1 /*
2 american fuzzy lop++ - shared memory related code
3 -------------------------------------------------
4
5 Originally written by Michal Zalewski
6
7 Forkserver design by Jann Horn <[email protected]>
8
9 Now maintained by Marc Heuse <[email protected]>,
10 Heiko Eißfeldt <[email protected]> and
11 Andrea Fioraldi <[email protected]>
12
13 Copyright 2016, 2017 Google Inc. All rights reserved.
14 Copyright 2019-2024 AFLplusplus Project. All rights reserved.
15
16 Licensed under the Apache License, Version 2.0 (the "License");
17 you may not use this file except in compliance with the License.
18 You may obtain a copy of the License at:
19
20 https://www.apache.org/licenses/LICENSE-2.0
21
22 Shared code to handle the shared memory. This is used by the fuzzer
23 as well the other components like afl-tmin, afl-showmap, etc...
24
25 */
26
27 #define AFL_MAIN
28
29 #ifdef __ANDROID__
30 #include "android-ashmem.h"
31 #endif
32 #include "config.h"
33 #include "types.h"
34 #include "debug.h"
35 #include "alloc-inl.h"
36 #include "hash.h"
37 #include "sharedmem.h"
38 #include "cmplog.h"
39 #include "list.h"
40
41 #include <stdio.h>
42 #include <unistd.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <time.h>
46 #include <errno.h>
47 #include <signal.h>
48 #include <dirent.h>
49 #include <fcntl.h>
50
51 #include <sys/wait.h>
52 #include <sys/time.h>
53 #include <sys/stat.h>
54 #include <sys/types.h>
55 #include <sys/resource.h>
56 #include <sys/mman.h>
57
58 #ifndef USEMMAP
59 #include <sys/ipc.h>
60 #include <sys/shm.h>
61 #endif
62
/* Registry of every region handed out by afl_shm_init(); afl_shm_deinit()
   removes its entry again.  Nothing on this page walks the list, so it is
   presumably consumed by a process-wide cleanup elsewhere - verify against
   the callers before relying on that. */
static list_t shm_list = {.element_prealloc_count = 0};
64
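/* Get rid of shared memory.

   Releases what afl_shm_init() set up for `shm`: the env var(s) advertising
   the region to the target, the mapping of the coverage map and - in cmplog
   mode - of the cmplog map, and the backing object (POSIX shm name or SysV
   segment).  A NULL `shm` is a no-op.  Released handles are reset
   (map/cmp_map to NULL, POSIX fds to -1, names emptied), so a second call on
   the same `shm` does not touch them again; the SysV ids are kept as they
   were, a repeated IPC_RMID on them merely fails. */

#ifdef USEMMAP

/* Release one POSIX shm object: unmap `map` (if mapped), close `*fd` (if
   open) and unlink `path` (if set).  fd and path are reset here; the caller
   resets its own map pointer.  Return values are ignored as in the original
   teardown - there is nothing left to do about a failed munmap()/close(). */
static void afl_shm_release_posix(void *map, size_t len, int *fd,
                                  char *path) {

  if (map != NULL) { munmap(map, len); }

  if (*fd != -1) {

    close(*fd);
    *fd = -1;

  }

  if (path[0]) {

    shm_unlink(path);
    path[0] = 0;

  }

}

#endif

void afl_shm_deinit(sharedmem_t *shm) {

  if (shm == NULL) { return; }

  list_remove(&shm_list, shm);

  /* Stop advertising the region before tearing it down. */
  if (shm->shmemfuzz_mode) {

    unsetenv(SHM_FUZZ_ENV_VAR);

  } else {

    unsetenv(SHM_ENV_VAR);

  }

  /* Done for both backends: a cmplog id/name that has just been removed must
     not stay exported. */
  if (shm->cmplog_mode) { unsetenv(CMPLOG_SHM_ENV_VAR); }

#ifdef USEMMAP

  afl_shm_release_posix(shm->map, shm->map_size, &shm->g_shm_fd,
                        shm->g_shm_file_path);

  if (shm->cmplog_mode) {

    afl_shm_release_posix(shm->cmp_map, shm->map_size, &shm->cmplog_g_shm_fd,
                          shm->cmplog_g_shm_file_path);

  }

#else

  /* IPC_RMID only marks a segment for destruction; the kernel frees it once
     the last attachment is gone, so detach ours as well instead of keeping
     the memory mapped until exit.  shmdt() is skipped for an already-NULL
     pointer (second call, or a struct that never got attached). */
  if (shm->map != NULL) { shmdt(shm->map); }

  shmctl(shm->shm_id, IPC_RMID, NULL);

  if (shm->cmplog_mode) {

    if (shm->cmp_map != NULL) { shmdt(shm->cmp_map); }

    shmctl(shm->cmplog_shm_id, IPC_RMID, NULL);

  }

#endif

  shm->map = NULL;
  shm->cmp_map = NULL;

}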
138
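/* Configure shared memory.

   Creates the coverage map region of `map_size` bytes (plus, when
   shm->cmplog_mode is set, the cmplog region), maps it into this process
   and - unless `non_instrumented_mode` is set - exports its handle through
   SHM_ENV_VAR / CMPLOG_SHM_ENV_VAR so an exec()'d target can attach to it.
   The caller is expected to have set shm->cmplog_mode beforehand.

   Every failure is fatal (PFATAL).  Before aborting, whatever was created so
   far is removed again so that no named POSIX shm object or SysV segment
   outlives the process.  On success the region is recorded in shm_list,
   shm->map_size is set (afl_shm_deinit() uses it as the unmap length) and a
   pointer to shm->map is returned for ease of use.
*/

#ifdef USEMMAP

/* Discard one POSIX shm object created by this file.  An open descriptor is
   the proof that shm_open() succeeded for `path`, so only then is the name
   unlinked - a failed O_EXCL open must never remove an object that belongs
   to someone else.  Both handles are reset afterwards. */
static void afl_shm_discard_posix(int *fd, char *path) {

  if (*fd != -1) {

    close(*fd);
    *fd = -1;
    shm_unlink(path);

  }

  path[0] = 0;

}

/* Remove everything the POSIX path has created so far.  POSIX shm names
   outlive the creating process, so this has to run before a fatal exit.
   errno is saved and restored so the PFATAL() that follows still reports the
   failing call rather than the cleanup. */
static void afl_shm_discard_all_posix(sharedmem_t *shm) {

  int saved_errno = errno;

  afl_shm_discard_posix(&shm->g_shm_fd, shm->g_shm_file_path);

  if (shm->cmplog_mode) {

    afl_shm_discard_posix(&shm->cmplog_g_shm_fd, shm->cmplog_g_shm_file_path);

  }

  errno = saved_errno;

}

/* shm_open()/mmap() flavour of afl_shm_init(); see there for the contract. */
static void afl_shm_init_posix(sharedmem_t *shm, size_t map_size,
                               unsigned char non_instrumented_mode) {

  const int shmflags = O_RDWR | O_EXCL;

  shm->g_shm_fd = -1;
  shm->cmplog_g_shm_fd = -1;

  /* Per-process name so several instances can coexist.  tmpnam() would be the
     natural tool, but glibc emits an unsuppressible security warning for it,
     hence this workaround.  O_EXCL guarantees a pre-existing object of the
     same name is never adopted; such a clash surfaces as a fatal shm_open()
     error. */
  snprintf(shm->g_shm_file_path, L_tmpnam, "/afl_%d_%ld", getpid(), random());

#ifdef SHM_LARGEPAGE_ALLOC_DEFAULT
  /* Prefer a large-page backed object so the map is optimised and monitorable
     as a separate segment.  Page sizes are queried once per process. */
  static size_t sizes[4] = {(size_t)-1};
  static int    psizes = 0;

  if (sizes[0] == (size_t)-1) { psizes = getpagesizes(sizes, 4); }

  /* Walk from the largest page size down and take the first one that divides
     map_size evenly.  Very unlikely to fail even with only two sizes. */
  if (likely(psizes > 0)) {

    for (int i = psizes - 1; shm->g_shm_fd == -1 && i >= 0; --i) {

      if (sizes[i] == 0 || map_size % sizes[i]) { continue; }

      shm->g_shm_fd =
          shm_create_largepage(shm->g_shm_file_path, shmflags, i,
                               SHM_LARGEPAGE_ALLOC_DEFAULT, DEFAULT_PERMISSION);

    }

  }

#endif

  /* Regular object when large pages are unavailable or did not work out. */
  if (shm->g_shm_fd == -1) {

    shm->g_shm_fd =
        shm_open(shm->g_shm_file_path, shmflags | O_CREAT, DEFAULT_PERMISSION);

  }

  if (shm->g_shm_fd == -1) {

    afl_shm_discard_all_posix(shm);
    PFATAL("shm_open() failed");

  }

  /* A fresh shm object is empty until sized. */
  if (ftruncate(shm->g_shm_fd, map_size)) {

    afl_shm_discard_all_posix(shm);
    PFATAL("setup_shm(): ftruncate() failed");

  }

  shm->map =
      mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, shm->g_shm_fd, 0);

  if (shm->map == MAP_FAILED) {

    shm->map = NULL;
    afl_shm_discard_all_posix(shm);
    PFATAL("mmap() failed");

  }

  /* In non-instrumented mode the target must not detect the instrumentation,
     since we won't be sending fork server commands.  This should be replaced
     with better auto-detection later on, perhaps? */
  if (!non_instrumented_mode) { setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); }

  if (shm->cmplog_mode) {

    snprintf(shm->cmplog_g_shm_file_path, L_tmpnam, "/afl_cmplog_%d_%ld",
             getpid(), random());

    shm->cmplog_g_shm_fd = shm_open(shm->cmplog_g_shm_file_path,
                                    shmflags | O_CREAT, DEFAULT_PERMISSION);

    if (shm->cmplog_g_shm_fd == -1) {

      afl_shm_discard_all_posix(shm);
      PFATAL("shm_open() failed");

    }

    /* NOTE(review): the SysV branch sizes the cmplog segment with
       sizeof(struct cmp_map) while this branch uses map_size; which size the
       cmplog-instrumented target maps is not visible here - confirm before
       changing either side (afl_shm_deinit() unmaps map_size bytes). */
    if (ftruncate(shm->cmplog_g_shm_fd, map_size)) {

      afl_shm_discard_all_posix(shm);
      PFATAL("setup_shm(): cmplog ftruncate() failed");

    }

    shm->cmp_map = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED,
                        shm->cmplog_g_shm_fd, 0);

    if (shm->cmp_map == MAP_FAILED) {

      shm->cmp_map = NULL;
      afl_shm_discard_all_posix(shm);
      PFATAL("mmap() failed");

    }

    if (!non_instrumented_mode) {

      setenv(CMPLOG_SHM_ENV_VAR, shm->cmplog_g_shm_file_path, 1);

    }

  }

}

#else

/* Remove every SysV segment created so far ("do not leak shmem").  Ids that
   were never obtained are negative and skipped.  errno is preserved so the
   PFATAL() that follows reports the failing call. */
static void afl_shm_discard_all_sysv(sharedmem_t *shm) {

  int saved_errno = errno;

  if (shm->shm_id >= 0) { shmctl(shm->shm_id, IPC_RMID, NULL); }

  if (shm->cmplog_mode && shm->cmplog_shm_id >= 0) {

    shmctl(shm->cmplog_shm_id, IPC_RMID, NULL);

  }

  errno = saved_errno;

}

/* System V flavour of afl_shm_init(); see there for the contract. */
static void afl_shm_init_sysv(sharedmem_t *shm, size_t map_size,
                              unsigned char non_instrumented_mode) {

  /* For qemu+unicorn the default-sized map gets 8 spare bytes to account for
     a potential compcov map overwrite. */
  size_t seg_size = map_size == MAP_SIZE ? map_size + 8 : map_size;

  shm->shm_id =
      shmget(IPC_PRIVATE, seg_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);

  if (shm->shm_id < 0) {

    PFATAL("shmget() failed, try running afl-system-config");

  }

  if (shm->cmplog_mode) {

    shm->cmplog_shm_id = shmget(IPC_PRIVATE, sizeof(struct cmp_map),
                                IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);

    if (shm->cmplog_shm_id < 0) {

      afl_shm_discard_all_sysv(shm);
      PFATAL("shmget() failed, try running afl-system-config");

    }

  }

  shm->map = shmat(shm->shm_id, NULL, 0);

  if (shm->map == (void *)-1 || !shm->map) {

    shm->map = NULL;
    afl_shm_discard_all_sysv(shm);
    PFATAL("shmat() failed");

  }

  if (shm->cmplog_mode) {

    shm->cmp_map = shmat(shm->cmplog_shm_id, NULL, 0);

    if (shm->cmp_map == (void *)-1 || !shm->cmp_map) {

      shm->cmp_map = NULL;
      afl_shm_discard_all_sysv(shm);
      PFATAL("shmat() failed");

    }

  }

  /* In non-instrumented mode the target must not detect the instrumentation,
     since we won't be sending fork server commands.  This should be replaced
     with better auto-detection later on, perhaps? */
  if (!non_instrumented_mode) {

    u8 *id_str = alloc_printf("%d", shm->shm_id);
    setenv(SHM_ENV_VAR, id_str, 1);
    ck_free(id_str);

    if (shm->cmplog_mode) {

      id_str = alloc_printf("%d", shm->cmplog_shm_id);
      setenv(CMPLOG_SHM_ENV_VAR, id_str, 1);
      ck_free(id_str);

    }

  }

}

#endif

u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
                 unsigned char non_instrumented_mode) {

  /* Reset the handles first so a failure never leaves stale pointers behind. */
  shm->map_size = 0;
  shm->map = NULL;
  shm->cmp_map = NULL;

#ifdef USEMMAP
  afl_shm_init_posix(shm, map_size, non_instrumented_mode);
#else
  afl_shm_init_sysv(shm, map_size, non_instrumented_mode);
#endif

  /* Only a fully set up region is recorded. */
  shm->map_size = map_size;
  list_append(&shm_list, shm);

  return shm->map;

}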
367
368