not allocating paths anymore

2025-06-14 11:08:06 +00:00 · 2020-03-27 23:06:57 +01:00
parent 71f8cc9dd2
commit b7f3d180aa
4 changed files with 40 additions and 46 deletions
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@ -31,13 +31,13 @@
 void write_bitmap(afl_state_t *afl) {
-  u8 *fname;
+  u8 fname[PATH_MAX];
  s32 fd;
  if (!afl->bitmap_changed) return;
  afl->bitmap_changed = 0;
-  fname = alloc_printf("%s/fuzz_bitmap", afl->out_dir);
+  snprintf(fname, PATH_MAX, "%s/fuzz_bitmap", afl->out_dir);
  fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
  if (fd < 0) PFATAL("Unable to open '%s'", fname);
@ -45,7 +45,6 @@ void write_bitmap(afl_state_t *afl) {
  ck_write(fd, afl->virgin_bits, MAP_SIZE, fname);
  close(fd);
  ck_free(fname);
 }
@ -462,14 +461,15 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) {
 static void write_crash_readme(afl_state_t *afl) {
-  u8 *  fn = alloc_printf("%s/crashes/README.txt", afl->out_dir);
+  u8 fn[PATH_MAX];
  s32   fd;
  FILE *f;
  u8 val_buf[STRINGIFY_VAL_SIZE_MAX];
  sprintf(fn, "%s/crashes/README.txt", afl->out_dir);
  fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
  ck_free(fn);
  /* Do not die on errors here - that would be impolite. */
@ -520,11 +520,13 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
  if (unlikely(len == 0)) return 0;
-  u8 *fn = "";
+  u8 *queue_fn = "";
  u8  hnb;
  s32 fd;
  u8  keeping = 0, res;
  u8 fn[PATH_MAX];
  /* Update path frequency. */
  u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST);
@ -556,16 +558,16 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 #ifndef SIMPLE_FILES
-    fn = alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_paths,
+    queue_fn = alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_paths,
                      describe_op(afl, hnb));
 #else
-    fn = alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths);
+    queue_fn = alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths);
 #endif                                                    /* ^!SIMPLE_FILES */
-    add_to_queue(afl, fn, len, 0);
+    add_to_queue(afl, queue_fn, len, 0);
    if (hnb == 2) {
@ -584,9 +586,9 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
    if (unlikely(res == FAULT_ERROR))
      FATAL("Unable to execute target application");
-    fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
+    fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
-    if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", fn);
+    if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", queue_fn);
-    ck_write(fd, mem, len, fn);
+    ck_write(fd, mem, len, queue_fn);
    close(fd);
    keeping = 1;
@ -642,12 +644,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 #ifndef SIMPLE_FILES
-      fn = alloc_printf("%s/hangs/id:%06llu,%s", afl->out_dir,
+      snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir,
                        afl->unique_hangs, describe_op(afl, 0));
 #else
-      fn = alloc_printf("%s/hangs/id_%06llu", afl->out_dir, afl->unique_hangs);
+      snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir, afl->unique_hangs);
 #endif                                                    /* ^!SIMPLE_FILES */
@ -685,14 +687,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 #ifndef SIMPLE_FILES
-      fn = alloc_printf("%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir,
+      snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, afl->unique_crashes, afl->kill_signal, describe_op(afl, 0));
                        afl->unique_crashes, afl->kill_signal,
                        describe_op(afl, 0));
 #else
-      fn = alloc_printf("%s/crashes/id_%06llu_%02u", afl->out_dir,
+      snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, afl->unique_crashes, afl->kill_signal);
                        afl->unique_crashes, afl->kill_signal);
 #endif                                                    /* ^!SIMPLE_FILES */
