Fix default UBSan options and avoid timeouts in crash handler (#304)

* exit

* ignore timeouts outside the targets

* do not store timeouts

* block SIGALRM in handlers

* __ubsan_default_options
Andrea Fioraldi 2021-09-29 09:28:55 +02:00 committed by GitHub
parent 2c51c4abf4
commit 05aeb677cf
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 28 additions and 16 deletions


@ -25,8 +25,8 @@ use libafl::{
corpus::{Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, QueueCorpusScheduler},
events::SimpleRestartingEventManager,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback},
feedback_or,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback},
fuzzer::{Fuzzer, StdFuzzer},
inputs::{BytesInput, HasTargetBytes},
mutators::{
@ -89,7 +89,7 @@ pub fn libafl_main() {
.short('t')
.long("timeout")
.about("Timeout for each individual execution, in milliseconds")
.default_value("1000"),
.default_value("1200"),
)
.try_get_matches()
{
@ -220,7 +220,7 @@ fn fuzz(
);
// A feedback to choose if an input is a solution or not
let objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new());
let objective = CrashFeedback::new();
// If not restarting, create a State from scratch
let mut state = state.unwrap_or_else(|| {
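Review bot: Dropping `TimeoutFeedback` from the objective at the `let objective = CrashFeedback::new();` line means an input that hangs for the full timeout is no longer saved as a solution, so hang-class findings in the target are now discarded silently. If that is intentional (the commit says "do not store timeouts"), a one-line comment on that line would keep a later reader from re-adding it, e.g. `// Timeouts are deliberately not objectives here: only crashes are stored as solutions.` The raised `.default_value("1200")` is likewise unexplained in the code; a short why-comment next to it would help. The same two changes appear in the second fuzzer file below and this note applies there too. `fuzz` continues outside the hunk.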


@ -27,8 +27,8 @@ use libafl::{
},
events::SimpleRestartingEventManager,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback},
feedback_or,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback},
fuzzer::{Fuzzer, StdFuzzer},
inputs::{BytesInput, HasTargetBytes},
mutators::{
@ -94,7 +94,7 @@ pub fn libafl_main() {
.short('t')
.long("timeout")
.about("Timeout for each individual execution, in milliseconds")
.default_value("1000"),
.default_value("1200"),
)
.try_get_matches()
{
@ -225,7 +225,7 @@ fn fuzz(
);
// A feedback to choose if an input is a solution or not
let objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new());
let objective = CrashFeedback::new();
// If not restarting, create a State from scratch
let mut state = state.unwrap_or_else(|| {


@ -54,7 +54,7 @@ pub struct ucontext_t {
pub use libc::ucontext_t;
use libc::{
c_int, malloc, sigaction, sigaltstack, sigemptyset, stack_t, SA_NODEFER, SA_ONSTACK,
c_int, malloc, sigaction, sigaddset, sigaltstack, sigemptyset, stack_t, SA_NODEFER, SA_ONSTACK,
SA_SIGINFO, SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGHUP, SIGILL, SIGINT, SIGKILL, SIGPIPE,
SIGQUIT, SIGSEGV, SIGTERM, SIGTRAP, SIGUSR2,
};
@ -210,6 +210,7 @@ pub unsafe fn setup_signal_handler<T: 'static + Handler>(handler: &mut T) -> Res
let mut sa: sigaction = mem::zeroed();
sigemptyset(&mut sa.sa_mask as *mut libc::sigset_t);
sigaddset(&mut sa.sa_mask as *mut libc::sigset_t, SIGALRM);
sa.sa_flags = SA_NODEFER | SA_SIGINFO | SA_ONSTACK;
sa.sa_sigaction = handle_signal as usize;
let signals = handler.signals();
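Review bot: The new `sigaddset(&mut sa.sa_mask as *mut libc::sigset_t, SIGALRM);` masks SIGALRM for every handler installed by `setup_signal_handler`, including the SIGALRM handler itself, because `SA_NODEFER` only exempts the delivered signal from being auto-added and does not override a signal listed explicitly in `sa_mask`; none of that intent is stated in the code. A comment would help: `// Block SIGALRM while any handler runs so the timeout alarm cannot preempt a crash handler mid-report.` The return value of `sigaddset` is ignored; it can only fail for an invalid signal number, so this is acceptable, but a `debug_assert_eq!(…, 0)` on it would record the assumption. `setup_signal_handler` continues outside the hunk.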


@ -380,7 +380,8 @@ mod unix_signal_handler {
if data.current_input_ptr.is_null() {
#[cfg(feature = "std")]
dbg!("TIMEOUT or SIGUSR2 happened, but currently not fuzzing. Exiting");
println!("TIMEOUT or SIGUSR2 happened, but currently not fuzzing.");
return;
} else {
#[cfg(feature = "std")]
println!("Timeout in fuzz run.");
@ -426,7 +427,7 @@ mod unix_signal_handler {
event_mgr.await_restart_safe();
libc::_exit(1);
libc::_exit(55);
}
}
@ -435,7 +436,7 @@ mod unix_signal_handler {
/// It will store the current State to shmem, then exit.
#[allow(clippy::too_many_lines)]
pub unsafe fn inproc_crash_handler<EM, I, OC, OF, OT, S, Z>(
_signal: Signal,
signal: Signal,
_info: siginfo_t,
_context: &mut ucontext_t,
data: &mut InProcessExecutorHandlerData,
@ -455,7 +456,7 @@ mod unix_signal_handler {
as *mut libc::c_void as *mut ucontext_t);
#[cfg(feature = "std")]
println!("Crashed with {}", _signal);
println!("Crashed with {}", signal);
if data.current_input_ptr.is_null() {
#[cfg(feature = "std")]
{
@ -505,7 +506,7 @@ mod unix_signal_handler {
println!("{:━^100}", " CRASH ");
println!(
"Received signal {} at 0x{:016x}, fault address: 0x{:016x}",
_signal, _context.uc_mcontext.pc, _context.uc_mcontext.fault_address
signal, _context.uc_mcontext.pc, _context.uc_mcontext.fault_address
);
println!("{:━^100}", " REGISTERS ");
@ -531,7 +532,7 @@ mod unix_signal_handler {
println!("{:━^100}", " CRASH ");
println!(
"Received signal {} at 0x{:016x}, fault address: 0x{:016x}",
_signal, mcontext.__ss.__pc, mcontext.__es.__far
signal, mcontext.__ss.__pc, mcontext.__es.__far
);
println!("{:━^100}", " REGISTERS ");
@ -589,7 +590,7 @@ mod unix_signal_handler {
println!("Bye!");
}
libc::_exit(1);
libc::_exit(128 + (signal as i32));
}
}
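Review bot: The two new exit statuses are unexplained literals: `libc::_exit(55)` in the timeout handler and `libc::_exit(128 + (signal as i32))` in `inproc_crash_handler`. The second presumably mirrors the shell convention of 128+N for a process killed by signal N, but that only holds if `Signal`'s discriminants are the raw libc signal numbers, which is not visible in this hunk — worth confirming, and worth a comment either way. Suggest `const TIMEOUT_EXIT_CODE: i32 = 55; // lets the parent tell a timeout from a crash` with `libc::_exit(TIMEOUT_EXIT_CODE);`, and `// 128 + signo, matching the shell convention for death-by-signal` above the crash-handler exit. The `return;` added when `current_input_ptr` is null now makes the timeout handler resume the interrupted code instead of exiting; the rest of that handler's body and its callers are outside the hunk, so the expectation on the resumed side should be checked.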


@ -8,3 +8,13 @@ EXT_FUNC_IMPL(__asan_default_options, const char*, (), false) {
"handle_sigbus=0:handle_abort=0:"
"handle_sigfpe=0:handle_sigill=0";
}
EXT_FUNC_IMPL(__ubsan_default_options, const char*, (), false) {
return "abort_on_error=1:"
"allocator_release_to_os_interval_ms=500:"
"handle_abort=0:handle_segv=0:"
"handle_sigbus=0:handle_sigfpe=0:"
"handle_sigill=0:print_stacktrace=0:"
"symbolize=0:symbolize_inline_frames=0";
}
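Review bot: `abort_on_error=1` on its own does not make UBSan reports fatal: unlike ASan, UBSan's runtime defaults `halt_on_error` to off, so a recoverable check prints its report and continues unless the target was built with `-fno-sanitize-recover`, and `abort_on_error` only takes effect once the runtime decides to stop. For a fuzzer that detects findings through SIGABRT this means UB reports can be lost silently; suggest `return "halt_on_error=1:abort_on_error=1:"` as the first line of the returned string. A short comment above `__ubsan_default_options` explaining why every `handle_*=0` is disabled (the fuzzer's own signal handlers must receive those signals) would also help, and applies equally to the `__asan_default_options` definition above, whose start is outside the hunk.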