robert.swiecki | 3bb518c | 2010-10-14 00:48:24 +0000 | [diff] [blame] | 1 | /* |
robert.swiecki@gmail.com | 3b630b4 | 2015-02-16 10:53:53 +0000 | [diff] [blame] | 2 | * |
robert.swiecki@gmail.com | 90e9911 | 2015-02-15 02:05:14 +0000 | [diff] [blame] | 3 | * honggfuzz - fuzzing routines |
| 4 | * ----------------------------------------- |
robert.swiecki@gmail.com | 3b630b4 | 2015-02-16 10:53:53 +0000 | [diff] [blame] | 5 | * |
Robert Swiecki | 46288f7 | 2018-02-27 17:28:47 +0100 | [diff] [blame] | 6 | * Authors: Robert Swiecki <swiecki@google.com> |
| 7 | * Felix Gröbert <groebert@google.com> |
robert.swiecki@gmail.com | 3b630b4 | 2015-02-16 10:53:53 +0000 | [diff] [blame] | 8 | * |
Robert Swiecki | 46288f7 | 2018-02-27 17:28:47 +0100 | [diff] [blame] | 9 | * Copyright 2010-2018 by Google Inc. All Rights Reserved. |
robert.swiecki@gmail.com | 3b630b4 | 2015-02-16 10:53:53 +0000 | [diff] [blame] | 10 | * |
| 11 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 12 | * not use this file except in compliance with the License. You may obtain |
robert.swiecki@gmail.com | 772b33d | 2015-02-14 20:35:00 +0000 | [diff] [blame] | 13 | * a copy of the License at |
robert.swiecki@gmail.com | 3b630b4 | 2015-02-16 10:53:53 +0000 | [diff] [blame] | 14 | * |
robert.swiecki@gmail.com | 772b33d | 2015-02-14 20:35:00 +0000 | [diff] [blame] | 15 | * http://www.apache.org/licenses/LICENSE-2.0 |
robert.swiecki@gmail.com | 3b630b4 | 2015-02-16 10:53:53 +0000 | [diff] [blame] | 16 | * |
robert.swiecki@gmail.com | 772b33d | 2015-02-14 20:35:00 +0000 | [diff] [blame] | 17 | * Unless required by applicable law or agreed to in writing, software |
| 18 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 19 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or |
| 20 | * implied. See the License for the specific language governing |
| 21 | * permissions and limitations under the License. |
robert.swiecki@gmail.com | 3b630b4 | 2015-02-16 10:53:53 +0000 | [diff] [blame] | 22 | * |
robert.swiecki@gmail.com | 772b33d | 2015-02-14 20:35:00 +0000 | [diff] [blame] | 23 | */ |
robert.swiecki | 3bb518c | 2010-10-14 00:48:24 +0000 | [diff] [blame] | 24 | |
robert.swiecki@gmail.com | ba85c3e | 2015-02-02 14:55:16 +0000 | [diff] [blame] | 25 | #include "fuzz.h" |
| 26 | |
| 27 | #include <errno.h> |
| 28 | #include <fcntl.h> |
robert.swiecki@gmail.com | 90e9911 | 2015-02-15 02:05:14 +0000 | [diff] [blame] | 29 | #include <inttypes.h> |
Robert Swiecki | 2af83ec | 2017-06-05 23:54:22 +0200 | [diff] [blame] | 30 | #include <libgen.h> |
robert.swiecki@gmail.com | 882900b | 2015-02-11 13:56:22 +0000 | [diff] [blame] | 31 | #include <pthread.h> |
robert.swiecki@gmail.com | ba85c3e | 2015-02-02 14:55:16 +0000 | [diff] [blame] | 32 | #include <signal.h> |
| 33 | #include <stddef.h> |
| 34 | #include <stdint.h> |
| 35 | #include <stdio.h> |
| 36 | #include <stdlib.h> |
| 37 | #include <string.h> |
Robert Swiecki | 10eeb0a | 2017-09-28 15:42:52 +0200 | [diff] [blame] | 38 | #include <sys/mman.h> |
robert.swiecki | 3bb518c | 2010-10-14 00:48:24 +0000 | [diff] [blame] | 39 | #include <sys/param.h> |
| 40 | #include <sys/stat.h> |
robert.swiecki@gmail.com | ba85c3e | 2015-02-02 14:55:16 +0000 | [diff] [blame] | 41 | #include <sys/time.h> |
| 42 | #include <sys/types.h> |
robert.swiecki | 3bb518c | 2010-10-14 00:48:24 +0000 | [diff] [blame] | 43 | #include <time.h> |
robert.swiecki@gmail.com | ba85c3e | 2015-02-02 14:55:16 +0000 | [diff] [blame] | 44 | #include <unistd.h> |
robert.swiecki | 3bb518c | 2010-10-14 00:48:24 +0000 | [diff] [blame] | 45 | |
Robert Swiecki | d0fa62c | 2017-09-28 18:11:05 +0200 | [diff] [blame] | 46 | #include "arch.h" |
| 47 | #include "honggfuzz.h" |
| 48 | #include "input.h" |
Robert Swiecki | 246af3e | 2018-01-05 14:56:32 +0100 | [diff] [blame] | 49 | #include "libhfcommon/common.h" |
| 50 | #include "libhfcommon/files.h" |
| 51 | #include "libhfcommon/log.h" |
| 52 | #include "libhfcommon/util.h" |
robert.swiecki@gmail.com | 36700b5 | 2015-02-22 05:03:16 +0000 | [diff] [blame] | 53 | #include "mangle.h" |
robert.swiecki@gmail.com | e7190b9 | 2015-02-14 23:05:42 +0000 | [diff] [blame] | 54 | #include "report.h" |
Robert Swiecki | ec7b845 | 2017-06-01 13:25:56 +0200 | [diff] [blame] | 55 | #include "sanitizers.h" |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 56 | #include "socketfuzzer.h" |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 57 | #include "subproc.h" |
robert.swiecki | 3bb518c | 2010-10-14 00:48:24 +0000 | [diff] [blame] | 58 | |
Robert Swiecki | 0dde76d | 2017-11-16 19:25:44 +0100 | [diff] [blame] | 59 | static time_t termTimeStamp = 0; |
| 60 | |
| 61 | bool fuzz_isTerminating(void) { |
| 62 | if (ATOMIC_GET(termTimeStamp) != 0) { |
Robert Swiecki | 35978ac | 2017-11-16 18:00:53 +0100 | [diff] [blame] | 63 | return true; |
