1 /*
2    american fuzzy lop++ - shared memory related code
3    -------------------------------------------------
4 
5    Originally written by Michal Zalewski
6 
7    Forkserver design by Jann Horn <jannhorn@googlemail.com>
8 
9    Now maintained by Marc Heuse <mh@mh-sec.de>,
10                         Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
11                         Andrea Fioraldi <andreafioraldi@gmail.com>
12 
13    Copyright 2016, 2017 Google Inc. All rights reserved.
14    Copyright 2019-2022 AFLplusplus Project. All rights reserved.
15 
16    Licensed under the Apache License, Version 2.0 (the "License");
17    you may not use this file except in compliance with the License.
18    You may obtain a copy of the License at:
19 
20      https://www.apache.org/licenses/LICENSE-2.0
21 
22    Shared code to handle the shared memory. This is used by the fuzzer
23    as well the other components like afl-tmin, afl-showmap, etc...
24 
25  */
26 
27 #define AFL_MAIN
28 
29 #ifdef __ANDROID__
30   #include "android-ashmem.h"
31 #endif
32 #include "config.h"
33 #include "types.h"
34 #include "debug.h"
35 #include "alloc-inl.h"
36 #include "hash.h"
37 #include "sharedmem.h"
38 #include "cmplog.h"
39 #include "list.h"
40 
41 #include <stdio.h>
42 #include <unistd.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <time.h>
46 #include <errno.h>
47 #include <signal.h>
48 #include <dirent.h>
49 #include <fcntl.h>
50 
51 #include <sys/wait.h>
52 #include <sys/time.h>
53 #include <sys/stat.h>
54 #include <sys/types.h>
55 #include <sys/resource.h>
56 #include <sys/mman.h>
57 
58 #ifndef USEMMAP
59   #include <sys/ipc.h>
60   #include <sys/shm.h>
61 #endif
62 
/* Registry of every sharedmem_t handed out by afl_shm_init(); entries are
   taken out again by afl_shm_deinit(). Starts empty with no preallocated
   list elements. */
static list_t shm_list = {.element_prealloc_count = 0};
64 
65 /* Get rid of shared memory. */
66 
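/* Release everything afl_shm_init() set up for shm: drop it from shm_list,
   withdraw the environment variable(s) that advertised the segment(s) to
   targets, and release the mapping(s) and their kernel objects. Calling it
   with NULL is a no-op. On return shm->map and shm->cmp_map are NULL and the
   previous pointers must not be dereferenced any more. */

void afl_shm_deinit(sharedmem_t *shm) {

  if (shm == NULL) { return; }
  list_remove(&shm_list, shm);

  /* A segment created in shmemfuzz mode is advertised under SHM_FUZZ_ENV_VAR
     instead of SHM_ENV_VAR; withdraw whichever one afl_shm_init() exported. */
  if (shm->shmemfuzz_mode) {

    unsetenv(SHM_FUZZ_ENV_VAR);

  } else {

    unsetenv(SHM_ENV_VAR);

  }

  /* afl_shm_init() exports the cmplog id/path in both back ends, so it is
     withdrawn for both here as well (not only under USEMMAP). */
  if (shm->cmplog_mode) { unsetenv(CMPLOG_SHM_ENV_VAR); }

#ifdef USEMMAP
  if (shm->map != NULL) {

    munmap(shm->map, shm->map_size);
    shm->map = NULL;

  }

  if (shm->g_shm_fd != -1) {

    close(shm->g_shm_fd);
    shm->g_shm_fd = -1;

  }

  /* shm_unlink() removes the name so nobody can open the segment again; the
     path is cleared so a repeated deinit cannot unlink a re-used name. */
  if (shm->g_shm_file_path[0]) {

    shm_unlink(shm->g_shm_file_path);
    shm->g_shm_file_path[0] = 0;

  }

  if (shm->cmplog_mode) {

    if (shm->cmp_map != NULL) {

      /* afl_shm_init() maps the cmplog segment with map_size as well. */
      munmap(shm->cmp_map, shm->map_size);
      shm->cmp_map = NULL;

    }

    if (shm->cmplog_g_shm_fd != -1) {

      close(shm->cmplog_g_shm_fd);
      shm->cmplog_g_shm_fd = -1;

    }

    if (shm->cmplog_g_shm_file_path[0]) {

      shm_unlink(shm->cmplog_g_shm_file_path);
      shm->cmplog_g_shm_file_path[0] = 0;

    }

  }

#else
  /* IPC_RMID only marks the segment for destruction; the kernel reclaims it
     once the last attached process detaches. Without shmdt() this process
     keeps its attachment until exit, so a deinit/init cycle within one
     process accumulates stale mappings. The (void *)-1 test mirrors the
     shmat() failure check in afl_shm_init(). */
  shmctl(shm->shm_id, IPC_RMID, NULL);
  if (shm->map != NULL && shm->map != (void *)-1) { shmdt(shm->map); }

  if (shm->cmplog_mode) {

    shmctl(shm->cmplog_shm_id, IPC_RMID, NULL);
    if (shm->cmp_map != NULL && shm->cmp_map != (void *)-1) {

      shmdt(shm->cmp_map);

    }

  }

#endif

  shm->map = NULL;
  shm->cmp_map = NULL;

}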
138 
139 /* Configure shared memory.
140    Returns a pointer to shm->map for ease of use.
141 */
142 
u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
                 unsigned char non_instrumented_mode) {

  /* Create the coverage map segment - and, when shm->cmplog_mode was set by
     the caller beforehand (it is only read here), the cmplog segment - map
     them into this process, advertise them via SHM_ENV_VAR /
     CMPLOG_SHM_ENV_VAR unless non_instrumented_mode is non-zero, register shm
     in shm_list and return shm->map. Every failure path ends in PFATAL(), so
     the return value is never NULL. Release with afl_shm_deinit(). Two back
     ends are compiled alternatively: POSIX shm_open()/mmap() (USEMMAP) and
     SysV shmget()/shmat(). */

  /* Reset the fields afl_shm_deinit() inspects; they are filled in below. */
  shm->map_size = 0;

  shm->map = NULL;
  shm->cmp_map = NULL;

#ifdef USEMMAP

  shm->g_shm_fd = -1;
  shm->cmplog_g_shm_fd = -1;

  /* O_EXCL: refuse a name that already exists, so a predictable or colliding
     name fails hard in the checks below instead of silently sharing another
     process's segment. */
  const int shmflags = O_RDWR | O_EXCL;

  /* ======
  generate random file name for multi instance

  thanks to f*cking glibc we can not use tmpnam securely, it generates a
  security warning that cannot be suppressed
  so we do this worse workaround */
  /* random() is only as unpredictable as the caller's seeding; uniqueness is
     enforced by O_EXCL, not by the name. NOTE(review): L_tmpnam is used as
     the bound here - confirm g_shm_file_path (sharedmem.h) is at least that
     large. */
  snprintf(shm->g_shm_file_path, L_tmpnam, "/afl_%d_%ld", getpid(), random());

  #ifdef SHM_LARGEPAGE_ALLOC_DEFAULT
  /* trying to get large memory segment optimised and monitorable separately as
   * such */
  /* FreeBSD large-page API: the supported page sizes are queried once and
     cached in the static array (sizes[0] == (size_t)-1 means "not yet"). */
  static size_t sizes[4] = {(size_t)-1};
  static int    psizes = 0;
  int           i;
  if (sizes[0] == (size_t)-1) { psizes = getpagesizes(sizes, 4); }

  /* very unlikely to fail even if the arch supports only two sizes */
  if (likely(psizes > 0)) {

    /* Largest page size first; only sizes that divide map_size evenly are
       tried, and the loop stops at the first successful creation. */
    for (i = psizes - 1; shm->g_shm_fd == -1 && i >= 0; --i) {

      if (sizes[i] == 0 || map_size % sizes[i]) { continue; }

      shm->g_shm_fd =
          shm_create_largepage(shm->g_shm_file_path, shmflags, i,
                               SHM_LARGEPAGE_ALLOC_DEFAULT, DEFAULT_PERMISSION);

    }

  }

  #endif

  /* create the shared memory segment as if it was a file */
  /* Fallback (and the only path without large-page support): plain
     shm_open() with the same exclusive flags. */
  if (shm->g_shm_fd == -1) {

    shm->g_shm_fd =
        shm_open(shm->g_shm_file_path, shmflags | O_CREAT, DEFAULT_PERMISSION);

  }

  if (shm->g_shm_fd == -1) { PFATAL("shm_open() failed"); }

  /* configure the size of the shared memory segment */
  if (ftruncate(shm->g_shm_fd, map_size)) {

    PFATAL("setup_shm(): ftruncate() failed");

  }

  /* map the shared memory segment to the address space of the process */
  shm->map =
      mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, shm->g_shm_fd, 0);
  if (shm->map == MAP_FAILED) {

    /* Close and unlink before PFATAL() so no orphaned segment name outlives
       this process. */
    close(shm->g_shm_fd);
    shm->g_shm_fd = -1;
    shm_unlink(shm->g_shm_file_path);
    shm->g_shm_file_path[0] = 0;
    PFATAL("mmap() failed");

  }

  /* If somebody is asking us to fuzz instrumented binaries in non-instrumented
     mode, we don't want them to detect instrumentation, since we won't be
     sending fork server commands. This should be replaced with better
     auto-detection later on, perhaps? */

  /* The segment name is published for the target side to pick up (it is not
     read anywhere in this file). */
  if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1);

  /* Repeats the MAP_FAILED test above (MAP_FAILED is (void *)-1 on the usual
     platforms) and runs after the environment was already published; kept
     as-is. */
  if (shm->map == (void *)-1 || !shm->map) PFATAL("mmap() failed");

  if (shm->cmplog_mode) {

    /* Same naming scheme and caveats as for the coverage map above. */
    snprintf(shm->cmplog_g_shm_file_path, L_tmpnam, "/afl_cmplog_%d_%ld",
             getpid(), random());

    /* create the shared memory segment as if it was a file */
    shm->cmplog_g_shm_fd =
        shm_open(shm->cmplog_g_shm_file_path, O_CREAT | O_RDWR | O_EXCL,
                 DEFAULT_PERMISSION);
    if (shm->cmplog_g_shm_fd == -1) { PFATAL("shm_open() failed"); }

    /* configure the size of the shared memory segment */
    /* NOTE(review): the cmplog segment is sized with map_size here (and in the
       mmap() below), while the SysV branch of this function uses
       sizeof(struct cmp_map). If the two differ, the fuzzer and the target
       disagree about the size of the cmplog map - confirm which is intended.
       afl_shm_deinit() unmaps with map_size, matching this branch. */
    if (ftruncate(shm->cmplog_g_shm_fd, map_size)) {

      PFATAL("setup_shm(): cmplog ftruncate() failed");

    }

    /* map the shared memory segment to the address space of the process */
    shm->cmp_map = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED,
                        shm->cmplog_g_shm_fd, 0);
    if (shm->cmp_map == MAP_FAILED) {

      /* Release the cmplog descriptor and name before PFATAL(); the coverage
         segment is left to the process exit. */
      close(shm->cmplog_g_shm_fd);
      shm->cmplog_g_shm_fd = -1;
      shm_unlink(shm->cmplog_g_shm_file_path);
      shm->cmplog_g_shm_file_path[0] = 0;
      PFATAL("mmap() failed");

    }

    /* If somebody is asking us to fuzz instrumented binaries in
       non-instrumented mode, we don't want them to detect instrumentation,
       since we won't be sending fork server commands. This should be replaced
       with better auto-detection later on, perhaps? */

    if (!non_instrumented_mode)
      setenv(CMPLOG_SHM_ENV_VAR, shm->cmplog_g_shm_file_path, 1);

    /* Redundant with the MAP_FAILED test above, see the coverage map case. */
    if (shm->cmp_map == (void *)-1 || !shm->cmp_map)
      PFATAL("cmplog mmap() failed");

  }

#else
  /* Decimal segment id, exported through the environment below. */
  u8 *shm_str;

  // for qemu+unicorn we have to increase by 8 to account for potential
  // compcov map overwrite
  /* IPC_PRIVATE always yields a fresh segment; DEFAULT_PERMISSION (project
     config) supplies the mode bits that decide who may attach to it. */
  shm->shm_id =
      shmget(IPC_PRIVATE, map_size == MAP_SIZE ? map_size + 8 : map_size,
             IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);
  if (shm->shm_id < 0) {

    PFATAL("shmget() failed, try running afl-system-config");

  }

  if (shm->cmplog_mode) {

    /* Sized by the cmplog map structure (cmplog.h), not by map_size. */
    shm->cmplog_shm_id = shmget(IPC_PRIVATE, sizeof(struct cmp_map),
                                IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);

    if (shm->cmplog_shm_id < 0) {

      shmctl(shm->shm_id, IPC_RMID, NULL);  // do not leak shmem
      PFATAL("shmget() failed, try running afl-system-config");

    }

  }

  if (!non_instrumented_mode) {

    shm_str = alloc_printf("%d", shm->shm_id);

    /* If somebody is asking us to fuzz instrumented binaries in
       non-instrumented mode, we don't want them to detect instrumentation,
       since we won't be sending fork server commands. This should be replaced
       with better auto-detection later on, perhaps? */

    setenv(SHM_ENV_VAR, shm_str, 1);

    /* setenv() copies the string, so the temporary can go right away. */
    ck_free(shm_str);

  }

  if (shm->cmplog_mode && !non_instrumented_mode) {

    shm_str = alloc_printf("%d", shm->cmplog_shm_id);

    setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1);

    ck_free(shm_str);

  }

  /* shmat() reports failure as (void *)-1; the segments are already
     advertised at this point, so failure below tears them down before
     aborting. */
  shm->map = shmat(shm->shm_id, NULL, 0);

  if (shm->map == (void *)-1 || !shm->map) {

    shmctl(shm->shm_id, IPC_RMID, NULL);  // do not leak shmem

    if (shm->cmplog_mode) {

      shmctl(shm->cmplog_shm_id, IPC_RMID, NULL);  // do not leak shmem

    }

    PFATAL("shmat() failed");

  }

  if (shm->cmplog_mode) {

    shm->cmp_map = shmat(shm->cmplog_shm_id, NULL, 0);

    if (shm->cmp_map == (void *)-1 || !shm->cmp_map) {

      shmctl(shm->shm_id, IPC_RMID, NULL);  // do not leak shmem

      shmctl(shm->cmplog_shm_id, IPC_RMID, NULL);  // do not leak shmem

      PFATAL("shmat() failed");

    }

  }

#endif

  /* Recorded only now, after all mappings succeeded; afl_shm_deinit() relies
     on map_size for munmap() in the USEMMAP back end. */
  shm->map_size = map_size;
  list_append(&shm_list, shm);

  return shm->map;

}
367 
368