1 /* 2 * 3 * honggfuzz - architecture dependent code (LINUX) 4 * ----------------------------------------- 5 * 6 * Author: Robert Swiecki <swiecki (at) google.com> 7 * 8 * Copyright 2010-2015 by Google Inc. All Rights Reserved. 9 * 10 * Licensed under the Apache License, Version 2.0 (the "License"); you may 11 * not use this file except in compliance with the License. You may obtain 12 * a copy of the License at 13 * 14 * http://www.apache.org/licenses/LICENSE-2.0 15 * 16 * Unless required by applicable law or agreed to in writing, software 17 * distributed under the License is distributed on an "AS IS" BASIS, 18 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 19 * implied. See the License for the specific language governing 20 * permissions and limitations under the License. 21 * 22 */ 23 24 #include "arch.h" 25 26 #include <ctype.h> 27 #include <dlfcn.h> 28 #include <errno.h> 29 #include <fcntl.h> 30 #include <inttypes.h> 31 #include <locale.h> 32 #include <setjmp.h> 33 #include <signal.h> 34 #include <stdio.h> 35 #include <stdlib.h> 36 #include <string.h> 37 #include <sys/cdefs.h> 38 #include <sys/personality.h> 39 #include <sys/prctl.h> 40 #include <sys/syscall.h> 41 #include <sys/time.h> 42 #include <sys/types.h> 43 #include <sys/user.h> 44 #include <sys/utsname.h> 45 #include <sys/wait.h> 46 #include <time.h> 47 #include <unistd.h> 48 49 #include "fuzz.h" 50 #include "libcommon/common.h" 51 #include "libcommon/files.h" 52 #include "libcommon/log.h" 53 #include "libcommon/ns.h" 54 #include "libcommon/util.h" 55 #include "linux/perf.h" 56 #include "linux/trace.h" 57 #include "sancov.h" 58 #include "sanitizers.h" 59 #include "subproc.h" 60 61 static inline bool arch_shouldAttach(run_t* run) { 62 if (run->global->persistent && run->linux.attachedPid == run->pid) { 63 return false; 64 } 65 if (run->global->linux.pid > 0 && run->linux.attachedPid == run->global->linux.pid) { 66 return false; 67 } 68 return true; 69 } 70 71 static uint8_t arch_clone_stack[128 * 1024]; 72 static __thread jmp_buf env; 73 74 #if defined(__has_feature) 75 #if __has_feature(address_sanitizer) 76 __attribute__((no_sanitize("address"))) __attribute__((no_sanitize("memory"))) 77 #endif /* if __has_feature(address_sanitizer) */ 78 #endif /* if defined(__has_feature) */ 79 static int 80 arch_cloneFunc(void* arg UNUSED) { 81 longjmp(env, 1); 82 abort(); 83 return 0; 84 } 85 86 /* Avoid problem with caching of PID/TID in glibc */ 87 static pid_t arch_clone(uintptr_t flags) { 88 if (flags & CLONE_VM) { 89 LOG_E("Cannot use clone(flags & CLONE_VM)"); 90 return -1; 91 } 92 93 if (setjmp(env) == 0) { 94 void* stack_mid = &arch_clone_stack[sizeof(arch_clone_stack) / 2]; 95 /* Parent */ 96 return clone(arch_cloneFunc, stack_mid, flags, NULL, NULL, NULL); 97 } 98 /* Child */ 99 return 0; 100 } 101 102 pid_t arch_fork(run_t* run) { 103 run->global->linux.useClone = true; 104 105 pid_t pid = run->global->linux.useClone ? arch_clone(CLONE_UNTRACED | SIGCHLD) : fork(); 106 if (pid == -1) { 107 return pid; 108 } 109 if (pid == 0) { 110 logMutexReset(); 111 if (prctl(PR_SET_PDEATHSIG, (unsigned long)SIGKILL, 0UL, 0UL, 0UL) == -1) { 112 PLOG_W("prctl(PR_SET_PDEATHSIG, SIGKILL)"); 113 } 114 return pid; 115 } 116 return pid; 117 } 118 119 bool