@ -729,8 +728,6 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
  ck_write(fd, mem, len, fn);
  close(fd);
  ck_free(fn);
  return keeping;
 }
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@ -349,6 +349,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
 void afl_state_deinit(afl_state_t *afl) {
  free(afl->out_buf);
  free(afl->out_scratch_buf);
  free(afl->eff_buf);
  free(afl->in_buf);
  free(afl->in_scratch_buf);
  free(afl->ex_buf);
  list_remove(&afl_states, afl);
 }
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@ -76,18 +76,17 @@ void bind_to_free_cpu(afl_state_t *afl) {
  while ((de = readdir(d))) {
-    u8 *  fn;
+    u8 fn[PATH_MAX];
    FILE *f;
    u8    tmp[MAX_LINE];
    u8    has_vmsize = 0;
    if (!isdigit(de->d_name[0])) continue;
-    fn = alloc_printf("/proc/%s/status", de->d_name);
+    snprintf(fn, PATH_MAX, "/proc/%s/status", de->d_name);
    if (!(f = fopen(fn, "r"))) {
      ck_free(fn);
      continue;
    }
@ -111,7 +110,6 @@ void bind_to_free_cpu(afl_state_t *afl) {
    }
    ck_free(fn);
    fclose(f);
  }
@ -369,9 +367,9 @@ void read_testcases(afl_state_t *afl) {
    struct stat st;
    u8 dfn[PATH_MAX];
    snprintf(dfn, PATH_MAX, "%s/.state/deterministic_done/%s", afl->in_dir, nl[i]->d_name);
    u8 *fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name);
    u8 *dfn = alloc_printf("%s/.state/deterministic_done/%s", afl->in_dir,
                           nl[i]->d_name);
    u8 passed_det = 0;
@ -384,8 +382,6 @@ void read_testcases(afl_state_t *afl) {
    if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn2, "/README.txt")) {
      ck_free(fn2);
      ck_free(dfn);
      continue;
    }
@ -401,7 +397,6 @@ void read_testcases(afl_state_t *afl) {
       and probably very time-consuming. */
    if (!access(dfn, F_OK)) passed_det = 1;
    ck_free(dfn);
    add_to_queue(afl, fn2, st.st_size, passed_det);
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@ -30,18 +30,15 @@
 void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) {
-  u8 *fn = strrchr(q->fname, '/');
+  u8 fn[PATH_MAX];
  s32 fd;
-  fn = alloc_printf("%s/queue/.state/deterministic_done/%s", afl->out_dir,
+  snprintf(fn, PATH_MAX, "%s/queue/.state/deterministic_done/%s", afl->out_dir, strrchr(q->fname, '/') + 1);
                    fn + 1);
  fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
  if (fd < 0) PFATAL("Unable to create '%s'", fn);
  close(fd);
  ck_free(fn);
  q->passed_det = 1;
 }
@ -51,10 +48,13 @@ void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) {
 void mark_as_variable(afl_state_t *afl, struct queue_entry *q) {
-  u8 *fn = strrchr(q->fname, '/') + 1, *ldest;
+  u8 fn[PATH_MAX];
  u8 ldest[PATH_MAX];
-  ldest = alloc_printf("../../%s", fn);
+  u8 *fn_name = strrchr(q->fname, '/') + 1;
-  fn = alloc_printf("%s/queue/.state/variable_behavior/%s", afl->out_dir, fn);
+
  sprintf(ldest, "../../%s", fn_name);
  sprintf(fn, "%s/queue/.state/variable_behavior/%s", afl->out_dir, fn_name);
  if (symlink(ldest, fn)) {
@ -64,9 +64,6 @@ void mark_as_variable(afl_state_t *afl, struct queue_entry *q) {
  }
  ck_free(ldest);
  ck_free(fn);
  q->var_behavior = 1;
 }
@ -76,14 +73,13 @@ void mark_as_variable(afl_state_t *afl, struct queue_entry *q) {
 void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
-  u8 *fn;
+  u8 fn[PATH_MAX];
  if (state == q->fs_redundant) return;
  q->fs_redundant = state;
-  fn = strrchr(q->fname, '/');
+  sprintf(fn, "%s/queue/.state/redundant_edges/%s", afl->out_dir, strrchr(q->fname, '/') + 1);
  fn = alloc_printf("%s/queue/.state/redundant_edges/%s", afl->out_dir, fn + 1);
  if (state) {
@ -99,8 +95,6 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
  }
  ck_free(fn);
 }
 /* Append new test case to the queue. */
@ -114,6 +108,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
  q->depth = afl->cur_depth + 1;
  q->passed_det = passed_det;
  q->n_fuzz = 1;
  q->trace_mini = NULL;
  if (q->depth > afl->max_depth) afl->max_depth = q->depth;