
Source code changes of the file "linux/trace.c" between
honggfuzz-2.1.tar.gz and honggfuzz-2.2.tar.gz

About: honggfuzz is a security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with powerful analysis options.

trace.c  (honggfuzz-2.1):trace.c  (honggfuzz-2.2)
skipping to change at line 443 skipping to change at line 443
uint8_t buf[MAX_INSTR_SZ]; uint8_t buf[MAX_INSTR_SZ];
size_t memsz; size_t memsz;
snprintf(instr, _HF_INSTR_SZ, "%s", "[UNKNOWN]"); snprintf(instr, _HF_INSTR_SZ, "%s", "[UNKNOWN]");
if ((memsz = arch_getProcMem(pid, buf, sizeof(buf), pc)) == 0) { if ((memsz = arch_getProcMem(pid, buf, sizeof(buf), pc)) == 0) {
snprintf(instr, _HF_INSTR_SZ, "%s", "[NOT_MMAPED]"); snprintf(instr, _HF_INSTR_SZ, "%s", "[NOT_MMAPED]");
return; return;
} }
#if !defined(__ANDROID__) #if !defined(__ANDROID__)
#if !defined(_HF_LINUX_NO_BFD)
arch_bfdDisasm(pid, buf, memsz, instr); arch_bfdDisasm(pid, buf, memsz, instr);
#else #endif /* !defined(_HF_LINUX_NO_BFD) */
#else /* !defined(__ANDROID__) */
cs_arch arch; cs_arch arch;
cs_mode mode; cs_mode mode;
#if defined(__arm__) || defined(__aarch64__) #if defined(__arm__) || defined(__aarch64__)
arch = (pcRegSz == sizeof(struct user_regs_struct_64)) ? CS_ARCH_ARM64 : CS_ ARCH_ARM; arch = (pcRegSz == sizeof(struct user_regs_struct_64)) ? CS_ARCH_ARM64 : CS_ ARCH_ARM;
if (arch == CS_ARCH_ARM) { if (arch == CS_ARCH_ARM) {
mode = (status_reg & 0x20) ? CS_MODE_THUMB : CS_MODE_ARM; mode = (status_reg & 0x20) ? CS_MODE_THUMB : CS_MODE_ARM;
} else { } else {
mode = CS_MODE_ARM; mode = CS_MODE_ARM;
} }
#elif defined(__i386__) || defined(__x86_64__) #elif defined(__i386__) || defined(__x86_64__)
skipping to change at line 512 skipping to change at line 514
LOG_W("ptrace arch_getPC failed"); LOG_W("ptrace arch_getPC failed");
return; return;
} }
uint64_t crashAddr = 0; uint64_t crashAddr = 0;
char description[HF_STR_LEN] = {}; char description[HF_STR_LEN] = {};
size_t funcCnt = sanitizers_parseReport(run, pid, funcs, &pc, &crashAddr, de scription); size_t funcCnt = sanitizers_parseReport(run, pid, funcs, &pc, &crashAddr, de scription);
if (funcCnt <= 0) { if (funcCnt <= 0) {
funcCnt = arch_unwindStack(pid, funcs); funcCnt = arch_unwindStack(pid, funcs);
#if !defined(__ANDROID__) #if !defined(__ANDROID__)
#if !defined(_HF_LINUX_NO_BFD)
arch_bfdResolveSyms(pid, funcs, funcCnt); arch_bfdResolveSyms(pid, funcs, funcCnt);
#endif /* !defined(_HF_LINUX_NO_BFD) */
#endif /* !defined(__ANDROID__) */ #endif /* !defined(__ANDROID__) */
} }
#if !defined(__ANDROID__) #if !defined(__ANDROID__)
#if !defined(_HF_LINUX_NO_BFD)
arch_bfdDemangle(funcs, funcCnt); arch_bfdDemangle(funcs, funcCnt);
#endif /* !defined(_HF_LINUX_NO_BFD) */
#endif /* !defined(__ANDROID__) */ #endif /* !defined(__ANDROID__) */
/* /*
* Calculate backtrace callstack hash signature * Calculate backtrace callstack hash signature
*/ */
run->backtrace = sanitizers_hashCallstack(run, funcs, funcCnt, false); run->backtrace = sanitizers_hashCallstack(run, funcs, funcCnt, false);
} }
static void arch_traceSaveData(run_t* run, pid_t pid) { static void arch_traceSaveData(run_t* run, pid_t pid) {
char instr[_HF_INSTR_SZ] = "\x00"; char instr[_HF_INSTR_SZ] = "\x00";
siginfo_t si = {}; siginfo_t si = {};
if (ptrace(PTRACE_GETSIGINFO, pid, 0, &si) == -1) { if (ptrace(PTRACE_GETSIGINFO, pid, 0, &si) == -1) {
PLOG_W("Couldn't get siginfo for pid %d", pid); PLOG_W("Couldn't get siginfo for pid %d", pid);
} }
uint64_t crashAddr = (uint64_t)si.si_addr; uint64_t crashAddr = (uint64_t)(uintptr_t)si.si_addr;
/* User-induced signals don't set si.si_addr */ /* User-induced signals don't set si.si_addr */
if (SI_FROMUSER(&si)) { if (SI_FROMUSER(&si)) {
crashAddr = 0UL; crashAddr = 0UL;
} }
uint64_t pc = 0; uint64_t pc = 0;
uint64_t status_reg = 0; uint64_t status_reg = 0;
size_t pcRegSz = arch_getPC(pid, &pc, &status_reg); size_t pcRegSz = arch_getPC(pid, &pc, &status_reg);
if (!pcRegSz) { if (!pcRegSz) {
LOG_W("ptrace arch_getPC failed"); LOG_W("ptrace arch_getPC failed");
skipping to change at line 561 skipping to change at line 567
funcs_t* funcs = util_Calloc(_HF_MAX_FUNCS * sizeof(funcs_t)); funcs_t* funcs = util_Calloc(_HF_MAX_FUNCS * sizeof(funcs_t));
defer { defer {
free(funcs); free(funcs);
}; };
char description[HF_STR_LEN] = {}; char description[HF_STR_LEN] = {};
size_t funcCnt = sanitizers_parseReport(run, pid, funcs, &pc, &crashAddr, de scription); size_t funcCnt = sanitizers_parseReport(run, pid, funcs, &pc, &crashAddr, de scription);
if (funcCnt == 0) { if (funcCnt == 0) {
funcCnt = arch_unwindStack(pid, funcs); funcCnt = arch_unwindStack(pid, funcs);
#if !defined(__ANDROID__) #if !defined(__ANDROID__)
#if !defined(_HF_LINUX_NO_BFD)
arch_bfdResolveSyms(pid, funcs, funcCnt); arch_bfdResolveSyms(pid, funcs, funcCnt);
#endif /* !defined(_HF_LINUX_NO_BFD) */
#endif /* !defined(__ANDROID__) */ #endif /* !defined(__ANDROID__) */
} }
#if !defined(__ANDROID__) #if !defined(__ANDROID__)
#if !defined(_HF_LINUX_NO_BFD)
arch_bfdDemangle(funcs, funcCnt); arch_bfdDemangle(funcs, funcCnt);
#endif /* !defined(_HF_LINUX_NO_BFD) */
#endif /* !defined(__ANDROID__) */ #endif /* !defined(__ANDROID__) */
arch_getInstrStr(pid, pc, status_reg, pcRegSz, instr); arch_getInstrStr(pid, pc, status_reg, pcRegSz, instr);
LOG_D("Pid: %d, signo: %d, errno: %d, code: %d, addr: %p, pc: %" PRIx64 ", c rashAddr: %" PRIx64 LOG_D("Pid: %d, signo: %d, errno: %d, code: %d, addr: %p, pc: %" PRIx64 ", c rashAddr: %" PRIx64
" instr: '%s'", " instr: '%s'",
pid, si.si_signo, si.si_errno, si.si_code, si.si_addr, pc, crashAddr, in str); pid, si.si_signo, si.si_errno, si.si_code, si.si_addr, pc, crashAddr, in str);
if (!SI_FROMUSER(&si) && pc && crashAddr < (uint64_t)run->global->linux.igno if (!SI_FROMUSER(&si) && pc &&
reAddr) { crashAddr < (uint64_t)(uintptr_t)run->global->arch_linux.ignoreAddr) {
LOG_I("Input is interesting (%s), but the si.si_addr is %p (below %p), s kipping", LOG_I("Input is interesting (%s), but the si.si_addr is %p (below %p), s kipping",
util_sigName(si.si_signo), si.si_addr, run->global->linux.ignoreAddr ); util_sigName(si.si_signo), si.si_addr, run->global->arch_linux.ignor eAddr);
return; return;
} }
/* /*
* Temp local copy of previous backtrace value in case worker hit crashes in to multiple * Temp local copy of previous backtrace value in case worker hit crashes in to multiple
* tids for same target master thread. Will be 0 for first crash against tar get. * tids for same target master thread. Will be 0 for first crash against tar get.
*/ */
uint64_t oldBacktrace = run->backtrace; uint64_t oldBacktrace = run->backtrace;
/* Local copy since flag is overridden for some crashes */ /* Local copy since flag is overridden for some crashes */
skipping to change at line 627 skipping to change at line 638
} }
/* Increase global crashes counter */ /* Increase global crashes counter */
ATOMIC_POST_INC(run->global->cnts.crashesCnt); ATOMIC_POST_INC(run->global->cnts.crashesCnt);
/* /*
* Check if backtrace contains whitelisted symbol. Whitelist overrides * Check if backtrace contains whitelisted symbol. Whitelist overrides
* both stackhash and symbol blacklist. Crash is always kept regardless * both stackhash and symbol blacklist. Crash is always kept regardless
* of the status of uniqueness flag. * of the status of uniqueness flag.
*/ */
if (run->global->linux.symsWl) { if (run->global->arch_linux.symsWl) {
char* wlSymbol = arch_btContainsSymbol( char* wlSymbol = arch_btContainsSymbol(
run->global->linux.symsWlCnt, run->global->linux.symsWl, funcCnt, fu ncs); run->global->arch_linux.symsWlCnt, run->global->arch_linux.symsWl, f uncCnt, funcs);
if (wlSymbol != NULL) { if (wlSymbol != NULL) {
saveUnique = false; saveUnique = false;
LOG_D("Whitelisted symbol '%s' found, skipping blacklist checks", wl Symbol); LOG_D("Whitelisted symbol '%s' found, skipping blacklist checks", wl Symbol);
} }
} else { } else {
/* /*
* Check if stackhash is blacklisted * Check if stackhash is blacklisted
*/ */
if (run->global->feedback.blacklist && if (run->global->feedback.blacklist &&
(fastArray64Search(run->global->feedback.blacklist, run->global->fee dback.blacklistCnt, (fastArray64Search(run->global->feedback.blacklist, run->global->fee dback.blacklistCnt,
run->backtrace) != -1)) { run->backtrace) != -1)) {
LOG_I("Blacklisted stack hash '%" PRIx64 "', skipping", run->backtra ce); LOG_I("Blacklisted stack hash '%" PRIx64 "', skipping", run->backtra ce);
ATOMIC_POST_INC(run->global->cnts.blCrashesCnt); ATOMIC_POST_INC(run->global->cnts.blCrashesCnt);
return; return;
} }
/* /*
* Check if backtrace contains blacklisted symbol * Check if backtrace contains blacklisted symbol
*/ */
char* blSymbol = arch_btContainsSymbol( char* blSymbol = arch_btContainsSymbol(
run->global->linux.symsBlCnt, run->global->linux.symsBl, funcCnt, fu ncs); run->global->arch_linux.symsBlCnt, run->global->arch_linux.symsBl, f uncCnt, funcs);
if (blSymbol != NULL) { if (blSymbol != NULL) {
LOG_I("Blacklisted symbol '%s' found, skipping", blSymbol); LOG_I("Blacklisted symbol '%s' found, skipping", blSymbol);
ATOMIC_POST_INC(run->global->cnts.blCrashesCnt); ATOMIC_POST_INC(run->global->cnts.blCrashesCnt);
return; return;
} }
} }
/* If non-blacklisted crash detected, zero set two MSB */ /* If non-blacklisted crash detected, zero set two MSB */
ATOMIC_POST_ADD(run->global->cfg.dynFileIterExpire, _HF_DYNFILE_SUB_MASK); ATOMIC_POST_ADD(run->global->cfg.dynFileIterExpire, _HF_DYNFILE_SUB_MASK);
/* Those addresses will be random, so depend on stack-traces for uniqueness */ /* Those addresses will be random, so depend on stack-traces for uniqueness */
if (!run->global->linux.disableRandomization) { if (!run->global->arch_linux.disableRandomization) {
pc = 0UL; pc = 0UL;
crashAddr = 0UL; crashAddr = 0UL;
} }
/* crashAddr (si.si_addr) never makes sense for SIGABRT */ /* crashAddr (si.si_addr) never makes sense for SIGABRT */
if (si.si_signo == SIGABRT) { if (si.si_signo == SIGABRT) {
crashAddr = 0UL; crashAddr = 0UL;
} }
/* If dry run mode, copy file with same name into workspace */ /* If dry run mode, copy file with same name into workspace */
if (run->global->mutate.mutationsPerRun == 0U && run->global->cfg.useVerifie r) { if (run->global->mutate.mutationsPerRun == 0U && run->global->cfg.useVerifie r) {
snprintf(run->crashFileName, sizeof(run->crashFileName), "%s/%s", run->g lobal->io.crashDir, snprintf(run->crashFileName, sizeof(run->crashFileName), "%s/%s", run->g lobal->io.crashDir,
run->origFileName); run->dynfile->path);
} else if (saveUnique) { } else if (saveUnique) {
snprintf(run->crashFileName, sizeof(run->crashFileName), snprintf(run->crashFileName, sizeof(run->crashFileName),
"%s/%s.PC.%" PRIx64 ".STACK.%" PRIx64 ".CODE.%d.ADDR.%" PRIx64 ".INS TR.%s.%s", "%s/%s.PC.%" PRIx64 ".STACK.%" PRIx64 ".CODE.%d.ADDR.%" PRIx64 ".INS TR.%s.%s",
run->global->io.crashDir, util_sigName(si.si_signo), pc, run->backtr ace, si.si_code, run->global->io.crashDir, util_sigName(si.si_signo), pc, run->backtr ace, si.si_code,
crashAddr, instr, run->global->io.fileExtn); crashAddr, instr, run->global->io.fileExtn);
} else { } else {
char localtmstr[HF_STR_LEN]; char localtmstr[HF_STR_LEN];
util_getLocalTime("%F.%H:%M:%S", localtmstr, sizeof(localtmstr), time(NU LL)); util_getLocalTime("%F.%H:%M:%S", localtmstr, sizeof(localtmstr), time(NU LL));
snprintf(run->crashFileName, sizeof(run->crashFileName), snprintf(run->crashFileName, sizeof(run->crashFileName),
"%s/%s.PC.%" PRIx64 ".STACK.%" PRIx64 ".CODE.%d.ADDR.%" PRIx64 ".INS TR.%s.%s.%d.%s", "%s/%s.PC.%" PRIx64 ".STACK.%" PRIx64 ".CODE.%d.ADDR.%" PRIx64 ".INS TR.%s.%s.%d.%s",
skipping to change at line 701 skipping to change at line 712
LOG_D("SocketFuzzer: trace: Crash Identified"); LOG_D("SocketFuzzer: trace: Crash Identified");
} }
if (files_exists(run->crashFileName)) { if (files_exists(run->crashFileName)) {
LOG_I("Crash (dup): '%s' already exists, skipping", run->crashFileName); LOG_I("Crash (dup): '%s' already exists, skipping", run->crashFileName);
/* Clear filename so that verifier can understand we hit a duplicate */ /* Clear filename so that verifier can understand we hit a duplicate */
memset(run->crashFileName, 0, sizeof(run->crashFileName)); memset(run->crashFileName, 0, sizeof(run->crashFileName));
return; return;
} }
if (!files_writeBufToFile(run->crashFileName, run->dynamicFile, run->dynamic FileSz, if (!files_writeBufToFile(run->crashFileName, run->dynfile->data, run->dynfi le->size,
O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC)) { O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC)) {
LOG_E("Couldn't write to '%s'", run->crashFileName); LOG_E("Couldn't write to '%s'", run->crashFileName);
return; return;
} }
/* Unique new crash, notify fuzzer */ /* Unique new crash, notify fuzzer */
if (run->global->socketFuzzer.enabled) { if (run->global->socketFuzzer.enabled) {
LOG_D("SocketFuzzer: trace: New Uniqu Crash"); LOG_D("SocketFuzzer: trace: New Uniqu Crash");
fuzz_notifySocketFuzzerCrash(run); fuzz_notifySocketFuzzerCrash(run);
} }
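Review bot: With `_HF_LINUX_NO_BFD` defined on a non-Android build, the new inner guards skip arch_bfdResolveSyms and arch_bfdDemangle in both arch_traceAnalyzeData and arch_traceSaveData, yet the later whitelist/blacklist checks (`arch_btContainsSymbol` over `arch_linux.symsWl` / `arch_linux.symsBl`) still run against `funcs`; unless arch_unwindStack fills in symbol names itself — not visible here — those options would silently match nothing in that configuration. A short comment at the first new guard would make that explicit, e.g. `/* Without BFD, funcs may carry no symbol names: the symsWl/symsBl checks below cannot match */`, and a one-time LOG_W where those options are parsed would be the defender-friendly way to surface it. The same guard in arch_getInstrStr leaves `instr` at "[UNKNOWN]" for every crash, which then feeds the `.INSTR.%s` part of the crash file name, so uniqueness of saved crashes in a NO_BFD build rests entirely on pc/stack hash. Minor style point: the first copy tests `if (funcCnt <= 0)` on a size_t while the second uses `if (funcCnt == 0)`; the two should be written the same way. arch_traceSaveData begins inside the shown section but its body continues past the last line shown.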
 End of changes. 19 change blocks. 
11 lines changed or deleted 21 lines changed or added
