1 //===- FuzzerUtilDarwin.cpp - Misc utils ----------------------------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // Misc utils for Darwin. 9 //===----------------------------------------------------------------------===// 10 #include "FuzzerPlatform.h" 11 #if LIBFUZZER_APPLE 12 #include "FuzzerCommand.h" 13 #include "FuzzerIO.h" 14 #include <mutex> 15 #include <signal.h> 16 #include <spawn.h> 17 #include <stdlib.h> 18 #include <string.h> 19 #include <sys/wait.h> 20 #include <unistd.h> 21 22 // There is no header for this on macOS so declare here 23 extern "C" char **environ; 24 25 namespace fuzzer { 26 27 static std::mutex SignalMutex; 28 // Global variables used to keep track of how signal handling should be 29 // restored. They should **not** be accessed without holding `SignalMutex`. 30 static int ActiveThreadCount = 0; 31 static struct sigaction OldSigIntAction; 32 static struct sigaction OldSigQuitAction; 33 static sigset_t OldBlockedSignalsSet; 34 35 // This is a reimplementation of Libc's `system()`. On Darwin the Libc 36 // implementation contains a mutex which prevents it from being used 37 // concurrently. This implementation **can** be used concurrently. It sets the 38 // signal handlers when the first thread enters and restores them when the last 39 // thread finishes execution of the function and ensures this is not racey by 40 // using a mutex. 41 int ExecuteCommand(const Command &Cmd) { 42 std::string CmdLine = Cmd.toString(); 43 posix_spawnattr_t SpawnAttributes; 44 if (posix_spawnattr_init(&SpawnAttributes)) 45 return -1; 46 // Block and ignore signals of the current process when the first thread 47 // enters. 48 { 49 std::lock_guard<std::mutex> Lock(SignalMutex); 50 if (ActiveThreadCount == 0) { 51 static struct sigaction IgnoreSignalAction; 52 sigset_t BlockedSignalsSet; 53 memset(&IgnoreSignalAction, 0, sizeof(IgnoreSignalAction)); 54 IgnoreSignalAction.sa_handler = SIG_IGN; 55 56 if (sigaction(SIGINT, &IgnoreSignalAction, &OldSigIntAction) == -1) { 57 Printf("Failed to ignore SIGINT\n"); 58 (void)posix_spawnattr_destroy(&SpawnAttributes); 59 return -1; 60 } 61 if (sigaction(SIGQUIT, &IgnoreSignalAction, &OldSigQuitAction) == -1) { 62 Printf("Failed to ignore SIGQUIT\n"); 63 // Try our best to restore the signal handlers. 64 (void)sigaction(SIGINT, &OldSigIntAction, NULL); 65 (void)posix_spawnattr_destroy(&SpawnAttributes); 66 return -1; 67 } 68 69 (void)sigemptyset(&BlockedSignalsSet); 70 (void)sigaddset(&BlockedSignalsSet, SIGCHLD); 71 if (sigprocmask(SIG_BLOCK, &BlockedSignalsSet, &OldBlockedSignalsSet) == 72 -1) { 73 Printf("Failed to block SIGCHLD\n"); 74 // Try our best to restore the signal handlers. 75 (void)sigaction(SIGQUIT, &OldSigQuitAction, NULL); 76 (void)sigaction(SIGINT, &OldSigIntAction, NULL); 77 (void)posix_spawnattr_destroy(&SpawnAttributes); 78 return -1; 79 } 80 } 81 ++ActiveThreadCount; 82 } 83 84 // NOTE: Do not introduce any new `return` statements past this 85 // point. It is important that `ActiveThreadCount` always be decremented 86 // when leaving this function. 87 88 // Make sure the child process uses the default handlers for the 89 // following signals rather than inheriting what the parent has. 90 sigset_t DefaultSigSet; 91 (void)sigemptyset(&DefaultSigSet); 92 (void)sigaddset(&DefaultSigSet, SIGQUIT); 93 (void)sigaddset(&DefaultSigSet, SIGINT); 94 (void)posix_spawnattr_setsigdefault(&SpawnAttributes, &DefaultSigSet); 95 // Make sure the child process doesn't block SIGCHLD 96 (void)posix_spawnattr_setsigmask(&SpawnAttributes, &OldBlockedSignalsSet); 97 short SpawnFlags = POSIX_SPAWN_SETSIGDEF | POSIX_SPAWN_SETSIGMASK; 98 (void)posix_spawnattr_setflags(&SpawnAttributes, SpawnFlags); 99 100 pid_t Pid; 101 char **Environ = environ; // Read from global 102 const char *CommandCStr = CmdLine.c_str(); 103 char *const Argv[] = { 104 strdup("sh"), 105 strdup("-c"), 106 strdup(CommandCStr), 107 NULL 108 }; 109 int ErrorCode = 0, ProcessStatus = 0; 110 // FIXME: We probably shouldn't hardcode the shell path. 111 ErrorCode = posix_spawn(&Pid, "/bin/sh", NULL, &SpawnAttributes, 112 Argv, Environ); 113 (void)posix_spawnattr_destroy(&SpawnAttributes); 114 if (!ErrorCode) { 115 pid_t SavedPid = Pid; 116 do { 117 // Repeat until call completes uninterrupted. 118 Pid = waitpid(SavedPid, &ProcessStatus, /*options=*/0); 119 } while (Pid == -1 && errno == EINTR); 120 if (Pid == -1) { 121 // Fail for some other reason. 122 ProcessStatus = -1; 123 } 124 } else if (ErrorCode == ENOMEM || ErrorCode == EAGAIN) { 125 // Fork failure. 126 ProcessStatus = -1; 127 } else { 128 // Shell execution failure. 129 ProcessStatus = W_EXITCODE(127, 0); 130 } 131 for (unsigned i = 0, n = sizeof(Argv) / sizeof(Argv[0]); i < n; ++i) 132 free(Argv[i]); 133 134 // Restore the signal handlers of the current process when the last thread 135 // using this function finishes. 136 { 137 std::lock_guard<std::mutex> Lock(SignalMutex); 138 --ActiveThreadCount; 139 if (ActiveThreadCount == 0) { 140 bool FailedRestore = false; 141 if (sigaction(SIGINT, &OldSigIntAction, NULL) == -1) { 142 Printf("Failed to restore SIGINT handling\n"); 143 FailedRestore = true; 144 } 145 if (sigaction(SIGQUIT, &OldSigQuitAction, NULL) == -1) { 146 Printf("Failed to restore SIGQUIT handling\n"); 147 FailedRestore = true; 148 } 149 if (sigprocmask(SIG_BLOCK, &OldBlockedSignalsSet, NULL) == -1) { 150 Printf("Failed to unblock SIGCHLD\n"); 151 FailedRestore = true; 152 } 153 if (FailedRestore) 154 ProcessStatus = -1; 155 } 156 } 157 return ProcessStatus; 158 } 159 160 void DiscardOutput(int Fd) { 161 FILE* Temp = fopen("/dev/null", "w"); 162 if (!Temp) 163 return; 164 dup2(fileno(Temp), Fd); 165 fclose(Temp); 166 } 167 168 void SetThreadName(std::thread &thread, const std::string &name) { 169 // TODO ? 170 // Darwin allows to set the name only on the current thread it seems 171 } 172 173 } // namespace fuzzer 174 175 #endif // LIBFUZZER_APPLE 176