SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Windows timeout fix with critical sections (#391)

Browse Source 
* add

* unix fix

* unsafe positions

* another unsafe!

* ignore

* ignore

* make changes back

* fix

* fix

* fmt

* bug fix

* fmt

* compiler fence

* import

* typo

* add another critical section

* fix

* fix

* exclude windows book test

* typo

* fence

* why

Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
This commit is contained in:
Dongjia Zhang 2021-12-09 21:55:20 +09:00 committed by GitHub
parent c6553c5351
commit fc0881194d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 261 additions and 153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/build_and_test.yml vendored
View File

@ -31,6 +31,8 @@ jobs:
- name: Build the book
run: cd docs && mdbook build
- name: Test the book
# TODO: fix books test fail with updated windows-rs
if: runner.os != 'Windows'
run: cd docs && mdbook test -L ../target/debug/deps
- name: Run tests
run: cargo test

7
libafl/Cargo.toml
View File

@ -68,7 +68,7 @@ rand_core = { version = "0.5.1", optional = true } # This dependency allows us t
nix = { version = "0.23.0", optional = true }
regex = { version = "1", optional = true }
build_id = { version = "0.2.1", git = "https://github.com/domenukk/build_id", rev = "6a61943", optional = true }
uuid = { version = "0.8.2", optional = true, features = ["serde"] }
uuid = { version = "0.8.2", optional = true, features = ["serde", "v4"] }
libm = "0.2.1"
wait-timeout = { version = "0.2", optional = true } # used by CommandExecutor to wait for child process
@ -86,11 +86,10 @@ regex = "1.4.5"
backtrace = "0.3"
[target.'cfg(windows)'.dependencies]
windows = "0.18.0"
uuid = { version = "0.8", features = ["v4"] }
windows = { version = "0.28.0", features = ["std", "Win32_Foundation", "Win32_System_Threading", "Win32_System_Diagnostics_Debug", "Win32_System_Kernel", "Win32_System_Memory", "Win32_Security"] }
[target.'cfg(windows)'.build-dependencies]
windows = "0.18.0"
windows = "0.28.0"
[[bench]]
name = "rand_speeds"

10
libafl/build.rs
View File

@ -4,16 +4,6 @@ use rustc_version::{version_meta, Channel};
#[allow(clippy::ptr_arg, clippy::upper_case_acronyms)]
fn main() {
#[cfg(target_os = "windows")]
windows::build!(
Windows::Win32::Foundation::{HANDLE, HWND, BOOL, PSTR, CloseHandle, NTSTATUS},
Windows::Win32::System::{
Memory::{CreateFileMappingA, OpenFileMappingA, MapViewOfFile, UnmapViewOfFile, FILE_MAP, PAGE_TYPE},
Diagnostics::Debug::{SetUnhandledExceptionFilter, EXCEPTION_POINTERS, EXCEPTION_RECORD, LPTOP_LEVEL_EXCEPTION_FILTER},
Threading::{CreateTimerQueue, CreateTimerQueueTimer, DeleteTimerQueueEx, DeleteTimerQueueTimer, ExitProcess},
},
);
// Set cfg flags depending on release channel
match version_meta().unwrap().channel {
Channel::Stable => {

4
libafl/src/bolts/bindings.rs
View File

@ -1,4 +0,0 @@
//! Generated bindings
#[cfg(all(windows, feature = "std"))]
::windows::include_bindings!();

1
libafl/src/bolts/mod.rs
View File

@ -1,6 +1,5 @@
//! Bolts are no conceptual fuzzing elements, but they keep libafl-based fuzzers together.
pub mod bindings;
#[cfg(feature = "llmp_compression")]
pub mod compress;
pub mod cpu;

