_ONLY_FSRV", "AFL_GCC_ONLY_FRSV", - "AFL_SAN_RECOVER", "AFL_PRELOAD_DISCRIMINATE_FORKSERVER_PARENT", NULL}; + "AFL_SAN_RECOVER", "AFL_PRELOAD_DISCRIMINATE_FORKSERVER_PARENT", + "AFL_FORKSRV_UID", "AFL_FORKSRV_GID", NULL}; extern char *afl_environment_variables[]; diff --git a/include/forkserver.h b/include/forkserver.h index 41f85327..cbd4711e 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -187,6 +187,16 @@ typedef struct afl_forkserver { s32 persistent_record_pid; #endif + u8 uid_set; + uid_t uid; + u8 gid_set; + pid_t gid; + u16 nb_supl_gids; + pid_t *supl_gids; + + mode_t perm; + u8 chown_needed; + /* Function to kick off the forkserver child */ void (*init_child_func)(struct afl_forkserver *fsrv, char **argv); diff --git a/include/sharedmem.h b/include/sharedmem.h index 140ee266..948c9225 100644 --- a/include/sharedmem.h +++ b/include/sharedmem.h @@ -57,7 +57,8 @@ typedef struct sharedmem { } sharedmem_t; -u8 *afl_shm_init(sharedmem_t *, size_t, unsigned char non_instrumented_mode); +u8 *afl_shm_init(sharedmem_t *, size_t, unsigned char non_instrumented_mode, + mode_t mode, int gid); void afl_shm_deinit(sharedmem_t *); #endif diff --git a/src/afl-analyze.c b/src/afl-analyze.c index a006498a..250ceab1 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -984,7 +984,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv.target_path = find_binary(argv[optind]); #endif - fsrv.trace_bits = afl_shm_init(&shm, map_size, 0); + fsrv.trace_bits = afl_shm_init(&shm, map_size, 0, DEFAULT_PERMISSION, -1); detect_file_args(argv + optind, fsrv.out_file, &use_stdin); signal(SIGALRM, kill_child); diff --git a/src/afl-common.c b/src/afl-common.c index fbbf8e0d..f4050896 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -1397,12 +1397,12 @@ u32 get_map_size(void) { /* Create a stream file */ -FILE *create_ffile(u8 *fn) { +FILE *create_ffile(u8 *fn, mode_t mode) { s32 fd; FILE *f; - fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION); + fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, mode); if (fd < 0) { PFATAL("Unable to create '%s'", fn); } @@ -1416,11 +1416,11 @@ FILE *create_ffile(u8 *fn) { /* Create a file */ -s32 create_file(u8 *fn) { +s32 create_file(u8 *fn, mode_t mode) { s32 fd; - fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION); + fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, mode); if (fd < 0) { PFATAL("Unable to create '%s'", fn); } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 5bf300a3..a8bb8ca9 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -51,6 +51,7 @@ #include #include #include +#include #ifdef __linux__ #include @@ -208,9 +209,35 @@ static void fsrv_exec_child(afl_forkserver_t *fsrv, char **argv) { } + if (fsrv->gid_set) { + + if (setregid(fsrv->gid, fsrv->gid) == -1) { + + FATAL("setgid failed: %s\n", strerror(errno)); + + } + + if (setgroups(fsrv->nb_supl_gids, fsrv->supl_gids) == -1) { + + FATAL("setgroups failed: %s\n", strerror(errno)); + + } + + } + + if (fsrv->uid_set) { + + if (setreuid(fsrv->uid, fsrv->uid) == -1) { + + FATAL("setuid failed: %s\n", strerror(errno)); + + } + + } + execv(fsrv->target_path, argv); - WARNF("Execv failed in forkserver."); + WARNF("Execv failed in forkserver: %s.", strerror(errno)); } @@ -274,6 +301,9 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->persistent_trace_bits = NULL; #endif + fsrv->uid_set = 0; + fsrv->gid_set = 0; + fsrv->init_child_func = fsrv_exec_child; list_append(&fsrv_list, fsrv); @@ -493,6 +523,26 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { close(FORKSRV_FD); close(FORKSRV_FD + 1); + if (fsrv->gid_set) { + + if (setgid(fsrv->gid) == -1) { + + FATAL("setgid failed: %s\n", strerror(errno)); + + } + + } + + if (fsrv->uid_set) { + + if (setuid(fsrv->uid) == -1) { + + FATAL("setuid failed: %s\n", strerror(errno)); + + } + + } + // finally: exec... execv(fsrv->target_path, argv); @@ -1839,14 +1889,18 @@ void __attribute__((hot)) afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, if (unlikely(fsrv->no_unlink)) { - fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_TRUNC, - DEFAULT_PERMISSION); + fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_TRUNC, fsrv->perm); } else { unlink(fsrv->out_file); /* Ignore errors. */ - fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_EXCL, - DEFAULT_PERMISSION); + fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_EXCL, fsrv->perm); + + } + + if (fsrv->chown_needed) { + + if (fchown(fd, -1, fsrv->gid) == -1) { PFATAL("fchown() failed"); } } diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index e3c114f5..c6b1723d 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -84,10 +84,16 @@ void write_bitmap(afl_state_t *afl) { afl->bitmap_changed = 0; snprintf(fname, PATH_MAX, "%s/fuzz_bitmap", afl->out_dir); - fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION); + fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, afl->perm); if (fd < 0) { PFATAL("Unable to open '%s'", fname); } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + ck_write(fd, afl->virgin_bits, afl->fsrv.map_size, fname); close(fd); @@ -429,12 +435,18 @@ void write_crash_readme(afl_state_t *afl) { sprintf(fn, "%s/crashes/README.txt", afl->out_dir); - fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, afl->perm); /* Do not die on errors here - that would be impolite. */ if (unlikely(fd < 0)) { return; } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + f = fdopen(fd, "w"); if (unlikely(!f)) { @@ -1076,9 +1088,15 @@ may_save_fault: u8 fn_log[PATH_MAX]; (void)(snprintf(fn_log, PATH_MAX, "%s.log", fn) + 1); - fd = open(fn_log, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + fd = open(fn_log, O_WRONLY | O_CREAT | O_EXCL, afl->perm); if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn_log); } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + u32 nyx_aux_string_len = afl->fsrv.nyx_handlers->nyx_get_aux_string( afl->fsrv.nyx_runner, afl->fsrv.nyx_aux_string, afl->fsrv.nyx_aux_string_len); diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index 09338bb6..c2e4b24b 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -748,10 +748,16 @@ void save_auto(afl_state_t *afl) { s32 fd; - fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION); + fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, afl->perm); if (fd < 0) { PFATAL("Unable to create '%s'", fn); } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + ck_write(fd, afl->a_extras[i].data, afl->a_extras[i].len, fn); close(fd); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index d6dee352..14f36802 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1268,9 +1268,20 @@ void perform_dry_run(afl_state_t *afl) { ++afl->saved_crashes; - fd = open(crash_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + fd = open(crash_fn, O_WRONLY | O_CREAT | O_EXCL, afl->perm); if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_fn); } ck_write(fd, use_mem, read_len, crash_fn); + + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { + + PFATAL("fchown() failed"); + + } + + } + close(fd); #ifdef __linux__ @@ -1279,8 +1290,7 @@ void perform_dry_run(afl_state_t *afl) { u8 crash_log_fn[PATH_MAX]; snprintf(crash_log_fn, PATH_MAX, "%s.log", crash_fn); - fd = open(crash_log_fn, O_WRONLY | O_CREAT | O_EXCL, - DEFAULT_PERMISSION); + fd = open(crash_log_fn, O_WRONLY | O_CREAT | O_EXCL, afl->perm); if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_log_fn); @@ -1293,6 +1303,17 @@ void perform_dry_run(afl_state_t *afl) { ck_write(fd, afl->fsrv.nyx_aux_string, nyx_aux_string_len, crash_log_fn); + + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { + + PFATAL("fchown() failed"); + + } + + } + close(fd); } @@ -1483,7 +1504,7 @@ void perform_dry_run(afl_state_t *afl) { /* Helper function: link() if possible, copy otherwise. */ -static void link_or_copy(u8 *old_path, u8 *new_path) { +static void link_or_copy(u8 *old_path, u8 *new_path, mode_t perm) { s32 i = link(old_path, new_path); if (!i) { return; } @@ -1494,7 +1515,7 @@ static void link_or_copy(u8 *old_path, u8 *new_path) { sfd = open(old_path, O_RDONLY); if (sfd < 0) { PFATAL("Unable to open '%s'", old_path); } - dfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + dfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, perm); if (dfd < 0) { PFATAL("Unable to create '%s'", new_path); } tmp = ck_alloc(64 * 1024); @@ -1630,10 +1651,16 @@ void pivot_inputs(afl_state_t *afl) { /* Pivot to the new queue entry. */ - link_or_copy(q->fname, nfn); + link_or_copy(q->fname, nfn, afl->perm); ck_free(q->fname); q->fname = nfn; + if (afl->chown_needed) { + + if (chown(nfn, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + /* Make sure that the passed_det value carries over, too. */ if (q->passed_det) { mark_as_det_done(afl, q); } @@ -2240,13 +2267,15 @@ void setup_dirs_fds(afl_state_t *afl) { ACTF("Setting up output directories..."); - if (afl->sync_id && mkdir(afl->sync_dir, 0700) && errno != EEXIST) { + if (afl->sync_id && mkdir(afl->sync_dir, afl->dir_perm) && errno != EEXIST) { PFATAL("Unable to create '%s'", afl->sync_dir); } - if (mkdir(afl->out_dir, 0700)) { + printf("out_dir = %s\n", afl->out_dir); + + if (mkdir(afl->out_dir, afl->dir_perm)) { if (errno != EEXIST) { PFATAL("Unable to create '%s'", afl->out_dir); } @@ -2254,6 +2283,16 @@ void setup_dirs_fds(afl_state_t *afl) { } else { + if (afl->chown_needed) { + + if (chown(afl->out_dir, -1, afl->fsrv.gid) == -1) { + + PFATAL("fchown() failed"); + + } + + } + if (afl->in_place_resume) { FATAL("Resume attempted but old output directory not found"); @@ -2288,27 +2327,27 @@ void setup_dirs_fds(afl_state_t *afl) { /* Queue directory for any starting & discovered paths. */ tmp = alloc_printf("%s/queue", afl->out_dir); - if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } + if (mkdir(tmp, afl->dir_perm)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Top-level directory for queue metadata used for session resume and related tasks. */ tmp = alloc_printf("%s/queue/.state/", afl->out_dir); - if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } + if (mkdir(tmp, afl->dir_perm)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Directory for flagging queue entries that went through deterministic fuzzing in the past. */ tmp = alloc_printf("%s/queue/.state/deterministic_done/", afl->out_dir); - if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } + if (mkdir(tmp, afl->dir_perm)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Directory with the auto-selected dictionary entries. */ tmp = alloc_printf("%s/queue/.state/auto_extras/", afl->out_dir); - if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } + if (mkdir(tmp, afl->dir_perm)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Sync directory for keeping track of cooperating fuzzers. */ @@ -2317,7 +2356,8 @@ void setup_dirs_fds(afl_state_t *afl) { tmp = alloc_printf("%s/.synced/", afl->out_dir); - if (mkdir(tmp, 0700) && (!afl->in_place_resume || errno != EEXIST)) { + if (mkdir(tmp, afl->dir_perm) && + (!afl->in_place_resume || errno != EEXIST)) { PFATAL("Unable to create '%s'", tmp); @@ -2330,13 +2370,13 @@ void setup_dirs_fds(afl_state_t *afl) { /* All recorded crashes. */ tmp = alloc_printf("%s/crashes", afl->out_dir); - if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } + if (mkdir(tmp, afl->dir_perm)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* All recorded hangs. */ tmp = alloc_printf("%s/hangs", afl->out_dir); - if (mkdir(tmp, 0700)) { PFATAL("Unable to create '%s'", tmp); } + if (mkdir(tmp, afl->dir_perm)) { PFATAL("Unable to create '%s'", tmp); } ck_free(tmp); /* Generally useful file descriptors. */ @@ -2353,8 +2393,14 @@ void setup_dirs_fds(afl_state_t *afl) { if (!afl->in_place_resume) { - int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, afl->perm); if (fd < 0) { PFATAL("Unable to create '%s'", tmp); } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + ck_free(tmp); afl->fsrv.plot_file = fdopen(fd, "w"); @@ -2380,8 +2426,14 @@ void setup_dirs_fds(afl_state_t *afl) { } else { - int fd = open(tmp, O_WRONLY | O_CREAT, DEFAULT_PERMISSION); + int fd = open(tmp, O_WRONLY | O_CREAT, afl->perm); if (fd < 0) { PFATAL("Unable to create '%s'", tmp); } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + ck_free(tmp); afl->fsrv.plot_file = fdopen(fd, "w"); @@ -2397,8 +2449,14 @@ void setup_dirs_fds(afl_state_t *afl) { tmp = alloc_printf("%s/plot_det_data", afl->out_dir); - int fd = open(tmp, O_WRONLY | O_CREAT, DEFAULT_PERMISSION); + int fd = open(tmp, O_WRONLY | O_CREAT, afl->perm); if (fd < 0) { PFATAL("Unable to create '%s'", tmp); } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + ck_free(tmp); afl->fsrv.det_plot_file = fdopen(fd, "w"); @@ -2422,8 +2480,14 @@ void setup_cmdline_file(afl_state_t *afl, char **argv) { /* Store the command line to reproduce our findings */ tmp = alloc_printf("%s/cmdline", afl->out_dir); - fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, afl->perm); if (fd < 0) { PFATAL("Unable to create '%s'", tmp); } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + ck_free(tmp); cmdline_file = fdopen(fd, "w"); @@ -2458,7 +2522,7 @@ void setup_stdio_file(afl_state_t *afl) { unlink(afl->fsrv.out_file); /* Ignore errors */ afl->fsrv.out_fd = - open(afl->fsrv.out_file, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + open(afl->fsrv.out_file, O_RDWR | O_CREAT | O_EXCL, afl->perm); if (afl->fsrv.out_fd < 0) { @@ -2466,6 +2530,16 @@ void setup_stdio_file(afl_state_t *afl) { } + if (afl->chown_needed) { + + if (fchown(afl->fsrv.out_fd, -1, afl->fsrv.gid) == -1) { + + PFATAL("fchown() failed"); + + } + + } + } /* Make sure that core dumps don't go to a program. */ @@ -2902,7 +2976,8 @@ void setup_testcase_shmem(afl_state_t *afl) { // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR size_t shm_fuzz_map_size = SHM_FUZZ_MAP_SIZE_DEFAULT; - u8 *map = afl_shm_init(afl->shm_fuzz, shm_fuzz_map_size, 1); + u8 *map = afl_shm_init(afl->shm_fuzz, shm_fuzz_map_size, 1, afl->perm, + afl->chown_needed ? afl->fsrv.gid : -1); afl->shm_fuzz->shmemfuzz_mode = 1; if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 7c7a4b9f..186bac47 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -623,10 +623,16 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, unlink(q->fname); /* ignore errors */ - fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, afl->perm); if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + ck_write(fd, out_buf, out_len, q->fname); close(fd); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index bccfe45f..ea44be5a 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -6178,7 +6178,8 @@ u8 fuzz_one(afl_state_t *afl) { if (afl->do_document == 0) { snprintf(path_buf, PATH_MAX, "%s/mutations", afl->out_dir); - afl->do_document = mkdir(path_buf, 0700); // if it exists we do not care + afl->do_document = + mkdir(path_buf, afl->dir_perm); // if it exists we do not care afl->do_document = 1; } else { diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index faec406d..2b8dbd71 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -432,8 +432,15 @@ void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) { snprintf(fn, PATH_MAX, "%s/queue/.state/deterministic_done/%s", afl->out_dir, strrchr((char *)q->fname, '/') + 1); - fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, afl->perm); if (fd < 0) { PFATAL("Unable to create '%s'", fn); } + + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + close(fd); q->passed_det = 1; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index a6a70c59..828094c4 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -258,11 +258,21 @@ u32 __attribute__((hot)) write_to_testcase(afl_state_t *afl, void **mem, afl->document_counter++, describe_op(afl, 0, NAME_MAX - strlen("000000000:"))); - if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION)) >= - 0) { + if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, afl->perm)) >= 0) { if (write(doc_fd, *mem, len) != len) PFATAL("write to mutation file failed: %s", fn); + + if (afl->chown_needed) { + + if (fchown(doc_fd, -1, afl->fsrv.gid) == -1) { + + PFATAL("fchown() failed"); + + } + + } + close(doc_fd); } @@ -386,19 +396,23 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at, if (unlikely(afl->no_unlink)) { - fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_TRUNC, - DEFAULT_PERMISSION); + fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_TRUNC, afl->perm); } else { unlink(afl->fsrv.out_file); /* Ignore errors. */ - fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_EXCL, - DEFAULT_PERMISSION); + fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_EXCL, afl->perm); } if (fd < 0) { PFATAL("Unable to create '%s'", afl->fsrv.out_file); } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + } else { lseek(fd, 0, SEEK_SET); @@ -895,10 +909,16 @@ void sync_fuzzers(afl_state_t *afl) { sprintf(qd_synced_path, "%s/.synced/%s", afl->out_dir, sd_ent->d_name); - id_fd = open(qd_synced_path, O_RDWR | O_CREAT, DEFAULT_PERMISSION); + id_fd = open(qd_synced_path, O_RDWR | O_CREAT, afl->perm); if (id_fd < 0) { PFATAL("Unable to create '%s'", qd_synced_path); } + if (afl->chown_needed) { + + if (fchown(id_fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + if (read(id_fd, &min_accept, sizeof(u32)) == sizeof(u32)) { next_min_accept = min_accept; @@ -1296,7 +1316,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { if (unlikely(afl->no_unlink)) { - fd = open(q->fname, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION); + fd = open(q->fname, O_WRONLY | O_CREAT | O_TRUNC, afl->perm); if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); } @@ -1311,7 +1331,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { } else { unlink(q->fname); /* ignore errors */ - fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, afl->perm); if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); } @@ -1319,6 +1339,12 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { } + if (afl->chown_needed) { + + if (fchown(fd, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } + close(fd); queue_testcase_retake_mem(afl, q, in_buf, q->len, orig_len); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index f1a94910..993bb5db 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -683,6 +683,89 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_sha1_filenames = get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_FORKSRV_UID", + + afl_environment_variable_len)) { + + u8 *uid_str = (u8 *)get_afl_env(afl_environment_variables[i]); + char *ret; + int uid = strtol(uid_str, &ret, 10); + if (*ret != '\0') { + + WARNF("Incorrect value given to AFL_FORKSRV_UID\n"); + + } else { + + afl->afl_env.afl_forksrv_uid_set = 1; + afl->afl_env.afl_forksrv_uid = uid; + + } + + } else if (!strncmp(env, "AFL_FORKSRV_GID", + + afl_environment_variable_len)) { + + u8 *gid_str = (u8 *)get_afl_env(afl_environment_variables[i]); + + // Count the number of supplementary GIDs + // and prepare the string for the next loop + afl->afl_env.afl_forksrv_nb_supl_gids = 0; + for (u32 i = 0; gid_str[i] != '\0'; i++) { + + if (gid_str[i] == ',') { + + afl->afl_env.afl_forksrv_nb_supl_gids++; + gid_str[i] = '\0'; + + } + + } + + if (afl->afl_env.afl_forksrv_nb_supl_gids > 0) { + + afl->afl_env.afl_forksrv_supl_gids = ck_alloc( + sizeof(gid_t) * afl->afl_env.afl_forksrv_nb_supl_gids); + + } + + for (u16 i = 0; i < afl->afl_env.afl_forksrv_nb_supl_gids + 1; + i++) { + + char *ret; + int gid = strtol(gid_str, &ret, 10); + + if (*ret != '\0') { + + WARNF("Incorrect value given to AFL_FORKSRV_GID\n"); + + afl->afl_env.afl_forksrv_gid_set = 0; + afl->afl_env.afl_forksrv_gid = 0; + free(afl->afl_env.afl_forksrv_supl_gids); + + break; + + } else { + + // First GID is the effective one, others are supplementary + // ones. + if (i == 0) { + + afl->afl_env.afl_forksrv_gid_set = 1; + afl->afl_env.afl_forksrv_gid = gid; + + } else { + + afl->afl_env.afl_forksrv_supl_gids[i - 1] = gid; + + } + + // Jump to next GID + gid_str = ret + 1; + + } + + } + } } else { @@ -808,6 +891,8 @@ void afl_state_deinit(afl_state_t *afl) { ck_free(afl->skipdet_g); ck_free(afl->havoc_prof); + ck_free(afl->afl_env.afl_forksrv_supl_gids); + list_remove(&afl_states, afl); } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 8a04f475..4de2c855 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -86,7 +86,13 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) { u8 fn[PATH_MAX], fn2[PATH_MAX]; snprintf(fn2, PATH_MAX, "%s/target_hash", afl->out_dir); - FILE *f2 = create_ffile(fn2); + FILE *f2 = create_ffile(fn2, afl->perm); + + if (afl->chown_needed) { + + if (chown(fn2, -1, afl->fsrv.gid) == -1) { PFATAL("chown() failed"); } + + } #ifdef __linux__ if (afl->fsrv.nyx_mode) { @@ -106,9 +112,15 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) { fclose(f2); snprintf(fn, PATH_MAX, "%s/fuzzer_setup", afl->out_dir); - FILE *f = create_ffile(fn); + FILE *f = create_ffile(fn, afl->perm); u32 i; + if (afl->chown_needed) { + + if (chown(fn, -1, afl->fsrv.gid) == -1) { PFATAL("chown() failed"); } + + } + fprintf(f, "# environment variables:\n"); u32 s_afl_env = (u32)sizeof(afl_environment_variables) / sizeof(afl_environment_variables[0]) - @@ -323,7 +335,13 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, snprintf(fn_tmp, PATH_MAX, "%s/.fuzzer_stats_tmp", afl->out_dir); snprintf(fn_final, PATH_MAX, "%s/fuzzer_stats", afl->out_dir); - f = create_ffile(fn_tmp); + f = create_ffile(fn_tmp, afl->perm); + + if (afl->chown_needed) { + + if (chown(fn_tmp, -1, afl->fsrv.gid) == -1) { PFATAL("fchown() failed"); } + + } /* Keep last values in case we're called from another context where exec/sec stats and such are not readily available. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index ae203349..07d5367f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -602,6 +602,49 @@ int main(int argc, char **argv_orig, char **envp) { if (debug) { afl->fsrv.debug = true; } read_afl_environment(afl, envp); if (afl->shm.map_size) { afl->fsrv.map_size = afl->shm.map_size; } + + if (afl->afl_env.afl_forksrv_uid_set) { + + afl->fsrv.uid_set = 1; + afl->fsrv.uid = afl->afl_env.afl_forksrv_uid; + + } + + if (afl->afl_env.afl_forksrv_gid_set) { + + afl->fsrv.gid_set = 1; + afl->fsrv.gid = afl->afl_env.afl_forksrv_gid; + afl->fsrv.nb_supl_gids = afl->afl_env.afl_forksrv_nb_supl_gids; + afl->fsrv.supl_gids = afl->afl_env.afl_forksrv_supl_gids; + + } + + if (afl->fsrv.uid_set) { + + /* If the UID is modified, allow group to open files and dirs */ + afl->perm = DEFAULT_PERMISSION | 0060; + afl->fsrv.perm = afl->perm; + afl->dir_perm = DEFAULT_DIRS_PERMISSION | 0070; + + /* Ensure permissions will be really set*/ + umask(~(afl->perm | afl->dir_perm)); + + /* If the GID is also modified, then change the group of files and dirs */ + if (afl->fsrv.gid_set) { + + afl->chown_needed = 1; + afl->fsrv.chown_needed = 1; + + } + + } else { + + afl->perm = DEFAULT_PERMISSION; + afl->fsrv.perm = afl->perm; + afl->dir_perm = DEFAULT_DIRS_PERMISSION; + + } + exit_1 = !!afl->afl_env.afl_bench_just_one; SAYF(cCYA "afl-fuzz" VERSION cRST @@ -2505,7 +2548,8 @@ int main(int argc, char **argv_orig, char **envp) { afl->argv = use_argv; afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); + afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode, + afl->perm, afl->chown_needed ? afl->fsrv.gid : -1); if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode && !afl->unicorn_mode && !afl->fsrv.frida_mode && !afl->fsrv.cs_mode && @@ -2533,7 +2577,8 @@ int main(int argc, char **argv_orig, char **envp) { afl_shm_deinit(&afl->shm); afl->fsrv.map_size = new_map_size; afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); + afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode, + afl->perm, afl->chown_needed ? afl->fsrv.gid : -1); setenv("AFL_NO_AUTODICT", "1", 1); // loaded already afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child); @@ -2630,7 +2675,8 @@ int main(int argc, char **argv_orig, char **envp) { setenv("AFL_NO_AUTODICT", "1", 1); // loaded already afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); + afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode, + afl->perm, afl->chown_needed ? afl->fsrv.gid : -1); ck_free(afl->san_fsrvs[i].trace_bits); afl->san_fsrvs[i].trace_bits = ck_alloc(afl->fsrv.map_size + 8); afl->san_fsrvs[i].map_size = afl->fsrv.map_size; @@ -2696,7 +2742,8 @@ int main(int argc, char **argv_orig, char **envp) { setenv("AFL_NO_AUTODICT", "1", 1); // loaded already afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); + afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode, + afl->perm, afl->chown_needed ? afl->fsrv.gid : -1); afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits; afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child); @@ -3446,8 +3493,17 @@ stop_fuzzing: if ((fr_fd = ZLIBOPEN(fr, "wb9")) != NULL) { #else - if ((fr_fd = open(fr, O_WRONLY | O_TRUNC | O_CREAT, DEFAULT_PERMISSION)) >= - 0) { + if ((fr_fd = open(fr, O_WRONLY | O_TRUNC | O_CREAT, afl->perm)) >= 0) { + + if (afl->chown_needed) { + + if (fchown(fr_fd, -1, afl->fsrv.gid) == -1) { + + PFATAL("fchown() failed"); + + } + + } #endif diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 5de4fc7b..7ed8fd49 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -142,7 +142,8 @@ void afl_shm_deinit(sharedmem_t *shm) { */ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, - unsigned char non_instrumented_mode) { + unsigned char non_instrumented_mode, mode_t permission, + int gid) { shm->map_size = 0; @@ -181,7 +182,13 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, shm->g_shm_fd = shm_create_largepage(shm->g_shm_file_path, shmflags, i, - SHM_LARGEPAGE_ALLOC_DEFAULT, DEFAULT_PERMISSION); + SHM_LARGEPAGE_ALLOC_DEFAULT, permission); + + if (gid != -1 && shm->g_shm_fd != -1) { + + if (fchown(shm->g_shm_fd, -1, gid) == -1) { PFATAL("fchown() failed"); } + + } } @@ -193,7 +200,13 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, if (shm->g_shm_fd == -1) { shm->g_shm_fd = - shm_open(shm->g_shm_file_path, shmflags | O_CREAT, DEFAULT_PERMISSION); + shm_open(shm->g_shm_file_path, shmflags | O_CREAT, permission); + + if (gid != -1 && shm->g_shm_fd != -1) { + + if (fchown(shm->g_shm_fd, -1, gid) == -1) { PFATAL("fchown() failed"); } + + } } @@ -234,10 +247,14 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, getpid(), random()); /* create the shared memory segment as if it was a file */ - shm->cmplog_g_shm_fd = - shm_open(shm->cmplog_g_shm_file_path, O_CREAT | O_RDWR | O_EXCL, - DEFAULT_PERMISSION); + shm->cmplog_g_shm_fd = shm_open(shm->cmplog_g_shm_file_path, + O_CREAT | O_RDWR | O_EXCL, permission); if (shm->cmplog_g_shm_fd == -1) { PFATAL("shm_open() failed"); } + if (gid != -1) { + + if (fchown(shm->g_shm_fd, -1, gid) == -1) { PFATAL("fchown() failed"); } + + } /* configure