/* * * honggfuzz - architecture dependent code (LINUX) * ----------------------------------------- * * Author: Robert Swiecki <swiecki@google.com> * * Copyright 2010-2018 by Google Inc. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. You may obtain * a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or * implied. See the License for the specific language governing * permissions and limitations under the License. * */ #include "arch.h" #include <ctype.h> #include <dlfcn.h> #include <errno.h> #include <fcntl.h> #include <inttypes.h> #include <locale.h> #include <setjmp.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/cdefs.h> #include <sys/personality.h> #include <sys/prctl.h> #include <sys/syscall.h> #include <sys/time.h> #include <sys/types.h> #include <sys/user.h> #include <sys/utsname.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> #include "fuzz.h" #include "libhfcommon/common.h" #include "libhfcommon/files.h" #include "libhfcommon/log.h" #include "libhfcommon/ns.h" #include "libhfcommon/util.h" #include "linux/perf.h" #include "linux/trace.h" #include "sanitizers.h" #include "subproc.h" static uint8_t arch_clone_stack[128 * 1024] __attribute__((aligned(__BIGGEST_ALIGNMENT__))); static __thread jmp_buf env; HF_ATTR_NO_SANITIZE_ADDRESS HF_ATTR_NO_SANITIZE_MEMORY static int arch_cloneFunc(void* arg HF_ATTR_UNUSED) { longjmp(env, 1); abort(); return 0; } /* Avoid problem with caching of PID/TID in glibc */ static pid_t arch_clone(uintptr_t flags) { if (flags & CLONE_VM) { LOG_E("Cannot use clone(flags & CLONE_VM)"); return -1; } if (setjmp(env) == 0) { void* stack_mid = &arch_clone_stack[sizeof(arch_clone_stack) / 2]; /* Parent */ return clone(arch_cloneFunc, stack_mid, flags, NULL, NULL, NULL); } /* Child */ return 0; } pid_t arch_fork(run_t* run) { pid_t pid = run->global->linux.useClone ? arch_clone(CLONE_UNTRACED | SIGCHLD) : fork(); if (pid == -1) { return pid; } if (pid == 0) { logMutexReset(); if (prctl(PR_SET_PDEATHSIG, (unsigned long)SIGKILL, 0UL, 0UL, 0UL) == -1) { PLOG_W("prctl(PR_SET_PDEATHSIG, SIGKILL)"); } return pid; } return pid; } bool arch_launchChild(run_t* run) { if ((run->global->linux.cloneFlags & CLONE_NEWNET) && (nsIfaceUp("lo") == false)) { LOG_W("Cannot bring interface 'lo' up"); } /* * Make it attach-able by ptrace() */ if (prctl(PR_SET_DUMPABLE, 1UL, 0UL, 0UL, 0UL) == -1) { PLOG_E("prctl(PR_SET_DUMPABLE, 1)"); return false; } /* * Kill a process which corrupts its own heap (with ABRT) */ if (setenv("MALLOC_CHECK_", "7", 0) == -1) { PLOG_E("setenv(MALLOC_CHECK_=7) failed"); return false; } if (setenv("MALLOC_PERTURB_", "85", 0) == -1) { PLOG_E("setenv(MALLOC_PERTURB_=85) failed"); return false; } /* * Disable ASLR: * This might fail in Docker, as Docker blocks __NR_personality. Consequently * it's just a debug warning */ if (run->global->linux.disableRandomization && syscall(__NR_personality, ADDR_NO_RANDOMIZE) == -1) { PLOG_D("personality(ADDR_NO_RANDOMIZE) failed"); } #define ARGS_MAX 512 const char* args[ARGS_MAX + 2]; char argData[PATH_MAX]; char inputFile[PATH_MAX]; snprintf(inputFile, sizeof(inputFile), "/dev/fd/%d", run->dynamicFileCopyFd); int x = 0; for (x = 0; x < ARGS_MAX && x < run->global->exe.argc; x++) { if (run->global->exe.persistent || run->global->exe.fuzzStdin) { args[x] = run->global->exe.cmdline[x]; } else if (!strcmp(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) { args[x] = inputFile; } else if (strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) { const char* off = strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER); snprintf(argData, sizeof(argData), "%.