Robert Swiecki | c6e51b1 | 2019-05-22 16:02:57 +0200 | [diff] [blame] | 1 | #include "socketfuzzer.h" |
| 2 | |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 3 | #include <errno.h> |
| 4 | #include <fcntl.h> |
| 5 | #include <inttypes.h> |
| 6 | #include <libgen.h> |
| 7 | #include <pthread.h> |
| 8 | #include <signal.h> |
| 9 | #include <stddef.h> |
| 10 | #include <stdint.h> |
| 11 | #include <stdio.h> |
| 12 | #include <stdlib.h> |
| 13 | #include <string.h> |
| 14 | #include <sys/mman.h> |
| 15 | #include <sys/param.h> |
Robert Swiecki | c6e51b1 | 2019-05-22 16:02:57 +0200 | [diff] [blame] | 16 | #include <sys/socket.h> |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 17 | #include <sys/stat.h> |
| 18 | #include <sys/time.h> |
| 19 | #include <sys/types.h> |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 20 | #include <sys/un.h> |
Robert Swiecki | c6e51b1 | 2019-05-22 16:02:57 +0200 | [diff] [blame] | 21 | #include <time.h> |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 22 | #include <unistd.h> |
| 23 | |
| 24 | #include "honggfuzz.h" |
| 25 | #include "libhfcommon/common.h" |
| 26 | #include "libhfcommon/files.h" |
| 27 | #include "libhfcommon/log.h" |
| 28 | #include "libhfcommon/ns.h" |
| 29 | #include "libhfcommon/util.h" |
| 30 | |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 31 | bool fuzz_waitForExternalInput(run_t* run) { |
| 32 | /* tell the external fuzzer to do his thing */ |
| 33 | if (!fuzz_prepareSocketFuzzer(run)) { |
| 34 | LOG_F("fuzz_prepareSocketFuzzer() failed"); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 35 | } |
| 36 | |
| 37 | /* the external fuzzer may inform us of a crash */ |
| 38 | int result = fuzz_waitforSocketFuzzer(run); |
| 39 | if (result == 2) { |
| 40 | return false; |
| 41 | } |
| 42 | |
| 43 | return true; |
| 44 | } |
| 45 | |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 46 | bool fuzz_prepareSocketFuzzer(run_t* run) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 47 | // Notify fuzzer that he should send teh things |
| 48 | LOG_D("fuzz_prepareSocketFuzzer: SEND Fuzz"); |
Robert Swiecki | 251ee7c | 2019-04-17 21:56:22 +0200 | [diff] [blame] | 49 | return files_sendToSocket( |
| 50 | run->global->socketFuzzer.clientSocket, (uint8_t*)"Fuzz", strlen("Fuzz")); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 51 | } |
| 52 | |
| 53 | /* Return values: |
| 54 | 0: error |
| 55 | 1: okay |
| 56 | 2: target unresponsive |
| 57 | */ |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 58 | int fuzz_waitforSocketFuzzer(run_t* run) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 59 | ssize_t ret; |
Robert Swiecki | 251ee7c | 2019-04-17 21:56:22 +0200 | [diff] [blame] | 60 | uint8_t buf[16]; |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 61 | |
| 62 | // Wait until the external fuzzer did his thing |
| 63 | bzero(buf, 16); |
Robert Swiecki | 251ee7c | 2019-04-17 21:56:22 +0200 | [diff] [blame] | 64 | ret = files_readFromFd(run->global->socketFuzzer.clientSocket, buf, 4); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 65 | LOG_D("fuzz_waitforSocketFuzzer: RECV: %s", buf); |
| 66 | |
| 67 | // We dont care what we receive, its just to block here |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 68 | if (ret < 0) { |
Robert Swiecki | f3ecc0e | 2018-01-21 15:42:22 +0100 | [diff] [blame] | 69 | LOG_F("fuzz_waitforSocketFuzzer: received: %zu", ret); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 70 | } |
| 71 | |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 72 | if (memcmp(buf, "okay", 4) == 0) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 73 | return 1; |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 74 | } else if (memcmp(buf, "bad!", 4) == 0) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 75 | return 2; |
