starting shmap support for unicorn

Author: domenukk

include/afl-fuzz.h

@@ -444,7 +444,8 @@ typedef struct afl_state {
       deferred_mode,                    /* Deferred forkserver mode?        */
       fixed_seed,                       /* do not reseed                    */
       fast_cal,                         /* Try to calibrate faster?         */
-      disable_trim;                     /* Never trim in fuzz_one           */
+      disable_trim,                     /* Never trim in fuzz_one           */
+      shmem_testcase_mode;              /* If sharedmem testcases are used  */
 
   u8 *virgin_bits,                      /* Regions yet untouched by fuzzing */
       *virgin_tmout,                    /* Bits we haven't seen in tmouts   */
@@ -806,6 +807,9 @@ void afl_states_clear_screen(void);
 /* Sets the skip flag on all states */
 void afl_states_request_skip(void);
 
+/* Setup shmem for testcase delivery */
+void setup_testcase_shmem(afl_state_t *afl);
+
 void read_afl_environment(afl_state_t *, char **);
 
 /**** Prototypes ****/

include/forkserver.h

@@ -81,9 +81,9 @@ typedef struct afl_forkserver {
 
   u8 qemu_mode;                         /* if running in qemu mode or not   */
 
-  u32 shdmem_fuzz_len;                   /* length of the fuzzing test case */
+  u32 shmem_fuzz_len;                    /* length of the fuzzing test case */
 
-  u8 *shdmem_fuzz;                      /* allocated memory for fuzzing     */
+  u8 *shmem_fuzz;                       /* allocated memory for fuzzing     */
 
   char *cmplog_binary;                  /* the name of the cmplog binary    */
 

src/afl-forkserver.c

@@ -286,7 +286,7 @@ static void report_error_and_exit(int error) {
 
 }
 
-/* Spins up fork server (instrumented mode only). The idea is explained here:
+/* Spins up fork server. The idea is explained here:
 
    http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
 
@@ -305,7 +305,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
   if (fsrv->use_fauxsrv) {
 
-    /* TODO: Come up with sone nice way to initalize this all */
+    /* TODO: Come up with sone nice way to initialize this all */
 
     if (fsrv->init_child_func != fsrv_exec_child) {
 
@@ -823,10 +823,10 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
 
 void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
 
-  if (fsrv->shdmem_fuzz) {
+  if (fsrv->shmem_fuzz) {
 
-    memcpy(fsrv->shdmem_fuzz, buf, len);
-    fsrv->shdmem_fuzz_len = len;
+    memcpy(fsrv->shmem_fuzz, buf, len);
+    fsrv->shmem_fuzz_len = len;
 
   } else {
 
@@ -888,7 +888,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
 
   MEM_BARRIER();
 
-  if (fsrv->shdmem_fuzz_len) write_value += (fsrv->shdmem_fuzz_len << 8);
+  if (fsrv->shmem_fuzz_len) write_value += (fsrv->shmem_fuzz_len << 8);
 
   /* we have the fork server (or faux server) up and running
   First, tell it if the previous run timed out. */

src/afl-fuzz-init.c

@@ -1949,6 +1949,36 @@ static void handle_skipreq(int sig) {
 
 }
 
+
+/* Setup shared map for fuzzing with input via sharedmem */
+
+void setup_testcase_shmem(afl_state_t *afl) {
+
+  afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
+
+  // we need to set the dumb mode to not overwrite the SHM_ENV_VAR
+  if ((afl->fsrv.shmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) {
+
+#ifdef USEMMAP
+    setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
+#else
+    u8 *shm_str;
+    shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
+    setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
+    ck_free(shm_str);
+#endif
+    afl->fsrv.support_shdmen_fuzz = 1;
+
+  } else {
+
+    ck_free(afl->shm_fuzz);
+    afl->shm_fuzz = NULL;
+
+  }
+
+}
+
+
 /* Do a PATH search and find target binary to see that it exists and
    isn't a shell script - a common and painful mistake. We also check for
    a valid ELF header and for evidence of AFL instrumentation. */
@@ -2153,30 +2183,8 @@ void check_binary(afl_state_t *afl, u8 *fname) {
     OKF(cPIN "Persistent mode binary detected.");
     setenv(PERSIST_ENV_VAR, "1", 1);
     afl->persistent_mode = 1;
-    // do not fail if we can not get the fuzzing shared mem
-    if ((afl->shm_fuzz = calloc(1, sizeof(sharedmem_t)))) {
-
-      // we need to set the dumb mode to not overwrite the SHM_ENV_VAR
-      if ((afl->fsrv.shdmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) {
-
-#ifdef USEMMAP
-        setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
-#else
-        u8 *shm_str;
-        shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
-        setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
-        ck_free(shm_str);
-#endif
-        afl->fsrv.support_shdmen_fuzz = 1;
-
-      } else {
-
-        free(afl->shm_fuzz);
-        afl->shm_fuzz = NULL;
 
-      }
-
-    }
+    afl->shmem_testcase_mode = 1;
 
   } else if (getenv("AFL_PERSISTENT")) {
 

src/afl-fuzz-run.c

@@ -237,7 +237,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
       free(afl->shm_fuzz);
       afl->shm_fuzz = NULL;
       afl->fsrv.support_shdmen_fuzz = 0;
-      afl->fsrv.shdmem_fuzz = NULL;
+      afl->fsrv.shmem_fuzz = NULL;
 
     }
 

src/afl-fuzz-stats.c

@@ -103,7 +103,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
       "afl_banner        : %s\n"
       "afl_version       : " VERSION
       "\n"
-      "target_mode       : %s%s%s%s%s%s%s%s\n"
+      "target_mode       : %s%s%s%s%s%s%s%s%s\n"
       "command_line      : %s\n",
       afl->start_time / 1000, cur_time / 1000,
       (cur_time - afl->start_time) / 1000, (u32)getpid(),
@@ -128,6 +128,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
       afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "",
       afl->crash_mode ? "crash " : "",
       afl->persistent_mode ? "persistent " : "",
+      afl->shmem_testcase_mode ? "shmem_testcase " : "",
       afl->deferred_mode ? "deferred " : "",
       (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->dumb_mode ||
        afl->no_forkserver || afl->crash_mode || afl->persistent_mode ||

src/afl-fuzz.c

@@ -572,6 +572,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
         if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); }
         afl->unicorn_mode = 1;
+        afl->shmem_testcase_mode = 1;
 
         if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; }
 
@@ -1178,6 +1179,12 @@ int main(int argc, char **argv_orig, char **envp) {
 
   check_binary(afl, argv[optind]);
 
+  if (afl->shmem_testcase_mode) {
+
+    setup_testcase_shmem(afl);
+
+  }
+
   afl->start_time = get_cur_time();
 
   if (afl->fsrv.qemu_mode) {

unicorn_mode/UNICORNAFL_VERSION

@@ -1 +1 @@
-212110c
+37067ac