Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / honggfuzz / 62e34aefc1b33f689047e5ea5d18246666a50afe / . / fuzz.c
blob: c984e72f9fd5294c7215c520b63b4409b09d588f [file] [log] [blame]
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]1/*
robert.swiecki@gmail.com3b630b42015-02-16 10:53:53 +0000[diff] [blame]2 *
robert.swiecki@gmail.com90e99112015-02-15 02:05:14 +0000[diff] [blame]3 * honggfuzz - fuzzing routines
4 * -----------------------------------------
robert.swiecki@gmail.com3b630b42015-02-16 10:53:53 +0000[diff] [blame]5 *
robert.swiecki@gmail.com8531f692015-02-17 12:25:36 +0000[diff] [blame]6 * Author:
7 * Robert Swiecki <swiecki@google.com>
8 * Felix Gröbert <groebert@google.com>
robert.swiecki@gmail.com3b630b42015-02-16 10:53:53 +0000[diff] [blame]9 *
robert.swiecki@gmail.com772b33d2015-02-14 20:35:00 +0000[diff] [blame]10 * Copyright 2010-2015 by Google Inc. All Rights Reserved.
robert.swiecki@gmail.com3b630b42015-02-16 10:53:53 +0000[diff] [blame]11 *
12 * Licensed under the Apache License, Version 2.0 (the "License"); you may
13 * not use this file except in compliance with the License. You may obtain
robert.swiecki@gmail.com772b33d2015-02-14 20:35:00 +0000[diff] [blame]14 * a copy of the License at
robert.swiecki@gmail.com3b630b42015-02-16 10:53:53 +0000[diff] [blame]15 *
robert.swiecki@gmail.com772b33d2015-02-14 20:35:00 +0000[diff] [blame]16 * http://www.apache.org/licenses/LICENSE-2.0
robert.swiecki@gmail.com3b630b42015-02-16 10:53:53 +0000[diff] [blame]17 *
robert.swiecki@gmail.com772b33d2015-02-14 20:35:00 +0000[diff] [blame]18 * Unless required by applicable law or agreed to in writing, software
19 * distributed under the License is distributed on an "AS IS" BASIS,
20 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
21 * implied. See the License for the specific language governing
22 * permissions and limitations under the License.
robert.swiecki@gmail.com3b630b42015-02-16 10:53:53 +0000[diff] [blame]23 *
robert.swiecki@gmail.com772b33d2015-02-14 20:35:00 +0000[diff] [blame]24 */
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]25
robert.swiecki@gmail.comba85c3e2015-02-02 14:55:16 +0000[diff] [blame]26#include "common.h"
27#include "fuzz.h"
28
29#include <errno.h>
30#include <fcntl.h>
robert.swiecki@gmail.com90e99112015-02-15 02:05:14 +0000[diff] [blame]31#include <inttypes.h>
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]32#include <pthread.h>
robert.swiecki@gmail.comba85c3e2015-02-02 14:55:16 +0000[diff] [blame]33#include <signal.h>
34#include <stddef.h>
35#include <stdint.h>
36#include <stdio.h>
37#include <stdlib.h>
38#include <string.h>
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]39#include <sys/mman.h>
40#include <sys/param.h>
41#include <sys/stat.h>
robert.swiecki@gmail.comba85c3e2015-02-02 14:55:16 +0000[diff] [blame]42#include <sys/time.h>
43#include <sys/types.h>
44#include <sys/wait.h>
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]45#include <time.h>
robert.swiecki@gmail.comba85c3e2015-02-02 14:55:16 +0000[diff] [blame]46#include <unistd.h>
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]47
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]48#include "arch.h"
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]49#include "files.h"
robert.swiecki@gmail.come7190b92015-02-14 23:05:42 +0000[diff] [blame]50#include "log.h"
robert.swiecki@gmail.com36700b52015-02-22 05:03:16 +0000[diff] [blame]51#include "mangle.h"
robert.swiecki@gmail.come7190b92015-02-14 23:05:42 +0000[diff] [blame]52#include "report.h"
53#include "util.h"
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]54
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]55static void fuzz_getFileName(honggfuzz_t * hfuzz, char *fileName)
56{
