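#!/usr/bin/env bash
#
# american fuzzy lop++ - limit memory using cgroups
# -----------------------------------------------
#
# Written by Samir Khakimov <samir.hakim@nyu.edu> and
# David A. Wheeler <dwheeler@ida.org>
#
# Edits to bring the script in line with afl-cmin and other companion scripts
# by Michal Zalewski. All bugs are my fault.
#
# Copyright 2015 Institute for Defense Analyses.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# This tool allows the amount of actual memory allocated to a program
# to be limited on Linux systems using cgroups, instead of the traditional
# setrlimit() API. This helps avoid the address space problems discussed in
# docs/notes_for_asan.md.
#
# Important: the limit covers *both* afl-fuzz and the fuzzed binary. In some
# hopefully rare circumstances, afl-fuzz could be killed before the fuzzed
# task.
#
# Scope of the limit: this is a resource limit, not a security boundary. The
# group is created with "cgcreate -a $NEW_USER", which hands ownership of the
# group's control files to the target user, so code running as that user can
# in principle rewrite the limit files. Do not rely on it to contain a
# hostile target. Only the cgroup v1 memory controller is supported: the
# memory.limit_in_bytes / memory.memsw.limit_in_bytes files written below do
# not exist on a cgroup v2 (unified) hierarchy.
#

echo "cgroup tool for afl-fuzz by <samir.hakim@nyu.edu> and <dwheeler@ida.org>"
echo

unset NEW_USER
MEM_LIMIT="50"

# Option parsing. getopts stops at the first non-option argument, so everything
# after "-u user [-m megs]" is the command line to run, passed through verbatim.
while getopts "u:m:" opt; do

  case "$opt" in

    "u")
      NEW_USER="$OPTARG"
      ;;

    "m")
      # Accept only a plain decimal number. The previous "$[OPTARG]" form ran
      # the value through arithmetic evaluation: a value such as "1x" raised an
      # expansion error and silently left the default in place, and a bare
      # word evaluated to 0. Force base 10 so "010" is not read as octal.
      if [[ ! "$OPTARG" =~ ^[0-9]+$ ]]; then
        echo "[-] Error: malformed or dangerously low value of -m." 1>&2
        exit 1
      fi
      MEM_LIMIT="$((10#$OPTARG))"
      ;;

    "?")
      exit 1
      ;;

  esac

done

# Anything below 5 MB would kill afl-fuzz itself, since the limit covers the
# fuzzer as well as the target.
if (( MEM_LIMIT < 5 )); then
  echo "[-] Error: malformed or dangerously low value of -m." 1>&2
  exit 1
fi

shift $((OPTIND-1))

TARGET_BIN="$1"

if [[ -z "$TARGET_BIN" || -z "$NEW_USER" ]]; then

  cat 1>&2 <<_EOF_
Usage: $0 [ options ] -- /path/to/afl-fuzz [ ...afl options... ]

Required parameters:

  -u user       - run the fuzzer as a specific user after setting up limits

Optional parameters:

  -m megs       - set memory limit to a specified value ($MEM_LIMIT MB)

This tool configures cgroups-based memory limits for a fuzzing job to simplify
the task of fuzzing ASAN or MSAN binaries. You would normally want to use it in
conjunction with '-m none' passed to the afl-fuzz binary itself, say:

  $0 -u joe ./afl-fuzz -i input -o output -m none /path/to/target

_EOF_

  exit 1

fi

# Basic sanity checks

if [[ "$(uname -s)" != "Linux" ]]; then
  echo "[-] Error: this tool does not support non-Linux systems." 1>&2
  exit 1
fi

# Root is needed to create the cgroup, write its limit files and su to
# $NEW_USER.
if [[ "$(id -u)" != "0" ]]; then
  echo "[-] Error: you need to run this script as root (sorry!)." 1>&2
  exit 1
fi

if ! type cgcreate >/dev/null 2>&1; then

  echo "[-] Error: you need to install cgroup tools first." 1>&2

  if type apt-get >/dev/null 2>&1; then
    echo "    (Perhaps 'apt-get install cgroup-bin' will work.)" 1>&2
  elif type yum >/dev/null 2>&1; then
    echo "    (Perhaps 'yum install libcgroup-tools' will work.)" 1>&2
  fi

  exit 1

fi

if ! id -u "$NEW_USER" >/dev/null 2>&1; then
  echo "[-] Error: user '$NEW_USER' does not seem to exist." 1>&2
  exit 1
fi

# The limit files written further down only exist on the cgroup v1 memory
# controller. Fail with a clear message instead of an opaque "No such file"
# from the redirection on a cgroup v2 (unified) system.
CROOT="/sys/fs/cgroup/memory"

if [[ ! -d "$CROOT" ]]; then
  echo "[-] Error: no cgroup v1 memory controller at $CROOT (cgroup v2 unified hierarchy is not supported)." 1>&2
  exit 1
fi

# Create a new cgroup path if necessary... We use PID-keyed groups to keep
# parallel afl-fuzz tasks separate from each other.

CID="afl-$NEW_USER-$$"

CPATH="$CROOT/$CID"

if [[ ! -d "$CPATH" ]]; then

  # -a makes $NEW_USER the owner of the group's control files (see the note
  # in the header about what that means for the strength of the limit).
  cgcreate -a "$NEW_USER" -g memory:"$CID" || exit 1

fi

# Remove the group on every exit path - a failed limit write below, a signal,
# or a normal run - rather than only after a clean run, so stale
# afl-<user>-<pid> groups are not left behind.
cleanup() {
  cgdelete -g "memory:$CID"
}
trap cleanup EXIT

# Set the appropriate limit...

if [[ -f "$CPATH/memory.memsw.limit_in_bytes" ]]; then

  # memory+swap must not be set below the plain memory limit, so the plain
  # limit is lowered first (its failure is deliberately ignored), then memsw
  # is set, then the plain limit is re-applied and checked. Both end up at
  # the requested value.
  echo "${MEM_LIMIT}M" > "$CPATH/memory.limit_in_bytes" 2>/dev/null
  echo "${MEM_LIMIT}M" > "$CPATH/memory.memsw.limit_in_bytes" || exit 1
  echo "${MEM_LIMIT}M" > "$CPATH/memory.limit_in_bytes" || exit 1

elif grep -qE 'partition|file' /proc/swaps; then

  # Without the memsw file swap cannot be capped, so a target that is pushed
  # into swap would exceed the intended limit unnoticed.
  echo "[-] Error: your system requires swap to be disabled first (swapoff -a)." 1>&2
  exit 1

else

  echo "${MEM_LIMIT}M" > "$CPATH/memory.limit_in_bytes" || exit 1

fi

# All right. At this point, we can just run the command.
#
# The command line is handed to su one argument at a time instead of being
# joined into a single string ("$*"). A joined string is re-parsed by the
# target user's shell, so any argument containing whitespace or shell
# metacharacters would be split or interpreted. Inside the -c snippet, "$0"
# is the afl-fuzz path and "$@" the remaining afl options; "--" keeps su
# from treating afl's own "-i"/"-o" flags as su options. /bin/sh is forced so
# the snippet is interpreted identically whatever the user's login shell is
# (and still works if that shell is nologin).

cgexec -g "memory:$CID" su -s /bin/sh -c 'exec "$0" "$@"' "$NEW_USER" -- "$@"
rv=$?

# Report afl-fuzz's exit status, not cgdelete's (cleanup runs from the trap).
exit "$rv"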