diff --git a/afl-analyze.c b/afl-analyze.c
index fd0a5226..b5a91c97 100644
--- a/afl-analyze.c
+++ b/afl-analyze.c
@@ -658,15 +658,15 @@ static void set_up_environment(void) {
 u8* use_dir = ".";
- if (!access(use_dir, R_OK | W_OK | X_OK)) {
+ if (access(use_dir, R_OK | W_OK | X_OK)) {
 use_dir = getenv("TMPDIR");
 if (!use_dir) use_dir = "/tmp";
- prog_in = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid());
- }
+ prog_in = alloc_printf("%s/.afl-analyze-temp-%u", use_dir, getpid());
+ }
 /* Set sane defaults... */
diff --git a/afl-cmin b/afl-cmin
index 70e5dac2..bc3494e0 100755
--- a/afl-cmin
+++ b/afl-cmin
@@ -126,24 +126,28 @@ fi
 # Do a sanity check to discourage the use of /tmp, since we can't really
 # handle this safely from a shell script.
-echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
-T1="$?"
+if [ "$AFL_ALLOW_TMP" = "" ]; then
-echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
-T2="$?"
+ echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
+ T1="$?"
-echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
-T3="$?"
+ echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
+ T2="$?"
-echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
-T4="$?"
+ echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
+ T3="$?"
-echo "$PWD" | grep -qE '^(/var)?/tmp/'
-T5="$?"
+ echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
+ T4="$?"
+
+ echo "$PWD" | grep -qE '^(/var)?/tmp/'
+ T5="$?"
+
+ if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
+ echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+ exit 1
+ fi
-if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
- echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
- exit 1
 fi
 # If @@ is specified, but there's no -f, let's come up with a temporary input
diff --git a/afl-plot b/afl-plot
index 3bd93590..25ffde64 100755
--- a/afl-plot
+++ b/afl-plot
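Review bot: As printed, the new `prog_in = alloc_printf("%s/.afl-analyze-temp-%u", use_dir, getpid());` is immediately followed by `+  }`, i.e. it still sits inside the `if (access(use_dir, R_OK | W_OK | X_OK))` block, so in the common case where the working directory is usable prog_in is never assigned here; the assignment belongs after the closing brace (the ChangeLog says the intent is to mirror afl-tmin). Blank lines were lost when this diff was collapsed, so if the brace actually closes the block before the assignment, disregard this part. Separately, the fallback builds a predictable name from getpid() in shared `/tmp` — exactly the situation the shell scripts in this commit refuse unless AFL_ALLOW_TMP is set; whether that is safe depends on the flags used to open prog_in, which are outside this hunk, and O_CREAT|O_EXCL (or mkstemp) is the minimum. A `/* predictable name in a shared dir; relies on O_EXCL at open time */` comment would make that dependency visible. set_up_environment continues beyond the hunk.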
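Review bot: The pattern `'^(/var)?/tmp/'` kept inside the new gated block requires a trailing slash, so it never matches the bare directories: `cd /tmp && afl-cmin ...` passes the `$PWD` test and `-o /tmp` passes the `$OUT_DIR` test, while `/tmp/x` is rejected; `'^(/var)?/tmp(/|$)'` closes that gap and matches the error message, which names both directories. Relative paths such as `../tmp/dir` and symlinks into /tmp still slip through, which is acceptable given the comment above calls this a sanity check, but the comment should say so: `# (only absolute paths are checked; this is a safety net, not a boundary)`. Note also that `[ "$AFL_ALLOW_TMP" = "" ]` treats any non-empty value, including `0` or `no`, as opt-in, consistent with how AFL reads its other environment flags.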
@@ -38,16 +38,20 @@ _EOF_
 fi
-echo "$1" | grep -qE '^(/var)?/tmp/'
-T1="$?"
+if [ "$AFL_ALLOW_TMP" = "" ]; then
-echo "$2" | grep -qE '^(/var)?/tmp/'
-T2="$?"
+ echo "$1" | grep -qE '^(/var)?/tmp/'
+ T1="$?"
-if [ "$T1" = "0" -o "$T2" = "0" ]; then
+ echo "$2" | grep -qE '^(/var)?/tmp/'
+ T2="$?"
- echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
- exit 1
+ if [ "$T1" = "0" -o "$T2" = "0" ]; then
+
+ echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
+ exit 1
+
+ fi
 fi
diff --git a/afl-tmin.c b/afl-tmin.c
index 3b3177b2..62ec85f2 100644
--- a/afl-tmin.c
+++ b/afl-tmin.c
@@ -157,7 +157,7 @@ static inline u8 anything_set(void) {
 static void remove_shm(void) {
- unlink(prog_in); /* Ignore errors */
+ if (prog_in) unlink(prog_in); /* Ignore errors */
 shmctl(shm_id, IPC_RMID, NULL);
 }
@@ -1131,6 +1131,9 @@ int main(int argc, char** argv) {
 ACTF("Writing output to '%s'...", out_file);
+ unlink(prog_in);
+ prog_in = NULL;
+
 close(write_to_file(out_file, in_data, in_len));
 OKF("We're done here. Have a nice day!\n");
diff --git a/config.h b/config.h
index f1d80eb4..4d071ca1 100644
--- a/config.h
+++ b/config.h
@@ -21,7 +21,7 @@
 /* Version string: */
-#define VERSION "2.47b"
+#define VERSION "2.48b"
 /******************************************************
 * *
diff --git a/docs/ChangeLog b/docs/ChangeLog
index b9e2208b..386cdb64 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -16,6 +16,14 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 2.41b. If you're stuck on an earlier release, it's strongly advisable to
 get on with the times.
+--------------
+Version 2.48b:
+--------------
+
+ - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp.
+
+ - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin).
+
 --------------
 Version 2.47b:
 --------------
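Review bot: When AFL_ALLOW_TMP is set the new outer `if` skips the shared-/tmp check without a word, and because the test is `[ "$AFL_ALLOW_TMP" = "" ]`, any non-empty value — `0`, `no` — disables it as well. The accompanying docs call this a security risk on multi-user systems, so the bypass should be visible on the console: add `else` / `  echo "[!] Warning: AFL_ALLOW_TMP set, skipping the shared /tmp sanity check." 1>&2` before the closing `fi`. The `'^(/var)?/tmp/'` pattern carried over into the block also lets a bare `/tmp` argument through, as in afl-cmin; `'^(/var)?/tmp(/|$)'` would reject it.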
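Review bot: The new `unlink(prog_in); prog_in = NULL;` ahead of `write_to_file(out_file, ...)` carries no comment saying why the temp input is discarded at this exact point and why the pointer is cleared. Reading it together with the remove_shm() hunk, which now skips a NULL prog_in, the likely purpose is to keep the atexit cleanup from deleting out_file when it names the same path as the `-f` input; I'd record that as `/* Drop the temp input now and forget it, so remove_shm() cannot unlink out_file if it aliases prog_in. */`. That is an inference from the two hunks, so please confirm it matches the intent. main() extends well beyond this hunk.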
@@ -31,6 +39,8 @@ Version 2.46b:
 - Made a minor fix to libtokencap. Reported by Daniel Stender.
+ - Added a small JSON dictionary, inspired on a dictionary done by Jakub Wilk.
+
 --------------
 Version 2.45b:
 --------------
diff --git a/docs/env_variables.txt b/docs/env_variables.txt
index 50571ebd..82a80b33 100644
--- a/docs/env_variables.txt
+++ b/docs/env_variables.txt
@@ -194,6 +194,10 @@ The corpus minimization script offers very little customization:
 minimization and normally deleted at exit. The files can be found in the /.traces/*.
+ - AFL_ALLOW_TMP permits this and some other scripts to run in /tmp. This is
+ a modest security risk on multi-user systems with rogue users, but should
+ be safe on dedicated fuzzing boxes.
+
 6) Settings for afl-tmin
 ------------------------
diff --git a/experimental/crash_triage/triage_crashes.sh b/experimental/crash_triage/triage_crashes.sh
index 9dddefdd..516804c6 100755
--- a/experimental/crash_triage/triage_crashes.sh
+++ b/experimental/crash_triage/triage_crashes.sh
@@ -40,18 +40,24 @@ fi
 DIR="$1"
 BIN="$2"
-echo "$DIR" | grep -qE '^(/var)?/tmp/'
-T1="$?"
-echo "$BIN" | grep -qE '^(/var)?/tmp/'
-T2="$?"
+if [ "$AFL_ALLOW_TMP" = "" ]; then
+
+ echo "$DIR" | grep -qE '^(/var)?/tmp/'
+ T1="$?"
+
+ echo "$BIN" | grep -qE '^(/var)?/tmp/'
+ T2="$?"
+
+ if [ "$T1" = "0" -o "$T2" = "0" ]; then
+ echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
+ exit 1
+ fi
-if [ "$T1" = "0" -o "$T2" = "0" ]; then
- echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
- exit 1
 fi
-if [ "$GDB" = "" ]; then
+if
+ [ "$GDB" = "" ]; then
 GDB=gdb
 fi
diff --git a/experimental/distributed_fuzzing/sync_script.sh b/experimental/distributed_fuzzing/sync_script.sh
index 29bcba64..2d5e0635 100755
--- a/experimental/distributed_fuzzing/sync_script.sh
+++ b/experimental/distributed_fuzzing/sync_script.sh
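Review bot: The final change in triage_crashes.sh splits `if [ "$GDB" = "" ]; then` into `if` on one line and `  [ "$GDB" = "" ]; then` on the next; sh does accept a newline after `if`, so the script still runs, but nothing else in the file is written this way and it reads as an accidental keystroke — rejoin it as `if [ "$GDB" = "" ]; then`. In the gated block above, the retained `'^(/var)?/tmp/'` pattern does not match a bare `/tmp` or `/var/tmp` argument even though the error message names both directories; `'^(/var)?/tmp(/|$)'` would.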
@@ -41,9 +41,13 @@ SYNC_DIR='/home/bob/sync_dir'
 # Interval (seconds) between sync attempts
 SYNC_INTERVAL=$((30 * 60))
-if [ "$PWD" = "/tmp" -o "$PWD" = "/var/tmp" ]; then
- echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
- exit 1
+if [ "$AFL_ALLOW_TMP" = "" ]; then
+
+ if [ "$PWD" = "/tmp" -o "$PWD" = "/var/tmp" ]; then
+ echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
+ exit 1
+ fi
+
 fi
 rm -rf .sync_tmp 2>/dev/null
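Review bot: The gated test `[ "$PWD" = "/tmp" -o "$PWD" = "/var/tmp" ]` rejects only the two directories themselves, so running from `/tmp/work` passes even though the script then runs `rm -rf .sync_tmp` and syncs in that directory; the other scripts touched by this commit reject any path under /tmp, and this one should agree with them. A `case` covers both forms and drops the XSI-only `-o`: `case "$PWD" in /tmp|/tmp/*|/var/tmp|/var/tmp/*) echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2; exit 1;; esac`. As in the other scripts, the bypass is silent when AFL_ALLOW_TMP is set; a one-line stderr warning in an `else` branch would make the accepted risk visible.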