robert.swieckiba512632011-01-28 11:57:26 +0000[diff] [blame]57 struct timeval tv;
58 gettimeofday(&tv, NULL);
59
robert.swiecki@gmail.com6f319912015-02-28 05:01:37 +0000[diff] [blame]60 snprintf(fileName, PATH_MAX, ".honggfuzz.%d.%lu.%llx.%s", (int)getpid(),
61 (unsigned long int)tv.tv_sec, (unsigned long long int)util_rndGet(0, 1ULL << 62),
robert.swiecki@gmail.combb5d2642015-02-25 20:00:00 +0000[diff] [blame]62 hfuzz->fileExtn);
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]63
64 return;
65}
66
robert.swiecki@gmail.com624233e2015-02-18 10:26:05 +0000[diff] [blame]67static bool fuzz_prepareFileDynamically(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, int rnd_index)
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]68{
robert.swiecki@gmail.com41d8e052015-02-19 01:10:41 +0000[diff] [blame]69 while (pthread_mutex_lock(&hfuzz->dynamicFile_mutex)) ;
70
robert.swiecki@gmail.com7aad7172015-03-03 04:34:15 +0000[diff] [blame]71 if (hfuzz->inputFile && hfuzz->branchBestCnt[0] == 0 && hfuzz->branchBestCnt[1] == 0
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame^]72 && hfuzz->branchBestCnt[2] == 0 && hfuzz->branchBestCnt[3] == 0) {
robert.swiecki@gmail.com81e26dc2015-03-03 04:26:04 +0000[diff] [blame]73 size_t fileSz = files_readFileToBufMax(hfuzz->files[rnd_index], hfuzz->dynamicFileBest,
74 hfuzz->maxFileSz);
robert.swiecki@gmail.com4a7a9d82015-03-01 01:25:16 +0000[diff] [blame]75 if (fileSz == 0) {
robert.swiecki@gmail.com41d8e052015-02-19 01:10:41 +0000[diff] [blame]76 while (pthread_mutex_unlock(&hfuzz->dynamicFile_mutex)) ;
robert.swiecki@gmail.com4a7a9d82015-03-01 01:25:16 +0000[diff] [blame]77 LOGMSG(l_ERROR, "Couldn't read '%s'", hfuzz->files[rnd_index]);
robert.swiecki@gmail.com624233e2015-02-18 10:26:05 +0000[diff] [blame]78 return false;
79 }
robert.swiecki@gmail.com4a7a9d82015-03-01 01:25:16 +0000[diff] [blame]80 hfuzz->dynamicFileBestSz = fileSz;
robert.swiecki@gmail.com624233e2015-02-18 10:26:05 +0000[diff] [blame]81 }
82
robert.swiecki@gmail.com060a9dd2015-02-28 06:37:27 +0000[diff] [blame]83 if (hfuzz->dynamicFileBestSz > hfuzz->maxFileSz) {
84 LOGMSG(l_FATAL, "Current BEST file Sz > maxFileSz (%zu > %zu)", hfuzz->dynamicFileBestSz,
85 hfuzz->maxFileSz);
86 }
87
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]88 fuzzer->dynamicFileSz = hfuzz->dynamicFileBestSz;
robert.swiecki@gmail.com3b6c6292015-02-26 11:48:46 +0000[diff] [blame]89 memcpy(fuzzer->dynamicFile, hfuzz->dynamicFileBest, hfuzz->dynamicFileBestSz);
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]90
robert.swiecki@gmail.com41d8e052015-02-19 01:10:41 +0000[diff] [blame]91 while (pthread_mutex_unlock(&hfuzz->dynamicFile_mutex)) ;
92
robert.swiecki@gmail.com141c4522015-02-19 15:49:23 +0000[diff] [blame]93 /* The first pass should be on an empty/initial file */
robert.swiecki@gmail.comf845d4d2015-03-05 02:46:33 +0000[diff] [blame]94 if (hfuzz->branchBestCnt[0] > 0 || hfuzz->branchBestCnt[1] > 0 || hfuzz->branchBestCnt[2] > 0
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame^]95 || hfuzz->branchBestCnt[3] > 0) {
robert.swiecki@gmail.com4a7a9d82015-03-01 01:25:16 +0000[diff] [blame]96 mangle_Resize(hfuzz, &fuzzer->dynamicFileSz);
robert.swiecki@gmail.com36700b52015-02-22 05:03:16 +0000[diff] [blame]97 mangle_mangleContent(hfuzz, fuzzer->dynamicFile, fuzzer->dynamicFileSz);
robert.swiecki@gmail.com141c4522015-02-19 15:49:23 +0000[diff] [blame]98 }
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]99
robert.swiecki@gmail.comdc8403e2015-03-01 01:33:00 +0000[diff] [blame]100 if (files_writeBufToFile
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame^]101 (fuzzer->fileName, fuzzer->dynamicFile, fuzzer->dynamicFileSz,
102 O_WRONLY | O_CREAT | O_EXCL | O_TRUNC) == false) {
