xref: /aosp_15_r20/external/AFLplusplus/src/afl-sharedmem.c (revision 08b48e0b10e97b33e7b60c5b6e2243bd915777f2)
/*
   american fuzzy lop++ - shared memory related code
   -------------------------------------------------

   Originally written by Michal Zalewski

   Forkserver design by Jann Horn <[email protected]>

   Now maintained by Marc Heuse <[email protected]>,
                        Heiko Eißfeldt <[email protected]> and
                        Andrea Fioraldi <[email protected]>

   Copyright 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019-2024 AFLplusplus Project. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:

     https://www.apache.org/licenses/LICENSE-2.0

   Shared code to handle the shared memory. This is used by the fuzzer
   as well as the other components like afl-tmin, afl-showmap, etc...

 */
26*08b48e0bSAndroid Build Coastguard Worker 
27*08b48e0bSAndroid Build Coastguard Worker #define AFL_MAIN
28*08b48e0bSAndroid Build Coastguard Worker 
29*08b48e0bSAndroid Build Coastguard Worker #ifdef __ANDROID__
30*08b48e0bSAndroid Build Coastguard Worker   #include "android-ashmem.h"
31*08b48e0bSAndroid Build Coastguard Worker #endif
32*08b48e0bSAndroid Build Coastguard Worker #include "config.h"
33*08b48e0bSAndroid Build Coastguard Worker #include "types.h"
34*08b48e0bSAndroid Build Coastguard Worker #include "debug.h"
35*08b48e0bSAndroid Build Coastguard Worker #include "alloc-inl.h"
36*08b48e0bSAndroid Build Coastguard Worker #include "hash.h"
37*08b48e0bSAndroid Build Coastguard Worker #include "sharedmem.h"
38*08b48e0bSAndroid Build Coastguard Worker #include "cmplog.h"
39*08b48e0bSAndroid Build Coastguard Worker #include "list.h"
40*08b48e0bSAndroid Build Coastguard Worker 
41*08b48e0bSAndroid Build Coastguard Worker #include <stdio.h>
42*08b48e0bSAndroid Build Coastguard Worker #include <unistd.h>
43*08b48e0bSAndroid Build Coastguard Worker #include <stdlib.h>
44*08b48e0bSAndroid Build Coastguard Worker #include <string.h>
45*08b48e0bSAndroid Build Coastguard Worker #include <time.h>
46*08b48e0bSAndroid Build Coastguard Worker #include <errno.h>
47*08b48e0bSAndroid Build Coastguard Worker #include <signal.h>
48*08b48e0bSAndroid Build Coastguard Worker #include <dirent.h>
49*08b48e0bSAndroid Build Coastguard Worker #include <fcntl.h>
50*08b48e0bSAndroid Build Coastguard Worker 
51*08b48e0bSAndroid Build Coastguard Worker #include <sys/wait.h>
52*08b48e0bSAndroid Build Coastguard Worker #include <sys/time.h>
53*08b48e0bSAndroid Build Coastguard Worker #include <sys/stat.h>
54*08b48e0bSAndroid Build Coastguard Worker #include <sys/types.h>
55*08b48e0bSAndroid Build Coastguard Worker #include <sys/resource.h>
56*08b48e0bSAndroid Build Coastguard Worker #include <sys/mman.h>
57*08b48e0bSAndroid Build Coastguard Worker 
58*08b48e0bSAndroid Build Coastguard Worker #ifndef USEMMAP
59*08b48e0bSAndroid Build Coastguard Worker   #include <sys/ipc.h>
60*08b48e0bSAndroid Build Coastguard Worker   #include <sys/shm.h>
61*08b48e0bSAndroid Build Coastguard Worker #endif
62*08b48e0bSAndroid Build Coastguard Worker 
/* File-local registry of sharedmem_t instances: afl_shm_init() appends the
   instance it has just set up and afl_shm_deinit() removes it again. */
static list_t shm_list = {.element_prealloc_count = 0};
64*08b48e0bSAndroid Build Coastguard Worker 
65*08b48e0bSAndroid Build Coastguard Worker /* Get rid of shared memory. */
66*08b48e0bSAndroid Build Coastguard Worker 
/* Release everything afl_shm_init() set up for *shm and withdraw the
   environment variables that advertise the segments to child processes.

   shm: instance to tear down; NULL is accepted and ignored.

   With USEMMAP the POSIX objects are unmapped, closed and unlinked; otherwise
   the System V segments are marked for removal with IPC_RMID. */
void afl_shm_deinit(sharedmem_t *shm) {

  if (!shm) { return; }

  /* Unregister first, so the registry never refers to a torn-down instance.
     NOTE(review): what list_remove() does for an instance that was never
     registered (or is deinitialised twice) is defined in list.h - confirm. */
  list_remove(&shm_list, shm);

  /* Exactly one of the two map variables is withdrawn, selected by
     shmemfuzz_mode. */
  if (!shm->shmemfuzz_mode) {

    unsetenv(SHM_ENV_VAR);

  } else {

    unsetenv(SHM_FUZZ_ENV_VAR);

  }

#ifdef USEMMAP

  /* Coverage map: mapping, then descriptor, then the name itself. Each field
     is reset after release so a repeated pass cannot release it twice. */
  if (shm->map) {

    munmap(shm->map, shm->map_size);
    shm->map = NULL;

  }

  if (shm->g_shm_fd != -1) {

    close(shm->g_shm_fd);
    shm->g_shm_fd = -1;

  }

  if (shm->g_shm_file_path[0] != '\0') {

    shm_unlink(shm->g_shm_file_path);
    shm->g_shm_file_path[0] = '\0';

  }

  if (shm->cmplog_mode) {

    unsetenv(CMPLOG_SHM_ENV_VAR);

    /* The length is shm->map_size, the same length afl_shm_init() passes to
       mmap() for cmp_map in this configuration. */
    if (shm->cmp_map) {

      munmap(shm->cmp_map, shm->map_size);
      shm->cmp_map = NULL;

    }

    if (shm->cmplog_g_shm_fd != -1) {

      close(shm->cmplog_g_shm_fd);
      shm->cmplog_g_shm_fd = -1;

    }

    if (shm->cmplog_g_shm_file_path[0] != '\0') {

      shm_unlink(shm->cmplog_g_shm_file_path);
      shm->cmplog_g_shm_file_path[0] = '\0';

    }

  }

#else

  /* NOTE(review): the segments are only marked for removal; no shmdt() is
     visible in this function, so the attachments presumably stay mapped until
     the process exits - confirm that this is intended. */
  shmctl(shm->shm_id, IPC_RMID, NULL);

  if (shm->cmplog_mode) { shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); }

#endif

  /* Callers must not reach the coverage map through this instance again. */
  shm->map = NULL;

}
138*08b48e0bSAndroid Build Coastguard Worker 
139*08b48e0bSAndroid Build Coastguard Worker /* Configure shared memory.
140*08b48e0bSAndroid Build Coastguard Worker    Returns a pointer to shm->map for ease of use.
141*08b48e0bSAndroid Build Coastguard Worker */
142*08b48e0bSAndroid Build Coastguard Worker 
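#ifdef USEMMAP

/* Undo the POSIX shm objects afl_shm_init() has created so far, right before
   a fatal exit: close the descriptor and unlink the name of the coverage map
   and, when with_cmplog is non-zero, of the cmplog map as well. Fields are
   reset so nothing is released twice. errno is restored afterwards because
   the caller reports the failure immediately (PFATAL is assumed to print
   errno; it is defined in debug.h, not in this file). */
static void shm_init_cleanup(sharedmem_t *shm, int with_cmplog) {

  const int saved_errno = errno;

  if (shm->g_shm_fd != -1) {

    close(shm->g_shm_fd);
    shm->g_shm_fd = -1;

  }

  if (shm->g_shm_file_path[0]) {

    shm_unlink(shm->g_shm_file_path);
    shm->g_shm_file_path[0] = 0;

  }

  if (with_cmplog) {

    if (shm->cmplog_g_shm_fd != -1) {

      close(shm->cmplog_g_shm_fd);
      shm->cmplog_g_shm_fd = -1;

    }

    if (shm->cmplog_g_shm_file_path[0]) {

      shm_unlink(shm->cmplog_g_shm_file_path);
      shm->cmplog_g_shm_file_path[0] = 0;

    }

  }

  errno = saved_errno;

}

#else

/* Mark the System V segments afl_shm_init() has created so far for removal,
   right before a fatal exit: always the coverage segment, and the cmplog
   segment too when with_cmplog is non-zero. errno is restored afterwards
   because the caller reports the failure immediately (PFATAL is assumed to
   print errno; it is defined in debug.h, not in this file). */
static void shm_init_cleanup(sharedmem_t *shm, int with_cmplog) {

  const int saved_errno = errno;

  shmctl(shm->shm_id, IPC_RMID, NULL);  // do not leak shmem

  if (with_cmplog) { shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); }

  errno = saved_errno;

}

#endif

/* Create and map the coverage map (and, when shm->cmplog_mode is set, the
   cmplog map) and export their identifiers to child processes.

   shm:                   instance to fill in; shm->cmplog_mode is read, so it
                          must be set by the caller beforehand.
   map_size:              size in bytes of the coverage map.
   non_instrumented_mode: when non-zero the environment variables are not
                          exported, so an instrumented target does not find
                          the map.

   Returns shm->map. Every failure ends in PFATAL(); segments and names that
   were already created are released first, so a failed setup does not leave
   shared memory objects behind. */
u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
                 unsigned char non_instrumented_mode) {

  shm->map_size = 0;

  shm->map = NULL;
  shm->cmp_map = NULL;

#ifdef USEMMAP

  shm->g_shm_fd = -1;
  shm->cmplog_g_shm_fd = -1;

  const int shmflags = O_RDWR | O_EXCL;

  /* Per-instance object name. tmpnam() is avoided because glibc attaches a
     warning to it that cannot be suppressed, so the name is built by hand.
     The name (PID plus random()) should be treated as guessable: what keeps
     another process from handing us its own object is O_CREAT | O_EXCL below,
     which makes shm_open() fail instead of opening an object that already
     exists, together with DEFAULT_PERMISSION (value set in config.h).
     NOTE(review): L_tmpnam is used as the buffer size - confirm it matches
     the declaration of g_shm_file_path in sharedmem.h. */
  snprintf(shm->g_shm_file_path, L_tmpnam, "/afl_%d_%ld", getpid(), random());

  #ifdef SHM_LARGEPAGE_ALLOC_DEFAULT
  /* trying to get large memory segment optimised and monitorable separately as
   * such */
  static size_t sizes[4] = {(size_t)-1};
  static int    psizes = 0;
  int           i;
  if (sizes[0] == (size_t)-1) { psizes = getpagesizes(sizes, 4); }

  /* very unlikely to fail even if the arch supports only two sizes */
  if (likely(psizes > 0)) {

    /* Largest page size first; only sizes that divide map_size qualify. */
    for (i = psizes - 1; shm->g_shm_fd == -1 && i >= 0; --i) {

      if (sizes[i] == 0 || map_size % sizes[i]) { continue; }

      shm->g_shm_fd =
          shm_create_largepage(shm->g_shm_file_path, shmflags, i,
                               SHM_LARGEPAGE_ALLOC_DEFAULT, DEFAULT_PERMISSION);

    }

  }

  #endif

  /* create the shared memory segment as if it was a file */
  if (shm->g_shm_fd == -1) {

    shm->g_shm_fd =
        shm_open(shm->g_shm_file_path, shmflags | O_CREAT, DEFAULT_PERMISSION);

  }

  /* Nothing to release here: the name was not created by us, so it must not
     be unlinked either. */
  if (shm->g_shm_fd == -1) { PFATAL("shm_open() failed"); }

  /* configure the size of the shared memory segment */
  if (ftruncate(shm->g_shm_fd, map_size)) {

    shm_init_cleanup(shm, 0);
    PFATAL("setup_shm(): ftruncate() failed");

  }

  /* map the shared memory segment to the address space of the process */
  shm->map =
      mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, shm->g_shm_fd, 0);
  if (shm->map == MAP_FAILED) {

    shm_init_cleanup(shm, 0);
    PFATAL("mmap() failed");

  }

  /* If somebody is asking us to fuzz instrumented binaries in non-instrumented
     mode, we don't want them to detect instrumentation, since we won't be
     sending fork server commands. This should be replaced with better
     auto-detection later on, perhaps? */

  if (!non_instrumented_mode) {

    setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1);

  }

  if (shm->map == (void *)-1 || !shm->map) { PFATAL("mmap() failed"); }

  if (shm->cmplog_mode) {

    snprintf(shm->cmplog_g_shm_file_path, L_tmpnam, "/afl_cmplog_%d_%ld",
             getpid(), random());

    /* create the shared memory segment as if it was a file */
    shm->cmplog_g_shm_fd =
        shm_open(shm->cmplog_g_shm_file_path, O_CREAT | O_RDWR | O_EXCL,
                 DEFAULT_PERMISSION);
    if (shm->cmplog_g_shm_fd == -1) {

      /* Release the coverage map object only: the cmplog name was not
         created by us and must not be unlinked. */
      shm_init_cleanup(shm, 0);
      PFATAL("shm_open() failed");

    }

    /* NOTE(review): this branch sizes and maps the cmplog object with
       map_size, while the System V branch below allocates
       sizeof(struct cmp_map). If map_size is smaller than that structure,
       accesses beyond the mapping would fault - confirm which size is
       intended. afl_shm_deinit() unmaps cmp_map with shm->map_size, so both
       places have to change together. */

    /* configure the size of the shared memory segment */
    if (ftruncate(shm->cmplog_g_shm_fd, map_size)) {

      shm_init_cleanup(shm, 1);
      PFATAL("setup_shm(): cmplog ftruncate() failed");

    }

    /* map the shared memory segment to the address space of the process */
    shm->cmp_map = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED,
                        shm->cmplog_g_shm_fd, 0);
    if (shm->cmp_map == MAP_FAILED) {

      shm_init_cleanup(shm, 1);
      PFATAL("mmap() failed");

    }

    /* If somebody is asking us to fuzz instrumented binaries in
       non-instrumented mode, we don't want them to detect instrumentation,
       since we won't be sending fork server commands. This should be replaced
       with better auto-detection later on, perhaps? */

    if (!non_instrumented_mode) {

      setenv(CMPLOG_SHM_ENV_VAR, shm->cmplog_g_shm_file_path, 1);

    }

    if (shm->cmp_map == (void *)-1 || !shm->cmp_map) {

      PFATAL("cmplog mmap() failed");

    }

  }

#else
  u8 *shm_str;

  // for qemu+unicorn we have to increase by 8 to account for potential
  // compcov map overwrite
  shm->shm_id =
      shmget(IPC_PRIVATE, map_size == MAP_SIZE ? map_size + 8 : map_size,
             IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);
  if (shm->shm_id < 0) {

    PFATAL("shmget() failed, try running afl-system-config");

  }

  if (shm->cmplog_mode) {

    shm->cmplog_shm_id = shmget(IPC_PRIVATE, sizeof(struct cmp_map),
                                IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);

    if (shm->cmplog_shm_id < 0) {

      shm_init_cleanup(shm, 0);
      PFATAL("shmget() failed, try running afl-system-config");

    }

  }

  if (!non_instrumented_mode) {

    shm_str = alloc_printf("%d", shm->shm_id);

    /* If somebody is asking us to fuzz instrumented binaries in
       non-instrumented mode, we don't want them to detect instrumentation,
       since we won't be sending fork server commands. This should be replaced
       with better auto-detection later on, perhaps? */

    setenv(SHM_ENV_VAR, shm_str, 1);

    ck_free(shm_str);

  }

  if (shm->cmplog_mode && !non_instrumented_mode) {

    shm_str = alloc_printf("%d", shm->cmplog_shm_id);

    setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1);

    ck_free(shm_str);

  }

  shm->map = shmat(shm->shm_id, NULL, 0);

  if (shm->map == (void *)-1 || !shm->map) {

    shm_init_cleanup(shm, shm->cmplog_mode ? 1 : 0);
    PFATAL("shmat() failed");

  }

  if (shm->cmplog_mode) {

    shm->cmp_map = shmat(shm->cmplog_shm_id, NULL, 0);

    if (shm->cmp_map == (void *)-1 || !shm->cmp_map) {

      shm_init_cleanup(shm, 1);
      PFATAL("shmat() failed");

    }

  }

#endif

  /* Only a fully set-up instance gets a size and a registry entry. */
  shm->map_size = map_size;
  list_append(&shm_list, shm);

  return shm->map;

}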
367*08b48e0bSAndroid Build Coastguard Worker 