1 /*
2  *
3  * honggfuzz - architecture dependent code (LINUX)
4  * -----------------------------------------
5  *
6  * Author: Robert Swiecki <swiecki@google.com>
7  *
8  * Copyright 2010-2018 by Google Inc. All Rights Reserved.
9  *
10  * Licensed under the Apache License, Version 2.0 (the "License"); you may
11  * not use this file except in compliance with the License. You may obtain
12  * a copy of the License at
13  *
14  * http://www.apache.org/licenses/LICENSE-2.0
15  *
16  * Unless required by applicable law or agreed to in writing, software
17  * distributed under the License is distributed on an "AS IS" BASIS,
18  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
19  * implied. See the License for the specific language governing
20  * permissions and limitations under the License.
21  *
22  */
23 
24 #include "arch.h"
25 
26 #include <ctype.h>
27 #include <dlfcn.h>
28 #include <errno.h>
29 #include <fcntl.h>
30 #include <inttypes.h>
31 #include <locale.h>
32 #include <setjmp.h>
33 #include <signal.h>
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <string.h>
37 #include <sys/cdefs.h>
38 #include <sys/personality.h>
39 #include <sys/prctl.h>
40 #include <sys/syscall.h>
41 #include <sys/time.h>
42 #include <sys/types.h>
43 #include <sys/user.h>
44 #include <sys/utsname.h>
45 #include <sys/wait.h>
46 #include <time.h>
47 #include <unistd.h>
48 
49 #include "fuzz.h"
50 #include "libhfcommon/common.h"
51 #include "libhfcommon/files.h"
52 #include "libhfcommon/log.h"
53 #include "libhfcommon/ns.h"
54 #include "libhfcommon/util.h"
55 #include "linux/perf.h"
56 #include "linux/trace.h"
57 #include "sanitizers.h"
58 #include "subproc.h"
59 
60 static uint8_t arch_clone_stack[128 * 1024] __attribute__((aligned(__BIGGEST_ALIGNMENT__)));
61 static __thread jmp_buf env;
62 
63 HF_ATTR_NO_SANITIZE_ADDRESS
64 HF_ATTR_NO_SANITIZE_MEMORY
arch_cloneFunc(void * arg HF_ATTR_UNUSED)65 static int arch_cloneFunc(void* arg HF_ATTR_UNUSED) {
66     longjmp(env, 1);
67     abort();
68     return 0;
69 }
70 
71 /* Avoid problem with caching of PID/TID in glibc */
arch_clone(uintptr_t flags)72 static pid_t arch_clone(uintptr_t flags) {
73     if (flags & CLONE_VM) {
74         LOG_E("Cannot use clone(flags & CLONE_VM)");
75         return -1;
76     }
77 
78     if (setjmp(env) == 0) {
79         void* stack_mid = &arch_clone_stack[sizeof(arch_clone_stack) / 2];
80         /* Parent */
81         return clone(arch_cloneFunc, stack_mid, flags, NULL, NULL, NULL);
82     }
83     /* Child */
84     return 0;
85 }
86 
arch_fork(run_t * run)87 pid_t arch_fork(run_t* run) {
88     pid_t pid = run->global->linux.useClone ? arch_clone(CLONE_UNTRACED | SIGCHLD) : fork();
89     if (pid == -1) {
90         return pid;
91     }
92     if (pid == 0) {
93         logMutexReset();
94         if (prctl(PR_SET_PDEATHSIG, (unsigned long)SIGKILL, 0UL, 0UL, 0UL) == -1) {
95             PLOG_W("prctl(PR_SET_PDEATHSIG, SIGKILL)");
96         }
97         return pid;
98     }
99     return pid;
100 }
101 
arch_launchChild(run_t * run)102 bool arch_launchChild(run_t* run) {
103     if ((run->global->linux.cloneFlags & CLONE_NEWNET) && (nsIfaceUp("lo") == false)) {
104         LOG_W("Cannot bring interface 'lo' up");
105     }
106 
107     /*
108      * Make it attach-able by ptrace()
109      */
110     if (prctl(PR_SET_DUMPABLE, 1UL, 0UL, 0UL, 0UL) == -1) {
111         PLOG_E("prctl(PR_SET_DUMPABLE, 1)");
112         return false;
113     }
114 
115     /*
116      * Kill a process which corrupts its own heap (with ABRT)
117      */
118     if (setenv("MALLOC_CHECK_", "7", 0) == -1) {
119         PLOG_E("setenv(MALLOC_CHECK_=7) failed");
120         return false;
121     }
122     if (setenv("MALLOC_PERTURB_", "85", 0) == -1) {
123         PLOG_E("setenv(MALLOC_PERTURB_=85) failed");
124         return false;
125     }
126 
127     /*
128      * Disable ASLR:
129      * This might fail in Docker, as Docker blocks __NR_personality. Consequently
130      * it's just a debug warning
131      */
132     if (run->global->linux.disableRandomization &&
133         syscall(__NR_personality, ADDR_NO_RANDOMIZE) == -1) {
134         PLOG_D("personality(ADDR_NO_RANDOMIZE) failed");
135     }
136 
137 #define ARGS_MAX 512
138     const char* args[ARGS_MAX + 2];
139     char argData[PATH_MAX];
140 
141     char inputFile[PATH_MAX];
142     snprintf(inputFile, sizeof(inputFile), "/dev/fd/%d", run->dynamicFileCopyFd);