*s%s", (int)(off - run->global->exe.cmdline[x]), run->global->exe.cmdline[x], inputFile); args[x] = argData; } else { args[x] = run->global->exe.cmdline[x]; } } args[x++] = NULL; LOG_D("Launching '%s' on file '%s'", args[0], run->global->exe.persistent ? "PERSISTENT_MODE" : inputFile); /* alarms persist across execve(), so disable it here */ alarm(0); /* Wait for the ptrace to attach now */ if (kill(syscall(__NR_getpid), SIGSTOP) == -1) { LOG_F("Couldn't stop itself"); } #if defined(__NR_execveat) syscall(__NR_execveat, run->global->linux.exeFd, "", args, environ, AT_EMPTY_PATH); #endif /* defined__NR_execveat) */ execve(args[0], (char* const*)args, environ); int errno_cpy = errno; alarm(1); LOG_E("execve('%s', fd=%d): %s", args[0], run->global->linux.exeFd, strerror(errno_cpy)); return false; } static bool arch_attachToNewPid(run_t* run) { if (!arch_traceAttach(run)) { LOG_W("arch_traceAttach(pid=%d) failed", run->pid); return false; } return true; } void arch_prepareParentAfterFork(run_t* run) { /* Parent */ if (run->global->exe.persistent) { const struct f_owner_ex fown = { .type = F_OWNER_TID, .pid = syscall(__NR_gettid), }; if (fcntl(run->persistentSock, F_SETOWN_EX, &fown)) { PLOG_F("fcntl(%d, F_SETOWN_EX)", run->persistentSock); } if (fcntl(run->persistentSock, F_SETSIG, SIGIO) == -1) { PLOG_F("fcntl(%d, F_SETSIG, SIGIO)", run->persistentSock); } if (fcntl(run->persistentSock, F_SETFL, O_ASYNC) == -1) { PLOG_F("fcntl(%d, F_SETFL, O_ASYNC)", run->persistentSock); } } if (!arch_perfOpen(run)) { LOG_F("Couldn't open perf event for pid=%d", (int)run->pid); } if (!arch_attachToNewPid(run)) { LOG_F("Couldn't attach to pid=%d", (int)run->pid); } } void arch_prepareParent(run_t* run) { if (!arch_perfEnable(run)) { LOG_F("Couldn't enable perf counters for pid=%d", (int)run->pid); } } static bool arch_checkWait(run_t* run) { /* All queued wait events must be tested when SIGCHLD was delivered */ for (;;) { int status; pid_t pid = TEMP_FAILURE_RETRY(waitpid(-1, &status, __WALL | __WNOTHREAD | WNOHANG)); if (pid == 0) { return false; } if (pid == -1 && errno == ECHILD) { LOG_D("No more processes to track"); return true; } if (pid == -1) { PLOG_F("waitpid() failed"); } char statusStr[4096]; LOG_D("pid=%d returned with status: %s", pid, subproc_StatusToStr(status, statusStr, sizeof(statusStr))); arch_traceAnalyze(run, status, pid); if (pid == run->pid && (WIFEXITED(status) || WIFSIGNALED(status))) { if (run->global->exe.persistent) { if (!fuzz_isTerminating()) { LOG_W("Persistent mode: pid=%d exited with status: %s", (int)run->pid, subproc_StatusToStr(status, statusStr, sizeof(statusStr))); } } return true; } } } void arch_reapChild(run_t* run) { for (;;) { if (subproc_persistentModeStateMachine(run)) { break; } subproc_checkTimeLimit(run); subproc_checkTermination(run); const struct timespec ts = { .tv_sec = 0ULL, .tv_nsec = (1000ULL * 1000ULL * 250ULL), }; /* Return with SIGIO, SIGCHLD and with SIGUSR1 */ int sig = sigtimedwait(&run->global->exe.waitSigSet, NULL, &ts /* 0.25s */); if (sig == -1 && (errno != EAGAIN && errno != EINTR)) { PLOG_F("sigwaitinfo(SIGIO|SIGCHLD|SIGUSR1)"); } if (arch_checkWait(run)) { run->pid = 0; break; } if (run->global->socketFuzzer.enabled) { // Do not wait for new events break; } } if (run->global->sanitizer.enable) { char crashReport[PATH_MAX]; snprintf(crashReport, sizeof(crashReport), "%s/%s.%d", run->global->io.workDir, kLOGPREFIX, run->pid); if (files_exists(crashReport)) { if (run->backtrace) { unlink(crashReport); } else { LOG_W("Un-handled ASan report due to compiler-rt internal error - retry with '%s'", crashReport); /* Try to parse report file */ arch_traceExitAnalyze(run, run->pid); } } } if (run->pid == 0) { arch_perfClose(run); } arch_perfAnalyze(run); } bool arch_archInit(honggfuzz_t* hfuzz) { /* Make %'d work */ setlocale(LC_NUMERIC, "en_US.UTF-8"); if (access(hfuzz->exe.cmdline[0], X_OK) == -1) { PLOG_E("File '%s' doesn't seem to be executable", hfuzz->exe.cmdline[0]); return false; } if ((hfuzz->linux.exeFd = TEMP_FAILURE_RETRY(open(hfuzz->exe.cmdline[0], O_RDONLY | O_CLOEXEC))) == -1) { PLOG_E("Cannot open the executable binary: %s)", hfuzz->exe.cmdline[0]); return false; } for (;;) { __attribute__((weak)) const char* gnu_get_libc_version(void); if (!gnu_get_libc_version) { LOG_W("Unknown libc implementation. Using clone() instead of fork()"); break; } const char* gversion = gnu_get_libc_version(); int major, minor; if (sscanf(gversion, "%d.