/*
   american fuzzy lop++ - forkserver header
   ----------------------------------------

   Originally written by Michal Zalewski

   Forkserver design by Jann Horn <[email protected]>

   Now maintained by Marc Heuse <[email protected]>,
                     Heiko Eißfeldt <[email protected]>,
                     Andrea Fioraldi <[email protected]>,
                     Dominik Maier <[email protected]>

   Copyright 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019-2024 AFLplusplus Project. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:

     https://www.apache.org/licenses/LICENSE-2.0

   Shared code that implements a forkserver. This is used by the fuzzer
   as well as the other components like afl-tmin.

 */

/* NOTE(review): identifiers beginning with a double underscore are reserved
   for the implementation in C; the guard name predates that concern and is
   kept for compatibility with existing includers. */
#ifndef __AFL_FORKSERVER_H
#define __AFL_FORKSERVER_H

#include <stdio.h>
#include <stdbool.h>

/* Provides the u8/s32/u32/u64 aliases used throughout this header
   (presumably also pulls in <stdint.h> for the uint*_t names below). */
#include "types.h"

/* Everything up to the matching #endif after afl_load_libnyx_plugin() is
   Linux-only: the Nyx backend is not available on other platforms. */
#ifdef __linux__
/**
 * Nyx related typedefs taken from libnyx.h
 *
 * These enums cross the plugin boundary (see nyx_exec / nyx_config_set_process_role
 * in nyx_plugin_handler_t), so the enumerator order must stay identical to
 * the definitions in libnyx.h; do not reorder or insert values here.
 */

/* Outcome of a single Nyx execution, as reported by nyx_exec. */
typedef enum NyxReturnValue {

  Normal,
  Crash,
  Asan,
  Timeout,
  InvalidWriteToPayload,
  Error,
  IoError,
  Abort,

} NyxReturnValue;

/* Role of this process in a Nyx snapshot setup, passed to
   nyx_config_set_process_role. */
typedef enum NyxProcessRole {

  StandAlone,
  Parent,
  Child,

} NyxProcessRole;
/* Function table for the libnyx plugin, populated by afl_load_libnyx_plugin()
   below. Every handle is an opaque `void *`, so the compiler cannot tell a
   `config` from a `qemu_process`: callers must keep the two apart themselves.
   Signatures must stay in sync with libnyx.h. */
typedef struct {

  /* Configuration phase: these take the handle returned by nyx_config_load. */
  void *(*nyx_config_load)(const char *sharedir);
  void (*nyx_config_set_workdir_path)(void *config, const char *workdir);
  void (*nyx_config_set_input_buffer_size)(void    *config,
                                           uint32_t input_buffer_size);
  void (*nyx_config_set_input_buffer_write_protection)(
      void *config, bool input_buffer_write_protection);
  void (*nyx_config_set_hprintf_fd)(void *config, int32_t hprintf_fd);
  void (*nyx_config_set_process_role)(void *config, enum NyxProcessRole role);
  void (*nyx_config_set_reuse_snapshot_path)(void       *config,
                                             const char *reuse_snapshot_path);

  /* Runtime phase: these take the handle returned by nyx_new. */
  void *(*nyx_new)(void *config, uint32_t worker_id);
  void (*nyx_shutdown)(void *qemu_process);
  void (*nyx_option_set_reload_mode)(void *qemu_process, bool enable);
  /* Timeout is split into whole seconds (8 bit, so at most 255 s) plus
     microseconds. */
  void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec,
                                 uint32_t timeout_usec);
  void (*nyx_option_apply)(void *qemu_process);
  /* Hands one test case of `size` bytes to the VM. NOTE(review): presumably
     bounded by nyx_config_set_input_buffer_size — confirm against libnyx. */
  void (*nyx_set_afl_input)(void *qemu_process, uint8_t *buffer, uint32_t size);
  /* Runs one execution and classifies its outcome. */
  enum NyxReturnValue (*nyx_exec)(void *qemu_process);
  /* Coverage bitmap produced by the guest; readers must bound accesses by
     nyx_get_bitmap_buffer_size, since the guest controls the contents. */
  uint8_t *(*nyx_get_bitmap_buffer)(void *qemu_process);
  size_t (*nyx_get_bitmap_buffer_size)(void *qemu_process);
  /* Copies the guest-provided aux string into `buffer` (at most `size`
     bytes). NOTE(review): the return value is assumed to be the number of
     bytes written — confirm against libnyx. */
  uint32_t (*nyx_get_aux_string)(void *nyx_process, uint8_t *buffer,
                                 uint32_t size);

  bool (*nyx_remove_work_dir)(const char *workdir);
  bool (*nyx_config_set_aux_buffer_size)(void    *config,
                                         uint32_t aux_buffer_size);