143 
144     int x = 0;
145     for (x = 0; x < ARGS_MAX && x < run->global->exe.argc; x++) {
146         if (run->global->exe.persistent || run->global->exe.fuzzStdin) {
147             args[x] = run->global->exe.cmdline[x];
148         } else if (!strcmp(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) {
149             args[x] = inputFile;
150         } else if (strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) {
151             const char* off = strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER);
152             snprintf(argData, sizeof(argData), "%.*s%s", (int)(off - run->global->exe.cmdline[x]),
153                 run->global->exe.cmdline[x], inputFile);
154             args[x] = argData;
155         } else {
156             args[x] = run->global->exe.cmdline[x];
157         }
158     }
159     args[x++] = NULL;
160 
161     LOG_D("Launching '%s' on file '%s'", args[0],
162         run->global->exe.persistent ? "PERSISTENT_MODE" : inputFile);
163 
164     /* alarms persist across execve(), so disable it here */
165     alarm(0);
166 
167     /* Wait for the ptrace to attach now */
168     if (kill(syscall(__NR_getpid), SIGSTOP) == -1) {
169         LOG_F("Couldn't stop itself");
170     }
171 #if defined(__NR_execveat)
172     syscall(__NR_execveat, run->global->linux.exeFd, "", args, environ, AT_EMPTY_PATH);
173 #endif /* defined__NR_execveat) */
174     execve(args[0], (char* const*)args, environ);
175     int errno_cpy = errno;
176     alarm(1);
177 
178     LOG_E("execve('%s', fd=%d): %s", args[0], run->global->linux.exeFd, strerror(errno_cpy));
179 
180     return false;
181 }
182 
arch_attachToNewPid(run_t * run)183 static bool arch_attachToNewPid(run_t* run) {
184     if (!arch_traceAttach(run)) {
185         LOG_W("arch_traceAttach(pid=%d) failed", run->pid);
186         return false;
187     }
188 
189     return true;
190 }
191 
arch_prepareParentAfterFork(run_t * run)192 void arch_prepareParentAfterFork(run_t* run) {
193     /* Parent */
194     if (run->global->exe.persistent) {
195         const struct f_owner_ex fown = {
196             .type = F_OWNER_TID,
197             .pid = syscall(__NR_gettid),
198         };
199         if (fcntl(run->persistentSock, F_SETOWN_EX, &fown)) {
200             PLOG_F("fcntl(%d, F_SETOWN_EX)", run->persistentSock);
201         }
202         if (fcntl(run->persistentSock, F_SETSIG, SIGIO) == -1) {
203             PLOG_F("fcntl(%d, F_SETSIG, SIGIO)", run->persistentSock);
204         }
205         if (fcntl(run->persistentSock, F_SETFL, O_ASYNC) == -1) {
206             PLOG_F("fcntl(%d, F_SETFL, O_ASYNC)", run->persistentSock);
207         }
208     }
209 
210     if (!arch_perfOpen(run)) {
211         LOG_F("Couldn't open perf event for pid=%d", (int)run->pid);
212     }
213     if (!arch_attachToNewPid(run)) {
214         LOG_F("Couldn't attach to pid=%d", (int)run->pid);
215     }
216 }
217 
arch_prepareParent(run_t * run)218 void arch_prepareParent(run_t* run) {
219     if (!arch_perfEnable(run)) {
220         LOG_F("Couldn't enable perf counters for pid=%d", (int)run->pid);
221     }
222 }
223 
arch_checkWait(run_t * run)224 static bool arch_checkWait(run_t* run) {
225     /* All queued wait events must be tested when SIGCHLD was delivered */
226     for (;;) {
227         int status;
228         pid_t pid = TEMP_FAILURE_RETRY(waitpid(-1, &status, __WALL | __WNOTHREAD | WNOHANG));
229         if (pid == 0) {
230             return false;
231         }
232         if (pid == -1 && errno == ECHILD) {
233             LOG_D("No more processes to track");
234             return true;
235         }
236         if (pid == -1) {
237             PLOG_F("waitpid() failed");
238         }
239 
240         char statusStr[4096];
241         LOG_D("pid=%d returned with status: %s", pid,
242             subproc_StatusToStr(status, statusStr, sizeof(statusStr)));
243 
244         arch_traceAnalyze(run, status, pid);
245 
246         if (pid == run->pid && (WIFEXITED(status) || WIFSIGNALED(status))) {
247             if (run->global->exe.persistent) {
248                 if (!fuzz_isTerminating()) {
249                     LOG_W("Persistent mode: pid=%d exited with status: %s", (int)run->pid,
250                         subproc_StatusToStr(status, statusStr, sizeof(statusStr)));
251                 }
252             }
253             return true;
