ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-15 11:28:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

fixed uaf and warnings

Browse Source
This commit is contained in:
Dominik Maier
2020-04-13 16:57:19 +02:00
parent dda096da03
commit 326ab632c3
12 changed files with 34 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/afl-analyze.c
View File

@ -902,6 +902,12 @@ int main(int argc, char **argv, char **envp) {
if (mem_limit_given) FATAL("Multiple -m options not supported"); if (mem_limit_given) FATAL("Multiple -m options not supported");
mem_limit_given = 1; mem_limit_given = 1;
if (!optarg) {
FATAL("Bad syntax used for -m");
}
if (!strcmp(optarg, "none")) { if (!strcmp(optarg, "none")) {
mem_limit = 0; mem_limit = 0;
@ -938,6 +944,8 @@ int main(int argc, char **argv, char **envp) {
if (timeout_given) FATAL("Multiple -t options not supported"); if (timeout_given) FATAL("Multiple -t options not supported");
timeout_given = 1; timeout_given = 1;
if (!optarg) FATAL("Wrong usage of -t");
exec_tmout = atoi(optarg); exec_tmout = atoi(optarg);
if (exec_tmout < 10 || optarg[0] == '-') if (exec_tmout < 10 || optarg[0] == '-')

11
src/afl-common.c
View File

@ -292,11 +292,10 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
*rsl = 0; *rsl = 0;
cp = alloc_printf("%s/afl-qemu-trace", own_copy); cp = alloc_printf("%s/afl-qemu-trace", own_copy);
ck_free(own_copy);
if (!access(cp, X_OK)) { if (cp && !access(cp, X_OK)) {
if (cp != NULL) ck_free(cp); ck_free(cp);
cp = alloc_printf("%s/afl-wine-trace", own_copy); cp = alloc_printf("%s/afl-wine-trace", own_copy);
@ -309,10 +308,14 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
} }
} else ck_free(own_copy);
} else {
ck_free(own_copy); ck_free(own_copy);
}
u8 *ncp = BIN_PATH "/afl-qemu-trace"; u8 *ncp = BIN_PATH "/afl-qemu-trace";
if (!access(ncp, X_OK)) { if (!access(ncp, X_OK)) {

1
src/afl-forkserver.c
View File

@ -455,7 +455,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
} }
len = status;
offset = 0; offset = 0;
while (offset < status && (u8)dict[offset] + offset < status) { while (offset < status && (u8)dict[offset] + offset < status) {

8
src/afl-fuzz-bitmap.c
View File

@ -535,7 +535,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (unlikely(len == 0)) return 0; if (unlikely(len == 0)) return 0;
u8 *queue_fn = ""; u8 *queue_fn = "";
u8 hnb; u8 hnb = '\0';
s32 fd; s32 fd;
u8 keeping = 0, res; u8 keeping = 0, res;
@ -718,9 +718,9 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
// if the user wants to be informed on new crashes - do that // if the user wants to be informed on new crashes - do that
#if !TARGET_OS_IPHONE #if !TARGET_OS_IPHONE
if (system(afl->infoexec) == -1) // we dont care if system errors, but we dont want a
hnb += 0; // we dont care if system errors, but we dont want a // compiler warning either
// compiler warning either (void)(system(afl->infoexec)+1);
#else #else
WARNF("command execution unsupported"); WARNF("command execution unsupported");
#endif #endif

2
src/afl-fuzz-extras.c
View File

@ -130,6 +130,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr); wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr);
if (!wptr) PFATAL("no mem for data");
while (*lptr) { while (*lptr) {
char *hexdigits = "0123456789abcdef"; char *hexdigits = "0123456789abcdef";

2
src/afl-fuzz-init.c
View File

@ -2178,6 +2178,8 @@ void save_cmdline(afl_state_t *afl, u32 argc, char **argv) {
u32 l = strlen(argv[i]); u32 l = strlen(argv[i]);
if (!argv[i] || !buf) FATAL("null deref detected");
memcpy(buf, argv[i], l); memcpy(buf, argv[i], l);
buf += l; buf += l;