| 64 | } |
| 65 | return false; |
| 66 | } |
| 67 | |
Robert Swiecki | 0dde76d | 2017-11-16 19:25:44 +0100 | [diff] [blame] | 68 | void fuzz_setTerminating(void) { |
| 69 | if (ATOMIC_GET(termTimeStamp) != 0) { |
Robert Swiecki | 35978ac | 2017-11-16 18:00:53 +0100 | [diff] [blame] | 70 | return; |
| 71 | } |
Robert Swiecki | 0dde76d | 2017-11-16 19:25:44 +0100 | [diff] [blame] | 72 | ATOMIC_SET(termTimeStamp, time(NULL)); |
| 73 | } |
| 74 | |
| 75 | bool fuzz_shouldTerminate() { |
| 76 | if (ATOMIC_GET(termTimeStamp) == 0) { |
| 77 | return false; |
| 78 | } |
| 79 | if ((time(NULL) - ATOMIC_GET(termTimeStamp)) > 5) { |
| 80 | return true; |
| 81 | } |
| 82 | return false; |
Robert Swiecki | 35978ac | 2017-11-16 18:00:53 +0100 | [diff] [blame] | 83 | } |
| 84 | |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 85 | static fuzzState_t fuzz_getState(honggfuzz_t* hfuzz) { |
Robert Swiecki | 363510f | 2018-03-09 02:00:30 +0100 | [diff] [blame] | 86 | return ATOMIC_GET(hfuzz->feedback.state); |
Robert Swiecki | a7841da | 2017-02-24 17:27:06 +0100 | [diff] [blame] | 87 | } |
| 88 | |
Robert Swiecki | ced3eba | 2017-12-15 15:33:03 +0100 | [diff] [blame] | 89 | static bool fuzz_writeCovFile(const char* dir, const uint8_t* data, size_t len) { |
| 90 | char fname[PATH_MAX]; |
| 91 | |
| 92 | uint64_t crc64f = util_CRC64(data, len); |
| 93 | uint64_t crc64r = util_CRC64Rev(data, len); |
| 94 | snprintf(fname, sizeof(fname), "%s/%016" PRIx64 "%016" PRIx64 ".%08" PRIx32 ".honggfuzz.cov", |
| 95 | dir, crc64f, crc64r, (uint32_t)len); |
| 96 | |
Robert Swiecki | fff9981 | 2018-01-12 02:23:42 +0100 | [diff] [blame] | 97 | if (files_exists(fname)) { |
Robert Swiecki | ced3eba | 2017-12-15 15:33:03 +0100 | [diff] [blame] | 98 | LOG_D("File '%s' already exists in the output corpus directory '%s'", fname, dir); |
| 99 | return true; |
| 100 | } |
| 101 | |
| 102 | LOG_D("Adding file '%s' to the corpus directory '%s'", fname, dir); |
| 103 | |
Robert Swiecki | fff9981 | 2018-01-12 02:23:42 +0100 | [diff] [blame] | 104 | if (!files_writeBufToFile(fname, data, len, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC)) { |
Robert Swiecki | ced3eba | 2017-12-15 15:33:03 +0100 | [diff] [blame] | 105 | LOG_W("Couldn't write buffer to file '%s'", fname); |
| 106 | return false; |
| 107 | } |
| 108 | |
| 109 | return true; |
| 110 | } |
| 111 | |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 112 | static void fuzz_addFileToFileQ(honggfuzz_t* hfuzz, const uint8_t* data, size_t len) { |
Robert Swiecki | 36f7e51 | 2018-01-16 03:46:41 +0100 | [diff] [blame] | 113 | ATOMIC_SET(hfuzz->timing.lastCovUpdate, time(NULL)); |
| 114 | |
Robert Swiecki | 4e595fb | 2017-10-11 17:26:51 +0200 | [diff] [blame] | 115 | struct dynfile_t* dynfile = (struct dynfile_t*)util_Malloc(sizeof(struct dynfile_t)); |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 116 | dynfile->size = len; |
| 117 | dynfile->data = (uint8_t*)util_Malloc(len); |
| 118 | memcpy(dynfile->data, data, len); |
Robert Swiecki | 37498fd | 2017-03-12 21:12:54 +0100 | [diff] [blame] | 119 | |
Robert Swiecki | 363510f | 2018-03-09 02:00:30 +0100 | [diff] [blame] | 120 | MX_SCOPED_RWLOCK_WRITE(&hfuzz->io.dynfileq_mutex); |
| 121 | TAILQ_INSERT_TAIL(&hfuzz->io.dynfileq, dynfile, pointers); |
| 122 | hfuzz->io.dynfileqCnt++; |
Robert Swiecki | f3534bb | 2016-03-14 18:55:10 +0100 | [diff] [blame] | 123 | |
Robert Swiecki | 5e26bd9 | 2018-03-02 12:09:34 +0100 | [diff] [blame] | 124 | if (hfuzz->socketFuzzer.enabled) { |
Robert Swiecki | 5eeb29b | 2018-01-21 16:07:06 +0100 | [diff] [blame] | 125 | /* Don't add coverage data to files in socketFuzzer mode */ |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 126 | return; |
| 127 | } |
| 128 | |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 129 | if (!fuzz_writeCovFile(hfuzz->io.covDirAll, data, len)) { |
| 130 | LOG_E("Couldn't save the coverage data to '%s'", hfuzz->io.covDirAll); |
Robert Swiecki | ced3eba | 2017-12-15 15:33:03 +0100 | [diff] [blame] | 131 | } |
| 132 | |
| 133 | /* No need to add files to the new coverage dir, if this is just the dry-run phase */ |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 134 | if (fuzz_getState(hfuzz) == _HF_STATE_DYNAMIC_DRY_RUN || hfuzz->io.covDirNew == NULL) { |
Jagger | 3c7e7ce | 2016-09-25 16:05:19 +0200 | [diff] [blame] | 135 | return; |
| 136 | } |
| 137 | |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 138 | if (!fuzz_writeCovFile(hfuzz->io.covDirNew, data, len)) { |
| 139 | LOG_E("Couldn't save the new coverage data to '%s'", hfuzz->io.covDirNew); |
| 140 | } |
| 141 | } |
| 142 | |
| 143 | static void fuzz_setDynamicMainState(run_t* run) { |
| 144 | /* All threads need to indicate willingness to switch to the DYNAMIC_MAIN state. Count them! */ |
