/* * * honggfuzz - architecture dependent code (MAC OS X) * ----------------------------------------- * * Author: Robert Swiecki <swiecki@google.com> Felix Gröbert * <groebert@google.com> * * Copyright 2010-2015 by Google Inc. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. You may obtain * a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or * implied. See the License for the specific language governing * permissions and limitations under the License. * */ #include "arch.h" #include <ctype.h> #include <dirent.h> #include <errno.h> #include <fcntl.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/cdefs.h> #include <sys/mman.h> #include <sys/resource.h> #include <sys/stat.h> #include <sys/time.h> #include <sys/types.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> #include "honggfuzz.h" #include "libcommon/common.h" #include "libcommon/files.h" #include "libcommon/log.h" #include "libcommon/util.h" #include "sancov.h" #include "subproc.h" #include <mach/i386/thread_status.h> #include <mach/mach.h> #include <mach/mach_types.h> #include <mach/mach_vm.h> #include <mach/task_info.h> #include <pthread.h> #include <servers/bootstrap.h> #include "mach_exc.h" #include "mach_excServer.h" #import <Foundation/Foundation.h> /* * Interface to third_party/CrashReport_*.o */ @interface CrashReport : NSObject - (id)initWithTask:(task_t)task exceptionType:(exception_type_t)anExceptionType exceptionCode:(mach_exception_data_t)anExceptionCode exceptionCodeCount:(mach_msg_type_number_t)anExceptionCodeCount thread:(thread_t)thread threadStateFlavor:(thread_state_flavor_t)aThreadStateFlavor threadState:(thread_state_data_t)aThreadState threadStateCount:(mach_msg_type_number_t)aThreadStateCount; @end /* * Global to have exception port available in the collection thread */ static mach_port_t g_exception_port = MACH_PORT_NULL; /* * From xnu/bsd/sys/proc_internal.h */ #define PID_MAX 99999 /* * Global to store crash info in exception handler thread */ run_t g_fuzzer_crash_information[PID_MAX + 1]; /* * Global to store the CrashWrangler generated callstack from * the exception handler thread */ static char* g_fuzzer_crash_callstack[PID_MAX + 1]; /* * Global to have a unique service name for each honggfuzz process */ char g_service_name[256]; struct { bool important; const char* descr; } arch_sigs[NSIG]; __attribute__((constructor)) void arch_initSigs(void) { for (int x = 0; x < NSIG; x++) arch_sigs[x].important = false; arch_sigs[SIGILL].important = true; arch_sigs[SIGILL].descr = "SIGILL"; arch_sigs[SIGFPE].important = true; arch_sigs[SIGFPE].descr = "SIGFPE"; arch_sigs[SIGSEGV].important = true; arch_sigs[SIGSEGV].descr = "SIGSEGV"; arch_sigs[SIGBUS].important = true; arch_sigs[SIGBUS].descr = "SIGBUS"; /* Is affected from monitorSIGABRT flag */ arch_sigs[SIGABRT].important = true; arch_sigs[SIGABRT].descr = "SIGABRT"; /* Is affected from tmoutVTALRM flag */ arch_sigs[SIGVTALRM].important = false; arch_sigs[SIGVTALRM].descr = "SIGVTALRM"; } const char* exception_to_string(int exception) { switch (exception) { case EXC_BAD_ACCESS: return "EXC_BAD_ACCESS"; case EXC_BAD_INSTRUCTION: return "EXC_BAD_INSTRUCTION"; case EXC_ARITHMETIC: return "EXC_ARITHMETIC"; case EXC_EMULATION: return "EXC_EMULATION"; case EXC_SOFTWARE: return "EXC_SOFTWARE"; case EXC_BREAKPOINT: return "EXC_BREAKPOINT"; case EXC_SYSCALL: return "EXC_SYSCALL"; case EXC_MACH_SYSCALL: return "EXC_MACH_SYSCALL"; case EXC_RPC_ALERT: return "EXC_RPC_ALERT"; case EXC_CRASH: return "EXC_CRASH"; } return "UNKNOWN"; } static void arch_generateReport(run_t* run, int termsig) { run->report[0] = '\0'; util_ssnprintf(run->report, sizeof(run->report), "ORIG_FNAME: %s\n", run->origFileName); util_ssnprintf(run->report, sizeof(run->report), "FUZZ_FNAME: %s\n", run->crashFileName); util_ssnprintf(run->report, sizeof(run->report), "PID: %d\n", run->pid); util_ssnprintf( run->report, sizeof(run->report), "SIGNAL: %s (%d)\n", arch_sigs[termsig].descr, termsig); util_ssnprintf( run->report, sizeof(run->report), "EXCEPTION: %s\n", exception_to_string(run->exception)); util_ssnprintf(run->report, sizeof(run->report), "FAULT ADDRESS: %p\n", run->access); util_ssnprintf(run->report, sizeof(run->report), "CRASH FRAME PC: %p\n", run->pc); util_ssnprintf(run->report, sizeof(run->report), "STACK HASH: %016llx\n", run->backtrace); if (g_fuzzer_crash_callstack[run->pid]) { util_ssnprintf( run->report, sizeof(run->report), "STACK: \n%s\n", g_fuzzer_crash_callstack[run->pid]); } else { util_ssnprintf(run->report, sizeof(run->report), "STACK: \n Callstack not available.\n"); } return; } /* * Returns true if a process exited (so, presumably, we can delete an input * file) */ static bool arch_analyzeSignal(run_t* run, int status) { /* * Resumed by delivery of SIGCONT */ if (WIFCONTINUED(status)) { return false; } if (WIFEXITED(status) || WIFSIGNALED(status)) { sancov_Analyze(run); } /* * Boring, the process just exited */ if (WIFEXITED(status)) { LOG_D("Process (pid %d) exited normally with status %d", run->pid, WEXITSTATUS(status)); return true; } /* * Shouldn't really happen, but, well.. */ if (!WIFSIGNALED(status)) { LOG_E("Process (pid %d) exited with the following status %d, please report that as a bug", run->pid, status); return true; } int termsig = WTERMSIG(status); LOG_D("Process (pid %d) killed by signal %d '%s'", run->pid, termsig, strsignal(termsig)); if (!arch_sigs[termsig].important) { LOG_D("It's not that important signal, skipping"); return true; } /* * Signal is interesting */ /* * Increase crashes counter presented by ASCII display */ ATOMIC_POST_INC(run->global->cnts.crashesCnt); /* * Get data from exception handler */ run->pc = g_fuzzer_crash_information[run->pid].pc; run->exception = g_fuzzer_crash_information[run->pid].exception; run->access = g_fuzzer_crash_information[run->pid].access; run->backtrace = g_fuzzer_crash_information[run->pid].backtrace; defer { if (g_fuzzer_crash_callstack[run->pid]) { free(g_fuzzer_crash_callstack[run->pid]); g_fuzzer_crash_callstack[run->pid] = NULL; } }; /* * Check if stackhash is blacklisted */ if (run->global->blacklist && (fastArray64Search(run->global->blacklist, run->global->blacklistCnt, run->backtrace) != -1)) { LOG_I("Blacklisted stack hash '%" PRIx64 "', skipping", run->backtrace); ATOMIC_POST_INC(run->global->cnts.blCrashesCnt); return true; } /* If dry run mode, copy file with same name into workspace */ if (run->global->mutationsPerRun == 0U && run->global->useVerifier) { snprintf(run->crashFileName, sizeof(run->crashFileName), "%s/%s", run->global->io.crashDir, run->origFileName); } else if (run->global->io.saveUnique) { snprintf(run->crashFileName, sizeof(run->crashFileName), "%s/%s.%s.PC.%.16llx.STACK.