dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 1 | #include <errno.h> |
| 2 | #include <fcntl.h> |
| 3 | #include <inttypes.h> |
| 4 | #include <libgen.h> |
| 5 | #include <pthread.h> |
| 6 | #include <signal.h> |
| 7 | #include <stddef.h> |
| 8 | #include <stdint.h> |
| 9 | #include <stdio.h> |
| 10 | #include <stdlib.h> |
| 11 | #include <string.h> |
| 12 | #include <sys/mman.h> |
| 13 | #include <sys/param.h> |
| 14 | #include <sys/stat.h> |
| 15 | #include <sys/time.h> |
| 16 | #include <sys/types.h> |
| 17 | #include <time.h> |
| 18 | #include <unistd.h> |
| 19 | |
| 20 | #include <errno.h> |
| 21 | #include <string.h> |
| 22 | #include <sys/types.h> |
| 23 | #include <sys/socket.h> |
| 24 | #include <sys/un.h> |
| 25 | #include <unistd.h> |
| 26 | |
| 27 | #include "honggfuzz.h" |
| 28 | #include "libhfcommon/common.h" |
| 29 | #include "libhfcommon/files.h" |
| 30 | #include "libhfcommon/log.h" |
| 31 | #include "libhfcommon/ns.h" |
| 32 | #include "libhfcommon/util.h" |
| 33 | |
| 34 | #include "socketfuzzer.h" |
| 35 | |
| 36 | |
| 37 | bool fuzz_waitForExternalInput(run_t* run) { |
| 38 | /* tell the external fuzzer to do his thing */ |
| 39 | if (!fuzz_prepareSocketFuzzer(run)) { |
| 40 | LOG_F("fuzz_prepareSocketFuzzer() failed"); |
| 41 | return false; |
| 42 | } |
| 43 | |
| 44 | /* the external fuzzer may inform us of a crash */ |
| 45 | int result = fuzz_waitforSocketFuzzer(run); |
| 46 | if (result == 2) { |
| 47 | return false; |
| 48 | } |
| 49 | |
| 50 | return true; |
| 51 | } |
| 52 | |
| 53 | bool fuzz_prepareSocketFuzzer(run_t* run) |
| 54 | { |
| 55 | ssize_t ret; |
| 56 | |
| 57 | // Notify fuzzer that he should send teh things |
| 58 | LOG_D("fuzz_prepareSocketFuzzer: SEND Fuzz"); |
| 59 | ret = send(run->global->socketFuzzerData.clientSocket, "Fuzz", 4, 0); |
| 60 | if(ret < 0) { |
Robert Swiecki | f3ecc0e | 2018-01-21 15:42:22 +0100 | [diff] [blame^] | 61 | LOG_F("fuzz_prepareSocketFuzzer: received: %zu", ret); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 62 | return false; |
| 63 | } |
| 64 | |
| 65 | return true; |
| 66 | } |
| 67 | |
| 68 | /* Return values: |
| 69 | 0: error |
| 70 | 1: okay |
| 71 | 2: target unresponsive |
| 72 | */ |
| 73 | int fuzz_waitforSocketFuzzer(run_t* run) |
| 74 | { |
| 75 | ssize_t ret; |
| 76 | char buf[16]; |
| 77 | |
| 78 | // Wait until the external fuzzer did his thing |
| 79 | bzero(buf, 16); |
| 80 | ret = recv(run->global->socketFuzzerData.clientSocket, buf, 4, 0); |
| 81 | LOG_D("fuzz_waitforSocketFuzzer: RECV: %s", buf); |
| 82 | |
| 83 | // We dont care what we receive, its just to block here |
| 84 | if(ret < 0) { |
Robert Swiecki | f3ecc0e | 2018-01-21 15:42:22 +0100 | [diff] [blame^] | 85 | LOG_F("fuzz_waitforSocketFuzzer: received: %zu", ret); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 86 | return 0; |
| 87 | } |
| 88 | |
| 89 | if(memcmp(buf, "okay", 4) == 0) { |
| 90 | return 1; |
| 91 | } else if(memcmp(buf, "bad!", 4) == 0) { |
| 92 | return 2; |
| 93 | } |
| 94 | |
| 95 | return 0; |
| 96 | } |
| 97 | |
| 98 | bool fuzz_notifySocketFuzzerNewCov(honggfuzz_t *hfuzz) |
| 99 | { |
| 100 | ssize_t ret; |
| 101 | |
| 102 | // Tell the fuzzer that the thing he sent reached new BB's |
| 103 | ret = send(hfuzz->socketFuzzerData.clientSocket, "New!", 4, 0); |
| 104 | LOG_D("fuzz_notifySocketFuzzer: SEND: New!"); |
| 105 | if(ret < 0) { |
Robert Swiecki | f3ecc0e | 2018-01-21 15:42:22 +0100 | [diff] [blame^] | 106 | LOG_F("fuzz_notifySocketFuzzer: sent: %zu", ret); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 107 | return false; |
| 108 | } |
| 109 | |
| 110 | return true; |
| 111 | } |
| 112 | |
| 113 | bool fuzz_notifySocketFuzzerCrash(run_t* run) |
| 114 | { |
| 115 | ssize_t ret; |
| 116 | |
| 117 | ret = send(run->global->socketFuzzerData.clientSocket, "Cras", 4, 0); |
| 118 | LOG_D("fuzz_notifySocketFuzzer: SEND: Crash"); |
| 119 | if(ret < 0) { |
Robert Swiecki | f3ecc0e | 2018-01-21 15:42:22 +0100 | [diff] [blame^] | 120 | LOG_F("fuzz_notifySocketFuzzer: sent: %zu", ret); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 121 | return false; |
| 122 | } |
| 123 | |
| 124 | return true; |
| 125 | } |
| 126 | |
| 127 | bool setupSocketFuzzer(honggfuzz_t *run) { |
| 128 | int s, len; |
| 129 | socklen_t t; |
| 130 | struct sockaddr_un local, remote; |
| 131 | char socketPath[512]; |
| 132 | //snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid()); |
| 133 | snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket"); |
| 134 | |
| 135 | if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { |
| 136 | perror("socket"); |
| 137 | return false; |
| 138 | } |
| 139 | |
| 140 | local.sun_family = AF_UNIX; |
| 141 | strcpy(local.sun_path, socketPath); |
| 142 | unlink(local.sun_path); |
| 143 | len = strlen(local.sun_path) + sizeof(local.sun_family); |
| 144 | if (bind(s, (struct sockaddr *)&local, len) == -1) { |
| 145 | perror("bind"); |
| 146 | return false; |
| 147 | } |
| 148 | |
| 149 | if (listen(s, 5) == -1) { |
| 150 | perror("listen"); |
| 151 | return false; |
| 152 | } |
| 153 | |
| 154 | printf("Waiting for SocketFuzzer connection on socket: %s\n", socketPath); |
| 155 | t = sizeof(remote); |
| 156 | if ((run->socketFuzzerData.clientSocket = accept(s, (struct sockaddr *)&remote, &t)) == -1) { |
| 157 | perror("accept"); |
| 158 | return false; |
| 159 | } |
| 160 | |
| 161 | run->socketFuzzerData.serverSocket = s; |
| 162 | printf("A SocketFuzzer client connected. Continuing.\n"); |
| 163 | |
| 164 | return true; |
| 165 | } |
| 166 | |
| 167 | void cleanupSocketFuzzer() { |
| 168 | char socketPath[512]; |
| 169 | //snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid()); |
| 170 | snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket"); |
| 171 | unlink(socketPath); |
| 172 | } |