| 76 | } |
| 77 | |
| 78 | return 0; |
| 79 | } |
| 80 | |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 81 | bool fuzz_notifySocketFuzzerNewCov(honggfuzz_t* hfuzz) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 82 | // Tell the fuzzer that the thing he sent reached new BB's |
Robert Swiecki | 251ee7c | 2019-04-17 21:56:22 +0200 | [diff] [blame] | 83 | bool ret = files_sendToSocket(hfuzz->socketFuzzer.clientSocket, (uint8_t*)"New!", 4); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 84 | LOG_D("fuzz_notifySocketFuzzer: SEND: New!"); |
Robert Swiecki | 251ee7c | 2019-04-17 21:56:22 +0200 | [diff] [blame] | 85 | if (!ret) { |
| 86 | LOG_F("fuzz_notifySocketFuzzer"); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 87 | } |
| 88 | |
| 89 | return true; |
| 90 | } |
| 91 | |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 92 | bool fuzz_notifySocketFuzzerCrash(run_t* run) { |
Robert Swiecki | 251ee7c | 2019-04-17 21:56:22 +0200 | [diff] [blame] | 93 | bool ret = files_sendToSocket(run->global->socketFuzzer.clientSocket, (uint8_t*)"Cras", 4); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 94 | LOG_D("fuzz_notifySocketFuzzer: SEND: Crash"); |
Robert Swiecki | 251ee7c | 2019-04-17 21:56:22 +0200 | [diff] [blame] | 95 | if (!ret) { |
| 96 | LOG_F("fuzz_notifySocketFuzzer"); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 97 | } |
| 98 | |
| 99 | return true; |
| 100 | } |
| 101 | |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 102 | bool setupSocketFuzzer(honggfuzz_t* run) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 103 | int s, len; |
| 104 | socklen_t t; |
| 105 | struct sockaddr_un local, remote; |
| 106 | char socketPath[512]; |
dobin | 040a98e | 2018-04-14 15:55:23 +0200 | [diff] [blame] | 107 | snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid()); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 108 | |
| 109 | if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { |
| 110 | perror("socket"); |
| 111 | return false; |
| 112 | } |
| 113 | |
| 114 | local.sun_family = AF_UNIX; |
| 115 | strcpy(local.sun_path, socketPath); |
| 116 | unlink(local.sun_path); |
| 117 | len = strlen(local.sun_path) + sizeof(local.sun_family); |
Robert Swiecki | 5627619 | 2018-01-21 15:43:02 +0100 | [diff] [blame] | 118 | if (bind(s, (struct sockaddr*)&local, len) == -1) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 119 | perror("bind"); |
| 120 | return false; |
| 121 | } |
| 122 | |
| 123 | if (listen(s, 5) == -1) { |
| 124 | perror("listen"); |
| 125 | return false; |
| 126 | } |
| 127 | |
| 128 | printf("Waiting for SocketFuzzer connection on socket: %s\n", socketPath); |
| 129 | t = sizeof(remote); |
Robert Swiecki | 251ee7c | 2019-04-17 21:56:22 +0200 | [diff] [blame] | 130 | if ((run->socketFuzzer.clientSocket = |
| 131 | TEMP_FAILURE_RETRY(accept(s, (struct sockaddr*)&remote, &t))) == -1) { |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 132 | perror("accept"); |
| 133 | return false; |
| 134 | } |
| 135 | |
Robert Swiecki | 5e26bd9 | 2018-03-02 12:09:34 +0100 | [diff] [blame] | 136 | run->socketFuzzer.serverSocket = s; |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 137 | printf("A SocketFuzzer client connected. Continuing.\n"); |
| 138 | |
| 139 | return true; |
| 140 | } |
| 141 | |
| 142 | void cleanupSocketFuzzer() { |
| 143 | char socketPath[512]; |
dobin | 040a98e | 2018-04-14 15:55:23 +0200 | [diff] [blame] | 144 | snprintf(socketPath, sizeof(socketPath), "/tmp/honggfuzz_socket.%i", getpid()); |
dobin | edf9f8d | 2018-01-21 13:57:02 +0100 | [diff] [blame] | 145 | unlink(socketPath); |
| 146 | } |