starting shmap support for unicorn

2025-06-11 09:41:35 +00:00 · 2020-05-31 04:13:41 +02:00 · 2020-05-31 04:13:41 +02:00 · ee14785f68
commit ee14785f68
parent c0ed118ba5
9 changed files with 56 additions and 36 deletions
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -444,7 +444,8 @@ typedef struct afl_state {
      deferred_mode,                    /* Deferred forkserver mode?        */
      fixed_seed,                       /* do not reseed                    */
      fast_cal,                         /* Try to calibrate faster?         */
-      disable_trim;                     /* Never trim in fuzz_one           */
+      disable_trim,                     /* Never trim in fuzz_one           */
+      shmem_testcase_mode;              /* If sharedmem testcases are used  */

  u8 *virgin_bits,                      /* Regions yet untouched by fuzzing */
      *virgin_tmout,                    /* Bits we haven't seen in tmouts   */
@ -806,6 +807,9 @@ void afl_states_clear_screen(void);
 /* Sets the skip flag on all states */
 void afl_states_request_skip(void);

+/* Setup shmem for testcase delivery */
+void setup_testcase_shmem(afl_state_t *afl);
+
 void read_afl_environment(afl_state_t *, char **);

 /**** Prototypes ****/
--- a/include/forkserver.h
+++ b/include/forkserver.h
@ -81,9 +81,9 @@ typedef struct afl_forkserver {

  u8 qemu_mode;                         /* if running in qemu mode or not   */

-  u32 shdmem_fuzz_len;                   /* length of the fuzzing test case */
+  u32 shmem_fuzz_len;                    /* length of the fuzzing test case */

-  u8 *shdmem_fuzz;                      /* allocated memory for fuzzing     */
+  u8 *shmem_fuzz;                       /* allocated memory for fuzzing     */

  char *cmplog_binary;                  /* the name of the cmplog binary    */

--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@ -286,7 +286,7 @@ static void report_error_and_exit(int error) {

 }

-/* Spins up fork server (instrumented mode only). The idea is explained here:
+/* Spins up fork server. The idea is explained here:

   http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html

@ -305,7 +305,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,

  if (fsrv->use_fauxsrv) {

-    /* TODO: Come up with sone nice way to initalize this all */
+    /* TODO: Come up with sone nice way to initialize this all */

    if (fsrv->init_child_func != fsrv_exec_child) {

@ -823,10 +823,10 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) {

 void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {

-  if (fsrv->shdmem_fuzz) {
+  if (fsrv->shmem_fuzz) {

-    memcpy(fsrv->shdmem_fuzz, buf, len);
-    fsrv->shdmem_fuzz_len = len;
+    memcpy(fsrv->shmem_fuzz, buf, len);
+    fsrv->shmem_fuzz_len = len;

  } else {

@ -888,7 +888,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,

  MEM_BARRIER();

-  if (fsrv->shdmem_fuzz_len) write_value += (fsrv->shdmem_fuzz_len << 8);
+  if (fsrv->shmem_fuzz_len) write_value += (fsrv->shmem_fuzz_len << 8);

  /* we have the fork server (or faux server) up and running
  First, tell it if the previous run timed out. */
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@ -1949,6 +1949,36 @@ static void handle_skipreq(int sig) {

 }

+
+/* Setup shared map for fuzzing with input via sharedmem */
+
+void setup_testcase_shmem(afl_state_t *afl) {
+
+  afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
+
+  // we need to set the dumb mode to not overwrite the SHM_ENV_VAR
+  if ((afl->fsrv.shmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) {
+
+#ifdef USEMMAP
+    setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
+#else
+    u8 *shm_str;
+    shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
+    setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
+    ck_free(shm_str);
+#endif
+    afl->fsrv.support_shdmen_fuzz = 1;
+
+  } else {
+
+    ck_free(afl->shm_fuzz);
+    afl->shm_fuzz = NULL;
+
+  }
+
+}
+
+
 /* Do a PATH search and find target binary to see that it exists and
   isn't a shell script - a common and painful mistake. We also check for
   a valid ELF header and for evidence of AFL instrumentation. */
@ -2153,30 +2183,8 @@ void check_binary(afl_state_t *afl, u8 *fname) {
    OKF(cPIN "Persistent mode binary detected.");
    setenv(PERSIST_ENV_VAR, "1", 1);
    afl->persistent_mode = 1;
-    // do not fail if we can not get the fuzzing shared mem
-    if ((afl->shm_fuzz = calloc(1, sizeof(sharedmem_t)))) {

-      // we need to set the dumb mode to not overwrite the SHM_ENV_VAR
-      if ((afl->fsrv.shdmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) {
-
-#ifdef USEMMAP
-        setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
-#else
-        u8 *shm_str;
-        shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
-        setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
-        ck_free(shm_str);
-#endif
-        afl->fsrv.support_shdmen_fuzz = 1;
-
-      } else {
-
-        free(afl->shm_fuzz);
-        afl->shm_fuzz = NULL;
-
-      }
-
-    }
+    afl->shmem_testcase_mode = 1;

  } else if (getenv("AFL_PERSISTENT")) {

--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -237,7 +237,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
      free(afl->shm_fuzz);
      afl->shm_fuzz = NULL;
      afl->fsrv.support_shdmen_fuzz = 0;
-      afl->fsrv.shdmem_fuzz = NULL;
+      afl->fsrv.shmem_fuzz = NULL;

    }

--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@ -103,7 +103,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
      "afl_banner        : %s\n"
      "afl_version       : " VERSION
      "\n"
-      "target_mode       : %s%s%s%s%s%s%s%s\n"
+      "target_mode       : %s%s%s%s%s%s%s%s%s\n"
      "command_line      : %s\n",
      afl->start_time / 1000, cur_time / 1000,
      (cur_time - afl->start_time) / 1000, (u32)getpid(),
@ -128,6 +128,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
      afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "",
      afl->crash_mode ? "crash " : "",
      afl->persistent_mode ? "persistent " : "",
+      afl->shmem_testcase_mode ? "shmem_testcase " : "",
      afl->deferred_mode ? "deferred " : "",
      (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->dumb_mode ||
       afl->no_forkserver || afl->crash_mode || afl->persistent_mode ||
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -572,6 +572,7 @@ int main(int argc, char **argv_orig, char **envp) {

        if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); }
        afl->unicorn_mode = 1;
+        afl->shmem_testcase_mode = 1;

        if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; }

@ -1178,6 +1179,12 @@ int main(int argc, char **argv_orig, char **envp) {

  check_binary(afl, argv[optind]);

+  if (afl->shmem_testcase_mode) {
+
+    setup_testcase_shmem(afl);
+
+  }
+
  afl->start_time = get_cur_time();

  if (afl->fsrv.qemu_mode) {
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@ -1 +1 @@
-212110c
+37067ac
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@ -1 +1 @@
-Subproject commit 212110cece6355222330906c5392a4255535cf03
+Subproject commit 37067ac1288febfe7157e6bc996d7771454f9627
 @ -1 +1 @@
 c
 ac