path: root/runtime/afl.c
blob: 54a1f83d3fdad4e7390ee11155a3b52728e5ccb3 (plain)
/**************************************************************************/
/*                                                                        */
/*                                 OCaml                                  */
/*                                                                        */
/*                 Stephen Dolan, University of Cambridge                 */
/*                                                                        */
/*   Copyright 2016 Stephen Dolan.                                        */
/*                                                                        */
/*   All rights reserved.  This file is distributed under the terms of    */
/*   the GNU Lesser General Public License version 2.1, with the          */
/*   special exception on linking described in the file LICENSE.          */
/*                                                                        */
/**************************************************************************/

/* Runtime support for afl-fuzz */

#define CAML_INTERNALS

#include "caml/config.h"
#include "caml/memory.h"
#include "caml/mlvalues.h"

/* Values used by the instrumentation logic (see cmmgen.ml) */

/* Size in bytes of the coverage bitmap allocated when afl-fuzz is not
   attached.  caml_reset_afl_instrumentation clears this many bytes even when
   the area is afl-fuzz's shared segment, so it is assumed to match that
   segment's size (afl's MAP_SIZE) -- confirm against the afl build in use. */
#define INITIAL_AFL_AREA_SIZE (1 << 16)
/* Coverage bitmap the instrumented OCaml code stores into.  NULL until
   caml_setup_afl has run (either a private caml_stat_alloc'd area or the
   shmat'd segment supplied by afl-fuzz). */
unsigned char * caml_afl_area_ptr = NULL;
/* Previous instrumentation location, maintained by the generated code
   (cmmgen.ml); reset to 0 by caml_reset_afl_instrumentation.  Presumably
   combined with the current location to index the bitmap -- see cmmgen.ml. */
uintnat caml_afl_prev_loc;

#if !defined(HAS_SYS_SHM_H) || !defined(HAS_SHMAT)

/* Fallback build without <sys/shm.h>/shmat: afl-fuzz cannot attach, but the
   instrumented OCaml code still stores into the coverage bitmap, so a zeroed
   private area must exist.  Idempotent: an already-allocated area is kept.
   The unit argument is ignored.  Always returns Val_unit. */
CAMLexport value caml_setup_afl(value unit)
{
  unsigned char *area;

  (void)unit;
  if (caml_afl_area_ptr != NULL)
    return Val_unit;

  area = caml_stat_alloc(INITIAL_AFL_AREA_SIZE);
  /* NOTE(review): memset is used here but <string.h> is only included in the
     shm branch below; confirm it reaches this branch via the caml headers. */
  memset(area, 0, INITIAL_AFL_AREA_SIZE);
  caml_afl_area_ptr = area;
  return Val_unit;
}

/* No-op in builds without afl-fuzz support: there is no shared bitmap to
   clear.  NOTE(review): unlike the shm build, caml_afl_prev_loc is not reset
   here -- confirm that is intended.  Always returns Val_unit. */
CAMLprim value caml_reset_afl_instrumentation(value full)
{
  (void)full;  /* "full reset" flag is meaningless in this build */
  return Val_unit;
}

#else

#include <unistd.h>
#include <sys/types.h>
#include <signal.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <limits.h>

#include "caml/domain.h"
#include "caml/misc.h"
#include "caml/osdeps.h"

/* Set by the first call to caml_setup_afl; later calls return immediately
   so the fork server is never set up twice. */
static int afl_initialised = 0;

/* afl uses abnormal termination (SIGABRT) to check whether
   to count a testcase as "crashing" */
extern int caml_abort_on_uncaught_exn;

/* File descriptors used to synchronise with afl-fuzz */
/* These numbers are fixed by afl's fork-server protocol (FORKSRV_FD in
   afl's config.h): afl-fuzz places its control pipe ends on them before
   starting the target. */
#define FORKSRV_FD_READ 198
#define FORKSRV_FD_WRITE 199

/* Send one 4-byte control word to afl-fuzz over the fork-server pipe.
   Anything other than a complete 4-byte write is treated as fatal. */
static void afl_write(uint32_t msg)
{
  ssize_t written = write(FORKSRV_FD_WRITE, &msg, sizeof msg);
  if (written == (ssize_t)sizeof msg)
    return;
  caml_fatal_error("writing to afl-fuzz");
}

/* Receive one 4-byte control word from afl-fuzz over the fork-server pipe.
   A short or failed read is fatal, so the returned value is always a
   complete word. */
static uint32_t afl_read(void)
{
  uint32_t word = 0;
  ssize_t got = read(FORKSRV_FD_READ, &word, sizeof word);
  if (got != (ssize_t)sizeof word)
    caml_fatal_error("reading from afl-fuzz");
  return word;
}

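/* Initialise afl-fuzz support.  Idempotent: only the first call does any
   work (afl_initialised); later calls return Val_unit immediately.

   The System V shm id of afl-fuzz's coverage bitmap arrives in the
   __AFL_SHM_ID environment variable, read through caml_secure_getenv so
   that it is not honoured for privileged executables.  Three outcomes:

   - __AFL_SHM_ID unset: not under afl-fuzz.  Allocate and zero a private
     bitmap for the instrumented code and return.
   - Set, but the hello write on FORKSRV_FD_WRITE fails: single-run mode
     (afl-tmin uses this).  Return with the shared bitmap attached.
   - Set and the handshake succeeds: this process becomes the fork server.
     The parent never returns from this function: it forks children forever,
     reporting each child's pid and wait status over the pipe.  Only a forked
     CHILD returns Val_unit (after closing the fork-server descriptors), so
     the program proper runs in the child.

   A malformed or out-of-range shm id, shmat/fork/waitpid failure, and an
   already multicore runtime are fatal (caml_fatal_error).

   @param unit  ignored (OCaml unit argument)
   @return      Val_unit (non-fork-server cases, and in the child) */
CAMLexport value caml_setup_afl(value unit)
{
  char* shm_id_str;
  char* shm_id_end;
  long int shm_id;
  uint32_t startup_msg = 0;

  if (afl_initialised) return Val_unit;
  afl_initialised = 1;

  shm_id_str = caml_secure_getenv("__AFL_SHM_ID");
  if (shm_id_str == NULL) {
    /* Not running under afl-fuzz.  Allocate space for the bitmap
       (the instrumented OCaml code will write into it),
       and continue as normal. */
    caml_afl_area_ptr = caml_stat_alloc(INITIAL_AFL_AREA_SIZE);
    memset(caml_afl_area_ptr, 0, INITIAL_AFL_AREA_SIZE);
    return Val_unit;
  }

  /* if afl-fuzz is attached, we want it to know about uncaught exceptions */
  caml_abort_on_uncaught_exn = 1;

  /* The id must be a non-empty string that strtol consumes entirely, must
     not overflow long, and must fit the int that shmat takes: a silently
     truncated id could refer to a different segment or fail with a
     misleading error. */
  errno = 0;
  shm_id = strtol(shm_id_str, &shm_id_end, 10);
  if (!(*shm_id_str != '\0' && *shm_id_end == '\0')
      || errno == ERANGE || shm_id < INT_MIN || shm_id > INT_MAX)
    caml_fatal_error("afl-fuzz: bad shm id");

  caml_afl_area_ptr = shmat((int)shm_id, NULL, 0);
  if (caml_afl_area_ptr == (void*)-1)
    caml_fatal_error("afl-fuzz: could not attach shm area");

  /* poke the bitmap so that afl-fuzz knows we exist, even if the
     application has sparse instrumentation */
  caml_afl_area_ptr[0] = 1;

  /* synchronise with afl-fuzz */
  if (write(FORKSRV_FD_WRITE, &startup_msg, 4) != 4) {
    /* initial write failed, so assume we're not meant to fork.
       afl-tmin uses this mode. */
    return Val_unit;
  }
  /* Wait for afl-fuzz's reply before the first fork.  Its value is
     discarded: no child exists yet that it could describe. */
  afl_read();

  /* ensure that another module has not already spawned a domain */
  if (caml_domain_is_multicore())
    caml_fatal_error("afl-fuzz: cannot fork with multiple domains running");

  /* Fork-server loop.  The parent never leaves it (the inner breaks only
     end one child's lifetime); the only exits are caml_fatal_error. */
  while (1) {
    int child_pid = fork();
    if (child_pid < 0) caml_fatal_error("afl-fuzz: could not fork");
    else if (child_pid == 0) {
      caml_atfork_hook();
      /* Run the program: drop the fork-server pipe ends so the child
         cannot talk to afl-fuzz, then return into the OCaml code. */
      close(FORKSRV_FD_READ);
      close(FORKSRV_FD_WRITE);
      return Val_unit;
    }

    /* As long as the child keeps raising SIGSTOP, we re-use the same process */
    while (1) {
      int status;
      uint32_t was_killed;

      afl_write((uint32_t)child_pid);

      /* WUNTRACED means wait until termination or SIGSTOP */
      if (waitpid(child_pid, &status, WUNTRACED) < 0)
        caml_fatal_error("afl-fuzz: waitpid failed");

      afl_write((uint32_t)status);

      was_killed = afl_read();
      if (WIFSTOPPED(status)) {
        /* child stopped, waiting for another test case */
        if (was_killed) {
          /* we saw the child stop, but since then afl-fuzz killed it.
             we should wait for it before forking another child */
          if (waitpid(child_pid, &status, 0) < 0)
            caml_fatal_error("afl-fuzz: waitpid failed");
          break;
        } else {
          kill(child_pid, SIGCONT);
        }
      } else {
        /* child died */
        break;
      }
    }
  }
}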

/* Reset the instrumentation state between test cases.  The previous-location
   register is always cleared; the bitmap itself is cleared only when `full`
   is Val_true and an area exists.  The clear covers INITIAL_AFL_AREA_SIZE
   bytes even when the area is afl-fuzz's shared segment -- assumes that
   segment is at least that large (confirm against afl's MAP_SIZE).
   Always returns Val_unit. */
CAMLprim value caml_reset_afl_instrumentation(value full)
{
  unsigned char *area = caml_afl_area_ptr;

  caml_afl_prev_loc = 0;
  if (full != Val_true || area == NULL)
    return Val_unit;

  memset(area, 0, INITIAL_AFL_AREA_SIZE);
  return Val_unit;
}

#endif /* HAS_SYS_SHM_H */