11
libafl/src/bolts/os/windows_exceptions.rs
View File

@ -1,10 +1,10 @@
//! Exception handling for Windows
pub use crate::bolts::bindings::Windows::Win32::System::Diagnostics::Debug::{
pub use windows::Win32::System::Diagnostics::Debug::{
SetUnhandledExceptionFilter, EXCEPTION_POINTERS,
};
pub use crate::bolts::bindings::Windows::Win32::Foundation::NTSTATUS;
pub use windows::Win32::Foundation::NTSTATUS;
use crate::Error;
use std::os::raw::{c_long, c_void};
@ -310,7 +310,6 @@ unsafe fn internal_handle_exception(
}
type NativeHandlerType = extern "system" fn(*mut EXCEPTION_POINTERS) -> c_long;
static mut PREVIOUS_HANDLER: Option<NativeHandlerType> = None;
/// Internal function that is being called whenever an exception arrives (stdcall).
unsafe extern "system" fn handle_exception(exception_pointers: *mut EXCEPTION_POINTERS) -> c_long {
@ -324,7 +323,7 @@ unsafe extern "system" fn handle_exception(exception_pointers: *mut EXCEPTION_PO
let exception_code = ExceptionCode::try_from(code.0).unwrap();
// println!("Received {}", exception_code);
let ret = internal_handle_exception(exception_code, exception_pointers);
PREVIOUS_HANDLER.map_or(ret, |prev_handler| prev_handler(exception_pointers))
ret
}
type NativeSignalHandlerType = unsafe extern "C" fn(i32);
@ -364,8 +363,6 @@ pub unsafe fn setup_exception_handler<T: 'static + Handler>(handler: &mut T) ->
}
if let Some(prev) = SetUnhandledExceptionFilter(Some(core::mem::transmute(
handle_exception as *const c_void,
))) {
PREVIOUS_HANDLER = Some(core::mem::transmute(prev as *const c_void));
}
))) {}
Ok(())
}

19
libafl/src/bolts/shmem.rs
View File

@ -1053,16 +1053,7 @@ pub mod unix_shmem {
pub mod win32_shmem {
use crate::{
bolts::{
bindings::{
Windows::Win32::Foundation::{CloseHandle, BOOL, HANDLE, PSTR},
Windows::Win32::System::Memory::{
CreateFileMappingA, MapViewOfFile, OpenFileMappingA, UnmapViewOfFile,
FILE_MAP_ALL_ACCESS, PAGE_READWRITE,
},
},
shmem::{ShMem, ShMemId, ShMemProvider},
},
bolts::shmem::{ShMem, ShMemId, ShMemProvider},
Error,
};
@ -1072,6 +1063,14 @@ pub mod win32_shmem {
const INVALID_HANDLE_VALUE: isize = -1;
use windows::{
Win32::Foundation::{CloseHandle, BOOL, HANDLE, PSTR},
Win32::System::Memory::{
CreateFileMappingA, MapViewOfFile, OpenFileMappingA, UnmapViewOfFile,
FILE_MAP_ALL_ACCESS, PAGE_READWRITE,
},
};
/// The default Sharedmap impl for windows using shmctl & shmget
#[derive(Clone, Debug)]
pub struct Win32ShMem {

