1 //===- FuzzerUtilFuchsia.cpp - Misc utils for Fuchsia. --------------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // Misc utils implementation using Fuchsia/Zircon APIs. 9 //===----------------------------------------------------------------------===// 10 #include "FuzzerPlatform.h" 11 12 #if LIBFUZZER_FUCHSIA 13 14 #include "FuzzerInternal.h" 15 #include "FuzzerUtil.h" 16 #include <cassert> 17 #include <cerrno> 18 #include <cinttypes> 19 #include <cstdint> 20 #include <fcntl.h> 21 #include <lib/fdio/fdio.h> 22 #include <lib/fdio/spawn.h> 23 #include <string> 24 #include <sys/select.h> 25 #include <thread> 26 #include <unistd.h> 27 #include <zircon/errors.h> 28 #include <zircon/process.h> 29 #include <zircon/sanitizer.h> 30 #include <zircon/status.h> 31 #include <zircon/syscalls.h> 32 #include <zircon/syscalls/debug.h> 33 #include <zircon/syscalls/exception.h> 34 #include <zircon/syscalls/object.h> 35 #include <zircon/types.h> 36 37 #include <vector> 38 39 namespace fuzzer { 40 41 // Given that Fuchsia doesn't have the POSIX signals that libFuzzer was written 42 // around, the general approach is to spin up dedicated threads to watch for 43 // each requested condition (alarm, interrupt, crash). Of these, the crash 44 // handler is the most involved, as it requires resuming the crashed thread in 45 // order to invoke the sanitizers to get the needed state. 46 47 // Forward declaration of assembly trampoline needed to resume crashed threads. 48 // This appears to have external linkage to C++, which is why it's not in the 49 // anonymous namespace. The assembly definition inside MakeTrampoline() 50 // actually defines the symbol with internal linkage only. 51 void CrashTrampolineAsm() __asm__("CrashTrampolineAsm"); 52 53 namespace { 54 55 // The signal handler thread uses Zircon exceptions to resume crashed threads 56 // into libFuzzer's POSIX signal handlers. The associated event is used to 57 // signal when the thread is running, and when it should stop. 58 std::thread SignalHandler; 59 zx_handle_t SignalHandlerEvent = ZX_HANDLE_INVALID; 60 61 // Helper function to handle Zircon syscall failures. 62 void ExitOnErr(zx_status_t Status, const char *Syscall) { 63 if (Status != ZX_OK) { 64 Printf("libFuzzer: %s failed: %s\n", Syscall, 65 _zx_status_get_string(Status)); 66 exit(1); 67 } 68 } 69 70 void AlarmHandler(int Seconds) { 71 while (true) { 72 SleepSeconds(Seconds); 73 Fuzzer::StaticAlarmCallback(); 74 } 75 } 76 77 // For the crash handler, we need to call Fuzzer::StaticCrashSignalCallback 78 // without POSIX signal handlers. To achieve this, we use an assembly function 79 // to add the necessary CFI unwinding information and a C function to bridge 80 // from that back into C++. 81 82 // FIXME: This works as a short-term solution, but this code really shouldn't be 83 // architecture dependent. A better long term solution is to implement remote 84 // unwinding and expose the necessary APIs through sanitizer_common and/or ASAN 85 // to allow the exception handling thread to gather the crash state directly. 86 // 87 // Alternatively, Fuchsia may in future actually implement basic signal 88 // handling for the machine trap signals. 