fix timeout bug in afl tools

docs/Changelog.md

@@ -19,8 +19,10 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - fix stability issue with LTO and cmplog
     - better banner
   - frida_mode: David Carlier added Android support :)
-  - afl-showmap, afl-tmin and afl-analyze now honor persistent mode
+  - afl-showmap, afl-tmin and afl-analyze:
-    for more speed. thanks to dloffre-snl for reporting!
+    - honor persistent mode for more speed. thanks to dloffre-snl for
+      reporting!
+    - fix bug where targets are not killed on timeouts
   - Prevent accidently killing non-afl/fuzz services when aborting
     afl-showmap and other tools.
   - afl-cc:

src/afl-analyze.c

@@ -120,6 +120,17 @@ static u8 count_class_lookup[256] = {
 #undef TIMES8
 #undef TIMES4
 
+static void kill_child() {
+
+  if (fsrv.child_pid > 0) {
+
+    kill(fsrv.child_pid, fsrv.kill_signal);
+    fsrv.child_pid = -1;
+
+  }
+
+}
+
 static void classify_counts(u8 *mem) {
 
   u32 i = map_size;
@@ -1053,6 +1064,7 @@ int main(int argc, char **argv_orig, char **envp) {
   fsrv.target_path = find_binary(argv[optind]);
   fsrv.trace_bits = afl_shm_init(&shm, map_size, 0);
   detect_file_args(argv + optind, fsrv.out_file, &use_stdin);
+  signal(SIGALRM, kill_child);
 
   if (qemu_mode) {
 

src/afl-fuzz-init.c

@@ -1325,8 +1325,8 @@ void pivot_inputs(afl_state_t *afl) {
 
       }
 
-      nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s", afl->out_dir, id,
+      nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s",
-                         afl->fsrv.total_execs, use_name);
+                         afl->out_dir, id, afl->fsrv.total_execs, use_name);
 
 #else
 

src/afl-showmap.c

@@ -146,6 +146,17 @@ static const u8 count_class_binary[256] = {
 #undef TIMES8
 #undef TIMES4
 
+static void kill_child() {
+
+  if (fsrv->child_pid > 0) {
+
+    kill(fsrv->child_pid, fsrv->kill_signal);
+    fsrv->child_pid = -1;
+
+  }
+
+}
+
 static void classify_counts(afl_forkserver_t *fsrv) {
 
   u8 *      mem = fsrv->trace_bits;
@@ -526,6 +537,8 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
 
   }
 
+  signal(SIGALRM, kill_child);
+
   setitimer(ITIMER_REAL, &it, NULL);
 
   if (waitpid(fsrv->child_pid, &status, 0) <= 0) { FATAL("waitpid() failed"); }

src/afl-tmin.c

@@ -120,6 +120,17 @@ static const u8 count_class_lookup[256] = {
 #undef TIMES8
 #undef TIMES4
 
+static void kill_child() {
+
+  if (fsrv->child_pid > 0) {
+
+    kill(fsrv->child_pid, fsrv->kill_signal);
+    fsrv->child_pid = -1;
+
+  }
+
+}
+
 static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
                                  sharedmem_t *     shm_fuzz) {
 
@@ -1125,6 +1136,7 @@ int main(int argc, char **argv_orig, char **envp) {
   fsrv->target_path = find_binary(argv[optind]);
   fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
   detect_file_args(argv + optind, out_file, &fsrv->use_stdin);
+  signal(SIGALRM, kill_child);
 
   if (fsrv->qemu_mode) {