| 145 | static uint32_t cnt = 0; |
| 146 | ATOMIC_PRE_INC(cnt); |
| 147 | |
| 148 | static pthread_mutex_t state_mutex = PTHREAD_MUTEX_INITIALIZER; |
| 149 | MX_SCOPED_LOCK(&state_mutex); |
| 150 | |
| 151 | if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_MAIN) { |
| 152 | return; |
| 153 | } |
| 154 | |
| 155 | for (;;) { |
| 156 | /* Check if all threads have already reported in for changing state */ |
| 157 | if (ATOMIC_GET(cnt) == run->global->threads.threadsMax) { |
| 158 | break; |
| 159 | } |
| 160 | if (fuzz_isTerminating()) { |
| 161 | return; |
| 162 | } |
| 163 | usleep(1000 * 10); /* Check every 10ms */ |
| 164 | } |
| 165 | |
| 166 | LOG_I("Entering phase 2/2: Dynamic Main"); |
Robert Swiecki | 94d314c | 2018-02-07 21:23:00 +0100 | [diff] [blame] | 167 | snprintf(run->origFileName, sizeof(run->origFileName), "[DYNAMIC]"); |
Robert Swiecki | 363510f | 2018-03-09 02:00:30 +0100 | [diff] [blame] | 168 | ATOMIC_SET(run->global->feedback.state, _HF_STATE_DYNAMIC_MAIN); |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 169 | |
| 170 | /* |
| 171 | * If the initial fuzzing yielded no useful coverage, just add a single 1-byte file to the |
| 172 | * dynamic corpus, so the dynamic phase doesn't fail because of lack of useful inputs |
| 173 | */ |
Robert Swiecki | 363510f | 2018-03-09 02:00:30 +0100 | [diff] [blame] | 174 | if (run->global->io.dynfileqCnt == 0) { |
Robert Swiecki | cc6b929 | 2018-08-15 01:32:50 +0200 | [diff] [blame] | 175 | const char* single_byte = run->global->cfg.only_printable ? " " : "\0"; |
plusun | e2635e5 | 2018-08-06 07:06:46 +0000 | [diff] [blame] | 176 | fuzz_addFileToFileQ(run->global, (const uint8_t*)single_byte, 1U); |
Robert Swiecki | f3534bb | 2016-03-14 18:55:10 +0100 | [diff] [blame] | 177 | } |
| 178 | } |
| 179 | |
Robert Swiecki | d50ed42 | 2017-11-13 23:32:26 +0100 | [diff] [blame] | 180 | static void fuzz_perfFeedback(run_t* run) { |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 181 | if (run->global->feedback.skipFeedbackOnTimeout && run->tmOutSignaled) { |
Robert Swiecki | 53ec9e4 | 2017-02-15 20:34:27 +0100 | [diff] [blame] | 182 | return; |
| 183 | } |
| 184 | |
Robert Swiecki | 0b56611 | 2017-10-17 17:39:07 +0200 | [diff] [blame] | 185 | LOG_D("New file size: %zu, Perf feedback new/cur (instr,branch): %" PRIu64 "/%" PRIu64 |
| 186 | "/%" PRIu64 "/%" PRIu64 ", BBcnt new/total: %" PRIu64 "/%" PRIu64, |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 187 | run->dynamicFileSz, run->linux.hwCnts.cpuInstrCnt, run->global->linux.hwCnts.cpuInstrCnt, |
| 188 | run->linux.hwCnts.cpuBranchCnt, run->global->linux.hwCnts.cpuBranchCnt, |
| 189 | run->linux.hwCnts.newBBCnt, run->global->linux.hwCnts.bbCnt); |
Anestis Bechtsoudis | be0ac7b | 2015-12-26 15:38:47 +0200 | [diff] [blame] | 190 | |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 191 | MX_SCOPED_LOCK(&run->global->feedback.feedback_mutex); |
Anestis Bechtsoudis | be0ac7b | 2015-12-26 15:38:47 +0200 | [diff] [blame] | 192 | |
Robert Swiecki | f2da05a | 2018-01-12 03:01:09 +0100 | [diff] [blame] | 193 | uint64_t softCntPc = 0; |
| 194 | uint64_t softCntEdge = 0; |
| 195 | uint64_t softCntCmp = 0; |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 196 | if (run->global->feedback.bbFd != -1) { |
| 197 | softCntPc = ATOMIC_GET(run->global->feedback.feedbackMap->pidFeedbackPc[run->fuzzNo]); |
| 198 | ATOMIC_CLEAR(run->global->feedback.feedbackMap->pidFeedbackPc[run->fuzzNo]); |
| 199 | softCntEdge = ATOMIC_GET(run->global->feedback.feedbackMap->pidFeedbackEdge[run->fuzzNo]); |
| 200 | ATOMIC_CLEAR(run->global->feedback.feedbackMap->pidFeedbackEdge[run->fuzzNo]); |
| 201 | softCntCmp = ATOMIC_GET(run->global->feedback.feedbackMap->pidFeedbackCmp[run->fuzzNo]); |
| 202 | ATOMIC_CLEAR(run->global->feedback.feedbackMap->pidFeedbackCmp[run->fuzzNo]); |
Jagger | 251d019 | 2016-08-24 00:54:04 +0200 | [diff] [blame] | 203 | } |
Jagger | b01aaae | 2016-08-20 03:35:38 +0200 | [diff] [blame] | 204 | |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 205 | int64_t diff0 = run->global->linux.hwCnts.cpuInstrCnt - run->linux.hwCnts.cpuInstrCnt; |
| 206 | int64_t diff1 = run->global->linux.hwCnts.cpuBranchCnt - run->linux.hwCnts.cpuBranchCnt; |
Jagger | 302c2ea | 2016-09-07 03:54:43 +0200 | [diff] [blame] | 207 | |
Robert Swiecki | 7b19fe5 | 2018-01-12 03:56:42 +0100 | [diff] [blame] | 208 | /* Any increase in coverage (edge, pc, cmp, hw) counters forces adding input to the corpus */ |
Robert Swiecki | d50ed42 | 2017-11-13 23:32:26 +0100 | [diff] [blame] | 209 | if (run->linux.hwCnts.newBBCnt > 0 || softCntPc > 0 || softCntEdge > 0 || softCntCmp > 0 || |
| 210 | diff0 < 0 || diff1 < 0) { |
