| 1 | //===- FuzzerUtilDarwin.cpp - Misc utils ----------------------------------===// |
|---|
| 2 | // |
|---|
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
|---|
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
|---|
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
|---|
| 6 | // |
|---|
| 7 | //===----------------------------------------------------------------------===// |
|---|
| 8 | // Misc utils for Darwin. |
|---|
| 9 | //===----------------------------------------------------------------------===// |
|---|
| 10 | #include "FuzzerPlatform.h" |
|---|
| 11 | #if LIBFUZZER_APPLE |
|---|
| 12 | #include "FuzzerCommand.h" |
|---|
| 13 | #include "FuzzerIO.h" |
|---|
| 14 | #include <mutex> |
|---|
| 15 | #include <signal.h> |
|---|
| 16 | #include <spawn.h> |
|---|
| 17 | #include <stdlib.h> |
|---|
| 18 | #include <string.h> |
|---|
| 19 | #include <sys/wait.h> |
|---|
| 20 | #include <unistd.h> |
|---|
| 21 | |
|---|
| 22 | // There is no header for this on macOS so declare here |
|---|
| 23 | extern "C" char **environ; |
|---|
| 24 | |
|---|
| 25 | namespace fuzzer { |
|---|
| 26 | |
|---|
| 27 | static std::mutex SignalMutex; |
|---|
| 28 | // Global variables used to keep track of how signal handling should be |
|---|
| 29 | // restored. They should **not** be accessed without holding `SignalMutex`. |
|---|
| 30 | static int ActiveThreadCount = 0; |
|---|
| 31 | static struct sigaction OldSigIntAction; |
|---|
| 32 | static struct sigaction OldSigQuitAction; |
|---|
| 33 | static sigset_t OldBlockedSignalsSet; |
|---|
| 34 | |
|---|
| 35 | // This is a reimplementation of Libc's `system()`. On Darwin the Libc |
|---|
| 36 | // implementation contains a mutex which prevents it from being used |
|---|
| 37 | // concurrently. This implementation **can** be used concurrently. It sets the |
|---|
| 38 | // signal handlers when the first thread enters and restores them when the last |
|---|
| 39 | // thread finishes execution of the function and ensures this is not racey by |
|---|
| 40 | // using a mutex. |
|---|
| 41 | int ExecuteCommand(const Command &Cmd) { |
|---|
| 42 | std::string CmdLine = Cmd.toString(); |
|---|
| 43 | posix_spawnattr_t SpawnAttributes; |
|---|
| 44 | if (posix_spawnattr_init(&SpawnAttributes)) |
|---|
| 45 | return -1; |
|---|
| 46 | // Block and ignore signals of the current process when the first thread |
|---|
| 47 | // enters. |
|---|
| 48 | { |
|---|
| 49 | std::lock_guard<std::mutex> Lock(SignalMutex); |
|---|
| 50 | if (ActiveThreadCount == 0) { |
|---|
| 51 | static struct sigaction IgnoreSignalAction; |
|---|
| 52 | sigset_t BlockedSignalsSet; |
|---|
| 53 | memset(&IgnoreSignalAction, 0, sizeof(IgnoreSignalAction)); |
|---|
| 54 | IgnoreSignalAction.sa_handler = SIG_IGN; |
|---|
| 55 | |
|---|
| 56 | if (sigaction(SIGINT, &IgnoreSignalAction, &OldSigIntAction) == -1) { |
|---|
| 57 | Printf("Failed to ignore SIGINT\n" ); |
|---|
| 58 | (void)posix_spawnattr_destroy(&SpawnAttributes); |
|---|
| 59 | return -1; |
|---|
| 60 | } |
|---|
| 61 | if (sigaction(SIGQUIT, &IgnoreSignalAction, &OldSigQuitAction) == -1) { |
|---|
| 62 | Printf("Failed to ignore SIGQUIT\n" ); |
|---|
| 63 | // Try our best to restore the signal handlers. |
|---|
| 64 | (void)sigaction(SIGINT, &OldSigIntAction, NULL); |
|---|
| 65 | (void)posix_spawnattr_destroy(&SpawnAttributes); |
|---|
| 66 | return -1; |
|---|
| 67 | } |
|---|
| 68 | |
|---|
| 69 | (void)sigemptyset(&BlockedSignalsSet); |
|---|
| 70 | (void)sigaddset(&BlockedSignalsSet, SIGCHLD); |
|---|
| 71 | if (sigprocmask(SIG_BLOCK, &BlockedSignalsSet, &OldBlockedSignalsSet) == |
|---|
| 72 | -1) { |
|---|
| 73 | Printf("Failed to block SIGCHLD\n" ); |
|---|
| 74 | // Try our best to restore the signal handlers. |
|---|
| 75 | (void)sigaction(SIGQUIT, &OldSigQuitAction, NULL); |
|---|
| 76 | (void)sigaction(SIGINT, &OldSigIntAction, NULL); |
|---|
| 77 | (void)posix_spawnattr_destroy(&SpawnAttributes); |
|---|
| 78 | return -1; |
|---|
| 79 | } |
|---|
| 80 | } |
|---|
| 81 | ++ActiveThreadCount; |
|---|
| 82 | } |
|---|
| 83 | |
|---|