} nyx_plugin_handler_t;

/* Imports helper functions to enable Nyx mode (Linux only )*/
/* `libnyx_binary` is the path of the plugin to load (presumably dlopen'ed).
   Ownership of the returned table and its behaviour on failure are not
   documented here — callers should check for NULL before use; TODO confirm
   against the implementation. */
nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary);

#endif /* __linux__ */

/* State of one forkserver instance. Shared by afl-fuzz and the other tools
   (afl-tmin, ...) that drive a target through the forkserver protocol. */
typedef struct afl_forkserver {

  /* a program that includes afl-forkserver needs to define these */

  /* NOTE(review): the target writes into this region, so its contents are
     untrusted data; readers should bound accesses by map_size. */
  u8 *trace_bits;                         /* SHM with instrumentation bitmap */

  s32 fsrv_pid,                           /* PID of the fork server           */
      child_pid,                          /* PID of the fuzzed program        */
      child_status,                       /* waitpid result for the child     */
      out_dir_fd;                         /* FD of the lock file              */

  s32 out_fd,                             /* Persistent fd for fsrv->out_file */
      dev_urandom_fd,                     /* Persistent fd for /dev/urandom   */

      dev_null_fd,                        /* Persistent fd for /dev/null      */
      fsrv_ctl_fd,                        /* Fork server control pipe (write) */
      fsrv_st_fd;                         /* Fork server status pipe (read)   */

  u32 exec_tmout;                         /* Configurable exec timeout (ms)   */
  u32 init_tmout;                         /* Configurable init timeout (ms)   */
  u32 map_size;                           /* map size used by the target      */
  u32 real_map_size;                      /* real map size, unaligned         */
  u32 snapshot;                           /* is snapshot feature used         */
  u64 mem_limit;                          /* Memory cap for child (MB)        */

  u64 total_execs;                        /* How often run_target was called  */

  u8 *out_file,                           /* File to fuzz, if any             */
      *target_path;                       /* Path of the target               */

  FILE *plot_file,                        /* Gnuplot output file              */
      *det_plot_file;                     /* second Gnuplot output file       */

  /* Note: last_run_timed_out is u32 to send it to the child as 4 byte array */
  u32 last_run_timed_out;                 /* Traced process timed out?        */

  u8 last_kill_signal;                    /* Signal that killed the child     */

  bool use_shmem_fuzz;                    /* use shared mem for test cases    */

  bool support_shmem_fuzz;                /* set by afl-fuzz                  */

  bool use_fauxsrv;                       /* Fauxsrv for non-forking targets? */

  bool qemu_mode;                         /* if running in qemu mode or not   */

  bool frida_mode;                        /* if running in frida mode or not  */

  bool frida_asan;                        /* if running with asan in frida mode */

  bool cs_mode;                           /* if running in CoreSight mode or not */

  bool use_stdin;                         /* use stdin for sending data       */

  bool no_unlink;                         /* do not unlink cur_input          */

  bool uses_asan;                         /* Target uses ASAN?                */

  bool debug;                             /* debug mode?                      */

  bool uses_crash_exitcode;               /* Custom crash exitcode specified? */
  u8   crash_exitcode;                    /* The crash exitcode specified     */

  /* Pointer, not a value: the length presumably lives in the shared
     test-case region next to shmem_fuzz, where the target can read it. */
  u32 *shmem_fuzz_len;                    /* length of the fuzzing test case  */

  u8 *shmem_fuzz;                         /* allocated memory for fuzzing     */

  char *cmplog_binary;                    /* the name of the cmplog binary    */

  /* persistent mode replay functionality */
  u32 persistent_record;                  /* persistent replay setting        */
#ifdef AFL_PERSISTENT_RECORD
  u32  persistent_record_idx;             /* persistent replay cache ptr      */
  u32  persistent_record_cnt;             /* persistent replay counter        */
  u8  *persistent_record_dir;
  u8 **persistent_record_data;
  u32 *persistent_record_len;
  s32  persistent_record_pid;
#endif

  /* Function to kick off the forkserver child */
  void (*init_child_func)(struct afl_forkserver *fsrv, char **argv);

  u8 *afl_ptr;                            /* for autodictionary: afl ptr      */

  /* Callback receiving autodictionary entries; `mem`/`len` originate from the
     target and should be treated as untrusted input by the implementation
     (presumably, based on the afl_ptr comment above — confirm). */
  void (*add_extra_func)(void *afl_ptr, u8 *mem, u32 len);