the size of the shared memory segment */ if (ftruncate(shm->cmplog_g_shm_fd, sizeof(struct cmp_map))) { @@ -273,23 +290,41 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, } #else - u8 *shm_str; + u8 *shm_str; + struct shmid_ds shmid_ds; // for qemu+unicorn we have to increase by 8 to account for potential // compcov map overwrite shm->shm_id = shmget(IPC_PRIVATE, map_size == MAP_SIZE ? map_size + 8 : map_size, - IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION); + IPC_CREAT | IPC_EXCL | permission); if (shm->shm_id < 0) { PFATAL("shmget() failed, try running afl-system-config"); } + if (gid != -1) { + + if (shmctl(shm->shm_id, IPC_STAT, &shmid_ds) == -1) { + + PFATAL("shmctl(IPC_STAT) failed"); + + } + + shmid_ds.shm_perm.gid = (gid_t)gid; + if (shmctl(shm->shm_id, IPC_SET, &shmid_ds) == -1) { + + PFATAL("shmctl(IPC_SET) failed"); + + } + + } + if (shm->cmplog_mode) { shm->cmplog_shm_id = shmget(IPC_PRIVATE, sizeof(struct cmp_map), - IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION); + IPC_CREAT | IPC_EXCL | permission); if (shm->cmplog_shm_id < 0) { @@ -298,6 +333,23 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, } + if (gid != -1) { + + if (shmctl(shm->cmplog_shm_id, IPC_STAT, &shmid_ds) == -1) { + + PFATAL("shmctl(IPC_STAT) failed"); + + } + + shmid_ds.shm_perm.gid = (gid_t)gid; + if (shmctl(shm->cmplog_shm_id, IPC_SET, &shmid_ds) == -1) { + + PFATAL("shmctl(IPC_SET) failed"); + + } + + } + } if (!non_instrumented_mode) { diff --git a/src/afl-showmap.c b/src/afl-showmap.c index bd0594dc..a9e084f9 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -1348,7 +1348,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv->target_path = find_binary(argv[optind]); #endif - fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); + fsrv->trace_bits = afl_shm_init(&shm, map_size, 0, DEFAULT_PERMISSION, -1); if (!quiet_mode) { @@ -1488,7 +1488,8 @@ int main(int argc, char **argv_orig, char **envp) { atexit(at_exit_handler); size_t shm_fuzz_map_size = SHM_FUZZ_MAP_SIZE_DEFAULT; - u8 *map = afl_shm_init(shm_fuzz, shm_fuzz_map_size, 1); + u8 *map = afl_shm_init(shm_fuzz, SHM_FUZZ_MAP_SIZE_DEFAULT, 1, + DEFAULT_PERMISSION, -1); shm_fuzz->shmemfuzz_mode = true; if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } @@ -1550,7 +1551,8 @@ int main(int argc, char **argv_orig, char **envp) { afl_shm_deinit(&shm); afl_fsrv_kill(fsrv); fsrv->map_size = new_map_size; - fsrv->trace_bits = afl_shm_init(&shm, new_map_size, 0); + fsrv->trace_bits = + afl_shm_init(&shm, new_map_size, 0, DEFAULT_PERMISSION, -1); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 60f0c84f..57d970a5 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1332,7 +1332,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv->target_path = find_binary(argv[optind]); #endif - fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); + fsrv->trace_bits = afl_shm_init(&shm, map_size, 0, DEFAULT_PERMISSION, -1); detect_file_args(argv + optind, out_file, &fsrv->use_stdin); signal(SIGALRM, kill_child); @@ -1431,7 +1431,8 @@ int main(int argc, char **argv_orig, char **envp) { shm_fuzz->cmplog_mode = 0; size_t shm_fuzz_map_size = SHM_FUZZ_MAP_SIZE_DEFAULT; - u8 *map = afl_shm_init(shm_fuzz, shm_fuzz_map_size, 1); + u8 *map = afl_shm_init(shm_fuzz, SHM_FUZZ_MAP_SIZE_DEFAULT, 1, + DEFAULT_PERMISSION, -1); shm_fuzz->shmemfuzz_mode = 1; if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } @@ -1502,7 +1503,8 @@ int main(int argc, char **argv_orig, char **envp) { afl_shm_deinit(&shm); afl_fsrv_kill(fsrv); fsrv->map_size = new_map_size; - fsrv->trace_bits = afl_shm_init(&shm, new_map_size, 0); + fsrv->trace_bits = + afl_shm_init(&shm, new_map_size, 0, DEFAULT_PERMISSION, -1); afl_fsrv_start(fsrv, use_argv, &stop_soon, (get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT"))