89 #if defined(__x86_64__) 90 #define FOREACH_REGISTER(OP_REG, OP_NUM) \ 91 OP_REG(rax) \ 92 OP_REG(rbx) \ 93 OP_REG(rcx) \ 94 OP_REG(rdx) \ 95 OP_REG(rsi) \ 96 OP_REG(rdi) \ 97 OP_REG(rbp) \ 98 OP_REG(rsp) \ 99 OP_REG(r8) \ 100 OP_REG(r9) \ 101 OP_REG(r10) \ 102 OP_REG(r11) \ 103 OP_REG(r12) \ 104 OP_REG(r13) \ 105 OP_REG(r14) \ 106 OP_REG(r15) \ 107 OP_REG(rip) 108 109 #elif defined(__aarch64__) 110 #define FOREACH_REGISTER(OP_REG, OP_NUM) \ 111 OP_NUM(0) \ 112 OP_NUM(1) \ 113 OP_NUM(2) \ 114 OP_NUM(3) \ 115 OP_NUM(4) \ 116 OP_NUM(5) \ 117 OP_NUM(6) \ 118 OP_NUM(7) \ 119 OP_NUM(8) \ 120 OP_NUM(9) \ 121 OP_NUM(10) \ 122 OP_NUM(11) \ 123 OP_NUM(12) \ 124 OP_NUM(13) \ 125 OP_NUM(14) \ 126 OP_NUM(15) \ 127 OP_NUM(16) \ 128 OP_NUM(17) \ 129 OP_NUM(18) \ 130 OP_NUM(19) \ 131 OP_NUM(20) \ 132 OP_NUM(21) \ 133 OP_NUM(22) \ 134 OP_NUM(23) \ 135 OP_NUM(24) \ 136 OP_NUM(25) \ 137 OP_NUM(26) \ 138 OP_NUM(27) \ 139 OP_NUM(28) \ 140 OP_NUM(29) \ 141 OP_REG(sp) 142 143 #else 144 #error "Unsupported architecture for fuzzing on Fuchsia" 145 #endif 146 147 // Produces a CFI directive for the named or numbered register. 148 // The value used refers to an assembler immediate operand with the same name 149 // as the register (see ASM_OPERAND_REG). 150 #define CFI_OFFSET_REG(reg) ".cfi_offset " #reg ", %c[" #reg "]\n" 151 #define CFI_OFFSET_NUM(num) CFI_OFFSET_REG(x##num) 152 153 // Produces an assembler immediate operand for the named or numbered register. 154 // This operand contains the offset of the register relative to the CFA. 155 #define ASM_OPERAND_REG(reg) \ 156 [reg] "i"(offsetof(zx_thread_state_general_regs_t, reg)), 157 #define ASM_OPERAND_NUM(num) \ 158 [x##num] "i"(offsetof(zx_thread_state_general_regs_t, r[num])), 159 160 // Trampoline to bridge from the assembly below to the static C++ crash 161 // callback. 162 __attribute__((noreturn)) 163 static void StaticCrashHandler() { 164 Fuzzer::StaticCrashSignalCallback(); 165 for (;;) { 166 _Exit(1); 167 } 168 } 169 170 // This trampoline function has the necessary CFI information to unwind 171 // and get a backtrace: 172 // * The stack contains a copy of all the registers at the point of crash, 173 // the code has CFI directives specifying how to restore them. 174 // * A call to StaticCrashHandler, which will print the stacktrace and exit 175 // the fuzzer, generating a crash artifact. 176 // 177 // The __attribute__((used)) is necessary because the function 178 // is never called; it's just a container around the assembly to allow it to 179 // use operands for compile-time computed constants. 180 __attribute__((used)) 181 void MakeTrampoline() { 182 __asm__( 183 ".cfi_endproc\n" 184 ".pushsection .text.CrashTrampolineAsm\n" 185 ".type CrashTrampolineAsm,STT_FUNC\n" 186 "CrashTrampolineAsm:\n" 187 ".cfi_startproc simple\n" 188 ".cfi_signal_frame\n" 189 #if defined(__x86_64__) 190 ".cfi_return_column rip\n" 191 ".cfi_def_cfa rsp, 0\n" 192 FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM) 193 "call %c[StaticCrashHandler]\n" 194 "ud2\n" 195 #elif defined(__aarch64__) 196 ".cfi_return_column 33\n" 197 ".cfi_def_cfa sp, 0\n" 198 FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM) 199 ".cfi_offset 33, %c[pc]\n" 200 ".cfi_offset 30, %c[lr]\n" 201 "bl %c[StaticCrashHandler]\n" 202 "brk 1\n" 203 #else 204 #error "Unsupported architecture for fuzzing on Fuchsia" 205 #endif 206 ".cfi_endproc\n" 207 ".size CrashTrampolineAsm, . - CrashTrampolineAsm\n" 208 ".popsection\n" 209 ".cfi_startproc\n" 210 : // No outputs 211 : FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM) 212 #if defined(__aarch64__) 213 ASM_OPERAND_REG(pc) ASM_OPERAND_REG(lr) 214 #endif 215 [StaticCrashHandler] "i"(StaticCrashHandler)); 216 } 217 218 void CrashHandler() { 219 assert(SignalHandlerEvent != ZX_HANDLE_INVALID); 220 221 // This structure is used to ensure we close handles to objects we create in 222 // this handler. 223 struct ScopedHandle { 224 ~ScopedHandle() { _zx_handle_close(Handle); } 225 zx_handle_t Handle = ZX_HANDLE_INVALID; 226 }; 227 228 // Create the exception channel. We need to claim to be a "debugger" so the 229 // kernel will allow us to modify and resume dying threads (see below). Once 230 // the channel is set, we can signal the main thread to continue and wait 231 // for the exception to arrive. 