Robert Swiecki | 92ec8d2 | 2016-11-21 01:10:18 +0100 | [diff] [blame] | 211 | if (diff0 < 0) { |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 212 | run->global->linux.hwCnts.cpuInstrCnt = run->linux.hwCnts.cpuInstrCnt; |
Robert Swiecki | 92ec8d2 | 2016-11-21 01:10:18 +0100 | [diff] [blame] | 213 | } |
| 214 | if (diff1 < 0) { |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 215 | run->global->linux.hwCnts.cpuBranchCnt = run->linux.hwCnts.cpuBranchCnt; |
Robert Swiecki | 92ec8d2 | 2016-11-21 01:10:18 +0100 | [diff] [blame] | 216 | } |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 217 | run->global->linux.hwCnts.bbCnt += run->linux.hwCnts.newBBCnt; |
| 218 | run->global->linux.hwCnts.softCntPc += softCntPc; |
| 219 | run->global->linux.hwCnts.softCntEdge += softCntEdge; |
| 220 | run->global->linux.hwCnts.softCntCmp += softCntCmp; |
Anestis Bechtsoudis | be0ac7b | 2015-12-26 15:38:47 +0200 | [diff] [blame] | 221 | |
Robert Swiecki | e60f353 | 2017-12-17 20:25:20 +0100 | [diff] [blame] | 222 | LOG_I("Size:%zu (i,b,hw,edge,ip,cmp): %" PRIu64 "/%" PRIu64 "/%" PRIu64 "/%" PRIu64 |
Robert Swiecki | 0b56611 | 2017-10-17 17:39:07 +0200 | [diff] [blame] | 223 | "/%" PRIu64 "/%" PRIu64 ", Tot:%" PRIu64 "/%" PRIu64 "/%" PRIu64 "/%" PRIu64 |
| 224 | "/%" PRIu64 "/%" PRIu64, |
Robert Swiecki | e7294ca | 2017-11-11 02:46:32 +0100 | [diff] [blame] | 225 | run->dynamicFileSz, run->linux.hwCnts.cpuInstrCnt, run->linux.hwCnts.cpuBranchCnt, |
Robert Swiecki | e60f353 | 2017-12-17 20:25:20 +0100 | [diff] [blame] | 226 | run->linux.hwCnts.newBBCnt, softCntEdge, softCntPc, softCntCmp, |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 227 | run->global->linux.hwCnts.cpuInstrCnt, run->global->linux.hwCnts.cpuBranchCnt, |
Robert Swiecki | e60f353 | 2017-12-17 20:25:20 +0100 | [diff] [blame] | 228 | run->global->linux.hwCnts.bbCnt, run->global->linux.hwCnts.softCntEdge, |
| 229 | run->global->linux.hwCnts.softCntPc, run->global->linux.hwCnts.softCntCmp); |
Jagger | 395df02 | 2016-08-21 01:13:25 +0200 | [diff] [blame] | 230 | |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 231 | fuzz_addFileToFileQ(run->global, run->dynamicFile, run->dynamicFileSz); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 232 | |
Robert Swiecki | 5e26bd9 | 2018-03-02 12:09:34 +0100 | [diff] [blame] | 233 | if (run->global->socketFuzzer.enabled) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 234 | LOG_D("SocketFuzzer: fuzz: new BB (perf)"); |
| 235 | fuzz_notifySocketFuzzerNewCov(run->global); |
| 236 | } |
Anestis Bechtsoudis | be0ac7b | 2015-12-26 15:38:47 +0200 | [diff] [blame] | 237 | } |
Anestis Bechtsoudis | be0ac7b | 2015-12-26 15:38:47 +0200 | [diff] [blame] | 238 | } |
| 239 | |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 240 | /* Return value indicates whether report file should be updated with the current verified crash */ |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 241 | static bool fuzz_runVerifier(run_t* run) { |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 242 | if (!run->crashFileName[0] || !run->backtrace) { |
| 243 | return false; |
| 244 | } |
| 245 | |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 246 | uint64_t backtrace = run->backtrace; |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 247 | |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 248 | char origCrashPath[PATH_MAX]; |
| 249 | snprintf(origCrashPath, sizeof(origCrashPath), "%s", run->crashFileName); |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 250 | /* Workspace is inherited, just append a extra suffix */ |
| 251 | char verFile[PATH_MAX]; |
| 252 | snprintf(verFile, sizeof(verFile), "%s.verified", origCrashPath); |
| 253 | |
| 254 | if (files_exists(verFile)) { |
Robert Swiecki | 965af7f | 2018-01-12 02:30:14 +0100 | [diff] [blame] | 255 | LOG_D("Crash file to verify '%s' is already verified as '%s'", origCrashPath, verFile); |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 256 | return false; |
| 257 | } |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 258 | |
| 259 | for (int i = 0; i < _HF_VERIFIER_ITER; i++) { |
Robert Swiecki | c4b573f | 2018-01-12 19:48:24 +0100 | [diff] [blame] | 260 | LOG_I("Launching verifier for HASH: %" PRIx64 " (iteration: %d out of %d)", run->backtrace, |
| 261 | i + 1, _HF_VERIFIER_ITER); |
Robert Swiecki | f2da05a | 2018-01-12 03:01:09 +0100 | [diff] [blame] | 262 | run->timeStartedMillis = 0; |
| 263 | run->backtrace = 0; |
| 264 | run->access = 0; |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 265 | run->exception = 0; |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 266 | run->mainWorker = false; |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 267 | |
| 268 | if (!subproc_Run(run)) { |
| 269 | LOG_F("subproc_Run()"); |
| 270 | } |
| 271 | |
