From 05aeb677cf1970f9810b2d64f063e347ef5019cd Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 29 Sep 2021 09:28:55 +0200 Subject: [PATCH] Fix default UBSan options and avoid timeouts in crash handler (#304) * exit * ignore timeouts outside the targets * do not store timeouts * block sigalarm in handlers * __ubsan_default_options --- fuzzers/fuzzbench/src/lib.rs | 8 ++++---- fuzzers/fuzzbench_gsoc/src/lib.rs | 8 ++++---- libafl/src/bolts/os/unix_signals.rs | 3 ++- libafl/src/executors/inprocess.rs | 15 ++++++++------- libafl_targets/src/common.c | 10 ++++++++++ 5 files changed, 28 insertions(+), 16 deletions(-) diff --git a/fuzzers/fuzzbench/src/lib.rs b/fuzzers/fuzzbench/src/lib.rs index af705758d2..d4c7d5c955 100644 --- a/fuzzers/fuzzbench/src/lib.rs +++ b/fuzzers/fuzzbench/src/lib.rs @@ -25,8 +25,8 @@ use libafl::{ corpus::{Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, QueueCorpusScheduler}, events::SimpleRestartingEventManager, executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor}, - feedback_or, feedback_or_fast, - feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback}, + feedback_or, + feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback}, fuzzer::{Fuzzer, StdFuzzer}, inputs::{BytesInput, HasTargetBytes}, mutators::{ @@ -89,7 +89,7 @@ pub fn libafl_main() { .short('t') .long("timeout") .about("Timeout for each individual execution, in milliseconds") - .default_value("1000"), + .default_value("1200"), ) .try_get_matches() { @@ -220,7 +220,7 @@ fn fuzz( ); // A feedback to choose if an input is a solution or not - let objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new()); + let objective = CrashFeedback::new(); // If not restarting, create a State from scratch let mut state = state.unwrap_or_else(|| { diff --git a/fuzzers/fuzzbench_gsoc/src/lib.rs b/fuzzers/fuzzbench_gsoc/src/lib.rs index 407ad8af1c..8fa8e8f958 100644 
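Review bot: The new `let objective = CrashFeedback::new();` in the third hunk silently changes what ends up in the solutions corpus — a hanging input is now recorded nowhere, yet the in-process timeout handler in this same patch still `_exit`s, so every hang costs a full restart with nothing persisted — and the comment above it (`// A feedback to choose if an input is a solution or not`) no longer says why. Suggest replacing that comment with `// Only crashes are objectives: timeouts are deliberately not stored as solutions (#304); the timeout handler just restarts the fuzzer.` The bump of the per-execution default from `"1000"` to `"1200"` ms in the second hunk is likewise uncommented; a one-liner on the reason (presumably headroom over the benchmark's own per-run budget — confirm) would keep someone from "fixing" it back to 1000. The enclosing `fuzz` function and `libafl_main` both start and end outside these hunks.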
--- a/fuzzers/fuzzbench_gsoc/src/lib.rs +++ b/fuzzers/fuzzbench_gsoc/src/lib.rs @@ -27,8 +27,8 @@ use libafl::{ }, events::SimpleRestartingEventManager, executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor}, - feedback_or, feedback_or_fast, - feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback}, + feedback_or, + feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback}, fuzzer::{Fuzzer, StdFuzzer}, inputs::{BytesInput, HasTargetBytes}, mutators::{ @@ -94,7 +94,7 @@ pub fn libafl_main() { .short('t') .long("timeout") .about("Timeout for each individual execution, in milliseconds") - .default_value("1000"), + .default_value("1200"), ) .try_get_matches() { @@ -225,7 +225,7 @@ fn fuzz( ); // A feedback to choose if an input is a solution or not - let objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new()); + let objective = CrashFeedback::new(); // If not restarting, create a State from scratch let mut state = state.unwrap_or_else(|| { diff --git a/libafl/src/bolts/os/unix_signals.rs b/libafl/src/bolts/os/unix_signals.rs index 244e69272a..815f3cb950 100644 --- a/libafl/src/bolts/os/unix_signals.rs +++ b/libafl/src/bolts/os/unix_signals.rs @@ -54,7 +54,7 @@ pub struct ucontext_t { pub use libc::ucontext_t; use libc::{ - c_int, malloc, sigaction, sigaltstack, sigemptyset, stack_t, SA_NODEFER, SA_ONSTACK, + c_int, malloc, sigaction, sigaddset, sigaltstack, sigemptyset, stack_t, SA_NODEFER, SA_ONSTACK, SA_SIGINFO, SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGHUP, SIGILL, SIGINT, SIGKILL, SIGPIPE, SIGQUIT, SIGSEGV, SIGTERM, SIGTRAP, SIGUSR2, }; 
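Review bot: The same undocumented decisions are repeated here as in fuzzers/fuzzbench: `let objective = CrashFeedback::new();` drops hangs from the solutions corpus without a comment, and `"1200"` replaces the 1000 ms default with no rationale, in a file that is maintained as a near-copy of the other fuzzer and will drift the next time one of them is touched. Suggest the same `// Only crashes are objectives: timeouts are deliberately not stored as solutions (#304)` comment above the objective, and a `const DEFAULT_TIMEOUT_MS: &str = "1200";` (or a shared one, if the two crates can import it) so the value is changed in one place. The enclosing `fuzz` function and `libafl_main` start and end outside these hunks.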
@@ -210,6 +210,7 @@ pub unsafe fn setup_signal_handler(handler: &mut T) -> Res let mut sa: sigaction = mem::zeroed(); sigemptyset(&mut sa.sa_mask as *mut libc::sigset_t); + sigaddset(&mut sa.sa_mask as *mut libc::sigset_t, SIGALRM); sa.sa_flags = SA_NODEFER | SA_SIGINFO | SA_ONSTACK; sa.sa_sigaction = handle_signal as usize; let signals = handler.signals(); diff --git a/libafl/src/executors/inprocess.rs b/libafl/src/executors/inprocess.rs index d7722db067..9cdbc8b2bf 100644 --- a/libafl/src/executors/inprocess.rs +++ b/libafl/src/executors/inprocess.rs @@ -380,7 +380,8 @@ mod unix_signal_handler { if data.current_input_ptr.is_null() { #[cfg(feature = "std")] - dbg!("TIMEOUT or SIGUSR2 happened, but currently not fuzzing. Exiting"); + println!("TIMEOUT or SIGUSR2 happened, but currently not fuzzing."); + return; } else { #[cfg(feature = "std")] println!("Timeout in fuzz run."); @@ -426,7 +427,7 @@ mod unix_signal_handler { event_mgr.await_restart_safe(); - libc::_exit(1); + libc::_exit(55); } } @@ -435,7 +436,7 @@ mod unix_signal_handler { /// It will store the current State to shmem, then exit. #[allow(clippy::too_many_lines)] pub unsafe fn inproc_crash_handler( - _signal: Signal, + signal: Signal, _info: siginfo_t, _context: &mut ucontext_t, data: &mut InProcessExecutorHandlerData, @@ -455,7 +456,7 @@ mod unix_signal_handler { as *mut libc::c_void as *mut ucontext_t); #[cfg(feature = "std")] - println!("Crashed with {}", _signal); + println!("Crashed with {}", signal); if data.current_input_ptr.is_null() { #[cfg(feature = "std")] { @@ -505,7 +506,7 @@ mod unix_signal_handler { println!("{:━^100}", " CRASH "); println!( "Received signal {} at 0x{:016x}, fault address: 0x{:016x}", - _signal, _context.uc_mcontext.pc, _context.uc_mcontext.fault_address + signal, _context.uc_mcontext.pc, _context.uc_mcontext.fault_address ); println!("{:━^100}", " REGISTERS "); 
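Review bot: The added `sigaddset(&mut sa.sa_mask as *mut libc::sigset_t, SIGALRM);` is both unchecked and unexplained, and the `SA_NODEFER` flag on the very next line invites a reader to conclude nothing is masked at all. `sa_mask` is the set blocked only while one of these handlers runs, which is what keeps the `TimeoutExecutor`'s alarm from preempting a crash handler halfway through persisting state; say so: `// Keep SIGALRM masked while any handler runs: the crash/timeout handlers persist state and _exit, so a pending timeout must not preempt them mid-way.` `sigemptyset`/`sigaddset` return -1 on an invalid signal number, and since the function appears to return a `Result` (`-> Res…` in the hunk header) an `if sigaddset(...) != 0 { return Err(...); }` would match the rest of the setup — a robustness nit here since `SIGALRM` is a valid constant. `setup_signal_handler` starts and ends outside the hunk.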
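Review bot: The new `println!("TIMEOUT or SIGUSR2 happened, but currently not fuzzing.");` executes inside a SIGALRM/SIGUSR2 handler and is not async-signal-safe: it takes Rust's stdout lock, so if the alarm lands while the interrupted thread holds that lock (stats reporting presumably prints from the same thread — confirm) the handler deadlocks; the `dbg!` it replaces had the same flaw on stderr, but because this path now `return`s into the interrupted code instead of exiting, a hang here is strictly worse than before. Suggest a raw write of a static message instead: `let msg = b"TIMEOUT or SIGUSR2 happened, but currently not fuzzing.\n"; libc::write(2, msg.as_ptr().cast(), msg.len());`. The early `return` also silently drops the signal; a comment such as `// Late alarm (run already finished) — nothing to persist, just resume.` would make clear this is the expected case rather than a lost event. The timeout handler this sits in (presumably `inproc_timeout_handler`) starts and ends outside the hunk.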
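Review bot: `libc::_exit(55);` is a bare magic number, while the crash handler changed in this same patch exits with `128 + signal`; a reader cannot tell whether 55 is interpreted by the restarting parent or merely chosen to differ from a crash status and from 1. Suggest a named constant beside the handler, `const TIMEOUT_EXIT_CODE: i32 = 55; // distinct from the 128+signo crash exits; not read by the parent (confirm)`, and `libc::_exit(TIMEOUT_EXIT_CODE);` here. The enclosing handler starts before the hunk.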
@@ -531,7 +532,7 @@ mod unix_signal_handler { println!("{:━^100}", " CRASH "); println!( "Received signal {} at 0x{:016x}, fault address: 0x{:016x}", - _signal, mcontext.__ss.__pc, mcontext.__es.__far + signal, mcontext.__ss.__pc, mcontext.__es.__far ); println!("{:━^100}", " REGISTERS "); @@ -589,7 +590,7 @@ mod unix_signal_handler { println!("Bye!"); } - libc::_exit(1); + libc::_exit(128 + (signal as i32)); } } diff --git a/libafl_targets/src/common.c b/libafl_targets/src/common.c index aa1d6101e9..33b4837b98 100644 --- a/libafl_targets/src/common.c +++ b/libafl_targets/src/common.c @@ -8,3 +8,13 @@ EXT_FUNC_IMPL(__asan_default_options, const char*, (), false) { "handle_sigbus=0:handle_abort=0:" "handle_sigfpe=0:handle_sigill=0"; } + +EXT_FUNC_IMPL(__ubsan_default_options, const char*, (), false) { + return "abort_on_error=1:" + "allocator_release_to_os_interval_ms=500:" + "handle_abort=0:handle_segv=0:" + "handle_sigbus=0:handle_sigfpe=0:" + "handle_sigill=0:print_stacktrace=0:" + "symbolize=0:symbolize_inline_frames=0"; +} +
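Review bot: `libc::_exit(128 + (signal as i32));` only produces the shell-style "killed by signal" status if `Signal`'s discriminants are the libc signal numbers; that enum lives in unix_signals.rs outside this patch, so the dependency is invisible at the call site and should be stated rather than assumed. Suggest `// Exit as a signal death is reported by shells: 128 + signo (relies on Signal's discriminants being the libc numbers).` above the call, and if the discriminants are not guaranteed, go through the enum's explicit signal-number accessor instead of `as i32`. `inproc_crash_handler` starts outside the hunk.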
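Review bot: `abort_on_error=1` in the new `__ubsan_default_options` only fires when the UBSan runtime dies after a report, which it does for checks built with `-fno-sanitize-recover`; with the default recoverable checks UBSan prints the diagnostic and keeps running, and the fuzzer never sees a crash. Unless every consumer is known to build non-recoverable, add `"halt_on_error=1:"` to the string so the first report aborts, and note that `allocator_release_to_os_interval_ms=500` is a common-runtime flag carried over from the ASan string and has nothing to act on in standalone UBSan (harmless, but verify). The `handle_*=0` entries are the security-relevant part — they stop the sanitizer installing its own SIGSEGV/SIGABRT/… handlers so the fuzzer's handlers receive the faults — and neither this function nor its `__asan_default_options` twin says so; suggest `/* Default UBSAN_OPTIONS (the environment variable still overrides): abort on the first report and leave every signal to the fuzzer's own handlers. */` above the definition.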