robert.swiecki@gmail.comdc8403e2015-03-01 01:33:00 +0000[diff] [blame]103 LOGMSG(l_ERROR, "Couldn't write buffer to file '%s'", fuzzer->fileName);
robert.swiecki@gmail.com3b6c6292015-02-26 11:48:46 +0000[diff] [blame]104 return false;
105 }
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]106
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]107 return true;
robert.swiecki@gmail.comd7aed312015-02-03 21:26:37 +0000[diff] [blame]108}
109
robert.swiecki@gmail.com4a7a9d82015-03-01 01:25:16 +0000[diff] [blame]110static bool fuzz_prepareFile(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, int rnd_index)
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]111{
robert.swiecki@gmail.com4a7a9d82015-03-01 01:25:16 +0000[diff] [blame]112 size_t fileSz =
113 files_readFileToBufMax(hfuzz->files[rnd_index], fuzzer->dynamicFile, hfuzz->maxFileSz);
114 if (fileSz == 0UL) {
115 LOGMSG(l_ERROR, "Couldn't read contents of '%s'", hfuzz->files[rnd_index]);
robert.swiecki@gmail.combb5d2642015-02-25 20:00:00 +0000[diff] [blame]116 return false;
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]117 }
118
robert.swiecki@gmail.com4a7a9d82015-03-01 01:25:16 +0000[diff] [blame]119 mangle_Resize(hfuzz, &fileSz);
120 mangle_mangleContent(hfuzz, fuzzer->dynamicFile, fileSz);
robert.swiecki@gmail.comc070b942015-02-25 18:29:19 +0000[diff] [blame]121
robert.swiecki@gmail.comdc8403e2015-03-01 01:33:00 +0000[diff] [blame]122 if (files_writeBufToFile
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame^]123 (fuzzer->fileName, fuzzer->dynamicFile, fileSz, O_WRONLY | O_CREAT | O_EXCL) == false) {
robert.swiecki@gmail.comdc8403e2015-03-01 01:33:00 +0000[diff] [blame]124 LOGMSG(l_ERROR, "Couldn't write buffer to file '%s'", fuzzer->fileName);
robert.swiecki@gmail.come7680522015-02-22 22:22:37 +0000[diff] [blame]125 return false;
126 }
127
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]128 return true;
129}
130
robert.swiecki@gmail.com20851202015-03-01 01:48:15 +0000[diff] [blame]131static bool fuzz_prepareFileExternally(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, int rnd_index)
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]132{
robert.swiecki@gmail.com20851202015-03-01 01:48:15 +0000[diff] [blame]133 int dstfd = open(fuzzer->fileName, O_CREAT | O_EXCL | O_RDWR, 0644);
robert.swiecki3d505e22010-10-14 01:17:17 +0000[diff] [blame]134 if (dstfd == -1) {
robert.swiecki@gmail.combb5d2642015-02-25 20:00:00 +0000[diff] [blame]135 LOGMSG_P(l_ERROR, "Couldn't create a temporary file '%s' in the current directory",
robert.swiecki@gmail.com20851202015-03-01 01:48:15 +0000[diff] [blame]136 fuzzer->fileName);
robert.swiecki@gmail.comebc1cac2011-07-02 03:15:51 +0000[diff] [blame]137 return false;
138 }
139
robert.swiecki@gmail.com20851202015-03-01 01:48:15 +0000[diff] [blame]140 LOGMSG(l_DEBUG, "Created '%f' as an input file", fuzzer->fileName);
robert.swiecki@gmail.comebc1cac2011-07-02 03:15:51 +0000[diff] [blame]141
142 if (hfuzz->inputFile) {
robert.swiecki@gmail.com20851202015-03-01 01:48:15 +0000[diff] [blame]143 size_t fileSz =
144 files_readFileToBufMax(hfuzz->files[rnd_index], fuzzer->dynamicFile, hfuzz->maxFileSz);
145 if (fileSz == 0UL) {
146 LOGMSG(l_ERROR, "Couldn't read '%s'", hfuzz->files[rnd_index]);
147 unlink(fuzzer->fileName);
robert.swiecki@gmail.comebc1cac2011-07-02 03:15:51 +0000[diff] [blame]148 return false;
149 }
150
robert.swiecki@gmail.com20851202015-03-01 01:48:15 +0000[diff] [blame]151 if (files_writeToFd(dstfd, fuzzer->dynamicFile, fileSz) == false) {
robert.swiecki@gmail.comebc1cac2011-07-02 03:15:51 +0000[diff] [blame]152 close(dstfd);
robert.swiecki@gmail.com20851202015-03-01 01:48:15 +0000[diff] [blame]153 unlink(fuzzer->fileName);
robert.swiecki@gmail.comebc1cac2011-07-02 03:15:51 +0000[diff] [blame]154 return false;