| 272 | /* If stack hash doesn't match skip name tag and exit */ |
| 273 | if (run->backtrace != backtrace) { |
| 274 | LOG_E("Verifier stack mismatch: (original) %" PRIx64 " != (new) %" PRIx64, backtrace, |
| 275 | run->backtrace); |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 276 | run->backtrace = backtrace; |
| 277 | return true; |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 278 | } |
Robert Swiecki | 17b37eb | 2018-01-12 13:47:12 +0100 | [diff] [blame] | 279 | |
Robert Swiecki | c4b573f | 2018-01-12 19:48:24 +0100 | [diff] [blame] | 280 | LOG_I("Verifier for HASH: %" PRIx64 " (iteration: %d, left: %d). MATCH!", run->backtrace, |
| 281 | i + 1, _HF_VERIFIER_ITER - i - 1); |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 282 | } |
| 283 | |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 284 | /* Copy file with new suffix & remove original copy */ |
| 285 | int fd = TEMP_FAILURE_RETRY(open(verFile, O_CREAT | O_EXCL | O_WRONLY, 0600)); |
| 286 | if (fd == -1 && errno == EEXIST) { |
| 287 | LOG_I("It seems that '%s' already exists, skipping", verFile); |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 288 | return false; |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 289 | } |
| 290 | if (fd == -1) { |
| 291 | PLOG_E("Couldn't create '%s'", verFile); |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 292 | return true; |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 293 | } |
Robert Swiecki | 3ab1664 | 2018-01-12 18:08:37 +0100 | [diff] [blame] | 294 | defer { |
| 295 | close(fd); |
| 296 | }; |
Robert Swiecki | 965af7f | 2018-01-12 02:30:14 +0100 | [diff] [blame] | 297 | if (!files_writeToFd(fd, run->dynamicFile, run->dynamicFileSz)) { |
| 298 | LOG_E("Couldn't save verified file as '%s'", verFile); |
| 299 | unlink(verFile); |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 300 | return true; |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 301 | } |
| 302 | |
| 303 | LOG_I("Verified crash for HASH: %" PRIx64 " and saved it as '%s'", backtrace, verFile); |
Robert Swiecki | acdf0bd | 2019-02-17 02:42:04 +0100 | [diff] [blame] | 304 | ATOMIC_PRE_INC(run->global->cnts.verifiedCrashesCnt); |
Robert Swiecki | 9badb55 | 2018-01-12 01:42:08 +0100 | [diff] [blame] | 305 | |
| 306 | return true; |
| 307 | } |
| 308 | |
Robert Swiecki | 3ab1664 | 2018-01-12 18:08:37 +0100 | [diff] [blame] | 309 | static bool fuzz_fetchInput(run_t* run) { |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 310 | if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_DRY_RUN) { |
Robert Swiecki | 2bad0b4 | 2018-01-13 04:00:18 +0100 | [diff] [blame] | 311 | run->mutationsPerRun = 0U; |
Robert Swiecki | 0f2c30a | 2018-01-13 14:03:39 +0100 | [diff] [blame] | 312 | if (input_prepareStaticFile(run, /* rewind= */ false)) { |
Robert Swiecki | 3ab1664 | 2018-01-12 18:08:37 +0100 | [diff] [blame] | 313 | return true; |
| 314 | } |
Robert Swiecki | 308ebac | 2018-01-13 03:59:22 +0100 | [diff] [blame] | 315 | fuzz_setDynamicMainState(run); |
Robert Swiecki | 04dcac3 | 2018-03-02 03:05:26 +0100 | [diff] [blame] | 316 | run->mutationsPerRun = run->global->mutate.mutationsPerRun; |
Robert Swiecki | 3ab1664 | 2018-01-12 18:08:37 +0100 | [diff] [blame] | 317 | } |
| 318 | |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 319 | if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_MAIN) { |
Robert Swiecki | a9e34ed | 2018-01-17 00:31:56 +0100 | [diff] [blame] | 320 | if (run->global->exe.externalCommand) { |
| 321 | if (!input_prepareExternalFile(run)) { |
| 322 | LOG_E("input_prepareFileExternally() failed"); |
| 323 | return false; |
| 324 | } |
Robert Swiecki | 0f2c30a | 2018-01-13 14:03:39 +0100 | [diff] [blame] | 325 | } else if (!input_prepareDynamicInput(run)) { |
| 326 | LOG_E("input_prepareFileDynamically() failed"); |
Robert Swiecki | 3ab1664 | 2018-01-12 18:08:37 +0100 | [diff] [blame] | 327 | return false; |
| 328 | } |
| 329 | } |
| 330 | |
Robert Swiecki | fb8a5b6 | 2018-01-14 05:16:59 +0100 | [diff] [blame] | 331 | if (fuzz_getState(run->global) == _HF_STATE_STATIC) { |
Robert Swiecki | a9e34ed | 2018-01-17 00:31:56 +0100 | [diff] [blame] | 332 | if (run->global->exe.externalCommand) { |
| 333 | if (!input_prepareExternalFile(run)) { |
| 334 | LOG_E("input_prepareFileExternally() failed"); |
| 335 | return false; |
| 336 | } |
Robert Swiecki | 0f2c30a | 2018-01-13 14:03:39 +0100 | [diff] [blame] | 337 | } else if (!input_prepareStaticFile(run, true /* rewind */)) { |
| 338 | LOG_E("input_prepareFile() failed"); |
Robert Swiecki | 3ab1664 | 2018-01-12 18:08:37 +0100 | [diff] [blame] | 339 | return false; |
| 340 | } |
| 341 | } |
| 342 | |
Robert Swiecki | 0f2c30a | 2018-01-13 14:03:39 +0100 | [diff] [blame] | 343 | if (run->global->exe.postExternalCommand && !input_postProcessFile(run)) { |