arch_launchChild(run_t* run) { 120 if ((run->global->linux.cloneFlags & CLONE_NEWNET) && (nsIfaceUp("lo") == false)) { 121 LOG_W("Cannot bring interface 'lo' up"); 122 } 123 124 /* 125 * Make it attach-able by ptrace() 126 */ 127 if (prctl(PR_SET_DUMPABLE, 1UL, 0UL, 0UL, 0UL) == -1) { 128 PLOG_E("prctl(PR_SET_DUMPABLE, 1)"); 129 return false; 130 } 131 132 /* 133 * Kill a process which corrupts its own heap (with ABRT) 134 */ 135 if (setenv("MALLOC_CHECK_", "7", 0) == -1) { 136 PLOG_E("setenv(MALLOC_CHECK_=7) failed"); 137 return false; 138 } 139 if (setenv("MALLOC_PERTURB_", "85", 0) == -1) { 140 PLOG_E("setenv(MALLOC_PERTURB_=85) failed"); 141 return false; 142 } 143 144 /* 145 * Disable ASLR: 146 * This might fail in Docker, as Docker blocks __NR_personality. Consequently 147 * it's just a debug warning 148 */ 149 if (run->global->linux.disableRandomization && 150 syscall(__NR_personality, ADDR_NO_RANDOMIZE) == -1) { 151 PLOG_D("personality(ADDR_NO_RANDOMIZE) failed"); 152 } 153 #define ARGS_MAX 512 154 const char* args[ARGS_MAX + 2]; 155 char argData[PATH_MAX] = {0}; 156 int x = 0; 157 158 for (x = 0; x < ARGS_MAX && run->global->exe.cmdline[x]; x++) { 159 if (!run->global->exe.fuzzStdin && !run->global->persistent && 160 strcmp(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER) == 0) { 161 args[x] = (char*)run->fileName; 162 } else if (!run->global->exe.fuzzStdin && !run->global->persistent && 163 strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) { 164 const char* off = strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER); 165 snprintf(argData, PATH_MAX, "%.*s%s", (int)(off - run->global->exe.cmdline[x]), 166 run->global->exe.cmdline[x], run->fileName); 167 args[x] = argData; 168 } else { 169 args[x] = run->global->exe.cmdline[x]; 170 } 171 } 172 173 args[x++] = NULL; 174 175 LOG_D("Launching '%s' on file '%s'", args[0], 176 run->global->persistent ? "PERSISTENT_MODE" : run->fileName); 177 178 /* alarm persists across forks, so disable it here */ 179 alarm(0); 180 181 /* 182 * Wait for the ptrace to attach 183 */ 184 if (kill(syscall(__NR_getpid), SIGSTOP) == -1) { 185 LOG_F("Couldn't stop itself"); 186 } 187 #if defined(__NR_execveat) 188 syscall(__NR_execveat, run->global->linux.exeFd, "", args, environ, AT_EMPTY_PATH); 189 #endif /* defined__NR_execveat) */ 190 execve(args[0], (char* const*)args, environ); 191 int errno_cpy = errno; 192 alarm(1); 193 194 LOG_E("execve('%s', fd=%d): %s", args[0], run->global->linux.exeFd, strerror(errno_cpy)); 195 196 return false; 197 } 198 199 void arch_prepareParentAfterFork(run_t* run) { 200 /* Parent */ 201 if (run->global->persistent) { 202 const struct f_owner_ex fown = { 203 .type = F_OWNER_TID, 204 .pid = syscall(__NR_gettid), 205 }; 206 if (fcntl(run->persistentSock, F_SETOWN_EX, &fown)) { 207 PLOG_F("fcntl(%d, F_SETOWN_EX)", run->persistentSock); 208 } 209 if (fcntl(run->persistentSock, F_SETSIG, SIGIO) == -1) { 210 PLOG_F("fcntl(%d, F_SETSIG, SIGIO)", run->persistentSock); 211 } 212 if (fcntl(run->persistentSock, F_SETFL, O_ASYNC) == -1) { 213 PLOG_F("fcntl(%d, F_SETFL, O_ASYNC)", run->persistentSock); 214 } 215 } 216 } 217 218 static bool arch_attachToNewPid(run_t* run, pid_t pid) { 219 if (!arch_shouldAttach(run)) { 220 return true; 221 } 222 