Fix default UBSan options and avoid timeouts in crash handler (#304)

* exit

* ignore timeouts outside the targets

* do not store timeouts

* block sigalarm in handlers

* __ubsan_default_options
Andrea Fioraldi 2021-09-29 09:28:55 +02:00 committed by GitHub
parent 2c51c4abf4
commit 05aeb677cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 28 additions and 16 deletions


@ -25,8 +25,8 @@ use libafl::{
corpus::{Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, QueueCorpusScheduler}, corpus::{Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, QueueCorpusScheduler},
events::SimpleRestartingEventManager, events::SimpleRestartingEventManager,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor}, executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast, feedback_or,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback}, feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback},
fuzzer::{Fuzzer, StdFuzzer}, fuzzer::{Fuzzer, StdFuzzer},
inputs::{BytesInput, HasTargetBytes}, inputs::{BytesInput, HasTargetBytes},
mutators::{ mutators::{
@ -89,7 +89,7 @@ pub fn libafl_main() {
.short('t') .short('t')
.long("timeout") .long("timeout")
.about("Timeout for each individual execution, in milliseconds") .about("Timeout for each individual execution, in milliseconds")
.default_value("1000"), .default_value("1200"),
) )
.try_get_matches() .try_get_matches()
{ {
@ -220,7 +220,7 @@ fn fuzz(
); );
// A feedback to choose if an input is a solution or not // A feedback to choose if an input is a solution or not
let objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new()); let objective = CrashFeedback::new();
// If not restarting, create a State from scratch // If not restarting, create a State from scratch
let mut state = state.unwrap_or_else(|| { let mut state = state.unwrap_or_else(|| {
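Review bot: With `TimeoutFeedback` dropped from the objective, an input that runs past the `-t` limit is no longer saved as a solution, which is a silent change in what these examples report; a hang is now indistinguishable from an uninteresting input from the corpus-on-disk point of view. The same change is made in the second example (the hunks at the next file section, `@ -225,7 +225,7 @@ fn fuzz`), so one comment on the objective line in both would document the intent: `// Timeouts are deliberately not stored as solutions; the timeout handler only aborts the current run`. If the intent is instead to keep hangs but stop the handler from storing them, the objective should stay `feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new())`. The default timeout also moves from 1000 to 1200 ms without the help string saying why; if that headroom exists to let the crash handler finish before the alarm, a short comment next to `.default_value("1200")` would save the next reader a trip through the commit log. The `fuzz` function starts and ends outside the hunk.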


@ -27,8 +27,8 @@ use libafl::{
}, },
events::SimpleRestartingEventManager, events::SimpleRestartingEventManager,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor}, executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast, feedback_or,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback}, feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback},
fuzzer::{Fuzzer, StdFuzzer}, fuzzer::{Fuzzer, StdFuzzer},
inputs::{BytesInput, HasTargetBytes}, inputs::{BytesInput, HasTargetBytes},
mutators::{ mutators::{
@ -94,7 +94,7 @@ pub fn libafl_main() {
.short('t') .short('t')
.long("timeout") .long("timeout")
.about("Timeout for each individual execution, in milliseconds") .about("Timeout for each individual execution, in milliseconds")
.default_value("1000"), .default_value("1200"),
) )
.try_get_matches() .try_get_matches()
{ {
@ -225,7 +225,7 @@ fn fuzz(
); );
// A feedback to choose if an input is a solution or not // A feedback to choose if an input is a solution or not
let objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new()); let objective = CrashFeedback::new();
// If not restarting, create a State from scratch // If not restarting, create a State from scratch
let mut state = state.unwrap_or_else(|| { let mut state = state.unwrap_or_else(|| {


@ -54,7 +54,7 @@ pub struct ucontext_t {
pub use libc::ucontext_t; pub use libc::ucontext_t;
use libc::{ use libc::{
c_int, malloc, sigaction, sigaltstack, sigemptyset, stack_t, SA_NODEFER, SA_ONSTACK, c_int, malloc, sigaction, sigaddset, sigaltstack, sigemptyset, stack_t, SA_NODEFER, SA_ONSTACK,
SA_SIGINFO, SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGHUP, SIGILL, SIGINT, SIGKILL, SIGPIPE, SA_SIGINFO, SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGHUP, SIGILL, SIGINT, SIGKILL, SIGPIPE,
SIGQUIT, SIGSEGV, SIGTERM, SIGTRAP, SIGUSR2, SIGQUIT, SIGSEGV, SIGTERM, SIGTRAP, SIGUSR2,
}; };
@ -210,6 +210,7 @@ pub unsafe fn setup_signal_handler<T: 'static + Handler>(handler: &mut T) -> Res
let mut sa: sigaction = mem::zeroed(); let mut sa: sigaction = mem::zeroed();
sigemptyset(&mut sa.sa_mask as *mut libc::sigset_t); sigemptyset(&mut sa.sa_mask as *mut libc::sigset_t);
sigaddset(&mut sa.sa_mask as *mut libc::sigset_t, SIGALRM);
sa.sa_flags = SA_NODEFER | SA_SIGINFO | SA_ONSTACK; sa.sa_flags = SA_NODEFER | SA_SIGINFO | SA_ONSTACK;
sa.sa_sigaction = handle_signal as usize; sa.sa_sigaction = handle_signal as usize;
let signals = handler.signals(); let signals = handler.signals();
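Review bot: The new `sigaddset(&mut sa.sa_mask, SIGALRM)` has no comment, and because the same `sa` appears to be reused for every signal returned by `handler.signals()` (the installation loop is outside the hunk), SIGALRM is masked during every handler, including — given `SA_NODEFER` does not add the delivered signal itself but `sa_mask` still applies — the SIGALRM handler. That is presumably the intent of "block sigalarm in handlers", but it should be stated: `// Block SIGALRM while any handler runs: a pending timeout must not interrupt a crash report or a restart hand-off in progress`. Note that the mask is restored on handler return, so a timeout that arrived during a handler that returns (as the timeout handler now does when not fuzzing) is delivered immediately afterwards; that is fine for a handler that exits, but worth a sentence in the same comment. The return value of `sigaddset` is ignored; it cannot fail for a valid signal number, so a `debug_assert_eq!(…, 0)` would be enough. `setup_signal_handler` begins and ends outside the hunk.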


@ -380,7 +380,8 @@ mod unix_signal_handler {
if data.current_input_ptr.is_null() { if data.current_input_ptr.is_null() {
#[cfg(feature = "std")] #[cfg(feature = "std")]
dbg!("TIMEOUT or SIGUSR2 happened, but currently not fuzzing. Exiting"); println!("TIMEOUT or SIGUSR2 happened, but currently not fuzzing.");
return;
} else { } else {
#[cfg(feature = "std")] #[cfg(feature = "std")]
println!("Timeout in fuzz run."); println!("Timeout in fuzz run.");
@ -426,7 +427,7 @@ mod unix_signal_handler {
event_mgr.await_restart_safe(); event_mgr.await_restart_safe();
libc::_exit(1); libc::_exit(55);
} }
} }
@ -435,7 +436,7 @@ mod unix_signal_handler {
/// It will store the current State to shmem, then exit. /// It will store the current State to shmem, then exit.
#[allow(clippy::too_many_lines)] #[allow(clippy::too_many_lines)]
pub unsafe fn inproc_crash_handler<EM, I, OC, OF, OT, S, Z>( pub unsafe fn inproc_crash_handler<EM, I, OC, OF, OT, S, Z>(
_signal: Signal, signal: Signal,
_info: siginfo_t, _info: siginfo_t,
_context: &mut ucontext_t, _context: &mut ucontext_t,
data: &mut InProcessExecutorHandlerData, data: &mut InProcessExecutorHandlerData,
@ -455,7 +456,7 @@ mod unix_signal_handler {
as *mut libc::c_void as *mut ucontext_t); as *mut libc::c_void as *mut ucontext_t);
#[cfg(feature = "std")] #[cfg(feature = "std")]
println!("Crashed with {}", _signal); println!("Crashed with {}", signal);
if data.current_input_ptr.is_null() { if data.current_input_ptr.is_null() {
#[cfg(feature = "std")] #[cfg(feature = "std")]
{ {
@ -505,7 +506,7 @@ mod unix_signal_handler {
println!("{:━^100}", " CRASH "); println!("{:━^100}", " CRASH ");
println!( println!(
"Received signal {} at 0x{:016x}, fault address: 0x{:016x}", "Received signal {} at 0x{:016x}, fault address: 0x{:016x}",
_signal, _context.uc_mcontext.pc, _context.uc_mcontext.fault_address signal, _context.uc_mcontext.pc, _context.uc_mcontext.fault_address
); );
println!("{:━^100}", " REGISTERS "); println!("{:━^100}", " REGISTERS ");
@ -531,7 +532,7 @@ mod unix_signal_handler {
println!("{:━^100}", " CRASH "); println!("{:━^100}", " CRASH ");
println!( println!(
"Received signal {} at 0x{:016x}, fault address: 0x{:016x}", "Received signal {} at 0x{:016x}, fault address: 0x{:016x}",
_signal, mcontext.__ss.__pc, mcontext.__es.__far signal, mcontext.__ss.__pc, mcontext.__es.__far
); );
println!("{:━^100}", " REGISTERS "); println!("{:━^100}", " REGISTERS ");
@ -589,7 +590,7 @@ mod unix_signal_handler {
println!("Bye!"); println!("Bye!");
} }
libc::_exit(1); libc::_exit(128 + (signal as i32));
} }
} }
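Review bot: The two new exit statuses are magic numbers: `libc::_exit(55)` in the timeout path and `libc::_exit(128 + (signal as i32))` in the crash path, with nothing saying who consumes them or why 55 was chosen. The `128 + N` form is the shell convention for "terminated by signal N" and only holds if `Signal`'s discriminants are the raw libc signal numbers — that is likely given the `Display` output used in `println!("Crashed with {}", signal)`, but it should be pinned with a comment or a `Signal::into_raw`-style accessor if one exists rather than an `as` cast. I would name both values at module level, `const TIMEOUT_EXIT_STATUS: i32 = 55;` with a comment on what distinguishes it from a crash for the parent, and replace the cast with `128 + signal as i32 // shell convention: killed by signal`. Both handlers start before the hunk; the `inproc_crash_handler` signature change from `_signal` to `signal` is consistent with its new use.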


@ -8,3 +8,13 @@ EXT_FUNC_IMPL(__asan_default_options, const char*, (), false) {
"handle_sigbus=0:handle_abort=0:" "handle_sigbus=0:handle_abort=0:"
"handle_sigfpe=0:handle_sigill=0"; "handle_sigfpe=0:handle_sigill=0";
} }
EXT_FUNC_IMPL(__ubsan_default_options, const char*, (), false) {
return "abort_on_error=1:"
"allocator_release_to_os_interval_ms=500:"
"handle_abort=0:handle_segv=0:"
"handle_sigbus=0:handle_sigfpe=0:"
"handle_sigill=0:print_stacktrace=0:"
"symbolize=0:symbolize_inline_frames=0";
}
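Review bot: `abort_on_error=1` only decides how the runtime dies once it has decided to halt; for UBSan, most checks are recoverable by default and are merely reported before execution continues, so with this option string alone a fuzzer that watches for SIGABRT will not see UB findings unless the target was built with `-fno-sanitize-recover=undefined` (or `halt_on_error=1` is set). Either add `"halt_on_error=1:"` to the string or document the build-flag requirement in a comment above `__ubsan_default_options`, matching whichever the project's build scripts actually pass. The `handle_*=0` entries mirror the ASan block and are what lets the in-process signal handler receive the abort, which is worth a one-line comment: `/* signal handling is left to the fuzzer's own handlers */`. `allocator_release_to_os_interval_ms` is an allocator flag that a standalone UBSan runtime has no allocator to apply to; it is accepted as a common flag but is probably a copy from the ASan string.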