%.16llx.ADDR.%.16llx.%s", run->global->io.crashDir, arch_sigs[termsig].descr, exception_to_string(run->exception), run->pc, run->backtrace, run->access, run->global->io.fileExtn); } else { char localtmstr[PATH_MAX]; util_getLocalTime("%F.%H.%M.%S", localtmstr, sizeof(localtmstr), time(NULL)); snprintf(run->crashFileName, sizeof(run->crashFileName), "%s/%s.%s.PC.%.16llx.STACK.%.16llx.ADDR.%.16llx.TIME.%s.PID.%.5d.%s", run->global->io.crashDir, arch_sigs[termsig].descr, exception_to_string(run->exception), run->pc, run->backtrace, run->access, localtmstr, run->pid, run->global->io.fileExtn); } if (files_exists(run->crashFileName)) { LOG_I("It seems that '%s' already exists, skipping", run->crashFileName); // Clear filename so that verifier can understand we hit a duplicate memset(run->crashFileName, 0, sizeof(run->crashFileName)); return true; } if (files_writeBufToFile(run->crashFileName, run->dynamicFile, run->dynamicFileSz, O_CREAT | O_EXCL | O_WRONLY) == false) { LOG_E("Couldn't copy '%s' to '%s'", run->fileName, run->crashFileName); return true; } LOG_I("Ok, that's interesting, saved '%s' as '%s'", run->fileName, run->crashFileName); ATOMIC_POST_INC(run->global->cnts.uniqueCrashesCnt); /* If unique crash found, reset dynFile counter */ ATOMIC_CLEAR(run->global->dynFileIterExpire); arch_generateReport(run, termsig); return true; } pid_t arch_fork(run_t* run UNUSED) { return fork(); } bool arch_launchChild(run_t* run) { #define ARGS_MAX 512 const char* args[ARGS_MAX + 2]; char argData[PATH_MAX] = {0}; int x; for (x = 0; x < ARGS_MAX && run->global->exe.cmdline[x]; x++) { if (!run->global->exe.fuzzStdin && strcmp(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER) == 0) { args[x] = run->fileName; } else if (!run->global->exe.fuzzStdin && strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) { const char* off = strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER); snprintf(argData, PATH_MAX, "%.*s%s", (int)(off - run->global->exe.cmdline[x]), run->global->exe.cmdline[x], run->fileName); args[x] = argData; } else { args[x] = run->global->exe.cmdline[x]; } } args[x++] = NULL; LOG_D("Launching '%s' on file '%s'", args[0], run->fileName); /* * Get child's bootstrap port. */ mach_port_t child_bootstrap = MACH_PORT_NULL; if (task_get_bootstrap_port(mach_task_self(), &child_bootstrap) != KERN_SUCCESS) { return false; } /* * Get exception port. */ mach_port_t exception_port = MACH_PORT_NULL; if (bootstrap_look_up(child_bootstrap, g_service_name, &exception_port) != KERN_SUCCESS) { return false; } /* * Here we register the exception port in the child */ if (task_set_exception_ports(mach_task_self(), EXC_MASK_CRASH, exception_port, EXCEPTION_STATE_IDENTITY | MACH_EXCEPTION_CODES, MACHINE_THREAD_STATE) != KERN_SUCCESS) { return false; } /* alarm persists across forks, so disable it here */ alarm(0); execvp(args[0], (char* const*)args); alarm(1); return false; } void arch_prepareParent(run_t* run UNUSED) {} void arch_prepareParentAfterFork(run_t* run UNUSED) {} void arch_reapChild(run_t* run) { /* * First check manually if we have expired children */ subproc_checkTimeLimit(run); /* * Now check for signals using wait4 */ int options = WUNTRACED; if (run->global->timing.tmOut) { options |= WNOHANG; } for (;;) { int status = 0; while (wait4(run->pid, &status, options, NULL) != run->pid) { if (run->global->timin.tmOut) { subproc_checkTimeLimit(run); usleep(0.20 * 1000000); } } char strStatus[4096]; LOG_D("Process (pid %d) came back with status: %s", run->pid, subproc_StatusToStr(status, strStatus, sizeof(strStatus))); if (arch_analyzeSignal(run, status)) { return; } } } void* wait_for_exception() { while (1) { mach_msg_server_once(mach_exc_server, 4096, g_exception_port, MACH_MSG_OPTION_NONE); } } /* * Called once before fuzzing starts. Prepare mach ports for attaching crash reporter. */ bool arch_archInit(honggfuzz_t* hfuzz) { char plist[PATH_MAX]; snprintf(plist, sizeof(plist), "/Users/%s/Library/Preferences/com.apple.DebugSymbols.plist", getlogin()); if (files_exists(plist)) { LOG_W( "honggfuzz won't work if DBGShellCommands are set in " "~/Library/Preferences/com.apple.DebugSymbols.plist"); } /* * Allocate exception port. */ if (mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &g_exception_port) != KERN_SUCCESS) { return false; } /* * Insert exception receive port. */ if (mach_port_insert_right(mach_task_self(), g_exception_port, g_exception_port, MACH_MSG_TYPE_MAKE_SEND) != KERN_SUCCESS) { return false; } /* * Get bootstrap port. */ mach_port_t bootstrap = MACH_PORT_NULL; if (task_get_bootstrap_port(mach_task_self(), &bootstrap) != KERN_SUCCESS) { return false; } /* * Generate and register exception port service. */ snprintf(g_service_name, sizeof(g_service_name), "com.google.code.honggfuzz.%d", (int)util_rndGet(0, 999999)); if (bootstrap_check_in(bootstrap, g_service_name, &g_exception_port) != KERN_SUCCESS) { return false; } /* * Create a collection thread to catch the exceptions from the * children */ pthread_t exception_thread; if (pthread_create(&exception_thread, NULL, wait_for_exception, 0)) { LOG_F("Parent: could not create thread to wait for child's exception"); return false; } if (pthread_detach(exception_thread)) { LOG_F("Parent: could not detach thread to wait for child's exception"); return false; } /* Default is true for all platforms except Android */ arch_sigs[SIGABRT].important = hfuzz->monitorSIGABRT; /* Default is false */ arch_sigs[SIGVTALRM].important = hfuzz->tmoutVTALRM; return true; } #ifdef DEBUG /* * Write the crash report to DEBUG */ static void write_crash_report(thread_port_t thread, task_port_t task, exception_type_t exception, mach_exception_data_t code, mach_msg_type_number_t code_count, int* flavor, thread_state_t in_state, mach_msg_type_number_t in_state_count) { NSAutoreleasePool* pool = [[NSAutoreleasePool alloc] init]; CrashReport* _crashReport = nil; _crashReport = [[CrashReport alloc] initWithTask:task exceptionType:exception exceptionCode:code exceptionCodeCount:code_count thread:thread threadStateFlavor:*flavor threadState:(thread_state_t)in_state threadStateCount:in_state_count]; NSString* crashDescription = [_crashReport description]; char* description = (char*)[crashDescription UTF8String]; LOG_D("CrashReport: %s", description); [_crashReport release]; [pool drain]; } #endif /* Hash the callstack in an unique way */ static uint64_t hash_callstack(thread_port_t thread, task_port_t task, exception_type_t exception, mach_exception_data_t code, mach_msg_type_number_t code_count, int* flavor, thread_state_t in_state, mach_msg_type_number_t in_state_count) { NSAutoreleasePool* pool = [[NSAutoreleasePool alloc] init]; CrashReport* _crashReport = nil; _crashReport = [[CrashReport alloc] initWithTask:task exceptionType:exception exceptionCode:code exceptionCodeCount:code_count thread:thread threadStateFlavor:*flavor threadState:(thread_state_t)in_state threadStateCount:in_state_count]; NSString* crashDescription = [_crashReport description]; char* description = (char*)[crashDescription UTF8String]; /* * The callstack begins with the following word */ char* callstack = strstr(description, "Crashed:"); if (callstack == NULL) { LOG_F("Could not find callstack in crash report %s", description); } /* * Scroll forward to the next newline */ char* callstack_start = strstr(callstack, "\n"); if (callstack_start == NULL) { LOG_F("Could not find callstack start in crash report %s", description); } /* * Skip the newline */ callstack_start++; /* * Determine the end of the callstack */ char* callstack_end = strstr(callstack_start, "\n\nThread"); if (callstack_end == NULL) { LOG_F("Could not find callstack end in crash report %s", description); } if (callstack_end <= callstack_start) { LOG_F("Malformed callstack: %s", description); } /* * Check for too large callstack. */ #define MAX_CALLSTACK_SIZE 4096 const size_t callstack_size = (callstack_end - callstack_start); if (callstack_size > MAX_CALLSTACK_SIZE) { LOG_W("Too large callstack (%zu bytes), truncating to %d bytes", callstack_size, MAX_CALLSTACK_SIZE); callstack_start[MAX_CALLSTACK_SIZE] = '\0'; callstack_end = callstack_start + MAX_CALLSTACK_SIZE; } pid_t pid; pid_for_task(task, &pid); char** buf = &g_fuzzer_crash_callstack[pid]; /* * Check for memory leaks. This shouldn't happen. */ if (*buf) { LOG_E("Memory leak: arch_analyzeSignal didn't free previous callstack"); free(*buf); *buf = NULL; } /* * Copy the CrashWrangler formatted callstack and make sure * it's NULL-terminated. */ *callstack_end = '\0'; *buf = util_StrDup(callstack_start); /* * * For each line, we only take the last three nibbles from the * address. * * Sample outputs: * * 0 libsystem_kernel.dylib 0x00007fff80514d46 __kill + 10 * 1 libsystem_c.dylib 0x00007fff85731ec0 __abort + 193 * 2 libsystem_c.dylib 0x00007fff85732d17 __stack_chk_fail + 195 * 3 stack_buffer_overflow64-stripped 0x000000010339def5 0x10339d000 + 3829 * 4 ??? 0x4141414141414141 0 + 4702111234474983745 * * 0 libsystem_kernel.dylib 0x00007fff80514d46 __kill + 10 * 1 libsystem_c.dylib 0x00007fff85731ec0 __abort + 193 * 2 libsystem_c.dylib 0x00007fff85732d17 __stack_chk_fail + 195 * 3 stack_buffer_overflow64 0x0000000108f41ef5 main + 133 * 4 ??? 0x4141414141414141 0 + 4702111234474983745 * * 0 libsystem_kernel.dylib 0x940023ba __kill + 10 * 1 libsystem_kernel.dylib 0x940014bc kill$UNIX2003 + 32 * 2 libsystem_c.dylib 0x926f362e __abort + 246 * 3 libsystem_c.dylib 0x926c2b60 __chk_fail + 49 * 4 libsystem_c.dylib 0x926c2bf9 __memset_chk + 53 * 5 stack_buffer_overflow32-stripped 0x00093ee5 0x93000 + 3813 * 6 libdyld.dylib 0x978c6725 start + 1 * * 0 libsystem_kernel.dylib 0x940023ba __kill + 10 * 1 libsystem_kernel.dylib 0x940014bc kill$UNIX2003 + 32 * 2 libsystem_c.dylib 0x926f362e __abort + 246 * 3 libsystem_c.dylib 0x926c2b60 __chk_fail + 49 * 4 libsystem_c.dylib 0x926c2bf9 __memset_chk + 53 * 5 stack_buffer_overflow32 0x0003cee5 main + 117 * 6 libdyld.dylib 0x978c6725 start + 1 * */ uint64_t hash = 0; char* pos = callstack_start; /* * Go through each line until we run out of lines */ while (strstr(pos, "\t") != NULL) { /* * Format: dylib spaces tab address space symbol space plus space offset * Scroll pos forward to the last three nibbles of the address. */ if ((pos = strstr(pos, "\t")) == NULL) break; if ((pos = strstr(pos, " ")) == NULL) break; pos = pos - 3; /* * Hash the last three nibbles */ hash ^= util_hash(pos, 3); /* * Scroll pos one forward to skip the current tab */ pos++; } LOG_D("Callstack hash %llu", hash); [_crashReport release]; [pool drain]; return hash; } kern_return_t catch_mach_exception_raise(mach_port_t exception_port, mach_port_t thread, mach_port_t task, exception_type_t exception, mach_exception_data_t code, mach_msg_type_number_t codeCnt) { LOG_F("This function should never get called"); return KERN_SUCCESS; } kern_return_t catch_mach_exception_raise_state(mach_port_t exception_port, exception_type_t exception, const mach_exception_data_t code, mach_msg_type_number_t codeCnt, int* flavor, const thread_state_t old_state, mach_msg_type_number_t old_stateCnt, thread_state_t new_state, mach_msg_type_number_t* new_stateCnt) { LOG_F("This function should never get called"); return KERN_SUCCESS; } kern_return_t catch_mach_exception_raise_state_identity( __attribute__((unused)) exception_port_t exception_port, thread_port_t thread, task_port_t task, exception_type_t exception, mach_exception_data_t code, mach_msg_type_number_t code_count, int* flavor, thread_state_t in_state, mach_msg_type_number_t in_state_count, thread_state_t out_state, mach_msg_type_number_t* out_state_count) { if (exception != EXC_CRASH) { LOG_F("Got non EXC_CRASH! This should not happen."); } /* * We will save our results to the honggfuzz_t global */ pid_t pid; pid_for_task(task, &pid); LOG_D("Crash of pid %d", pid); run_t* run = &g_fuzzer_crash_information[pid]; /* * Get program counter. * Cast to void* in order to silence the alignment warnings */ x86_thread_state_t* platform_in_state = ((x86_thread_state_t*)(void*)in_state); if (x86_THREAD_STATE32 == platform_in_state->tsh.flavor) { run->pc = platform_in_state->uts.ts32.__eip; } else { run->pc = platform_in_state->uts.ts64.__rip; } /* * Get the exception type */ exception_type_t exception_type = ((code[0] >> 20) & 0x0F); if (exception_type == 0) { exception_type = EXC_CRASH; } run->exception = exception_type; /* * Get the access address. */ mach_exception_data_type_t exception_data[2]; memcpy(exception_data, code, sizeof(exception_data)); exception_data[0] = (code[0] & ~(0x00000000FFF00000)); exception_data[1] = code[1]; mach_exception_data_type_t access_address = exception_data[1]; run->access = (uint64_t)access_address; /* * Get a hash of the callstack */ uint64_t hash = hash_callstack(thread, task, exception, code, code_count, flavor, in_state, in_state_count); run->backtrace = hash; #ifdef DEBUG write_crash_report(thread, task, exception, code, code_count, flavor, in_state, in_state_count); #endif /* * Cleanup */ if (mach_port_deallocate(mach_task_self(), task) != KERN_SUCCESS) { LOG_W("Exception Handler: Could not deallocate task"); } if (mach_port_deallocate(mach_task_self(), thread) != KERN_SUCCESS) { LOG_W("Exception Handler: Could not deallocate thread"); } /* * KERN_SUCCESS indicates that this should not be forwarded to other crash * handlers */ return KERN_SUCCESS; } bool arch_archThreadInit(run_t* run UNUSED) { return true; }