/*
|
*
|
* honggfuzz - the main file
|
* -----------------------------------------
|
*
|
* Authors: Robert Swiecki <swiecki@google.com>
|
* Felix Gröbert <groebert@google.com>
|
*
|
* Copyright 2010-2019 by Google Inc. All Rights Reserved.
|
*
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
* not use this file except in compliance with the License. You may obtain
|
* a copy of the License at
|
*
|
* http://www.apache.org/licenses/LICENSE-2.0
|
*
|
* Unless required by applicable law or agreed to in writing, software
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
* implied. See the License for the specific language governing
|
* permissions and limitations under the License.
|
*
|
*/
|
|
#include <errno.h>
|
#include <getopt.h>
|
#include <inttypes.h>
|
#include <signal.h>
|
#include <stdio.h>
|
#include <stdlib.h>
|
#include <string.h>
|
#include <sys/mman.h>
|
#include <sys/resource.h>
|
#include <sys/time.h>
|
#include <time.h>
|
#include <unistd.h>
|
|
#include "cmdline.h"
|
#include "display.h"
|
#include "fuzz.h"
|
#include "input.h"
|
#include "libhfcommon/common.h"
|
#include "libhfcommon/files.h"
|
#include "libhfcommon/log.h"
|
#include "libhfcommon/util.h"
|
#include "socketfuzzer.h"
|
#include "subproc.h"
|
|
static int sigReceived = 0;
|
|
/*
|
* CygWin/MinGW incorrectly copies stack during fork(), so we need to keep some
|
* structures in the data section
|
*/
|
honggfuzz_t hfuzz;
|
|
static void exitWithMsg(const char* msg, int exit_code) {
|
HF_ATTR_UNUSED ssize_t sz = write(STDERR_FILENO, msg, strlen(msg));
|
for (;;) {
|
exit(exit_code);
|
_exit(exit_code);
|
abort();
|
__builtin_trap();
|
}
|
}
|
|
static bool showDisplay = true;
|
static void sigHandler(int sig) {
|
/* We should not terminate upon SIGALRM delivery */
|
if (sig == SIGALRM) {
|
if (fuzz_shouldTerminate()) {
|
exitWithMsg("Terminating forcefully\n", EXIT_FAILURE);
|
}
|
showDisplay = true;
|
return;
|
}
|
/* Do nothing with pings from the main thread */
|
if (sig == SIGUSR1) {
|
return;
|
}
|
/* It's handled in the signal thread */
|
if (sig == SIGCHLD) {
|
return;
|
}
|
|
if (ATOMIC_GET(sigReceived) != 0) {
|
exitWithMsg("Repeated termination signal caugth\n", EXIT_FAILURE);
|
}
|
|
ATOMIC_SET(sigReceived, sig);
|
}
|
|
static void setupRLimits(void) {
|
struct rlimit rlim;
|
if (getrlimit(RLIMIT_NOFILE, &rlim) == -1) {
|
PLOG_W("getrlimit(RLIMIT_NOFILE)");
|
return;
|
}
|
if (rlim.rlim_cur >= 1024) {
|
return;
|
}
|
if (rlim.rlim_max < 1024) {
|
LOG_E("RLIMIT_NOFILE max limit < 1024 (%zu). Expect troubles!", (size_t)rlim.rlim_max);
|
return;
|
}
|
rlim.rlim_cur = MIN(1024, rlim.rlim_max); // we don't need more
|
if (setrlimit(RLIMIT_NOFILE, &rlim) == -1) {
|
PLOG_E("Couldn't setrlimit(RLIMIT_NOFILE, cur=%zu/max=%zu)", (size_t)rlim.rlim_cur,
|
(size_t)rlim.rlim_max);
|
}
|
}
|
|
static void setupMainThreadTimer(void) {
|
const struct itimerval it = {
|
.it_value =
|
{
|
.tv_sec = 1,
|
.tv_usec = 0,
|
},
|
.it_interval =
|
{
|
.tv_sec = 0,
|
.tv_usec = 1000ULL * 200ULL,
|
},
|
};
|
if (setitimer(ITIMER_REAL, &it, NULL) == -1) {