107
libafl/src/executors/inprocess.rs
View File

@ -37,9 +37,6 @@ use crate::{
Error,
};
#[cfg(windows)]
use core::mem::transmute;
/// The inmem executor simply calls a target function, then returns afterwards.
#[allow(dead_code)]
#[derive(Debug)]
@ -143,6 +140,16 @@ where
pub fn harness_mut(&mut self) -> &mut H {
self.harness_fn
}
#[inline]
pub fn handlers(&self) -> &InProcessHandlers {
&self.handlers
}
#[inline]
pub fn handlers_mut(&mut self) -> &mut InProcessHandlers {
&mut self.handlers
}
}
#[derive(Debug)]
@ -304,7 +311,13 @@ pub struct InProcessExecutorHandlerData {
pub crash_handler: *const c_void,
pub timeout_handler: *const c_void,
#[cfg(windows)]
pub timer_queue: *mut c_void,
pub tp_timer: *mut c_void,
#[cfg(windows)]
pub in_target: u64,
#[cfg(windows)]
pub critical: *mut c_void,
#[cfg(windows)]
pub timeout_input_ptr: *mut c_void,
}
unsafe impl Send for InProcessExecutorHandlerData {}
@ -327,7 +340,13 @@ pub static mut GLOBAL_STATE: InProcessExecutorHandlerData = InProcessExecutorHan
/// The timeout handler fn
timeout_handler: ptr::null(),
#[cfg(windows)]
timer_queue: ptr::null_mut(),
tp_timer: ptr::null_mut(),
#[cfg(windows)]
in_target: 0,
#[cfg(windows)]
critical: ptr::null_mut(),
#[cfg(windows)]
timeout_input_ptr: ptr::null_mut(),
};
#[must_use]
@ -629,12 +648,9 @@ mod windows_exception_handler {
use std::io::{stdout, Write};
use crate::{
bolts::{
bindings::Windows::Win32::{Foundation::HANDLE, System::Threading::ExitProcess},
os::windows_exceptions::{
bolts::os::windows_exceptions::{
ExceptionCode, Handler, CRASH_EXCEPTIONS, EXCEPTION_POINTERS,
},
},
corpus::{Corpus, Testcase},
events::{Event, EventFirer, EventRestarter},
executors::{
@ -649,6 +665,9 @@ mod windows_exception_handler {
state::{HasClientPerfMonitor, HasMetadata, HasSolutions},
};
use core::sync::atomic::{compiler_fence, Ordering};
use windows::Win32::System::Threading::ExitProcess;
pub type HandlerFuncPtr =
unsafe fn(ExceptionCode, *mut EXCEPTION_POINTERS, &mut InProcessExecutorHandlerData);
@ -676,9 +695,14 @@ mod windows_exception_handler {
}
}
use windows::Win32::System::Threading::{
EnterCriticalSection, LeaveCriticalSection, RTL_CRITICAL_SECTION,
};
pub unsafe extern "system" fn inproc_timeout_handler<E, EM, I, OC, OF, OT, S, Z>(
_p0: *mut u8,
global_state: *mut c_void,
_p1: u8,
_p1: *mut u8,
) where
E: HasObservers<I, OT, S>,
EM: EventFirer<I> + EventRestarter<S>,
@ -691,14 +715,22 @@ mod windows_exception_handler {
{
let data: &mut InProcessExecutorHandlerData =
&mut *(global_state as *mut InProcessExecutorHandlerData);
compiler_fence(Ordering::SeqCst);
EnterCriticalSection(
(data.critical as *mut RTL_CRITICAL_SECTION)
.as_mut()
.unwrap(),
);
compiler_fence(Ordering::SeqCst);
if data.in_target == 1 {
let state = (data.state_ptr as *mut S).as_mut().unwrap();
let event_mgr = (data.event_mgr_ptr as *mut EM).as_mut().unwrap();
let fuzzer = (data.fuzzer_ptr as *mut Z).as_mut().unwrap();