run->linux.attachedPid = pid; 223 if (!arch_traceAttach(run, pid)) { 224 LOG_W("arch_traceAttach(pid=%d) failed", pid); 225 kill(pid, SIGKILL); 226 return false; 227 } 228 229 arch_perfClose(run); 230 if (arch_perfOpen(pid, run) == false) { 231 kill(pid, SIGKILL); 232 return false; 233 } 234 235 return true; 236 } 237 238 void arch_prepareParent(run_t* run) { 239 pid_t ptracePid = (run->global->linux.pid > 0) ? run->global->linux.pid : run->pid; 240 pid_t childPid = run->pid; 241 242 if (!arch_attachToNewPid(run, ptracePid)) { 243 LOG_E("Couldn't attach to PID=%d", (int)ptracePid); 244 } 245 246 /* A long-lived process could have already exited, and we wouldn't know */ 247 if (childPid != ptracePid && kill(ptracePid, 0) == -1) { 248 if (run->global->linux.pidFile) { 249 /* If pid from file, check again for cases of auto-restart daemons that update it */ 250 /* 251 * TODO: Investigate if we need to delay here, so that target process has 252 * enough time to restart. Tricky to answer since is target dependent. 253 */ 254 if (files_readPidFromFile(run->global->linux.pidFile, &run->global->linux.pid) == 255 false) { 256 LOG_F("Failed to read new PID from file - abort"); 257 } else { 258 if (kill(run->global->linux.pid, 0) == -1) { 259 PLOG_F("Liveness of PID %d read from file questioned - abort", 260 run->global->linux.pid); 261 } else { 262 LOG_D("Monitor PID has been updated (pid=%d)", run->global->linux.pid); 263 ptracePid = run->global->linux.pid; 264 } 265 } 266 } 267 } 268 269 if (arch_perfEnable(run) == false) { 270 LOG_E("Couldn't enable perf counters for pid %d", ptracePid); 271 } 272 if (childPid != ptracePid) { 273 if (arch_traceWaitForPidStop(childPid) == false) { 274 LOG_F("PID: %d not in a stopped state", childPid); 275 } 276 if (kill(childPid, SIGCONT) == -1) { 277 PLOG_F("Restarting PID: %d failed", childPid); 278 } 279 } 280 } 281 282 static bool arch_checkWait(run_t* run) { 283 pid_t ptracePid = (run->global->linux.pid > 0) ? run->global->linux.pid : run->pid; 284 pid_t childPid = run->pid; 285 286 /* All queued wait events must be tested */ 287 for (;;) { 288 int status; 289 pid_t pid = waitpid(-1, &status, __WALL | __WNOTHREAD | WNOHANG); 290 if (pid == 0) { 291 return false; 292 } 293 if (pid == -1 && errno == EINTR) { 294 continue; 295 } 296 if (pid == -1 && errno == ECHILD) { 297 LOG_D("No more processes to track"); 298 return true; 299 } 300 if (pid == -1) { 301 PLOG_F("wait4() failed"); 302 } 303 304 char statusStr[4096]; 305 LOG_D("PID '%d' returned with status: %s", pid, 306 subproc_StatusToStr(status, statusStr, sizeof(statusStr))); 307 308 if (run->global->persistent && pid == run->persistentPid && 309 (WIFEXITED(status) || WIFSIGNALED(status))) { 310 arch_traceAnalyze(run, status, pid); 311 run->persistentPid = 0; 312 if (fuzz_isTerminating() == false) { 313 LOG_W("Persistent mode: PID %d exited with status: %s", pid, 314 subproc_StatusToStr(status, statusStr, sizeof(statusStr))); 315 } 316 return true; 317 } 318 if (ptracePid == childPid) { 319 arch_traceAnalyze(run, status, pid); 320 continue; 321 } 322 if (pid == childPid && (WIFEXITED(status) || WIFSIGNALED(status))) { 323 return true; 324 } 325 if (pid == childPid) { 326 continue; 327 } 328 329 arch_traceAnalyze(run, status, pid); 330 } 331 } 