155 }
robert.swiecki3d505e22010-10-14 01:17:17 +0000[diff] [blame]156 }
157
robert.swiecki3d505e22010-10-14 01:17:17 +0000[diff] [blame]158 close(dstfd);
159
robert.swiecki@gmail.combb2b4aa2015-03-05 01:48:46 +0000[diff] [blame]160 pid_t pid = fork();
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]161 if (pid == -1) {
robert.swiecki@gmail.com8a9df0e2015-02-13 17:08:06 +0000[diff] [blame]162 LOGMSG_P(l_ERROR, "Couldn't vfork");
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]163 return false;
164 }
165
166 if (!pid) {
167 /*
robert.swiecki@gmail.comcdf18f92015-02-11 22:22:18 +0000[diff] [blame]168 * child performs the external file modifications
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]169 */
robert.swiecki@gmail.com20851202015-03-01 01:48:15 +0000[diff] [blame]170 execl(hfuzz->externalCommand, hfuzz->externalCommand, fuzzer->fileName, NULL);
171 LOGMSG_P(l_FATAL, "Couldn't execute '%s %s'", hfuzz->externalCommand, fuzzer->fileName);
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]172 return false;
robert.swiecki@gmail.com757ee192015-02-13 16:54:02 +0000[diff] [blame]173 }
robert.swiecki@gmail.com8a9df0e2015-02-13 17:08:06 +0000[diff] [blame]174
robert.swiecki@gmail.com757ee192015-02-13 16:54:02 +0000[diff] [blame]175 /*
176 * parent waits until child is done fuzzing the input file
177 */
robert.swiecki@gmail.com757ee192015-02-13 16:54:02 +0000[diff] [blame]178 int childStatus;
179 int flags = 0;
robert.swiecki@gmail.coma2291182015-02-13 16:56:27 +0000[diff] [blame]180#if defined(__WNOTHREAD)
181 flags |= __WNOTHREAD;
robert.swiecki@gmail.com8a9df0e2015-02-13 17:08:06 +0000[diff] [blame]182#endif /* defined(__WNOTHREAD) */
robert.swiecki@gmail.com757ee192015-02-13 16:54:02 +0000[diff] [blame]183 while (wait4(pid, &childStatus, flags, NULL) != pid) ;
robert.swiecki@gmail.com757ee192015-02-13 16:54:02 +0000[diff] [blame]184 if (WIFEXITED(childStatus)) {
185 LOGMSG(l_DEBUG, "External command exited with status %d", WEXITSTATUS(childStatus));
186 return true;
187 }
188 if (WIFSIGNALED(childStatus)) {
robert.swiecki@gmail.coma2291182015-02-13 16:56:27 +0000[diff] [blame]189 LOGMSG(l_ERROR, "External command terminated with signal %d", WTERMSIG(childStatus));
robert.swiecki3d505e22010-10-14 01:17:17 +0000[diff] [blame]190 return false;
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]191 }
robert.swiecki@gmail.com757ee192015-02-13 16:54:02 +0000[diff] [blame]192 LOGMSG(l_FATAL, "External command terminated abnormally, status: %d", childStatus);
193 return false;
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]194
195 abort(); /* NOTREACHED */
196}
197
robert.swiecki@gmail.com6ff9af82015-02-11 18:52:05 +0000[diff] [blame]198static int fuzz_numOfProc(honggfuzz_t * hfuzz)
199{
200 int i;
robert.swiecki@gmail.com9bc725e2015-02-13 12:40:06 +0000[diff] [blame]201 sem_getvalue(hfuzz->sem, &i);
robert.swiecki@gmail.com6ff9af82015-02-11 18:52:05 +0000[diff] [blame]202 return hfuzz->threadsMax - i;
203}
204
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]205static void *fuzz_threadNew(void *arg)
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]206{
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]207 honggfuzz_t *hfuzz = (honggfuzz_t *) arg;
208 fuzzer_t fuzzer = {
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]209 .pid = 0,
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]210 .timeStarted = time(NULL),
211 .pc = 0ULL,
212 .backtrace = 0ULL,
213 .access = 0ULL,
214 .exception = 0,
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]215 .dynamicFileSz = 0,
robert.swiecki@gmail.com441089a2015-02-23 13:14:07 +0000[diff] [blame]216 .dynamicFile = malloc(hfuzz->maxFileSz),