254         }
255     }
256 }
257 
arch_reapChild(run_t * run)258 void arch_reapChild(run_t* run) {
259     for (;;) {
260         if (subproc_persistentModeStateMachine(run)) {
261             break;
262         }
263 
264         subproc_checkTimeLimit(run);
265         subproc_checkTermination(run);
266 
267         const struct timespec ts = {
268             .tv_sec = 0ULL,
269             .tv_nsec = (1000ULL * 1000ULL * 250ULL),
270         };
271         /* Return with SIGIO, SIGCHLD and with SIGUSR1 */
272         int sig = sigtimedwait(&run->global->exe.waitSigSet, NULL, &ts /* 0.25s */);
273         if (sig == -1 && (errno != EAGAIN && errno != EINTR)) {
274             PLOG_F("sigwaitinfo(SIGIO|SIGCHLD|SIGUSR1)");
275         }
276 
277         if (arch_checkWait(run)) {
278             run->pid = 0;
279             break;
280         }
281         if (run->global->socketFuzzer.enabled) {
282             // Do not wait for new events
283             break;
284         }
285     }
286     if (run->global->sanitizer.enable) {
287         char crashReport[PATH_MAX];
288         snprintf(crashReport, sizeof(crashReport), "%s/%s.%d", run->global->io.workDir, kLOGPREFIX,
289             run->pid);
290         if (files_exists(crashReport)) {
291             if (run->backtrace) {
292                 unlink(crashReport);
293             } else {
294                 LOG_W("Un-handled ASan report due to compiler-rt internal error - retry with '%s'",
295                     crashReport);
296                 /* Try to parse report file */
297                 arch_traceExitAnalyze(run, run->pid);
298             }
299         }
300     }
301 
302     if (run->pid == 0) {
303         arch_perfClose(run);
304     }
305     arch_perfAnalyze(run);
306 }
307 
arch_archInit(honggfuzz_t * hfuzz)308 bool arch_archInit(honggfuzz_t* hfuzz) {
309     /* Make %'d work */
310     setlocale(LC_NUMERIC, "en_US.UTF-8");
311 
312     if (access(hfuzz->exe.cmdline[0], X_OK) == -1) {
313         PLOG_E("File '%s' doesn't seem to be executable", hfuzz->exe.cmdline[0]);
314         return false;
315     }
316     if ((hfuzz->linux.exeFd =
317                 TEMP_FAILURE_RETRY(open(hfuzz->exe.cmdline[0], O_RDONLY | O_CLOEXEC))) == -1) {
318         PLOG_E("Cannot open the executable binary: %s)", hfuzz->exe.cmdline[0]);
319         return false;
320     }
321 
322     for (;;) {
323         __attribute__((weak)) const char* gnu_get_libc_version(void);
324         if (!gnu_get_libc_version) {
325             LOG_W("Unknown libc implementation. Using clone() instead of fork()");
326             break;
327         }
328         const char* gversion = gnu_get_libc_version();
329         int major, minor;
330         if (sscanf(gversion, "%d.%d", &major, &minor) != 2) {
331             LOG_W("Unknown glibc version:'%s'. Using clone() instead of fork()", gversion);
332             break;
333         }
334         if ((major < 2) || (major == 2 && minor < 23)) {
335             LOG_W("Your glibc version:'%s' will most likely result in malloc()-related "
336                   "deadlocks. Min. version 2.24 (Or, Ubuntu's 2.23-0ubuntu6) suggested. "
337                   "See https://sourceware.org/bugzilla/show_bug.cgi?id=19431 for explanation. "
338                   "Using clone() instead of fork()",
339                 gversion);
340             break;
341         }
342         LOG_D("Glibc version:'%s', OK", gversion);
343         hfuzz->linux.useClone = false;
344         break;
345     }
346 
347     if (hfuzz->feedback.dynFileMethod != _HF_DYNFILE_NONE) {
348         unsigned long major = 0, minor = 0;
349         char* p = NULL;
350 
351         /*
352          * Check that Linux kernel is compatible
353          *
354          * Compatibility list:
355          *  1) Perf exclude_callchain_kernel requires kernel >= 3.7
356          *     TODO: Runtime logic to disable it for unsupported kernels
357          *           if it doesn't affect perf counters processing
358          *  2) If 'PERF_TYPE_HARDWARE' is not supported by kernel, ENOENT
359          *     is returned from perf_event_open(). Unfortunately, no reliable
360          *     way to detect it here. libperf exports some list functions,
361          *     although small guarantees it's installed. Maybe a more targeted
362          *     message at perf_event_open() error handling will help.
