Pie  |  9.0.0_r8
C++程序  |  257行  |  7.35 KB 

/*
 *
 * honggfuzz - architecture dependent code (POSIX / SIGNAL)
 * -----------------------------------------
 *
 * Author: Robert Swiecki <swiecki@google.com>
 *
 * Copyright 2010-2015 by Google Inc. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License. You may obtain
 * a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 *
 */

#include "arch.h"

#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/cdefs.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include "fuzz.h"
#include "libcommon/common.h"
#include "libcommon/files.h"
#include "libcommon/log.h"
#include "libcommon/util.h"
#include "sancov.h"
#include "subproc.h"

struct {
    bool important;
    const char* descr;
} arch_sigs[NSIG] = {
    [0 ...(NSIG - 1)].important = false,
    [0 ...(NSIG - 1)].descr = "UNKNOWN",

    [SIGILL].important = true,
    [SIGILL].descr = "SIGILL",

    [SIGFPE].important = true,
    [SIGFPE].descr = "SIGFPE",

    [SIGSEGV].important = true,
    [SIGSEGV].descr = "SIGSEGV",

    [SIGBUS].important = true,
    [SIGBUS].descr = "SIGBUS",

    /* Is affected from monitorSIGABRT flag */
    [SIGABRT].important = false,
    [SIGABRT].descr = "SIGABRT",

    /* Is affected from tmout_vtalrm flag */
    [SIGVTALRM].important = false,
    [SIGVTALRM].descr = "SIGVTALRM-TMOUT",
};

/*
 * Returns true if a process exited (so, presumably, we can delete an input
 * file)
 */
static bool arch_analyzeSignal(run_t* run, int status) {
    /*
     * Resumed by delivery of SIGCONT
     */
    if (WIFCONTINUED(status)) {
        return false;
    }

    if (WIFEXITED(status) || WIFSIGNALED(status)) {
        sancov_Analyze(run);
    }

    /*
     * Boring, the process just exited
     */
    if (WIFEXITED(status)) {
        LOG_D("Process (pid %d) exited normally with status %d", run->pid, WEXITSTATUS(status));
        return true;
    }

    /*
     * Shouldn't really happen, but, well..
     */
    if (!WIFSIGNALED(status)) {
        LOG_E("Process (pid %d) exited with the following status %d, please report that as a bug",
            run->pid, status);
        return true;
    }

    int termsig = WTERMSIG(status);
    LOG_D("Process (pid %d) killed by signal %d '%s'", run->pid, termsig, strsignal(termsig));
    if (!arch_sigs[termsig].important) {
        LOG_D("It's not that important signal, skipping");
        return true;
    }

    char localtmstr[PATH_MAX];
    util_getLocalTime("%F.%H.%M.%S", localtmstr, sizeof(localtmstr), time(NULL));

    char newname[PATH_MAX];

    /* If dry run mode, copy file with same name into workspace */
    if (run->global->mutationsPerRun == 0U && run->global->useVerifier) {
        snprintf(newname, sizeof(newname), "%s", run->origFileName);
    } else {
        snprintf(newname, sizeof(newname), "%s/%s.PID.%d.TIME.%s.%s", run->global->io.crashDir,
            arch_sigs[termsig].descr, run->pid, localtmstr, run->global->io.fileExtn);
    }

    LOG_I("Ok, that's interesting, saving the '%s' as '%s'", run->fileName, newname);

    /*
     * All crashes are marked as unique due to lack of information in POSIX arch
     */
    ATOMIC_POST_INC(run->global->cnts.crashesCnt);
    ATOMIC_POST_INC(run->global->cnts.uniqueCrashesCnt);

    if (files_writeBufToFile(
            newname, run->dynamicFile, run->dynamicFileSz, O_CREAT | O_EXCL | O_WRONLY) == false) {
        LOG_E("Couldn't copy '%s' to '%s'", run->fileName, run->crashFileName);
    }

    return true;
}

pid_t arch_fork(run_t* fuzzer UNUSED) { return fork(); }

bool arch_launchChild(run_t* run) {
#define ARGS_MAX 512
    const char* args[ARGS_MAX + 2];
    char argData[PATH_MAX] = {0};
    int x;

    for (x = 0; x < ARGS_MAX && run->global->exe.cmdline[x]; x++) {
        if (!run->global->exe.fuzzStdin &&
            strcmp(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER) == 0) {
            args[x] = run->fileName;
        } else if (!run->global->exe.fuzzStdin &&
                   strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) {
            const char* off = strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER);
            snprintf(argData, PATH_MAX, "%.*s%s", (int)(off - run->global->exe.cmdline[x]),
                run->global->exe.cmdline[x], run->fileName);
            args[x] = argData;
        } else {
            args[x] = run->global->exe.cmdline[x];
        }
    }

    args[x++] = NULL;

    LOG_D("Launching '%s' on file '%s'", args[0], run->fileName);

    /* alarm persists across forks, so disable it here */
    alarm(0);
    execvp(args[0], (char* const*)args);
    alarm(1);

    return false;
}

void arch_prepareParent(run_t* fuzzer UNUSED) {}

void arch_prepareParentAfterFork(run_t* fuzzer UNUSED) {}

void arch_reapChild(run_t* run) {
    for (;;) {
        if (run->global->persistent) {
            struct pollfd pfd = {
                .fd = run->persistentSock,
                .events = POLLIN,
            };
            int r = poll(&pfd, 1, 250 /* 0.25s */);
            if (r == 0 || (r == -1 && errno == EINTR)) {
                subproc_checkTimeLimit(run);
                subproc_checkTermination(run);
            }
            if (r == -1 && errno != EINTR) {
                PLOG_F("poll(fd=%d)", run->persistentSock);
            }
        }
        if (subproc_persistentModeRoundDone(run) == true) {
            break;
        }

        int status;
        int flags = run->global->persistent ? WNOHANG : 0;
        int ret = waitpid(run->pid, &status, flags);
        if (ret == 0) {
            continue;
        }
        if (ret == -1 && errno == EINTR) {
            subproc_checkTimeLimit(run);
            continue;
        }
        if (ret == -1) {
            PLOG_W("waitpid(pid=%d)", run->pid);
            continue;
        }
        if (ret != run->pid) {
            continue;
        }

        char strStatus[4096];
        if (run->global->persistent && ret == run->persistentPid &&
            (WIFEXITED(status) || WIFSIGNALED(status))) {
            run->persistentPid = 0;
            if (fuzz_isTerminating() == false) {
                LOG_W("Persistent mode: PID %d exited with status: %s", ret,
                    subproc_StatusToStr(status, strStatus, sizeof(strStatus)));
            }
        }

        LOG_D("Process (pid %d) came back with status: %s", run->pid,
            subproc_StatusToStr(status, strStatus, sizeof(strStatus)));

        if (arch_analyzeSignal(run, status)) {
            break;
        }
    }
}

bool arch_archInit(honggfuzz_t* hfuzz) {
    /* Default is true for all platforms except Android */
    arch_sigs[SIGABRT].important = hfuzz->monitorSIGABRT;

    /* Default is false */
    arch_sigs[SIGVTALRM].important = hfuzz->timing.tmoutVTALRM;

    return true;
}

void arch_sigFunc(int sig UNUSED) { return; }

bool arch_archThreadInit(run_t* fuzzer UNUSED) { return true; }