robert.swiecki@gmail.com4be26672015-03-05 03:36:50 +0000[diff] [blame]217 .branchCnt = {[0 ... (ARRAYSIZE(fuzzer.branchCnt) - 1)] = 0},
robert.swiecki@gmail.comd4dd4df2015-02-18 00:50:12 +0000[diff] [blame]218 .report = {'\0'}
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]219 };
robert.swiecki@gmail.com441089a2015-02-23 13:14:07 +0000[diff] [blame]220 if (fuzzer.dynamicFile == NULL) {
221 LOGMSG(l_FATAL, "malloc(%zu) failed", hfuzz->maxFileSz);
222 }
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]223
groebert@google.com1c7e3b02013-06-19 09:27:38 +0000[diff] [blame]224 int rnd_index = util_rndGet(0, hfuzz->fileCnt - 1);
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]225 strncpy(fuzzer.origFileName, files_basename(hfuzz->files[rnd_index]), PATH_MAX);
226 fuzz_getFileName(hfuzz, fuzzer.fileName);
groebert@google.com1c7e3b02013-06-19 09:27:38 +0000[diff] [blame]227
robert.swiecki@gmail.comcac22fd2015-02-19 14:03:28 +0000[diff] [blame]228 if (hfuzz->dynFileMethod != _HF_DYNFILE_NONE) {
robert.swiecki@gmail.com624233e2015-02-18 10:26:05 +0000[diff] [blame]229 if (!fuzz_prepareFileDynamically(hfuzz, &fuzzer, rnd_index)) {
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]230 exit(EXIT_FAILURE);
231 }
232 } else if (hfuzz->externalCommand != NULL) {
robert.swiecki@gmail.com20851202015-03-01 01:48:15 +0000[diff] [blame]233 if (!fuzz_prepareFileExternally(hfuzz, &fuzzer, rnd_index)) {
robert.swiecki@gmail.com6ff9af82015-02-11 18:52:05 +0000[diff] [blame]234 exit(EXIT_FAILURE);
235 }
236 } else {
robert.swiecki@gmail.com4a7a9d82015-03-01 01:25:16 +0000[diff] [blame]237 if (!fuzz_prepareFile(hfuzz, &fuzzer, rnd_index)) {
robert.swiecki@gmail.com6ff9af82015-02-11 18:52:05 +0000[diff] [blame]238 exit(EXIT_FAILURE);
239 }
robert.swiecki@gmail.com1f98a162015-02-11 15:09:22 +0000[diff] [blame]240 }
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]241
robert.swiecki5fa9d902015-02-25 15:31:56 +0000[diff] [blame]242#if defined(_HF_ARCH_LINUX)
robert.swiecki@gmail.comdfde1c72015-02-18 13:22:55 +0000[diff] [blame]243#include <unistd.h>
244#include <sys/syscall.h>
245 fuzzer.pid = syscall(__NR_fork);
robert.swiecki@gmail.com4fc19692015-02-25 15:45:11 +0000[diff] [blame]246#else /* defined(_HF_ARCH_LINUX) */
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]247 fuzzer.pid = fork();
robert.swiecki5fa9d902015-02-25 15:31:56 +0000[diff] [blame]248#endif /* defined(_HF_ARCH_LINUX) */
robert.swiecki@gmail.comdfde1c72015-02-18 13:22:55 +0000[diff] [blame]249
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]250 if (fuzzer.pid == -1) {
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]251 LOGMSG_P(l_FATAL, "Couldn't fork");
252 exit(EXIT_FAILURE);
253 }
254
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]255 if (!fuzzer.pid) {
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]256 /*
robert.swiecki@gmail.com6ff9af82015-02-11 18:52:05 +0000[diff] [blame]257 * Ok, kill the parent if this fails
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]258 */
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]259 if (!arch_launchChild(hfuzz, fuzzer.fileName)) {
robert.swiecki@gmail.com6f5c2392015-02-16 18:13:09 +0000[diff] [blame]260 LOGMSG(l_ERROR, "Error launching child process, killing parent");
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]261 exit(EXIT_FAILURE);
262 }
263 }
264
robert.swiecki@gmail.combb5d2642015-02-25 20:00:00 +0000[diff] [blame]265 LOGMSG(l_INFO, "Launched new process, pid: %d, (%d/%d)", fuzzer.pid, fuzz_numOfProc(hfuzz),
266 hfuzz->threadsMax);
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]267
268 arch_reapChild(hfuzz, &fuzzer);
269 unlink(fuzzer.fileName);
robert.swiecki@gmail.comd4dd4df2015-02-18 00:50:12 +0000[diff] [blame]270