| 344 | LOG_E("input_postProcessFile() failed"); |
Robert Swiecki | 3ab1664 | 2018-01-12 18:08:37 +0100 | [diff] [blame] | 345 | return false; |
| 346 | } |
| 347 | |
| 348 | return true; |
| 349 | } |
| 350 | |
Robert Swiecki | d50ed42 | 2017-11-13 23:32:26 +0100 | [diff] [blame] | 351 | static void fuzz_fuzzLoop(run_t* run) { |
Robert Swiecki | f2da05a | 2018-01-12 03:01:09 +0100 | [diff] [blame] | 352 | run->timeStartedMillis = 0; |
Robert Swiecki | e7294ca | 2017-11-11 02:46:32 +0100 | [diff] [blame] | 353 | run->crashFileName[0] = '\0'; |
Robert Swiecki | f2da05a | 2018-01-12 03:01:09 +0100 | [diff] [blame] | 354 | run->pc = 0; |
| 355 | run->backtrace = 0; |
| 356 | run->access = 0; |
Robert Swiecki | e7294ca | 2017-11-11 02:46:32 +0100 | [diff] [blame] | 357 | run->exception = 0; |
| 358 | run->report[0] = '\0'; |
| 359 | run->mainWorker = true; |
Robert Swiecki | 04dcac3 | 2018-03-02 03:05:26 +0100 | [diff] [blame] | 360 | run->mutationsPerRun = run->global->mutate.mutationsPerRun; |
Robert Swiecki | e7294ca | 2017-11-11 02:46:32 +0100 | [diff] [blame] | 361 | run->dynamicFileSz = 0; |
Robert Swiecki | 98e2337 | 2019-01-30 11:50:18 +0100 | [diff] [blame] | 362 | run->dynamicFileCopyFd = -1; |
| 363 | run->tmOutSignaled = false; |
Robert Swiecki | a96d78d | 2016-03-14 16:50:50 +0100 | [diff] [blame] | 364 | |
Robert Swiecki | f2da05a | 2018-01-12 03:01:09 +0100 | [diff] [blame] | 365 | run->linux.hwCnts.cpuInstrCnt = 0; |
| 366 | run->linux.hwCnts.cpuBranchCnt = 0; |
| 367 | run->linux.hwCnts.bbCnt = 0; |
| 368 | run->linux.hwCnts.newBBCnt = 0; |
Jagger | 190f0dc | 2015-09-05 16:41:22 +0200 | [diff] [blame] | 369 | |
Robert Swiecki | 3ab1664 | 2018-01-12 18:08:37 +0100 | [diff] [blame] | 370 | if (!fuzz_fetchInput(run)) { |
| 371 | LOG_F("Cound't prepare input for fuzzing"); |
Robert Swiecki | 92a3136 | 2017-02-24 16:21:40 +0100 | [diff] [blame] | 372 | } |
Robert Swiecki | 3ab1664 | 2018-01-12 18:08:37 +0100 | [diff] [blame] | 373 | if (!subproc_Run(run)) { |
| 374 | LOG_F("Couldn't run fuzzed command"); |
Jagger | 190f0dc | 2015-09-05 16:41:22 +0200 | [diff] [blame] | 375 | } |
| 376 | |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 377 | if (run->global->feedback.dynFileMethod != _HF_DYNFILE_NONE) { |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 378 | fuzz_perfFeedback(run); |
Robert Swiecki | 53ec9e4 | 2017-02-15 20:34:27 +0100 | [diff] [blame] | 379 | } |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 380 | if (run->global->cfg.useVerifier && !fuzz_runVerifier(run)) { |
Robert Swiecki | 28cc4cb | 2018-01-12 02:18:29 +0100 | [diff] [blame] | 381 | return; |
Anestis Bechtsoudis | 5c86ebc | 2015-09-27 18:06:43 +0300 | [diff] [blame] | 382 | } |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 383 | report_Report(run); |
Jagger | 190f0dc | 2015-09-05 16:41:22 +0200 | [diff] [blame] | 384 | } |
| 385 | |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 386 | static void fuzz_fuzzLoopSocket(run_t* run) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 387 | run->pid = 0; |
| 388 | run->timeStartedMillis = 0; |
| 389 | run->crashFileName[0] = '\0'; |
| 390 | run->pc = 0; |
| 391 | run->backtrace = 0; |
| 392 | run->access = 0; |
| 393 | run->exception = 0; |
| 394 | run->report[0] = '\0'; |
| 395 | run->mainWorker = true; |
Robert Swiecki | 04dcac3 | 2018-03-02 03:05:26 +0100 | [diff] [blame] | 396 | run->mutationsPerRun = run->global->mutate.mutationsPerRun; |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 397 | run->dynamicFileSz = 0; |
Robert Swiecki | 98e2337 | 2019-01-30 11:50:18 +0100 | [diff] [blame] | 398 | run->dynamicFileCopyFd = -1; |
| 399 | run->tmOutSignaled = false; |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 400 | |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 401 | run->linux.hwCnts.cpuInstrCnt = 0; |
| 402 | run->linux.hwCnts.cpuBranchCnt = 0; |
| 403 | run->linux.hwCnts.bbCnt = 0; |
| 404 | run->linux.hwCnts.newBBCnt = 0; |
| 405 | |
| 406 | LOG_I("------------------------------------------------------"); |
| 407 | |
| 408 | /* First iteration: Start target |
| 409 | Other iterations: re-start target, if necessary |
| 410 | subproc_Run() will decide by itself if a restart is necessary, via |
| 411 | subproc_New() |
| 412 | */ |
| 413 | LOG_D("------[ 1: subproc_run"); |
| 414 | if (!subproc_Run(run)) { |
| 415 | LOG_W("Couldn't run server"); |
| 416 | } |
| 417 | |
| 418 | /* Tell the external fuzzer to send data to target |
| 419 | The fuzzer will notify us when finished; block until then. |
| 420 | */ |
| 421 | LOG_D("------[ 2: fetch input"); |
| 422 | if (!fuzz_waitForExternalInput(run)) { |
| 423 | /* Fuzzer could not connect to target, and told us to |