|
PLOG_F("setitimer(ITIMER_REAL)");
|
}
|
}
|
|
static void setupSignalsPreThreads(void) {
|
/* Block signals which should be handled or blocked in the main thread */
|
sigset_t ss;
|
sigemptyset(&ss);
|
sigaddset(&ss, SIGTERM);
|
sigaddset(&ss, SIGINT);
|
sigaddset(&ss, SIGQUIT);
|
sigaddset(&ss, SIGALRM);
|
sigaddset(&ss, SIGPIPE);
|
/* Linux/arch uses it to discover events from persistent fuzzing processes */
|
sigaddset(&ss, SIGIO);
|
/* Let the signal thread catch SIGCHLD */
|
sigaddset(&ss, SIGCHLD);
|
/* This is checked for via sigwaitinfo/sigtimedwait */
|
sigaddset(&ss, SIGUSR1);
|
if (sigprocmask(SIG_SETMASK, &ss, NULL) != 0) {
|
PLOG_F("pthread_sigmask(SIG_SETMASK)");
|
}
|
|
struct sigaction sa = {
|
.sa_handler = sigHandler,
|
.sa_flags = 0,
|
};
|
sigemptyset(&sa.sa_mask);
|
if (sigaction(SIGTERM, &sa, NULL) == -1) {
|
PLOG_F("sigaction(SIGTERM) failed");
|
}
|
if (sigaction(SIGINT, &sa, NULL) == -1) {
|
PLOG_F("sigaction(SIGINT) failed");
|
}
|
if (sigaction(SIGQUIT, &sa, NULL) == -1) {
|
PLOG_F("sigaction(SIGQUIT) failed");
|
}
|
if (sigaction(SIGALRM, &sa, NULL) == -1) {
|
PLOG_F("sigaction(SIGQUIT) failed");
|
}
|
if (sigaction(SIGUSR1, &sa, NULL) == -1) {
|
PLOG_F("sigaction(SIGUSR1) failed");
|
}
|
if (sigaction(SIGCHLD, &sa, NULL) == -1) {
|
PLOG_F("sigaction(SIGCHLD) failed");
|
}
|
}
|
|
static void setupSignalsMainThread(void) {
|
/* Unblock signals which should be handled by the main thread */
|
sigset_t ss;
|
sigemptyset(&ss);
|
sigaddset(&ss, SIGTERM);
|
sigaddset(&ss, SIGINT);
|
sigaddset(&ss, SIGQUIT);
|
sigaddset(&ss, SIGALRM);
|
if (sigprocmask(SIG_UNBLOCK, &ss, NULL) != 0) {
|
PLOG_F("pthread_sigmask(SIG_UNBLOCK)");
|
}
|
}
|
|
static void printSummary(honggfuzz_t* hfuzz) {
|
uint64_t exec_per_sec = 0;
|
uint64_t elapsed_sec = time(NULL) - hfuzz->timing.timeStart;
|
if (elapsed_sec) {
|
exec_per_sec = hfuzz->cnts.mutationsCnt / elapsed_sec;
|
}
|
LOG_I("Summary iterations:%zu time:%" PRIu64 " speed:%" PRIu64, hfuzz->cnts.mutationsCnt,
|
elapsed_sec, exec_per_sec);
|
}
|
|
static void pingThreads(honggfuzz_t* hfuzz) {
|
for (size_t i = 0; i < hfuzz->threads.threadsMax; i++) {
|
if (pthread_kill(hfuzz->threads.threads[i], SIGUSR1) != 0 && errno != EINTR) {
|
PLOG_W("pthread_kill(thread=%zu, SIGUSR1)", i);
|
}
|
}
|
}
|
|
static void* signalThread(void* arg) {
|
honggfuzz_t* hfuzz = (honggfuzz_t*)arg;
|
|
sigset_t ss;
|
sigemptyset(&ss);
|
sigaddset(&ss, SIGCHLD);
|
if (pthread_sigmask(SIG_UNBLOCK, &ss, NULL) != 0) {
|
PLOG_F("Couldn't unblock SIGCHLD in the signal thread");
|
}
|
|
for (;;) {
|
int sig;
|
if (sigwait(&ss, &sig) != 0 && errno != EINTR) {
|
PLOG_F("sigwait(SIGCHLD)");
|
}
|
if (fuzz_isTerminating()) {
|
break;
|
}
|
if (sig == SIGCHLD) {
|
pingThreads(hfuzz);
|
}
|
}
|
|
return NULL;
|
}
|
|
int main(int argc, char** argv) {
|
/*
|
* Work around CygWin/MinGW
|
*/
|
char** myargs = (char**)util_Malloc(sizeof(char*) * (argc + 1));
|
defer {
|
free(myargs);
|
};
|
|
int i;
|
for (i = 0U; i < argc; i++) {
|
myargs[i] = argv[i];
|
}
|
myargs[i] = NULL;
|
|