let executor = (data.executor_ptr as *const E).as_ref().unwrap();
let observers = executor.observers();
if data.current_input_ptr.is_null() {
if data.timeout_input_ptr.is_null() {
#[cfg(feature = "std")]
dbg!("TIMEOUT or SIGUSR2 happened, but currently not fuzzing. Exiting");
} else {
@ -707,8 +739,8 @@ mod windows_exception_handler {
#[cfg(feature = "std")]
let _res = stdout().flush();
let input = (data.current_input_ptr as *const I).as_ref().unwrap();
data.current_input_ptr = ptr::null();
let input = (data.timeout_input_ptr as *const I).as_ref().unwrap();
data.timeout_input_ptr = ptr::null_mut();
let interesting = fuzzer
.objective_mut()
@ -745,9 +777,24 @@ mod windows_exception_handler {
println!("Bye!");
event_mgr.await_restart_safe();
compiler_fence(Ordering::SeqCst);
LeaveCriticalSection(
(data.critical as *mut RTL_CRITICAL_SECTION)
.as_mut()
.unwrap(),
);
ExitProcess(1);
}
}
compiler_fence(Ordering::SeqCst);
LeaveCriticalSection(
(data.critical as *mut RTL_CRITICAL_SECTION)
.as_mut()
.unwrap(),
);
compiler_fence(Ordering::SeqCst);
// println!("TIMER INVOKED!");
}
@ -766,8 +813,24 @@ mod windows_exception_handler {
Z: HasObjective<I, OF, S>,
{
// Have we set a timer_before?
if let Some(x) = (data.timer_queue as *mut HANDLE).as_mut() {
windows_delete_timer_queue(*x);
if let Some(x) =
(data.tp_timer as *mut windows::Win32::System::Threading::TP_TIMER).as_mut()
{
/*
We want to prevent the timeout handler being run while the main thread is executing the crash handler
Timeout handler runs if it has access to the critical section or data.in_target == 0
Writing 0 to the data.in_target makes the timeout handler makes the timeout handler invalid.
*/
compiler_fence(Ordering::SeqCst);
EnterCriticalSection(data.critical as *mut RTL_CRITICAL_SECTION);
compiler_fence(Ordering::SeqCst);
data.in_target = 0;
compiler_fence(Ordering::SeqCst);
LeaveCriticalSection(data.critical as *mut RTL_CRITICAL_SECTION);
compiler_fence(Ordering::SeqCst);
windows_delete_timer_queue(x);
data.tp_timer = ptr::null_mut();
}
#[cfg(feature = "std")]
@ -855,15 +918,12 @@ mod windows_exception_handler {
}
#[cfg(windows)]
type WaitOrTimerCallback = unsafe extern "system" fn(param0: *mut c_void, param1: u8);
#[cfg(windows)]
pub trait HasTimeoutHandler {
fn timeout_handler(&self) -> WaitOrTimerCallback;
pub trait HasInProcessHandlers {
fn inprocess_handlers(&self) -> &InProcessHandlers;
}
#[cfg(windows)]
impl<'a, H, I, OT, S> HasTimeoutHandler for InProcessExecutor<'a, H, I, OT, S>
impl<'a, H, I, OT, S> HasInProcessHandlers for InProcessExecutor<'a, H, I, OT, S>
where
H: FnMut(&I) -> ExitKind,
I: Input,
@ -871,9 +931,8 @@ where
{
/// the timeout handler
#[inline]
fn timeout_handler(&self) -> WaitOrTimerCallback {
let func: WaitOrTimerCallback = unsafe { transmute(self.handlers.timeout_handler) };
func
fn inprocess_handlers(&self) -> &InProcessHandlers {
&self.handlers
}
}

