diff --git a/libafl/src/bolts/llmp.rs b/libafl/src/bolts/llmp.rs index 222bc37b06..8e4076af86 100644 --- a/libafl/src/bolts/llmp.rs +++ b/libafl/src/bolts/llmp.rs @@ -101,9 +101,6 @@ use crate::{ use super::shmem::HasFd; -/// The sender on this map is exiting (if broker exits, clients should exit gracefully); -const LLMP_TAG_EXITING: u32 = 0x13C5171; - /// We'll start off with 256 megabyte maps per fuzzer client const LLMP_PREF_INITIAL_MAP_SIZE: usize = 1 << 28; /// What byte count to align messages to @@ -111,14 +108,16 @@ const LLMP_PREF_INITIAL_MAP_SIZE: usize = 1 << 28; const LLMP_PREF_ALIGNNMENT: usize = 64; /// A msg fresh from the press: No tag got sent by the user yet -const LLMP_TAG_UNSET: u32 = 0xDEADAF; +const LLMP_TAG_UNSET: Tag = 0xDEADAF; /// This message should not exist yet. Some bug in unsafe code! -const LLMP_TAG_UNINITIALIZED: u32 = 0xA143AF11; -/// The end of page mesasge +const LLMP_TAG_UNINITIALIZED: Tag = 0xA143AF11; +/// The end of page message /// When receiving this, a new sharedmap needs to be allocated. -const LLMP_TAG_END_OF_PAGE: u32 = 0xAF1E0F1; -/// A new client for this broekr got added. -const LLMP_TAG_NEW_SHM_CLIENT: u32 = 0xC11E471; +const LLMP_TAG_END_OF_PAGE: Tag = 0xAF1E0F1; +/// A new client for this broker got added. +const LLMP_TAG_NEW_SHM_CLIENT: Tag = 0xC11E471; +/// The sender on this map is exiting (if broker exits, clients should exit gracefully); +const LLMP_TAG_EXITING: Tag = 0x13C5171; /// An env var of this value indicates that the set value was a NULL PTR const _NULL_ENV_STR: &str = "_NULL"; @@ -865,6 +864,7 @@ where tag ))); } + unsafe { let msg = self.alloc_next(buf.len())?; (*msg).tag = tag; diff --git a/libafl/src/events/llmp.rs b/libafl/src/events/llmp.rs index 371df5383d..042fcf3719 100644 --- a/libafl/src/events/llmp.rs +++ b/libafl/src/events/llmp.rs 
@@ -1,8 +1,10 @@ -use crate::bolts::{llmp::LlmpSender, shmem::HasFd}; use alloc::{string::ToString, vec::Vec}; use core::{marker::PhantomData, time::Duration}; use serde::{de::DeserializeOwned, Serialize}; +#[cfg(feature = "std")] +use core::ptr::read_volatile; + #[cfg(feature = "std")] use crate::bolts::llmp::LlmpReceiver; @@ -16,8 +18,8 @@ use crate::utils::{fork, ForkResult}; use crate::bolts::shmem::UnixShMem; use crate::{ bolts::{ - llmp::{self, LlmpClient, LlmpClientDescription, Tag}, - shmem::ShMem, + llmp::{self, LlmpClient, LlmpClientDescription, LlmpSender, Tag}, + shmem::{HasFd, ShMem}, }, corpus::CorpusScheduler, events::{BrokerEventResult, Event, EventManager}, @@ -535,6 +537,7 @@ where mgr.broker_loop()?; return Err(Error::ShuttingDown); } else { + // We are the fuzzer respawner in a llmp client mgr.to_env(_ENV_FUZZER_BROKER_CLIENT_INITIAL); // First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts. @@ -547,7 +550,7 @@ where sender.to_env(_ENV_FUZZER_SENDER)?; receiver.to_env(_ENV_FUZZER_RECEIVER)?; - let mut ctr = 0; + let mut ctr: u64 = 0; // Client->parent loop loop { dbg!("Spawning next client (id {})", ctr); @@ -563,7 +566,12 @@ where #[cfg(windows)] startable_self()?.status()?; - ctr += 1; + if unsafe { read_volatile(&(*receiver.current_recv_map.page()).size_used) } == 0 { + // Storing state in the last round did not work + panic!("Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client!"); + } + + ctr = ctr.wrapping_add(1); } } } else {
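Review bot: The new `size_used == 0` guard in the respawn loop only catches a first-round failure: if `size_used` is the cumulative byte count of the page, as its name suggests, it stays non-zero once any earlier child has stored state, so a later child that crashes before saving its state is respawned anyway. Snapshot the counter before spawning and compare against it afterwards — `let used_before = unsafe { read_volatile(&(*receiver.current_recv_map.page()).size_used) };` before the spawn, and `if unsafe { read_volatile(&(*receiver.current_recv_map.page()).size_used) } == used_before {` in place of the `== 0` test. The `unsafe` block dereferences the raw page pointer with no `// SAFETY:` comment; add one stating that `current_recv_map` keeps the mapping alive and that the child has already been waited on (the `status()?` call is visible for the Windows path; confirm the Unix path, which lies outside the hunk, waits as well), so there is no concurrent writer. Since the enclosing function returns `Result` (an earlier hunk returns `Err(Error::ShuttingDown)`), returning an `Err` here would let callers handle the lost state instead of aborting via `panic!`. The enclosing loop and function begin and end outside this hunk.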