| 424 | restart it. Do it on the next iteration. */ |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 425 | LOG_D("------[ 2.1: Target down, will restart it"); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 426 | return; |
| 427 | } |
| 428 | |
| 429 | LOG_D("------[ 3: feedback"); |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 430 | if (run->global->feedback.dynFileMethod != _HF_DYNFILE_NONE) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 431 | fuzz_perfFeedback(run); |
| 432 | } |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 433 | if (run->global->cfg.useVerifier && !fuzz_runVerifier(run)) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 434 | return; |
| 435 | } |
| 436 | |
| 437 | report_Report(run); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 438 | } |
| 439 | |
Robert Swiecki | d50ed42 | 2017-11-13 23:32:26 +0100 | [diff] [blame] | 440 | static void* fuzz_threadNew(void* arg) { |
Robert Swiecki | 4e595fb | 2017-10-11 17:26:51 +0200 | [diff] [blame] | 441 | honggfuzz_t* hfuzz = (honggfuzz_t*)arg; |
Robert Swiecki | 66b6512 | 2017-11-11 02:55:55 +0100 | [diff] [blame] | 442 | unsigned int fuzzNo = ATOMIC_POST_INC(hfuzz->threads.threadsActiveCnt); |
Robert Swiecki | 0ec9811 | 2017-02-03 02:08:14 +0100 | [diff] [blame] | 443 | LOG_I("Launched new fuzzing thread, no. #%" PRId32, fuzzNo); |
Anestis Bechtsoudis | 02b99be | 2015-12-27 11:53:01 +0200 | [diff] [blame] | 444 | |
Robert Swiecki | e7294ca | 2017-11-11 02:46:32 +0100 | [diff] [blame] | 445 | run_t run = { |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 446 | .global = hfuzz, |
Robert Swiecki | decf14b | 2016-03-31 15:09:28 +0200 | [diff] [blame] | 447 | .pid = 0, |
Robert Swiecki | bf8f8cc | 2017-11-09 00:42:50 +0100 | [diff] [blame] | 448 | .dynfileqCurrent = NULL, |
Robert Swiecki | 599dee1 | 2018-01-10 02:21:58 +0100 | [diff] [blame] | 449 | .dynamicFile = NULL, |
| 450 | .dynamicFileFd = -1, |
Jagger | fa3544a | 2016-08-30 02:55:55 +0200 | [diff] [blame] | 451 | .fuzzNo = fuzzNo, |
Jagger | 93253f7 | 2016-09-01 22:40:12 +0200 | [diff] [blame] | 452 | .persistentSock = -1, |
Robert Swiecki | 013bc9c | 2016-12-12 17:31:06 +0100 | [diff] [blame] | 453 | .tmOutSignaled = false, |
Robert Swiecki | 94d314c | 2018-02-07 21:23:00 +0100 | [diff] [blame] | 454 | .origFileName = "[DYNAMIC]", |
Robert Swiecki | decf14b | 2016-03-31 15:09:28 +0200 | [diff] [blame] | 455 | }; |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 456 | |
Robert Swiecki | 5eeb29b | 2018-01-21 16:07:06 +0100 | [diff] [blame] | 457 | /* Do not try to handle input files with socketfuzzer */ |
Robert Swiecki | 5e26bd9 | 2018-03-02 12:09:34 +0100 | [diff] [blame] | 458 | if (!hfuzz->socketFuzzer.enabled) { |
Robert Swiecki | e9231d6 | 2018-03-02 03:35:11 +0100 | [diff] [blame] | 459 | if (!(run.dynamicFile = files_mapSharedMem(hfuzz->mutate.maxFileSz, &run.dynamicFileFd, |
| 460 | "hfuzz-input", run.global->io.workDir))) { |
| 461 | LOG_F("Couldn't create an input file of size: %zu", hfuzz->mutate.maxFileSz); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 462 | } |
Robert Swiecki | 599dee1 | 2018-01-10 02:21:58 +0100 | [diff] [blame] | 463 | } |
Robert Swiecki | 4103381 | 2018-01-21 16:02:45 +0100 | [diff] [blame] | 464 | defer { |
| 465 | if (run.dynamicFileFd != -1) { |
| 466 | close(run.dynamicFileFd); |
| 467 | } |
| 468 | }; |
Robert Swiecki | decf14b | 2016-03-31 15:09:28 +0200 | [diff] [blame] | 469 | |
Robert Swiecki | fc7520e | 2018-03-10 04:37:59 +0100 | [diff] [blame] | 470 | if (!arch_archThreadInit(&run)) { |
Robert Swiecki | 0f937af | 2016-03-30 18:19:16 +0200 | [diff] [blame] | 471 | LOG_F("Could not initialize the thread"); |
| 472 | } |
| 473 | |
Robert Swiecki | a96d78d | 2016-03-14 16:50:50 +0100 | [diff] [blame] | 474 | for (;;) { |
Anestis Bechtsoudis | 46ea10e | 2015-11-07 18:16:25 +0200 | [diff] [blame] | 475 | /* Check if dry run mode with verifier enabled */ |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 476 | if (run.global->mutate.mutationsPerRun == 0U && run.global->cfg.useVerifier && |
Robert Swiecki | 5e26bd9 | 2018-03-02 12:09:34 +0100 | [diff] [blame] | 477 | !hfuzz->socketFuzzer.enabled) { |
Robert Swiecki | 82c707c | 2017-11-14 16:36:23 +0100 | [diff] [blame] | 478 | if (ATOMIC_POST_INC(run.global->cnts.mutationsCnt) >= run.global->io.fileCnt) { |
Robert Swiecki | 069b48f | 2017-05-31 01:00:08 +0200 | [diff] [blame] | 479 | break; |
Anestis Bechtsoudis | 46ea10e | 2015-11-07 18:16:25 +0200 | [diff] [blame] | 480 | } |
| 481 | } |
| 482 | /* Check for max iterations limit if set */ |
Robert Swiecki | 04dcac3 | 2018-03-02 03:05:26 +0100 | [diff] [blame] | 483 | else if ((ATOMIC_POST_INC(run.global->cnts.mutationsCnt) >= |
| 484 | run.global->mutate.mutationsMax) && |
| 485 | run.global->mutate.mutationsMax) { |