robert.swiecki@gmail.comcac22fd2015-02-19 14:03:28 +0000[diff] [blame]271 if (hfuzz->dynFileMethod != _HF_DYNFILE_NONE) {
robert.swiecki@gmail.com41d8e052015-02-19 01:10:41 +0000[diff] [blame]272 while (pthread_mutex_lock(&hfuzz->dynamicFile_mutex)) ;
robert.swiecki@gmail.com90f36e62015-03-01 15:13:54 +0000[diff] [blame]273
robert.swiecki@gmail.com81e26dc2015-03-03 04:26:04 +0000[diff] [blame]274 int64_t diff0 = hfuzz->branchBestCnt[0] - fuzzer.branchCnt[0];
275 int64_t diff1 = hfuzz->branchBestCnt[1] - fuzzer.branchCnt[1];
276 int64_t diff2 = hfuzz->branchBestCnt[2] - fuzzer.branchCnt[2];
robert.swiecki@gmail.comf845d4d2015-03-05 02:46:33 +0000[diff] [blame]277 int64_t diff3 = hfuzz->branchBestCnt[3] - fuzzer.branchCnt[3];
robert.swiecki@gmail.com81e26dc2015-03-03 04:26:04 +0000[diff] [blame]278
279 if (diff0 <= hfuzz->dynamicRegressionCnt && diff1 <= hfuzz->dynamicRegressionCnt
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame^]280 && diff2 <= hfuzz->dynamicRegressionCnt && diff3 <= hfuzz->dynamicRegressionCnt) {
robert.swiecki@gmail.com81e26dc2015-03-03 04:26:04 +0000[diff] [blame]281
robert.swiecki@gmail.comd4dd4df2015-02-18 00:50:12 +0000[diff] [blame]282 LOGMSG(l_INFO,
robert.swiecki@gmail.com81e26dc2015-03-03 04:26:04 +0000[diff] [blame]283 "New BEST feedback: File Size (New/Old): %zu/%zu', Perf feedback (Curr, High): %"
robert.swiecki@gmail.comf845d4d2015-03-05 02:46:33 +0000[diff] [blame]284 PRId64 "/%" PRId64 "/%" PRId64 "/%" PRId64 ", %" PRId64 "/%" PRId64 "/%" PRId64
285 "/%" PRId64, fuzzer.dynamicFileSz, hfuzz->dynamicFileBestSz, fuzzer.branchCnt[0],
286 fuzzer.branchCnt[1], fuzzer.branchCnt[2], fuzzer.branchCnt[3],
287 hfuzz->branchBestCnt[0], hfuzz->branchBestCnt[1], hfuzz->branchBestCnt[2],
288 hfuzz->branchBestCnt[3]);
robert.swiecki@gmail.com81e26dc2015-03-03 04:26:04 +0000[diff] [blame]289
robert.swiecki@gmail.comd4dd4df2015-02-18 00:50:12 +0000[diff] [blame]290 memcpy(hfuzz->dynamicFileBest, fuzzer.dynamicFile, fuzzer.dynamicFileSz);
robert.swiecki@gmail.com90f36e62015-03-01 15:13:54 +0000[diff] [blame]291
robert.swiecki@gmail.comd4dd4df2015-02-18 00:50:12 +0000[diff] [blame]292 hfuzz->dynamicFileBestSz = fuzzer.dynamicFileSz;
robert.swiecki@gmail.com81e26dc2015-03-03 04:26:04 +0000[diff] [blame]293 hfuzz->branchBestCnt[0] =
294 fuzzer.branchCnt[0] >
295 hfuzz->branchBestCnt[0] ? fuzzer.branchCnt[0] : hfuzz->branchBestCnt[0];
296 hfuzz->branchBestCnt[1] =
297 fuzzer.branchCnt[1] >
298 hfuzz->branchBestCnt[1] ? fuzzer.branchCnt[1] : hfuzz->branchBestCnt[1];
299 hfuzz->branchBestCnt[2] =
300 fuzzer.branchCnt[2] >
301 hfuzz->branchBestCnt[2] ? fuzzer.branchCnt[2] : hfuzz->branchBestCnt[2];
robert.swiecki@gmail.comf845d4d2015-03-05 02:46:33 +0000[diff] [blame]302 hfuzz->branchBestCnt[3] =
303 fuzzer.branchCnt[3] >
304 hfuzz->branchBestCnt[3] ? fuzzer.branchCnt[3] : hfuzz->branchBestCnt[3];
robert.swiecki@gmail.com85a0a952015-02-19 01:58:39 +0000[diff] [blame]305
robert.swiecki@gmail.comba92e192015-02-21 02:14:07 +0000[diff] [blame]306#define _HF_CURRENT_BEST "CURRENT_BEST"
307#define _HF_CURRENT_BEST_TMP ".tmp.CURRENT_BEST"
robert.swiecki@gmail.comf3fbf032015-03-01 01:52:11 +0000[diff] [blame]308 if (files_writeBufToFile
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame^]309 (_HF_CURRENT_BEST_TMP, fuzzer.dynamicFile, fuzzer.dynamicFileSz,
310 O_WRONLY | O_CREAT | O_TRUNC)) {
robert.swiecki@gmail.comf3fbf032015-03-01 01:52:11 +0000[diff] [blame]311 rename(_HF_CURRENT_BEST_TMP, _HF_CURRENT_BEST);
312 } else {
313 unlink(_HF_CURRENT_BEST_TMP);
robert.swiecki@gmail.comba92e192015-02-21 02:14:07 +0000[diff] [blame]314 }
robert.swiecki@gmail.comd4dd4df2015-02-18 00:50:12 +0000[diff] [blame]315 }
robert.swiecki@gmail.com41d8e052015-02-19 01:10:41 +0000[diff] [blame]316 while (pthread_mutex_unlock(&hfuzz->dynamicFile_mutex)) ;