232 ScopedHandle Channel; 233 zx_handle_t Self = _zx_process_self(); 234 ExitOnErr(_zx_task_create_exception_channel( 235 Self, ZX_EXCEPTION_CHANNEL_DEBUGGER, &Channel.Handle), 236 "_zx_task_create_exception_channel"); 237 238 ExitOnErr(_zx_object_signal(SignalHandlerEvent, 0, ZX_USER_SIGNAL_0), 239 "_zx_object_signal"); 240 241 // This thread lives as long as the process in order to keep handling 242 // crashes. In practice, the first crashed thread to reach the end of the 243 // StaticCrashHandler will end the process. 244 while (true) { 245 zx_wait_item_t WaitItems[] = { 246 { 247 .handle = SignalHandlerEvent, 248 .waitfor = ZX_SIGNAL_HANDLE_CLOSED, 249 .pending = 0, 250 }, 251 { 252 .handle = Channel.Handle, 253 .waitfor = ZX_CHANNEL_READABLE | ZX_CHANNEL_PEER_CLOSED, 254 .pending = 0, 255 }, 256 }; 257 auto Status = _zx_object_wait_many( 258 WaitItems, sizeof(WaitItems) / sizeof(WaitItems[0]), ZX_TIME_INFINITE); 259 if (Status != ZX_OK || (WaitItems[1].pending & ZX_CHANNEL_READABLE) == 0) { 260 break; 261 } 262 263 zx_exception_info_t ExceptionInfo; 264 ScopedHandle Exception; 265 ExitOnErr(_zx_channel_read(Channel.Handle, 0, &ExceptionInfo, 266 &Exception.Handle, sizeof(ExceptionInfo), 1, 267 nullptr, nullptr), 268 "_zx_channel_read"); 269 270 // Ignore informational synthetic exceptions. 271 if (ZX_EXCP_THREAD_STARTING == ExceptionInfo.type || 272 ZX_EXCP_THREAD_EXITING == ExceptionInfo.type || 273 ZX_EXCP_PROCESS_STARTING == ExceptionInfo.type) { 274 continue; 275 } 276 277 // At this point, we want to get the state of the crashing thread, but 278 // libFuzzer and the sanitizers assume this will happen from that same 279 // thread via a POSIX signal handler. "Resurrecting" the thread in the 280 // middle of the appropriate callback is as simple as forcibly setting the 281 // instruction pointer/program counter, provided we NEVER EVER return from 282 // that function (since otherwise our stack will not be valid). 283 ScopedHandle Thread; 284 ExitOnErr(_zx_exception_get_thread(Exception.Handle, &Thread.Handle), 285 "_zx_exception_get_thread"); 286 287 zx_thread_state_general_regs_t GeneralRegisters; 288 ExitOnErr(_zx_thread_read_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS, 289 &GeneralRegisters, 290 sizeof(GeneralRegisters)), 291 "_zx_thread_read_state"); 292 293 // To unwind properly, we need to push the crashing thread's register state 294 // onto the stack and jump into a trampoline with CFI instructions on how 295 // to restore it. 296 #if defined(__x86_64__) 297 uintptr_t StackPtr = 298 (GeneralRegisters.rsp - (128 + sizeof(GeneralRegisters))) & 299 -(uintptr_t)16; 300 __unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters, 301 sizeof(GeneralRegisters)); 302 GeneralRegisters.rsp = StackPtr; 303 GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm); 304 305 #elif defined(__aarch64__) 306 uintptr_t StackPtr = 307 (GeneralRegisters.sp - sizeof(GeneralRegisters)) & -(uintptr_t)16; 308 __unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters, 309 sizeof(GeneralRegisters)); 310 GeneralRegisters.sp = StackPtr; 311 GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm); 312 313 #else 314 #error "Unsupported architecture for fuzzing on Fuchsia" 315 #endif 316 317 // Now force the crashing thread's state. 318 ExitOnErr( 319 _zx_thread_write_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS, 320 &GeneralRegisters, sizeof(GeneralRegisters)), 321 "_zx_thread_write_state"); 322 323 // Set the exception to HANDLED so it resumes the thread on close. 