| 84 | // NOTE: Do not introduce any new `return` statements past this |
|---|
| 85 | // point. It is important that `ActiveThreadCount` always be decremented |
|---|
| 86 | // when leaving this function. |
|---|
| 87 | |
|---|
| 88 | // Make sure the child process uses the default handlers for the |
|---|
| 89 | // following signals rather than inheriting what the parent has. |
|---|
| 90 | sigset_t DefaultSigSet; |
|---|
| 91 | (void)sigemptyset(&DefaultSigSet); |
|---|
| 92 | (void)sigaddset(&DefaultSigSet, SIGQUIT); |
|---|
| 93 | (void)sigaddset(&DefaultSigSet, SIGINT); |
|---|
| 94 | (void)posix_spawnattr_setsigdefault(&SpawnAttributes, &DefaultSigSet); |
|---|
| 95 | // Make sure the child process doesn't block SIGCHLD |
|---|
| 96 | (void)posix_spawnattr_setsigmask(&SpawnAttributes, &OldBlockedSignalsSet); |
|---|
| 97 | short SpawnFlags = POSIX_SPAWN_SETSIGDEF | POSIX_SPAWN_SETSIGMASK; |
|---|
| 98 | (void)posix_spawnattr_setflags(&SpawnAttributes, SpawnFlags); |
|---|
| 99 | |
|---|
| 100 | pid_t Pid; |
|---|
| 101 | char **Environ = environ; // Read from global |
|---|
| 102 | const char *CommandCStr = CmdLine.c_str(); |
|---|
| 103 | char *const Argv[] = { |
|---|
| 104 | strdup("sh" ), |
|---|
| 105 | strdup("-c" ), |
|---|
| 106 | strdup(CommandCStr), |
|---|
| 107 | NULL |
|---|
| 108 | }; |
|---|
| 109 | int ErrorCode = 0, ProcessStatus = 0; |
|---|
| 110 | // FIXME: We probably shouldn't hardcode the shell path. |
|---|
| 111 | ErrorCode = posix_spawn(&Pid, "/bin/sh" , NULL, &SpawnAttributes, |
|---|
| 112 | Argv, Environ); |
|---|
| 113 | (void)posix_spawnattr_destroy(&SpawnAttributes); |
|---|
| 114 | if (!ErrorCode) { |
|---|
| 115 | pid_t SavedPid = Pid; |
|---|
| 116 | do { |
|---|
| 117 | // Repeat until call completes uninterrupted. |
|---|
| 118 | Pid = waitpid(SavedPid, &ProcessStatus, /*options=*/0); |
|---|
| 119 | } while (Pid == -1 && errno == EINTR); |
|---|
| 120 | if (Pid == -1) { |
|---|
| 121 | // Fail for some other reason. |
|---|
| 122 | ProcessStatus = -1; |
|---|
| 123 | } |
|---|
| 124 | } else if (ErrorCode == ENOMEM || ErrorCode == EAGAIN) { |
|---|
| 125 | // Fork failure. |
|---|
| 126 | ProcessStatus = -1; |
|---|
| 127 | } else { |
|---|
| 128 | // Shell execution failure. |
|---|
| 129 | ProcessStatus = W_EXITCODE(127, 0); |
|---|
| 130 | } |
|---|
| 131 | for (unsigned i = 0, n = sizeof(Argv) / sizeof(Argv[0]); i < n; ++i) |
|---|
| 132 | free(Argv[i]); |
|---|
| 133 | |
|---|
| 134 | // Restore the signal handlers of the current process when the last thread |
|---|
| 135 | // using this function finishes. |
|---|
| 136 | { |
|---|
| 137 | std::lock_guard<std::mutex> Lock(SignalMutex); |
|---|
| 138 | --ActiveThreadCount; |
|---|
| 139 | if (ActiveThreadCount == 0) { |
|---|
| 140 | bool FailedRestore = false; |
|---|
| 141 | if (sigaction(SIGINT, &OldSigIntAction, NULL) == -1) { |
|---|
| 142 | Printf("Failed to restore SIGINT handling\n" ); |
|---|
| 143 | FailedRestore = true; |
|---|
| 144 | } |
|---|
| 145 | if (sigaction(SIGQUIT, &OldSigQuitAction, NULL) == -1) { |
|---|
| 146 | Printf("Failed to restore SIGQUIT handling\n" ); |
|---|
| 147 | FailedRestore = true; |
|---|
| 148 | } |
|---|
| 149 | if (sigprocmask(SIG_BLOCK, &OldBlockedSignalsSet, NULL) == -1) { |
|---|
| 150 | Printf("Failed to unblock SIGCHLD\n" ); |
|---|
| 151 | FailedRestore = true; |
|---|
| 152 | } |
|---|
| 153 | if (FailedRestore) |
|---|
| 154 | ProcessStatus = -1; |
|---|
| 155 | } |
|---|
| 156 | } |
|---|
| 157 | return ProcessStatus; |
|---|
| 158 | } |
|---|
| 159 | |
|---|
| 160 | void DiscardOutput(int Fd) { |
|---|
| 161 | FILE* Temp = fopen("/dev/null" , "w" ); |
|---|
| 162 | if (!Temp) |
|---|
| 163 | return; |
|---|
| 164 | dup2(fileno(Temp), Fd); |
|---|
| 165 | fclose(Temp); |
|---|
| 166 | } |
|---|
| 167 | |
|---|
| 168 | void SetThreadName(std::thread &thread, const std::string &name) { |
|---|
| 169 | // TODO ? |
|---|
| 170 | // Darwin allows to set the name only on the current thread it seems |
|---|
| 171 | } |
|---|
| 172 | |
|---|
| 173 | } // namespace fuzzer |
|---|
| 174 | |
|---|
| 175 | #endif // LIBFUZZER_APPLE |
|---|
| 176 | |
|---|