%d", &major, &minor) != 2) { LOG_W("Unknown glibc version:'%s'. Using clone() instead of fork()", gversion); break; } if ((major < 2) || (major == 2 && minor < 23)) { LOG_W("Your glibc version:'%s' will most likely result in malloc()-related " "deadlocks. Min. version 2.24 (Or, Ubuntu's 2.23-0ubuntu6) suggested. " "See https://sourceware.org/bugzilla/show_bug.cgi?id=19431 for explanation. " "Using clone() instead of fork()", gversion); break; } LOG_D("Glibc version:'%s', OK", gversion); hfuzz->linux.useClone = false; break; } if (hfuzz->feedback.dynFileMethod != _HF_DYNFILE_NONE) { unsigned long major = 0, minor = 0; char* p = NULL; /* * Check that Linux kernel is compatible * * Compatibility list: * 1) Perf exclude_callchain_kernel requires kernel >= 3.7 * TODO: Runtime logic to disable it for unsupported kernels * if it doesn't affect perf counters processing * 2) If 'PERF_TYPE_HARDWARE' is not supported by kernel, ENOENT * is returned from perf_event_open(). Unfortunately, no reliable * way to detect it here. libperf exports some list functions, * although small guarantees it's installed. Maybe a more targeted * message at perf_event_open() error handling will help. * 3) Intel's PT and new Intel BTS format require kernel >= 4.1 */ unsigned long checkMajor = 3, checkMinor = 7; if ((hfuzz->feedback.dynFileMethod & _HF_DYNFILE_BTS_EDGE) || (hfuzz->feedback.dynFileMethod & _HF_DYNFILE_IPT_BLOCK)) { checkMajor = 4; checkMinor = 1; } struct utsname uts; if (uname(&uts) == -1) { PLOG_F("uname() failed"); return false; } p = uts.release; major = strtoul(p, &p, 10); if (*p++ != '.') { LOG_F("Unsupported kernel version (%s)", uts.release); return false; } minor = strtoul(p, &p, 10); if ((major < checkMajor) || ((major == checkMajor) && (minor < checkMinor))) { LOG_E("Kernel version '%s' not supporting chosen perf method", uts.release); return false; } if (!arch_perfInit(hfuzz)) { return false; } } #if defined(__ANDROID__) && defined(__arm__) && defined(OPENSSL_ARMCAP_ABI) /* * For ARM kernels running Android API <= 21, if fuzzing target links to * libcrypto (OpenSSL), OPENSSL_cpuid_setup initialization is triggering a * SIGILL/ILLOPC at armv7_tick() due to "mrrc p15, #1, r0, r1, c14)" instruction. * Setups using BoringSSL (API >= 22) are not affected. */ if (setenv("OPENSSL_armcap", OPENSSL_ARMCAP_ABI, 1) == -1) { PLOG_E("setenv(OPENSSL_armcap) failed"); return false; } #endif /* Updates the important signal array based on input args */ arch_traceSignalsInit(hfuzz); /* * If sanitizer fuzzing enabled and SIGABRT is monitored (abort_on_error=1), * increase number of major frames, since top 7-9 frames will be occupied * with sanitizer runtime library & libc symbols */ if (hfuzz->sanitizer.enable && hfuzz->cfg.monitorSIGABRT) { hfuzz->linux.numMajorFrames = 14; } if (hfuzz->linux.cloneFlags && unshare(hfuzz->linux.cloneFlags) == -1) { LOG_E("unshare(%tx)", hfuzz->linux.cloneFlags); return false; } return true; } bool arch_archThreadInit(run_t* run) { run->linux.perfMmapBuf = NULL; run->linux.perfMmapAux = NULL; run->linux.cpuInstrFd = -1; run->linux.cpuBranchFd = -1; run->linux.cpuIptBtsFd = -1; if (prctl(PR_SET_CHILD_SUBREAPER, 1UL, 0UL, 0UL, 0UL) == -1) { PLOG_W("prctl(PR_SET_CHILD_SUBREAPER, 1)"); } sigset_t ss; sigemptyset(&ss); sigaddset(&ss, SIGUSR1); if (pthread_sigmask(SIG_BLOCK, &ss, NULL) != 0) { PLOG_W("Couldn't block SIGUSR1"); return false; } return true; }