3
src/afl-fuzz-one.c
View File

@ -3593,7 +3593,6 @@ pacemaker_fuzzing:
} }
s32 temp_len_puppet; s32 temp_len_puppet;
cur_ms_lv = get_cur_time();
// for (; afl->swarm_now < swarm_num; ++afl->swarm_now) // for (; afl->swarm_now < swarm_num; ++afl->swarm_now)
{ {
@ -4167,8 +4166,6 @@ pacemaker_fuzzing:
afl->orig_hit_cnt_puppet))) { afl->orig_hit_cnt_puppet))) {
afl->key_puppet = 0; afl->key_puppet = 0;
cur_ms_lv = get_cur_time();
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
afl->orig_hit_cnt_puppet = 0; afl->orig_hit_cnt_puppet = 0;
afl->last_limit_time_start = 0; afl->last_limit_time_start = 0;

2
src/afl-fuzz-queue.c
View File

@ -438,6 +438,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
} }
if (unlikely(!n_paths)) FATAL("Queue state corrupt");
fuzz_mu = fuzz_total / n_paths; fuzz_mu = fuzz_total / n_paths;
if (fuzz <= fuzz_mu) { if (fuzz <= fuzz_mu) {

8
src/afl-fuzz-redqueen.c
View File

@ -115,7 +115,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
afl->stage_short = "colorization"; afl->stage_short = "colorization";
afl->stage_max = 1000; afl->stage_max = 1000;
struct range *rng; struct range *rng = NULL;
afl->stage_cur = 0; afl->stage_cur = 0;
while ((rng = pop_biggest_range(&ranges)) != NULL && while ((rng = pop_biggest_range(&ranges)) != NULL &&
afl->stage_cur < afl->stage_max) { afl->stage_cur < afl->stage_max) {
@ -141,6 +141,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
empty_range: empty_range:
ck_free(rng); ck_free(rng);
rng = NULL;
++afl->stage_cur; ++afl->stage_cur;
} }
@ -157,6 +158,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
rng = ranges; rng = ranges;
ranges = ranges->next; ranges = ranges->next;
ck_free(rng); ck_free(rng);
rng = NULL;
} }
@ -186,6 +188,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
} }
return 0; return 0;
checksum_fail: checksum_fail:
@ -196,9 +199,12 @@ checksum_fail:
rng = ranges; rng = ranges;
ranges = ranges->next; ranges = ranges->next;
ck_free(rng); ck_free(rng);
rng = NULL;
} }
// TODO: clang notices a _potential_ leak of mem pointed to by rng
return 1; return 1;
} }

1
src/afl-fuzz-stats.c
View File

@ -56,7 +56,6 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
bitmap_cvg = afl->last_bitmap_cvg; bitmap_cvg = afl->last_bitmap_cvg;
stability = afl->last_stability; stability = afl->last_stability;
eps = afl->last_eps;
} else { } else {

10
src/afl-sharedmem.c
View File

@ -67,6 +67,7 @@ list_t shm_list = {.element_prealloc_count = 0};
void afl_shm_deinit(sharedmem_t *shm) { void afl_shm_deinit(sharedmem_t *shm) {
// TODO: clang reports a potential UAF in this function/makro(?)
list_remove(&shm_list, shm); list_remove(&shm_list, shm);
#ifdef USEMMAP #ifdef USEMMAP
@ -93,14 +94,6 @@ void afl_shm_deinit(sharedmem_t *shm) {
} }
/* At exit, remove all leftover maps */
void afl_shm_atexit(void) {
LIST_FOREACH(&shm_list, sharedmem_t, { afl_shm_deinit(el); });
}
/* Configure shared memory. /* Configure shared memory.
Returns a pointer to shm->map for ease of use. Returns a pointer to shm->map for ease of use.
*/ */
@ -207,7 +200,6 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) {
#endif #endif
list_append(&shm_list, shm); list_append(&shm_list, shm);
atexit(afl_shm_atexit);
return shm->map; return shm->map;

2
src/afl-showmap.c
View File

@ -983,7 +983,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (!quiet_mode) OKF("Processed %u input files.", total_execs); if (!quiet_mode) OKF("Processed %u input files.", total_execs);
closedir(dir_in); closedir(dir_in);
closedir(dir_out); if (dir_out) closedir(dir_out);
} else { } else {