  /* Signals used to terminate the child / the forkserver itself
     (by name; confirm against afl_fsrv_kill and afl_fsrv_killall). */
  u8 child_kill_signal;
  u8 fsrv_kill_signal;

  u8 persistent_mode;                     /* presumably nonzero for persistent targets */

#ifdef __linux__
  nyx_plugin_handler_t *nyx_handlers;
  char                 *out_dir_path;     /* path to the output directory     */
  /* NOTE(review): u8 unlike the other *_mode flags above, which are bool. */
  u8                    nyx_mode;         /* if running in nyx mode or not    */
  bool                  nyx_parent;       /* create initial snapshot          */
  bool                  nyx_standalone;   /* don't serialize the snapshot     */
  void                 *nyx_runner;       /* nyx runner object                */
  u32                   nyx_id;           /* nyx runner id (0 -> master)      */
  u32                   nyx_bind_cpu_id;  /* nyx runner cpu id                */
  char                 *nyx_aux_string;
  u32                   nyx_aux_string_len;
  bool                  nyx_use_tmp_workdir;
  char                 *nyx_tmp_workdir_path;
  s32                   nyx_log_fd;       /* fd for nyx log output — presumably passed to nyx_config_set_hprintf_fd; confirm */
#endif

} afl_forkserver_t;

/* Outcome of afl_fsrv_run_target(). The numbering is explicit so that code
   comparing against raw values stays correct if entries are ever appended. */
typedef enum fsrv_run_result {

  /* 00 */ FSRV_RUN_OK = 0,
  /* 01 */ FSRV_RUN_TMOUT,
  /* 02 */ FSRV_RUN_CRASH,
  /* 03 */ FSRV_RUN_ERROR,
  /* 04 */ FSRV_RUN_NOINST,               /* by name: no instrumentation seen */
  /* 05 */ FSRV_RUN_NOBITS,               /* by name: bitmap stayed empty     */

} fsrv_run_result_t;

/* Initialises `fsrv` to defaults; must run before any other afl_fsrv_* call. */
void afl_fsrv_init(afl_forkserver_t *fsrv);
/* Initialises `fsrv_to` from an already set up `from` instance. */
void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from);
/* Spawns the forkserver for `argv`. `stop_soon_p` is volatile, so it is
   presumably a flag flipped asynchronously (e.g. from a signal handler);
   `debug_child_output` controls whether the child's output is kept. */
void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
                    volatile u8 *stop_soon_p, u8 debug_child_output);
/* Same parameters as afl_fsrv_start; returns the map size reported by the
   target. */
u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv,
                         volatile u8 *stop_soon_p, u8 debug_child_output);
/* Delivers `len` bytes of `buf` as the next test case (via out_file, stdin or
   shared memory, depending on the flags in `fsrv`). */
void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len);
/* Executes the target once with `timeout` (ms) and classifies the result. */
fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
                                      volatile u8 *stop_soon_p);
/* Kills every forkserver this process started. */
void afl_fsrv_killall(void);
/* Releases the resources held by `fsrv`. */
void afl_fsrv_deinit(afl_forkserver_t *fsrv);
/* Kills the forkserver (and child) belonging to `fsrv`. */
void afl_fsrv_kill(afl_forkserver_t *fsrv);

/* User-facing hint appended to error messages on macOS, where fork() has
   non-standard semantics. Empty elsewhere so callers can concatenate it
   unconditionally. */
#ifdef __APPLE__
  #define MSG_FORK_ON_APPLE                                                    \
    "    - On MacOS X, the semantics of fork() syscalls are non-standard and " \
    "may\n"                                                                    \
    "      break afl-fuzz performance optimizations when running "             \
    "platform-specific\n"                                                      \
    "      targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n"
#else
  #define MSG_FORK_ON_APPLE ""
#endif

/* Fragment of a printf-style format string: `%llu` expects the memory limit
   (in MB, as mem_limit above) and the `<< 10` turns it into the kilobyte
   unit that ulimit uses. The opening parenthesis is intentionally unbalanced
   and is presumably closed by the caller's surrounding text.
   NOTE(review): RLIMIT_AS comes from <sys/resource.h>, which this header does
   not include, so which variant is selected depends on what the including
   file pulled in beforehand — confirm include order in the users. */
#ifdef RLIMIT_AS
  #define MSG_ULIMIT_USAGE "      ( ulimit -Sv $[%llu << 10];"
#else
  #define MSG_ULIMIT_USAGE "      ( ulimit -Sd $[%llu << 10];"
#endif                                                        /* ^RLIMIT_AS */

#endif /* __AFL_FORKSERVER_H */