Robert Swiecki | 069b48f | 2017-05-31 01:00:08 +0200 | [diff] [blame] | 486 | break; |
Robert Swiecki | 8d01b01 | 2017-02-19 15:48:11 +0100 | [diff] [blame] | 487 | } |
| 488 | |
Robert Swiecki | e9231d6 | 2018-03-02 03:35:11 +0100 | [diff] [blame] | 489 | input_setSize(&run, run.global->mutate.maxFileSz); |
Robert Swiecki | 5e26bd9 | 2018-03-02 12:09:34 +0100 | [diff] [blame] | 490 | if (hfuzz->socketFuzzer.enabled) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 491 | fuzz_fuzzLoopSocket(&run); |
| 492 | } else { |
| 493 | fuzz_fuzzLoop(&run); |
| 494 | } |
| 495 | |
Robert Swiecki | 0dde76d | 2017-11-16 19:25:44 +0100 | [diff] [blame] | 496 | if (fuzz_isTerminating()) { |
Robert Swiecki | 069b48f | 2017-05-31 01:00:08 +0200 | [diff] [blame] | 497 | break; |
| 498 | } |
| 499 | |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 500 | if (run.global->cfg.exitUponCrash && ATOMIC_GET(run.global->cnts.crashesCnt) > 0) { |
Robert Swiecki | 069b48f | 2017-05-31 01:00:08 +0200 | [diff] [blame] | 501 | LOG_I("Seen a crash. Terminating all fuzzing threads"); |
Robert Swiecki | 0dde76d | 2017-11-16 19:25:44 +0100 | [diff] [blame] | 502 | fuzz_setTerminating(); |
Robert Swiecki | 069b48f | 2017-05-31 01:00:08 +0200 | [diff] [blame] | 503 | break; |
| 504 | } |
robert.swiecki@gmail.com | d4dd4df | 2015-02-18 00:50:12 +0000 | [diff] [blame] | 505 | } |
Robert Swiecki | 069b48f | 2017-05-31 01:00:08 +0200 | [diff] [blame] | 506 | |
Robert Swiecki | 98e2337 | 2019-01-30 11:50:18 +0100 | [diff] [blame] | 507 | if (run.pid) { |
| 508 | kill(run.pid, SIGKILL); |
| 509 | } |
| 510 | |
Robert Swiecki | 20fc98f | 2018-11-19 00:08:09 +0100 | [diff] [blame] | 511 | LOG_I("Terminating thread no. #%" PRId32 ", left: %zu", fuzzNo, |
Robert Swiecki | acdf0bd | 2019-02-17 02:42:04 +0100 | [diff] [blame] | 512 | hfuzz->threads.threadsMax - ATOMIC_GET(run.global->threads.threadsFinished)); |
Robert Swiecki | 78633d1 | 2017-11-13 23:24:55 +0100 | [diff] [blame] | 513 | ATOMIC_POST_INC(run.global->threads.threadsFinished); |
Robert Swiecki | 069b48f | 2017-05-31 01:00:08 +0200 | [diff] [blame] | 514 | return NULL; |
robert.swiecki@gmail.com | 882900b | 2015-02-11 13:56:22 +0000 | [diff] [blame] | 515 | } |
| 516 | |
Robert Swiecki | 64d5243 | 2019-02-14 23:02:13 +0100 | [diff] [blame] | 517 | void fuzz_threadsStart(honggfuzz_t* hfuzz) { |
robert.swiecki@gmail.com | 956276a | 2015-04-16 16:51:52 +0000 | [diff] [blame] | 518 | if (!arch_archInit(hfuzz)) { |
Robert Swiecki | c8c32db | 2015-10-09 18:06:22 +0200 | [diff] [blame] | 519 | LOG_F("Couldn't prepare arch for fuzzing"); |
robert.swiecki@gmail.com | ef829fa | 2011-06-22 13:51:57 +0000 | [diff] [blame] | 520 | } |
Anestis Bechtsoudis | e5f09f8 | 2016-12-27 16:06:05 +0200 | [diff] [blame] | 521 | if (!sanitizers_Init(hfuzz)) { |
| 522 | LOG_F("Couldn't prepare sanitizer options"); |
| 523 | } |
robert.swiecki@gmail.com | ef829fa | 2011-06-22 13:51:57 +0000 | [diff] [blame] | 524 | |
Robert Swiecki | 5e26bd9 | 2018-03-02 12:09:34 +0100 | [diff] [blame] | 525 | if (hfuzz->socketFuzzer.enabled) { |
Robert Swiecki | 5eeb29b | 2018-01-21 16:07:06 +0100 | [diff] [blame] | 526 | /* Don't do dry run with socketFuzzer */ |
Robert Swiecki | 4103381 | 2018-01-21 16:02:45 +0100 | [diff] [blame] | 527 | LOG_I("Entering phase - Feedback Driven Mode (SocketFuzzer)"); |
Robert Swiecki | 363510f | 2018-03-09 02:00:30 +0100 | [diff] [blame] | 528 | hfuzz->feedback.state = _HF_STATE_DYNAMIC_MAIN; |
Robert Swiecki | a5b918a | 2018-03-07 23:59:53 +0100 | [diff] [blame] | 529 | } else if (hfuzz->feedback.dynFileMethod != _HF_DYNFILE_NONE) { |
Robert Swiecki | 4103381 | 2018-01-21 16:02:45 +0100 | [diff] [blame] | 530 | LOG_I("Entering phase 1/2: Dry Run"); |
Robert Swiecki | 363510f | 2018-03-09 02:00:30 +0100 | [diff] [blame] | 531 | hfuzz->feedback.state = _HF_STATE_DYNAMIC_DRY_RUN; |
Robert Swiecki | a96d78d | 2016-03-14 16:50:50 +0100 | [diff] [blame] | 532 | } else { |
Robert Swiecki | 4103381 | 2018-01-21 16:02:45 +0100 | [diff] [blame] | 533 | LOG_I("Entering phase: Static"); |
Robert Swiecki | 363510f | 2018-03-09 02:00:30 +0100 | [diff] [blame] | 534 | hfuzz->feedback.state = _HF_STATE_STATIC; |
Robert Swiecki | a96d78d | 2016-03-14 16:50:50 +0100 | [diff] [blame] | 535 | } |
| 536 | |
Robert Swiecki | 66b6512 | 2017-11-11 02:55:55 +0100 | [diff] [blame] | 537 | for (size_t i = 0; i < hfuzz->threads.threadsMax; i++) { |
Robert Swiecki | 64d5243 | 2019-02-14 23:02:13 +0100 | [diff] [blame] | 538 | if (!subproc_runThread(hfuzz, &hfuzz->threads.threads[i], fuzz_threadNew)) { |
| 539 | PLOG_F("Couldn't run a thread #%zu", i); |
| 540 | } |
robert.swiecki | 3bb518c | 2010-10-14 00:48:24 +0000 | [diff] [blame] | 541 | } |
robert.swiecki | 3bb518c | 2010-10-14 00:48:24 +0000 | [diff] [blame] | 542 | } |