363          *  3) Intel's PT and new Intel BTS format require kernel >= 4.1
364          */
365         unsigned long checkMajor = 3, checkMinor = 7;
366         if ((hfuzz->feedback.dynFileMethod & _HF_DYNFILE_BTS_EDGE) ||
367             (hfuzz->feedback.dynFileMethod & _HF_DYNFILE_IPT_BLOCK)) {
368             checkMajor = 4;
369             checkMinor = 1;
370         }
371 
372         struct utsname uts;
373         if (uname(&uts) == -1) {
374             PLOG_F("uname() failed");
375             return false;
376         }
377 
378         p = uts.release;
379         major = strtoul(p, &p, 10);
380         if (*p++ != '.') {
381             LOG_F("Unsupported kernel version (%s)", uts.release);
382             return false;
383         }
384 
385         minor = strtoul(p, &p, 10);
386         if ((major < checkMajor) || ((major == checkMajor) && (minor < checkMinor))) {
387             LOG_E("Kernel version '%s' not supporting chosen perf method", uts.release);
388             return false;
389         }
390 
391         if (!arch_perfInit(hfuzz)) {
392             return false;
393         }
394     }
395 #if defined(__ANDROID__) && defined(__arm__) && defined(OPENSSL_ARMCAP_ABI)
396     /*
397      * For ARM kernels running Android API <= 21, if fuzzing target links to
398      * libcrypto (OpenSSL), OPENSSL_cpuid_setup initialization is triggering a
399      * SIGILL/ILLOPC at armv7_tick() due to  "mrrc p15, #1, r0, r1, c14)" instruction.
400      * Setups using BoringSSL (API >= 22) are not affected.
401      */
402     if (setenv("OPENSSL_armcap", OPENSSL_ARMCAP_ABI, 1) == -1) {
403         PLOG_E("setenv(OPENSSL_armcap) failed");
404         return false;
405     }
406 #endif
407 
408     /* Updates the important signal array based on input args */
409     arch_traceSignalsInit(hfuzz);
410 
411     /*
412      * If sanitizer fuzzing enabled and SIGABRT is monitored (abort_on_error=1),
413      * increase number of major frames, since top 7-9 frames will be occupied
414      * with sanitizer runtime library & libc symbols
415      */
416     if (hfuzz->sanitizer.enable && hfuzz->cfg.monitorSIGABRT) {
417         hfuzz->linux.numMajorFrames = 14;
418     }
419 
420     if (hfuzz->linux.cloneFlags && unshare(hfuzz->linux.cloneFlags) == -1) {
421         LOG_E("unshare(%tx)", hfuzz->linux.cloneFlags);
422         return false;
423     }
424 
425     return true;
426 }
427 
arch_archThreadInit(run_t * run)428 bool arch_archThreadInit(run_t* run) {
429     run->linux.perfMmapBuf = NULL;
430     run->linux.perfMmapAux = NULL;
431     run->linux.cpuInstrFd = -1;
432     run->linux.cpuBranchFd = -1;
433     run->linux.cpuIptBtsFd = -1;
434 
435     if (prctl(PR_SET_CHILD_SUBREAPER, 1UL, 0UL, 0UL, 0UL) == -1) {
436         PLOG_W("prctl(PR_SET_CHILD_SUBREAPER, 1)");
437     }
438 
439     sigset_t ss;
440     sigemptyset(&ss);
441     sigaddset(&ss, SIGUSR1);
442     if (pthread_sigmask(SIG_BLOCK, &ss, NULL) != 0) {
443         PLOG_W("Couldn't block SIGUSR1");
444         return false;
445     }
446 
447     return true;
448 }
449