if (cmdlineParse(argc, myargs, &hfuzz) == false) {
|
LOG_F("Parsing of the cmd-line arguments failed");
|
}
|
|
if (hfuzz.display.useScreen) {
|
display_init();
|
}
|
|
if (hfuzz.socketFuzzer.enabled) {
|
LOG_I("No input file corpus loaded, the external socket_fuzzer is responsible for "
|
"creating the fuzz data");
|
setupSocketFuzzer(&hfuzz);
|
} else if (!input_init(&hfuzz)) {
|
LOG_F("Couldn't load input corpus");
|
exit(EXIT_FAILURE);
|
}
|
|
if (hfuzz.mutate.dictionaryFile && (input_parseDictionary(&hfuzz) == false)) {
|
LOG_F("Couldn't parse dictionary file ('%s')", hfuzz.mutate.dictionaryFile);
|
}
|
|
if (hfuzz.feedback.blacklistFile && (input_parseBlacklist(&hfuzz) == false)) {
|
LOG_F("Couldn't parse stackhash blacklist file ('%s')", hfuzz.feedback.blacklistFile);
|
}
|
#define hfuzzl hfuzz.linux
|
if (hfuzzl.symsBlFile &&
|
((hfuzzl.symsBlCnt = files_parseSymbolFilter(hfuzzl.symsBlFile, &hfuzzl.symsBl)) == 0)) {
|
LOG_F("Couldn't parse symbols blacklist file ('%s')", hfuzzl.symsBlFile);
|
}
|
|
if (hfuzzl.symsWlFile &&
|
((hfuzzl.symsWlCnt = files_parseSymbolFilter(hfuzzl.symsWlFile, &hfuzzl.symsWl)) == 0)) {
|
LOG_F("Couldn't parse symbols whitelist file ('%s')", hfuzzl.symsWlFile);
|
}
|
|
if (hfuzz.feedback.dynFileMethod != _HF_DYNFILE_NONE) {
|
if (!(hfuzz.feedback.feedbackMap = files_mapSharedMem(
|
sizeof(feedback_t), &hfuzz.feedback.bbFd, "hfuzz-feedback", hfuzz.io.workDir))) {
|
LOG_F("files_mapSharedMem(sz=%zu, dir='%s') failed", sizeof(feedback_t),
|
hfuzz.io.workDir);
|
}
|
}
|
|
setupRLimits();
|
setupSignalsPreThreads();
|
fuzz_threadsStart(&hfuzz);
|
|
pthread_t sigthread;
|
if (!subproc_runThread(&hfuzz, &sigthread, signalThread)) {
|
LOG_F("Couldn't start the signal thread");
|
}
|
|
setupSignalsMainThread();
|
setupMainThreadTimer();
|
|
for (;;) {
|
if (hfuzz.display.useScreen && showDisplay) {
|
display_display(&hfuzz);
|
showDisplay = false;
|
}
|
if (ATOMIC_GET(sigReceived) > 0) {
|
LOG_I("Signal %d (%s) received, terminating", ATOMIC_GET(sigReceived),
|
strsignal(ATOMIC_GET(sigReceived)));
|
break;
|
}
|
if (ATOMIC_GET(hfuzz.threads.threadsFinished) >= hfuzz.threads.threadsMax) {
|
break;
|
}
|
if (hfuzz.timing.runEndTime > 0 && (time(NULL) > hfuzz.timing.runEndTime)) {
|
LOG_I("Maximum run time reached, terminating");
|
break;
|
}
|
pingThreads(&hfuzz);
|
pause();
|
}
|
|
fuzz_setTerminating();
|
|
for (;;) {
|
if (ATOMIC_GET(hfuzz.threads.threadsFinished) >= hfuzz.threads.threadsMax) {
|
break;
|
}
|
pingThreads(&hfuzz);
|
usleep(50000); /* 50ms */
|
}
|
|
/* Clean-up global buffers */
|
if (hfuzz.feedback.blacklist) {
|
free(hfuzz.feedback.blacklist);
|
}
|
#if defined(_HF_ARCH_LINUX)
|
if (hfuzz.linux.symsBl) {
|
free(hfuzz.linux.symsBl);
|
}
|
if (hfuzz.linux.symsWl) {
|
free(hfuzz.linux.symsWl);
|
}
|
#elif defined(_HF_ARCH_NETBSD)
|
if (hfuzz.netbsd.symsBl) {
|
free(hfuzz.netbsd.symsBl);
|
}
|
if (hfuzz.netbsd.symsWl) {
|
free(hfuzz.netbsd.symsWl);
|
}
|
#endif
|
if (hfuzz.socketFuzzer.enabled) {
|
cleanupSocketFuzzer();
|
}
|
|
printSummary(&hfuzz);
|
|
return EXIT_SUCCESS;
|
}
|