robert.swiecki@gmail.comd4dd4df2015-02-18 00:50:12 +0000[diff] [blame]317 }
318
robert.swiecki@gmail.come7190b92015-02-14 23:05:42 +0000[diff] [blame]319 report_Report(hfuzz, fuzzer.report);
robert.swiecki@gmail.com441089a2015-02-23 13:14:07 +0000[diff] [blame]320 free(fuzzer.dynamicFile);
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]321
robert.swiecki@gmail.com9bc725e2015-02-13 12:40:06 +0000[diff] [blame]322 sem_post(hfuzz->sem);
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]323
324 return NULL;
325}
326
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]327static void *fuzz_threadPid(void *arg)
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]328{
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]329 honggfuzz_t *hfuzz = (honggfuzz_t *) arg;
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]330 if (!arch_archInit(hfuzz)) {
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]331 LOGMSG(l_FATAL, "Couldn't prepare parent for fuzzing");
robert.swiecki@gmail.com882900b2015-02-11 13:56:22 +0000[diff] [blame]332 }
333
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]334 fuzzer_t fuzzer = {
335 .pid = hfuzz->pid,
336 .timeStarted = time(NULL),
337 .pc = 0ULL,
338 .backtrace = 0ULL,
339 .access = 0ULL,
340 .exception = 0,
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]341 .dynamicFileSz = 0,
robert.swiecki@gmail.com441089a2015-02-23 13:14:07 +0000[diff] [blame]342 .dynamicFile = malloc(hfuzz->maxFileSz),
robert.swiecki@gmail.com62e34ae2015-03-05 03:39:32 +0000[diff] [blame^]343 .branchCnt = {[0 ... (ARRAYSIZE(fuzzer.branchCnt) - 1)] = 0}
344 ,
robert.swiecki@gmail.comd4dd4df2015-02-18 00:50:12 +0000[diff] [blame]345 .report = {'\0'}
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]346 };
robert.swiecki@gmail.com441089a2015-02-23 13:14:07 +0000[diff] [blame]347 if (fuzzer.dynamicFile == NULL) {
348 LOGMSG(l_FATAL, "malloc(%zu) failed", hfuzz->maxFileSz);
349 }
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]350
351 char fileName[] = ".honggfuzz.empty.XXXXXX";
352 int fd;
353 if ((fd = mkstemp(fileName)) == -1) {
robert.swiecki@gmail.com441089a2015-02-23 13:14:07 +0000[diff] [blame]354 free(fuzzer.dynamicFile);
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]355 LOGMSG_P(l_ERROR, "Couldn't create a temporary file");
356 return NULL;
357 }
358 close(fd);
359
360 strncpy(fuzzer.origFileName, "PID_FUZZING", PATH_MAX);
361 strncpy(fuzzer.fileName, fileName, PATH_MAX);
362
363 arch_reapChild(hfuzz, &fuzzer);
364 unlink(fuzzer.fileName);
robert.swiecki@gmail.come7190b92015-02-14 23:05:42 +0000[diff] [blame]365 report_Report(hfuzz, fuzzer.report);
robert.swiecki@gmail.com441089a2015-02-23 13:14:07 +0000[diff] [blame]366 free(fuzzer.dynamicFile);
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]367
368 // There's no more hfuzz->pid to analyze. Just exit
369 LOGMSG(l_INFO, "PID: %d exited. Exiting", fuzzer.pid);
370 exit(EXIT_SUCCESS);
371
372 return NULL;
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]373}
374
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]375static void fuzz_runThread(honggfuzz_t * hfuzz, void *(*thread) (void *))
376{
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]377 pthread_attr_t attr;
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]378
robert.swiecki@gmail.com6f5c2392015-02-16 18:13:09 +0000[diff] [blame]379 pthread_attr_init(&attr);
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]380 pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
robert.swiecki@gmail.com441089a2015-02-23 13:14:07 +0000[diff] [blame]381 pthread_attr_setstacksize(&attr, _HF_PTHREAD_STACKSIZE);
robert.swiecki@gmail.com011981f2015-02-17 19:06:44 +0000[diff] [blame]382 pthread_attr_setguardsize(&attr, (size_t) sysconf(_SC_PAGESIZE));
