allow /tmp

afl-cmin.bash

@@ -134,7 +134,6 @@ Environment variables used:
 AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory
 AFL_PATH: path for the afl-showmap binary
 AFL_SKIP_BIN_CHECK: skip check for target binary
-AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp
 _EOF_
   exit 1
 fi
@@ -142,29 +141,29 @@ fi
 # Do a sanity check to discourage the use of /tmp, since we can't really
 # handle this safely from a shell script.
 
-if [ "$AFL_ALLOW_TMP" = "" ]; then
-
-  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
-  T1="$?"
-
-  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
-  T2="$?"
-
-  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
-  T3="$?"
-
-  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
-  T4="$?"
-
-  echo "$PWD" | grep -qE '^(/var)?/tmp/'
-  T5="$?"
-
-  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
-    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
-    exit 1
-  fi
-
-fi
+#if [ "$AFL_ALLOW_TMP" = "" ]; then
+#
+#  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
+#  T1="$?"
+#
+#  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
+#  T2="$?"
+#
+#  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
+#  T3="$?"
+#
+#  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
+#  T4="$?"
+#
+#  echo "$PWD" | grep -qE '^(/var)?/tmp/'
+#  T5="$?"
+#
+#  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
+#    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+#    exit 1
+#  fi
+#
+#fi
 
 # If @@ is specified, but there's no -f, let's come up with a temporary input
 # file name.

afl-plot

@@ -35,9 +35,6 @@ an empty directory where this tool can write the resulting plots to.
 
 The program will put index.html and three PNG images in the output directory;
 you should be able to view it with any web browser of your choice.
-
-Environment variables used:
-AFL_ALLOW_TMP: allow /var/tmp or /tmp for input and output directories
 _EOF_
 
   exit 1
@@ -47,22 +44,22 @@ fi
 inputdir=`get_abs_path "$1"`
 outputdir=`get_abs_path "$2"`
 
-if [ "$AFL_ALLOW_TMP" = "" ]; then
-
-  echo "$inputdir" | grep -qE '^(/var)?/tmp/'
-  T1="$?"
-
-  echo "$outputdir" | grep -qE '^(/var)?/tmp/'
-  T2="$?"
-
-  if [ "$T1" = "0" -o "$T2" = "0" ]; then
-
-    echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
-    exit 1
-
-  fi
-
-fi
+#if [ "$AFL_ALLOW_TMP" = "" ]; then
+#
+#  echo "$inputdir" | grep -qE '^(/var)?/tmp/'
+#  T1="$?"
+#
+#  echo "$outputdir" | grep -qE '^(/var)?/tmp/'
+#  T2="$?"
+#
+#  if [ "$T1" = "0" -o "$T2" = "0" ]; then
+#
+#    echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
+#    exit 1
+#
+#  fi
+#
+#fi
 
 if [ ! -f "$inputdir/plot_data" ]; then
 

docs/Changelog.md

@@ -44,6 +44,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - Unicornafl
     - Added powerPC support from unicorn/next
     - rust bindings!
+  - Allow running in /tmp (only unsafe with umask 0)
   - persistent mode shared memory testcase handover (instead of via
     files/stdin) - 10-100% performance increase
   - General support for 64 bit PowerPC, RiscV, Sparc etc.

src/afl-fuzz-init.c

@@ -2128,14 +2128,17 @@ void check_binary(afl_state_t *afl, u8 *fname) {
 
   /* Check for blatant user errors. */
 
-  if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) &&
-       !strchr(afl->fsrv.target_path + 5, '/')) ||
-      (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) &&
-       !strchr(afl->fsrv.target_path + 9, '/'))) {
+  /*  disabled. not a real-worl scenario where this is a problem.
+    if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) &&
+         !strchr(afl->fsrv.target_path + 5, '/')) ||
+        (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) &&
+         !strchr(afl->fsrv.target_path + 9, '/'))) {
 
-    FATAL("Please don't keep binaries in /tmp or /var/tmp");
+      FATAL("Please don't keep binaries in /tmp or /var/tmp");
 
-  }
+    }
+
+  */
 
   fd = open(afl->fsrv.target_path, O_RDONLY);
 

src/afl-fuzz-run.c

@@ -533,7 +533,7 @@ void sync_fuzzers(afl_state_t *afl) {
       s32         fd;
       struct stat st;
 
-      snprintf(path, sizeof (path), "%s/%s", qd_path, namelist[o]->d_name);
+      snprintf(path, sizeof(path), "%s/%s", qd_path, namelist[o]->d_name);
       afl->syncing_case = next_min_accept;
       next_min_accept++;
       o--;