332 333 __thread sigset_t sset_io_chld; 334 void arch_reapChild(run_t* run) { 335 static const struct timespec ts = { 336 .tv_sec = 0L, 337 .tv_nsec = 250000000L, 338 }; 339 for (;;) { 340 int sig = sigtimedwait(&sset_io_chld, NULL, &ts); 341 if (sig == -1 && (errno != EAGAIN && errno != EINTR)) { 342 PLOG_F("sigtimedwait(SIGIO|SIGCHLD, 0.25s)"); 343 } 344 if (sig == -1) { 345 subproc_checkTimeLimit(run); 346 subproc_checkTermination(run); 347 } 348 if (subproc_persistentModeRoundDone(run)) { 349 break; 350 } 351 if (arch_checkWait(run)) { 352 break; 353 } 354 } 355 356 if (run->global->enableSanitizers) { 357 pid_t ptracePid = (run->global->linux.pid > 0) ? run->global->linux.pid : run->pid; 358 char crashReport[PATH_MAX]; 359 snprintf(crashReport, sizeof(crashReport), "%s/%s.%d", run->global->io.workDir, kLOGPREFIX, 360 ptracePid); 361 if (files_exists(crashReport)) { 362 if (run->backtrace) { 363 unlink(crashReport); 364 } else { 365 LOG_W( 366 "Un-handled ASan report due to compiler-rt internal error - retry with '%s' " 367 "(%s)", 368 crashReport, run->fileName); 369 370 /* Try to parse report file */ 371 arch_traceExitAnalyze(run, ptracePid); 372 } 373 } 374 } 375 376 arch_perfAnalyze(run); 377 sancov_Analyze(run); 378 } 379 380 bool arch_archInit(honggfuzz_t* hfuzz) { 381 /* Make %'d work */ 382 setlocale(LC_NUMERIC, "en_US"); 383 384 if (access(hfuzz->exe.cmdline[0], X_OK) == -1) { 385 PLOG_E("File '%s' doesn't seem to be executable", hfuzz->exe.cmdline[0]); 386 return false; 387 } 388 if ((hfuzz->linux.exeFd = open(hfuzz->exe.cmdline[0], O_RDONLY | O_CLOEXEC)) == -1) { 389 PLOG_E("Cannot open the executable binary: %s)", hfuzz->exe.cmdline[0]); 390 return false; 391 } 392 393 const char* (*gvs)(void) = dlsym(RTLD_DEFAULT, "gnu_get_libc_version"); 394 for (;;) { 395 if (!gvs) { 396 LOG_W("Unknown libc implementation. Using clone() instead of fork()"); 397 break; 398 } 399 const char* gversion = gvs(); 400 int major, minor; 401 if (sscanf(gversion, "%d.%d", &major, &minor) != 2) { 402 LOG_W("Unknown glibc version:'%s'. Using clone() instead of fork()", gversion); 403 break; 404 } 405 if ((major < 2) || (major == 2 && minor < 23)) { 406 LOG_W( 407 "Your glibc version:'%s' will most likely result in malloc()-related " 408 "deadlocks. Min. version 2.24 (Or, Ubuntu's 2.23-0ubuntu6) suggested. " 409 "See https://sourceware.org/bugzilla/show_bug.cgi?id=19431 for explanation. " 410 "Using clone() instead of fork()", 411 gversion); 412 break; 413 } 414 LOG_D("Glibc version:'%s', OK", gversion); 415 hfuzz->linux.useClone = false; 416 break; 417 } 418 419 if (hfuzz->dynFileMethod != _HF_DYNFILE_NONE) { 420 unsigned long major = 0, minor = 0; 421 char* p = NULL; 422 423 /* 424 * Check that Linux kernel is compatible 425 * 426 * Compatibility list: 427 * 1) Perf exclude_callchain_kernel requires kernel >= 3.7 428 * TODO: Runtime logic to disable it for unsupported kernels 429 * if it doesn't affect perf counters processing 430 * 2) If 'PERF_TYPE_HARDWARE' is not supported by kernel, ENOENT 431 * is returned from perf_event_open(). Unfortunately, no reliable 432 * way to detect it here. libperf exports some list functions, 433 * although small guarantees it's installed. Maybe a more targeted 434 * message at perf_event_open() error