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]383
robert.swiecki@gmail.com01b6dd42015-02-16 18:11:28 +0000[diff] [blame]384 pthread_t t;
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]385 if (pthread_create(&t, &attr, thread, (void *)hfuzz) < 0) {
386 LOGMSG_P(l_FATAL, "Couldn't create a new thread");
387 }
388
389 return;
390}
391
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]392void fuzz_main(honggfuzz_t * hfuzz)
393{
robert.swiecki@gmail.com9bc725e2015-02-13 12:40:06 +0000[diff] [blame]394 char semName[PATH_MAX];
robert.swiecki5fa9d902015-02-25 15:31:56 +0000[diff] [blame]395 snprintf(semName, sizeof(semName), "/honggfuzz.%d.%d.%" PRIx64, getpid(),
robert.swiecki@gmail.com90e99112015-02-15 02:05:14 +0000[diff] [blame]396 (int)time(NULL), util_rndGet(1, 1ULL << 62));
robert.swiecki@gmail.com9bc725e2015-02-13 12:40:06 +0000[diff] [blame]397
robert.swiecki@gmail.com757ee192015-02-13 16:54:02 +0000[diff] [blame]398 hfuzz->sem = sem_open(semName, O_CREAT, 0644, hfuzz->threadsMax);
robert.swiecki@gmail.com9bc725e2015-02-13 12:40:06 +0000[diff] [blame]399 if (hfuzz->sem == SEM_FAILED) {
400 LOGMSG_P(l_FATAL, "sem_open() failed");
robert.swiecki@gmail.come7635392015-02-11 16:17:49 +0000[diff] [blame]401 }
robert.swiecki@gmail.com772b33d2015-02-14 20:35:00 +0000[diff] [blame]402 // If we're doing a PID fuzzing, the parent of the PID will be a
403 // dedicated thread anyway
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]404 if (hfuzz->pid) {
405 fuzz_runThread(hfuzz, fuzz_threadPid);
406 } else {
robert.swiecki@gmail.com6d6f7562015-02-17 22:18:51 +0000[diff] [blame]407 if (!arch_archInit(hfuzz)) {
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]408 LOGMSG(l_FATAL, "Couldn't prepare parent for fuzzing");
409 }
robert.swiecki@gmail.comef829fa2011-06-22 13:51:57 +0000[diff] [blame]410 }
411
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]412 for (;;) {
robert.swiecki@gmail.com9bc725e2015-02-13 12:40:06 +0000[diff] [blame]413 if (sem_wait(hfuzz->sem) == -1) {
robert.swiecki@gmail.come507cb62015-02-11 17:14:49 +0000[diff] [blame]414 LOGMSG_P(l_FATAL, "sem_wait() failed");
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]415 }
robert.swiecki@gmail.come507cb62015-02-11 17:14:49 +0000[diff] [blame]416
417 if (hfuzz->mutationsMax && (hfuzz->mutationsCnt >= hfuzz->mutationsMax)) {
robert.swiecki@gmail.com89068552015-02-28 05:18:25 +0000[diff] [blame]418#if defined(_HF_ARCH_DARWIN)
robert.swiecki@gmail.com772b33d2015-02-14 20:35:00 +0000[diff] [blame]419 /*
robert.swiecki@gmail.com3b630b42015-02-16 10:53:53 +0000[diff] [blame]420 * Sleep a bit to let any running fuzzers terminate
robert.swiecki@gmail.com772b33d2015-02-14 20:35:00 +0000[diff] [blame]421 */
groebert@google.com20e368f2015-02-13 14:19:25 +0000[diff] [blame]422 usleep(1.2 * hfuzz->tmOut * 1000000);
robert.swiecki@gmail.com89068552015-02-28 05:18:25 +0000[diff] [blame]423#else /* defined(_HF_ARCH_DARWIN) */
424 while (fuzz_numOfProc(hfuzz) > 1) {
robert.swiecki@gmail.comc1fdcfb2015-02-28 05:26:38 +0000[diff] [blame]425 usleep(10000);
robert.swiecki@gmail.com89068552015-02-28 05:18:25 +0000[diff] [blame]426 }
427#endif /* defined(_HF_ARCH_DARWIN) */
robert.swiecki@gmail.come507cb62015-02-11 17:14:49 +0000[diff] [blame]428 LOGMSG(l_INFO, "Finished fuzzing %ld times.", hfuzz->mutationsMax);
robert.swiecki@gmail.com9bc725e2015-02-13 12:40:06 +0000[diff] [blame]429 sem_destroy(hfuzz->sem);
robert.swiecki@gmail.come507cb62015-02-11 17:14:49 +0000[diff] [blame]430 exit(EXIT_SUCCESS);
431 }
432
433 hfuzz->mutationsCnt++;
robert.swiecki@gmail.comc8443142015-02-13 13:46:40 +0000[diff] [blame]434 fuzz_runThread(hfuzz, fuzz_threadNew);
robert.swiecki3bb518c2010-10-14 00:48:24 +0000[diff] [blame]435 }
436}