129
libafl/src/executors/timeout.rs
View File

@ -11,7 +11,7 @@ use crate::{
};
#[cfg(all(windows, feature = "std"))]
use crate::executors::inprocess::{HasTimeoutHandler, GLOBAL_STATE};
use crate::executors::inprocess::{HasInProcessHandlers, GLOBAL_STATE};
#[cfg(unix)]
use core::{mem::zeroed, ptr::null_mut};
@ -19,16 +19,23 @@ use core::{mem::zeroed, ptr::null_mut};
use libc::c_int;
#[cfg(all(windows, feature = "std"))]
use crate::bolts::bindings::Windows::Win32::{
Foundation::HANDLE,
use windows::Win32::{
Foundation::FILETIME,
System::Threading::{
CreateTimerQueue, CreateTimerQueueTimer, DeleteTimerQueueEx, DeleteTimerQueueTimer,
WORKER_THREAD_FLAGS,
CloseThreadpoolTimer, CreateThreadpoolTimer, EnterCriticalSection,
InitializeCriticalSection, LeaveCriticalSection, SetThreadpoolTimer, RTL_CRITICAL_SECTION,
TP_CALLBACK_ENVIRON_V3, TP_TIMER,
},
};
#[cfg(all(windows, feature = "std"))]
use core::{ffi::c_void, ptr::write_volatile};
use core::{
ffi::c_void,
ptr::{write, write_volatile},
};
#[cfg(windows)]
use core::sync::atomic::{compiler_fence, Ordering};
#[repr(C)]
#[cfg(unix)]
@ -54,18 +61,14 @@ const ITIMER_REAL: c_int = 0;
/// Reset and remove the timeout
#[cfg(unix)]
pub fn unix_remove_timeout() {
unsafe {
pub unsafe fn unix_remove_timeout() {
let mut itimerval_zero: Itimerval = zeroed();
setitimer(ITIMER_REAL, &mut itimerval_zero, null_mut());
}
}
#[cfg(all(windows, feature = "std"))]
pub fn windows_delete_timer_queue(timer_queue: HANDLE) {
unsafe {
DeleteTimerQueueEx(timer_queue, HANDLE::NULL);
}
pub unsafe fn windows_delete_timer_queue(tp_timer: *mut TP_TIMER) {
CloseThreadpoolTimer(tp_timer);
}
/// The timeout excutor is a wrapper that sets a timeout before each run
@ -74,17 +77,25 @@ pub struct TimeoutExecutor<E> {
#[cfg(unix)]
itimerval: Itimerval,
#[cfg(windows)]
milli_sec: u32,
milli_sec: i64,
#[cfg(windows)]
ph_new_timer: HANDLE,
tp_timer: *mut TP_TIMER,
#[cfg(windows)]
timer_queue: HANDLE,
critical: RTL_CRITICAL_SECTION,
}
#[cfg(windows)]
#[allow(non_camel_case_types)]
type PTP_TIMER_CALLBACK = unsafe extern "system" fn(
param0: *mut windows::Win32::System::Threading::TP_CALLBACK_INSTANCE,
param1: *mut c_void,
param2: *mut windows::Win32::System::Threading::TP_TIMER,
);
#[cfg(unix)]
impl<E> TimeoutExecutor<E> {
/// Create a new `TimeoutExecutor`, wrapping the given `executor` and checking for timeouts.
/// This should usually be used for `InProcess` fuzzing.
#[cfg(unix)]
pub fn new(executor: E, exec_tmout: Duration) -> Self {
let milli_sec = exec_tmout.as_millis();
let it_value = Timeval {
@ -104,17 +115,32 @@ impl<E> TimeoutExecutor<E> {
itimerval,
}
}
}
#[cfg(windows)]
#[cfg(windows)]
impl<E: HasInProcessHandlers> TimeoutExecutor<E> {
pub fn new(executor: E, exec_tmout: Duration) -> Self {
let milli_sec = exec_tmout.as_millis() as u32;
let timer_queue = unsafe { CreateTimerQueue() };
let ph_new_timer = HANDLE::NULL;
let milli_sec = exec_tmout.as_millis() as i64;
let timeout_handler: PTP_TIMER_CALLBACK =
unsafe { std::mem::transmute(executor.inprocess_handlers().timeout_handler) };
let tp_timer = unsafe {
CreateThreadpoolTimer(
Some(timeout_handler),
&mut GLOBAL_STATE as *mut _ as *mut c_void,
&TP_CALLBACK_ENVIRON_V3::default(),
)
};
let mut critical = RTL_CRITICAL_SECTION::default();
unsafe {
InitializeCriticalSection(&mut critical);
}
Self {
executor,
milli_sec,
ph_new_timer,
timer_queue,
tp_timer,