324 uint32_t ExceptionState = ZX_EXCEPTION_STATE_HANDLED; 325 ExitOnErr(_zx_object_set_property(Exception.Handle, ZX_PROP_EXCEPTION_STATE, 326 &ExceptionState, sizeof(ExceptionState)), 327 "zx_object_set_property"); 328 } 329 } 330 331 void StopSignalHandler() { 332 _zx_handle_close(SignalHandlerEvent); 333 if (SignalHandler.joinable()) { 334 SignalHandler.join(); 335 } 336 } 337 338 } // namespace 339 340 // Platform specific functions. 341 void SetSignalHandler(const FuzzingOptions &Options) { 342 // Make sure information from libFuzzer and the sanitizers are easy to 343 // reassemble. `__sanitizer_log_write` has the added benefit of ensuring the 344 // DSO map is always available for the symbolizer. 345 // A uint64_t fits in 20 chars, so 64 is plenty. 346 char Buf[64]; 347 memset(Buf, 0, sizeof(Buf)); 348 snprintf(Buf, sizeof(Buf), "==%lu== INFO: libFuzzer starting.\n", GetPid()); 349 if (EF->__sanitizer_log_write) 350 __sanitizer_log_write(Buf, sizeof(Buf)); 351 Printf("%s", Buf); 352 353 // Set up alarm handler if needed. 354 if (Options.HandleAlrm && Options.UnitTimeoutSec > 0) { 355 std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1); 356 T.detach(); 357 } 358 359 // Options.HandleInt and Options.HandleTerm are not supported on Fuchsia 360 361 // Early exit if no crash handler needed. 362 if (!Options.HandleSegv && !Options.HandleBus && !Options.HandleIll && 363 !Options.HandleFpe && !Options.HandleAbrt) 364 return; 365 366 // Set up the crash handler and wait until it is ready before proceeding. 367 ExitOnErr(_zx_event_create(0, &SignalHandlerEvent), "_zx_event_create"); 368 369 SignalHandler = std::thread(CrashHandler); 370 zx_status_t Status = _zx_object_wait_one(SignalHandlerEvent, ZX_USER_SIGNAL_0, 371 ZX_TIME_INFINITE, nullptr); 372 ExitOnErr(Status, "_zx_object_wait_one"); 373 374 std::atexit(StopSignalHandler); 375 } 376 377 void SleepSeconds(int Seconds) { 378 _zx_nanosleep(_zx_deadline_after(ZX_SEC(Seconds))); 379 } 380 381 unsigned long GetPid() { 382 zx_status_t rc; 383 zx_info_handle_basic_t Info; 384 if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_HANDLE_BASIC, &Info, 385 sizeof(Info), NULL, NULL)) != ZX_OK) { 386 Printf("libFuzzer: unable to get info about self: %s\n", 387 _zx_status_get_string(rc)); 388 exit(1); 389 } 390 return Info.koid; 391 } 392 393 size_t GetPeakRSSMb() { 394 zx_status_t rc; 395 zx_info_task_stats_t Info; 396 if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_TASK_STATS, &Info, 397 sizeof(Info), NULL, NULL)) != ZX_OK) { 398 Printf("libFuzzer: unable to get info about self: %s\n", 399 _zx_status_get_string(rc)); 400 exit(1); 401 } 402 return (Info.mem_private_bytes + Info.mem_shared_bytes) >> 20; 403 } 404 405 template <typename Fn> 406 class RunOnDestruction { 407 public: 408 explicit RunOnDestruction(Fn fn) : fn_(fn) {} 409 ~RunOnDestruction() { fn_(); } 410 411 private: 412 Fn fn_; 413 }; 414 415 template <typename Fn> 416 RunOnDestruction<Fn> at_scope_exit(Fn fn) { 417 return RunOnDestruction<Fn>(fn); 418 } 419 420 static fdio_spawn_action_t clone_fd_action(int localFd, int targetFd) { 421 return { 422 .action = FDIO_SPAWN_ACTION_CLONE_FD, 423 .fd = 424 { 425 .local_fd = localFd, 426 .target_fd = targetFd, 427 }, 428 }; 429 } 430 431 int ExecuteCommand(const Command &Cmd) { 432 zx_status_t rc; 433 434 // Convert arguments to C array 435 auto Args = Cmd.getArguments(); 436 size_t Argc = Args.size(); 437 assert(Argc != 0); 438 std::unique_ptr<const char *[]> Argv(new const char *[Argc + 1]); 439 for (size_t i = 0; i < Argc; ++i) 440 Argv[i] = Args[i].c_str(); 441 Argv[Argc] = nullptr; 442 443 // Determine output. On Fuchsia, the fuzzer is typically run as a component 444 // that lacks a mutable working directory. Fortunately, when this is the case 445 // a mutable output directory must be specified using "-artifact_prefix=...", 446 // so write the log file(s) there. 