handling will help. 435 * 3) Intel's PT and new Intel BTS format require kernel >= 4.1 436 */ 437 unsigned long checkMajor = 3, checkMinor = 7; 438 if ((hfuzz->dynFileMethod & _HF_DYNFILE_BTS_EDGE) || 439 (hfuzz->dynFileMethod & _HF_DYNFILE_IPT_BLOCK)) { 440 checkMajor = 4; 441 checkMinor = 1; 442 } 443 444 struct utsname uts; 445 if (uname(&uts) == -1) { 446 PLOG_F("uname() failed"); 447 return false; 448 } 449 450 p = uts.release; 451 major = strtoul(p, &p, 10); 452 if (*p++ != '.') { 453 LOG_F("Unsupported kernel version (%s)", uts.release); 454 return false; 455 } 456 457 minor = strtoul(p, &p, 10); 458 if ((major < checkMajor) || ((major == checkMajor) && (minor < checkMinor))) { 459 LOG_E("Kernel version '%s' not supporting chosen perf method", uts.release); 460 return false; 461 } 462 463 if (arch_perfInit(hfuzz) == false) { 464 return false; 465 } 466 } 467 #if defined(__ANDROID__) && defined(__arm__) && defined(OPENSSL_ARMCAP_ABI) 468 /* 469 * For ARM kernels running Android API <= 21, if fuzzing target links to 470 * libcrypto (OpenSSL), OPENSSL_cpuid_setup initialization is triggering a 471 * SIGILL/ILLOPC at armv7_tick() due to "mrrc p15, #1, r0, r1, c14)" instruction. 472 * Setups using BoringSSL (API >= 22) are not affected. 473 */ 474 if (setenv("OPENSSL_armcap", OPENSSL_ARMCAP_ABI, 1) == -1) { 475 PLOG_E("setenv(OPENSSL_armcap) failed"); 476 return false; 477 } 478 #endif 479 480 /* If read PID from file enable - read current value */ 481 if (hfuzz->linux.pidFile) { 482 if (files_readPidFromFile(hfuzz->linux.pidFile, &hfuzz->linux.pid) == false) { 483 LOG_E("Failed to read PID from file"); 484 return false; 485 } 486 } 487 488 /* If remote pid, resolve command using procfs */ 489 if (hfuzz->linux.pid > 0) { 490 char procCmd[PATH_MAX] = {0}; 491 snprintf(procCmd, sizeof(procCmd), "/proc/%d/cmdline", hfuzz->linux.pid); 492 493 ssize_t sz = files_readFileToBufMax( 494 procCmd, (uint8_t*)hfuzz->linux.pidCmd, sizeof(hfuzz->linux.pidCmd) - 1); 495 if (sz < 1) { 496 LOG_E("Couldn't read '%s'", procCmd); 497 return false; 498 } 499 500 /* Make human readable */ 501 for (size_t i = 0; i < ((size_t)sz - 1); i++) { 502 if (hfuzz->linux.pidCmd[i] == '\0') { 503 hfuzz->linux.pidCmd[i] = ' '; 504 } 505 } 506 hfuzz->linux.pidCmd[sz] = '\0'; 507 } 508 509 /* Updates the important signal array based on input args */ 510 arch_traceSignalsInit(hfuzz); 511 512 /* 513 * If sanitizer fuzzing enabled and SIGABRT is monitored (abort_on_error=1), 514 * increase number of major frames, since top 7-9 frames will be occupied 515 * with sanitizer runtime library & libc symbols 516 */ 517 if (hfuzz->enableSanitizers && hfuzz->monitorSIGABRT) { 518 hfuzz->linux.numMajorFrames = 14; 519 } 520 521 if (hfuzz->linux.cloneFlags && unshare(hfuzz->linux.cloneFlags) == -1) { 522 LOG_E("unshare(%tx)", hfuzz->linux.cloneFlags); 523 return false; 524 } 525 526 return true; 527 } 528 529 bool arch_archThreadInit(run_t* run) { 530 run->linux.perfMmapBuf = NULL; 531 run->linux.perfMmapAux = NULL; 532 run->linux.cpuInstrFd = -1; 533 run->linux.cpuBranchFd = -1; 534 run->linux.cpuIptBtsFd = -1; 535 536 sigemptyset(&sset_io_chld); 537 sigaddset(&sset_io_chld, SIGIO); 538 sigaddset(&sset_io_chld, SIGCHLD); 539 540 return true; 541 } 542