critical,
}
}
@ -149,10 +175,7 @@ impl<E> TimeoutExecutor<E> {
#[cfg(windows)]
pub fn windows_reset_timeout(&self) -> Result<(), Error> {
unsafe {
let code = DeleteTimerQueueTimer(self.timer_queue, self.ph_new_timer, HANDLE::NULL);
if !code.as_bool() {
return Err(Error::Unknown("DeleteTimerQueueTimer failed.".to_string()));
}
SetThreadpoolTimer(self.tp_timer, core::ptr::null(), 0, 0);
}
Ok(())
}
@ -161,7 +184,7 @@ impl<E> TimeoutExecutor<E> {
#[cfg(windows)]
impl<E, EM, I, S, Z> Executor<EM, I, S, Z> for TimeoutExecutor<E>
where
E: Executor<EM, I, S, Z> + HasTimeoutHandler,
E: Executor<EM, I, S, Z> + HasInProcessHandlers,
I: Input,
{
fn run_target(
@ -173,23 +196,43 @@ where
) -> Result<ExitKind, Error> {
unsafe {
let data = &mut GLOBAL_STATE;
write_volatile(&mut data.tp_timer, self.tp_timer as *mut _ as *mut c_void);
write_volatile(
&mut data.timer_queue,
&mut self.timer_queue as *mut _ as *mut c_void,
&mut data.critical,
&mut self.critical as *mut _ as *mut c_void,
);
let code = CreateTimerQueueTimer(
&mut self.ph_new_timer,
&self.timer_queue,
Some(self.executor.timeout_handler()),
&mut GLOBAL_STATE as *mut _ as *mut c_void,
self.milli_sec,
0,
WORKER_THREAD_FLAGS::default(),
write_volatile(
&mut data.timeout_input_ptr,
&mut data.current_input_ptr as *mut _ as *mut c_void,
);
if !code.as_bool() {
return Err(Error::Unknown("CreateTimerQueue failed.".to_string()));
}
let tm: i64 = -1 * self.milli_sec * 10 * 1000;
let mut ft = FILETIME::default();
ft.dwLowDateTime = (tm & 0xffffffff) as u32;
ft.dwHighDateTime = (tm >> 32) as u32;
compiler_fence(Ordering::SeqCst);
EnterCriticalSection(&mut self.critical);
compiler_fence(Ordering::SeqCst);
data.in_target = 1;
compiler_fence(Ordering::SeqCst);
LeaveCriticalSection(&mut self.critical);
compiler_fence(Ordering::SeqCst);
SetThreadpoolTimer(self.tp_timer, &ft, 0, 0);
let ret = self.executor.run_target(fuzzer, state, mgr, input);
compiler_fence(Ordering::SeqCst);
EnterCriticalSection(&mut self.critical);
compiler_fence(Ordering::SeqCst);
// Timeout handler will do nothing after we increment in_target value.
data.in_target = 0;
compiler_fence(Ordering::SeqCst);
LeaveCriticalSection(&mut self.critical);
compiler_fence(Ordering::SeqCst);
write_volatile(&mut data.timeout_input_ptr, core::ptr::null_mut());
self.windows_reset_timeout()?;
ret
}
@ -238,6 +281,8 @@ where
#[cfg(windows)]
impl<E> Drop for TimeoutExecutor<E> {
fn drop(&mut self) {
windows_delete_timer_queue(self.timer_queue);
unsafe {
windows_delete_timer_queue(self.tp_timer);
}
}
}

19
libafl_frida/src/executor.rs
View File

@ -17,6 +17,9 @@ use libafl::{
#[cfg(unix)]
use crate::asan_errors::ASAN_ERRORS;
#[cfg(windows)]
use libafl::executors::inprocess::{HasInProcessHandlers, InProcessHandlers};
pub struct FridaInProcessExecutor<'a, 'b, 'c, FH, H, I, OT, S>
where
FH: FridaHelper<'b>,
@ -125,3 +128,19 @@ where
}
}
}
#[cfg(windows)]
impl<'a, 'b, 'c, FH, H, I, OT, S> HasInProcessHandlers
for FridaInProcessExecutor<'a, 'b, 'c, FH, H, I, OT, S>
where
H: FnMut(&I) -> ExitKind,
I: Input + HasTargetBytes,
OT: ObserversTuple<I, S>,
FH: FridaHelper<'b>,
{
/// the timeout handler
#[inline]
fn inprocess_handlers(&self) -> &InProcessHandlers {
&self.base.handlers()
}
}

3
scripts/test_all_fuzzers.sh
View File

@ -30,6 +30,9 @@ do
cargo build || exit 1
echo "[+] Done building $fuzzer"
fi
# Save disk space
cargo clean
cd ..
echo ""
done