447 // However, we don't want to apply this logic for absolute paths. 448 int FdOut = STDOUT_FILENO; 449 bool discardStdout = false; 450 bool discardStderr = false; 451 452 if (Cmd.hasOutputFile()) { 453 std::string Path = Cmd.getOutputFile(); 454 if (Path == getDevNull()) { 455 // On Fuchsia, there's no "/dev/null" like-file, so we 456 // just don't copy the FDs into the spawned process. 457 discardStdout = true; 458 } else { 459 bool IsAbsolutePath = Path.length() > 1 && Path[0] == '/'; 460 if (!IsAbsolutePath && Cmd.hasFlag("artifact_prefix")) 461 Path = Cmd.getFlagValue("artifact_prefix") + "/" + Path; 462 463 FdOut = open(Path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0); 464 if (FdOut == -1) { 465 Printf("libFuzzer: failed to open %s: %s\n", Path.c_str(), 466 strerror(errno)); 467 return ZX_ERR_IO; 468 } 469 } 470 } 471 auto CloseFdOut = at_scope_exit([FdOut]() { 472 if (FdOut != STDOUT_FILENO) 473 close(FdOut); 474 }); 475 476 // Determine stderr 477 int FdErr = STDERR_FILENO; 478 if (Cmd.isOutAndErrCombined()) { 479 FdErr = FdOut; 480 if (discardStdout) 481 discardStderr = true; 482 } 483 484 // Clone the file descriptors into the new process 485 std::vector<fdio_spawn_action_t> SpawnActions; 486 SpawnActions.push_back(clone_fd_action(STDIN_FILENO, STDIN_FILENO)); 487 488 if (!discardStdout) 489 SpawnActions.push_back(clone_fd_action(FdOut, STDOUT_FILENO)); 490 if (!discardStderr) 491 SpawnActions.push_back(clone_fd_action(FdErr, STDERR_FILENO)); 492 493 // Start the process. 494 char ErrorMsg[FDIO_SPAWN_ERR_MSG_MAX_LENGTH]; 495 zx_handle_t ProcessHandle = ZX_HANDLE_INVALID; 496 rc = fdio_spawn_etc(ZX_HANDLE_INVALID, 497 FDIO_SPAWN_CLONE_ALL & (~FDIO_SPAWN_CLONE_STDIO), Argv[0], 498 Argv.get(), nullptr, SpawnActions.size(), 499 SpawnActions.data(), &ProcessHandle, ErrorMsg); 500 501 if (rc != ZX_OK) { 502 Printf("libFuzzer: failed to launch '%s': %s, %s\n", Argv[0], ErrorMsg, 503 _zx_status_get_string(rc)); 504 return rc; 505 } 506 auto CloseHandle = at_scope_exit([&]() { _zx_handle_close(ProcessHandle); }); 507 508 // Now join the process and return the exit status. 509 if ((rc = _zx_object_wait_one(ProcessHandle, ZX_PROCESS_TERMINATED, 510 ZX_TIME_INFINITE, nullptr)) != ZX_OK) { 511 Printf("libFuzzer: failed to join '%s': %s\n", Argv[0], 512 _zx_status_get_string(rc)); 513 return rc; 514 } 515 516 zx_info_process_t Info; 517 if ((rc = _zx_object_get_info(ProcessHandle, ZX_INFO_PROCESS, &Info, 518 sizeof(Info), nullptr, nullptr)) != ZX_OK) { 519 Printf("libFuzzer: unable to get return code from '%s': %s\n", Argv[0], 520 _zx_status_get_string(rc)); 521 return rc; 522 } 523 524 return static_cast<int>(Info.return_code); 525 } 526 527 bool ExecuteCommand(const Command &BaseCmd, std::string *CmdOutput) { 528 auto LogFilePath = TempPath("SimPopenOut", ".txt"); 529 Command Cmd(BaseCmd); 530 Cmd.setOutputFile(LogFilePath); 531 int Ret = ExecuteCommand(Cmd); 532 *CmdOutput = FileToString(LogFilePath); 533 RemoveFile(LogFilePath); 534 return Ret == 0; 535 } 536 537 const void *SearchMemory(const void *Data, size_t DataLen, const void *Patt, 538 size_t PattLen) { 539 return memmem(Data, DataLen, Patt, PattLen); 540 } 541 542 // In fuchsia, accessing /dev/null is not supported. There's nothing 543 // similar to a file that discards everything that is written to it. 544 // The way of doing something similar in fuchsia is by using 545 // fdio_null_create and binding that to a file descriptor. 546 void DiscardOutput(int Fd) { 547 fdio_t *fdio_null = fdio_null_create(); 548 if (fdio_null == nullptr) return; 549 int nullfd = fdio_bind_to_fd(fdio_null, -1, 0); 550 if (nullfd < 0) return; 551 dup2(nullfd, Fd); 552 } 553 554 } // namespace fuzzer 555 556 #endif // LIBFUZZER_FUCHSIA 557