2.48b

legend-issue · Jul 29, 2017 · d660439 · d660439
1 parent 108f653
commit d660439
Show file tree

Hide file tree

Showing 9 changed files with 71 additions and 36 deletions.
diff --git a/afl-analyze.c b/afl-analyze.c
@@ -658,15 +658,15 @@ static void set_up_environment(void) {
 
     u8* use_dir = ".";
 
-    if (!access(use_dir, R_OK | W_OK | X_OK)) {
+    if (access(use_dir, R_OK | W_OK | X_OK)) {
 
       use_dir = getenv("TMPDIR");
       if (!use_dir) use_dir = "/tmp";
 
-      prog_in = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid());
-
     }
 
+    prog_in = alloc_printf("%s/.afl-analyze-temp-%u", use_dir, getpid());
+
   }
 
   /* Set sane defaults... */

diff --git a/afl-cmin b/afl-cmin
@@ -126,24 +126,28 @@ fi
 # Do a sanity check to discourage the use of /tmp, since we can't really
 # handle this safely from a shell script.
 
-echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
-T1="$?"
+if [ "$AFL_ALLOW_TMP" = "" ]; then
 
-echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
-T2="$?"
+  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
+  T1="$?"
 
-echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
-T3="$?"
+  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
+  T2="$?"
 
-echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
-T4="$?"
+  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
+  T3="$?"
 
-echo "$PWD" | grep -qE '^(/var)?/tmp/'
-T5="$?"
+  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
+  T4="$?"
+
+  echo "$PWD" | grep -qE '^(/var)?/tmp/'
+  T5="$?"
+
+  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
+    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+    exit 1
+  fi
 
-if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
-  echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
-  exit 1
 fi
 
 # If @@ is specified, but there's no -f, let's come up with a temporary input

diff --git a/afl-plot b/afl-plot
@@ -38,16 +38,20 @@ _EOF_
 
 fi
 
-echo "$1" | grep -qE '^(/var)?/tmp/'
-T1="$?"
+if [ "$AFL_ALLOW_TMP" = "" ]; then
 
-echo "$2" | grep -qE '^(/var)?/tmp/'
-T2="$?"
+  echo "$1" | grep -qE '^(/var)?/tmp/'
+  T1="$?"
 
-if [ "$T1" = "0" -o "$T2" = "0" ]; then
+  echo "$2" | grep -qE '^(/var)?/tmp/'
+  T2="$?"
 
-  echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
-  exit 1
+  if [ "$T1" = "0" -o "$T2" = "0" ]; then
+
+    echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
+    exit 1
+
+  fi
 
 fi
 

diff --git a/afl-tmin.c b/afl-tmin.c
@@ -157,7 +157,7 @@ static inline u8 anything_set(void) {
 
 static void remove_shm(void) {
 
-  unlink(prog_in); /* Ignore errors */
+  if (prog_in) unlink(prog_in); /* Ignore errors */
   shmctl(shm_id, IPC_RMID, NULL);
 
 }
@@ -1131,6 +1131,9 @@ int main(int argc, char** argv) {
 
   ACTF("Writing output to '%s'...", out_file);
 
+  unlink(prog_in);
+  prog_in = NULL;
+
   close(write_to_file(out_file, in_data, in_len));
 
   OKF("We're done here. Have a nice day!\n");

diff --git a/config.h b/config.h
@@ -21,7 +21,7 @@
 
 /* Version string: */
 
-#define VERSION             "2.47b"
+#define VERSION             "2.48b"
 
 /******************************************************
  *                                                    *

diff --git a/docs/ChangeLog b/docs/ChangeLog
@@ -16,6 +16,14 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 2.41b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 2.48b:
+--------------
+
+  - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp.
+
+  - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin).
+
 --------------
 Version 2.47b:
 --------------
@@ -31,6 +39,8 @@ Version 2.46b:
 
   - Made a minor fix to libtokencap. Reported by Daniel Stender.
 
+  - Added a small JSON dictionary, inspired on a dictionary done by Jakub Wilk.
+
 --------------
 Version 2.45b:
 --------------

diff --git a/docs/env_variables.txt b/docs/env_variables.txt
@@ -194,6 +194,10 @@ The corpus minimization script offers very little customization:
     minimization and normally deleted at exit. The files can be found in the
     <out_dir>/.traces/*.
 
+  - AFL_ALLOW_TMP permits this and some other scripts to run in /tmp. This is
+    a modest security risk on multi-user systems with rogue users, but should
+    be safe on dedicated fuzzing boxes.
+
 6) Settings for afl-tmin
 ------------------------
 

diff --git a/experimental/crash_triage/triage_crashes.sh b/experimental/crash_triage/triage_crashes.sh
@@ -40,18 +40,24 @@ fi
 DIR="$1"
 BIN="$2"
 
-echo "$DIR" | grep -qE '^(/var)?/tmp/'
-T1="$?"
 
-echo "$BIN" | grep -qE '^(/var)?/tmp/'
-T2="$?"
+if [ "$AFL_ALLOW_TMP" = "" ]; then
+
+  echo "$DIR" | grep -qE '^(/var)?/tmp/'
+  T1="$?"
+
+  echo "$BIN" | grep -qE '^(/var)?/tmp/'
+  T2="$?"
+
+  if [ "$T1" = "0" -o "$T2" = "0" ]; then
+    echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
+    exit 1
+  fi
 
-if [ "$T1" = "0" -o "$T2" = "0" ]; then
-  echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
-  exit 1
 fi
 
-if [ "$GDB" = "" ]; then
+if
+ [ "$GDB" = "" ]; then
   GDB=gdb
 fi
 

diff --git a/experimental/distributed_fuzzing/sync_script.sh b/experimental/distributed_fuzzing/sync_script.sh
@@ -41,9 +41,13 @@ SYNC_DIR='/home/bob/sync_dir'
 # Interval (seconds) between sync attempts
 SYNC_INTERVAL=$((30 * 60))
 
-if [ "$PWD" = "/tmp" -o "$PWD" = "/var/tmp" ]; then
-  echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
-  exit 1
+if [ "$AFL_ALLOW_TMP" = "" ]; then
+
+  if [ "$PWD" = "/tmp" -o "$PWD" = "/var/tmp" ]; then
+    echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
+    exit 1
+  fi
+
 fi
 
 rm -rf .sync_tmp 2>/dev/null