Hello community, here is the log from the commit of package afl for openSUSE:Factory checked in at 2017-07-26 13:06:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/afl (Old) and /work/SRC/openSUSE:Factory/.afl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl" Wed Jul 26 13:06:26 2017 rev:36 rq:512611 version:2.49b Changes: --------
--- /work/SRC/openSUSE:Factory/afl/afl.changes 2017-07-09 13:04:18.118226739 +0200
+++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2017-07-26 13:06:34.211302863 +0200
@@ -1,0 +2,18 @@
+Wed Jul 26 06:47:03 UTC 2017 - meiss...@suse.com
+
+- Version 2.49b
+ - Added AFL_TMIN_EXACT to allow path constraint for crash minimization.
+ - Added dates for releases (retroactively for all of 2017).
+- Version 2.48b
+ - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp.
+ - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin).
+ - Made it possible to point -o and -f to the same file in afl-tmin.
+- Version 2.47b
+ - Fixed cwd handling in afl-tmin. Spotted by Jakub Wilk.
+- Version 2.46b
+ - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not
+ want to abort on calloc() overflows.
+ - Made a minor fix to libtokencap. Reported by Daniel Stender.
+ - Added a small JSON dictionary, inspired on a dictionary done by Jakub Wilk.
+
+-------------------------------------------------------------------
Old: ---- afl-2.45b.tgz New: ---- afl-2.49b.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ afl.spec ++++++
--- /var/tmp/diff_new_pack.TK7BvP/_old 2017-07-26 13:06:36.798937799 +0200
+++ /var/tmp/diff_new_pack.TK7BvP/_new 2017-07-26 13:06:36.802937235 +0200
@@ -17,7 +17,7 @@
 Name: afl
-Version: 2.45b
+Version: 2.49b
 Release: 0
 Summary: American fuzzy lop is a security-oriented fuzzer
 License: Apache-2.0
++++++ afl-2.45b.tgz -> afl-2.49b.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/afl-analyze.c new/afl-2.49b/afl-analyze.c
--- old/afl-2.45b/afl-analyze.c 2016-08-03 19:52:58.000000000 +0200
+++ new/afl-2.49b/afl-analyze.c 2017-07-17 22:51:38.000000000 +0200
@@ -658,15 +658,15 @@ u8* use_dir = "."; - if (!access(use_dir, R_OK | W_OK | X_OK)) { + if (access(use_dir, R_OK | W_OK | X_OK)) { use_dir = getenv("TMPDIR"); if (!use_dir) use_dir = "/tmp"; - prog_in = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); - } + prog_in = alloc_printf("%s/.afl-analyze-temp-%u", use_dir, getpid()); + } /* Set sane defaults... */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/afl-cmin new/afl-2.49b/afl-cmin --- old/afl-2.45b/afl-cmin 2017-01-24 23:00:28.000000000 +0100 +++ new/afl-2.49b/afl-cmin 2017-07-17 22:44:45.000000000 +0200 
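Review bot: The TMPDIR fallback in the new `if (access(...))` branch accepts an empty value: `getenv("TMPDIR")` returns "" when the variable is exported but empty, `if (!use_dir)` does not catch that, and `alloc_printf` then builds `/.afl-analyze-temp-<pid>` in the filesystem root; `if (!use_dir || !*use_dir) use_dir = "/tmp";` closes the gap. Separately, the name is derived from the pid alone, so whenever the fallback lands in a shared /tmp or a world-writable TMPDIR it is predictable; the code that later creates prog_in is outside this hunk, but unless it opens the path with O_EXCL (or uses mkstemp()) a local user can pre-create or symlink it and redirect afl-analyze's writes. The enclosing function starts and ends outside the hunk.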
@@ -126,24 +126,28 @@
 # Do a sanity check to discourage the use of /tmp, since we can't really
 # handle this safely from a shell script.
-echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
-T1="$?"
+if [ "$AFL_ALLOW_TMP" = "" ]; then
-echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
-T2="$?"
+ echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
+ T1="$?"
-echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
-T3="$?"
+ echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
+ T2="$?"
-echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
-T4="$?"
+ echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
+ T3="$?"
-echo "$PWD" | grep -qE '^(/var)?/tmp/'
-T5="$?"
+ echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
+ T4="$?"
+
+ echo "$PWD" | grep -qE '^(/var)?/tmp/'
+ T5="$?"
+
+ if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
+ echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+ exit 1
+ fi
-if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
- echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
- exit 1
 fi
 # If @@ is specified, but there's no -f, let's come up with a temporary input
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/afl-plot new/afl-2.49b/afl-plot
--- old/afl-2.45b/afl-plot 2017-02-19 21:22:17.000000000 +0100
+++ new/afl-2.49b/afl-plot 2017-07-17 22:45:08.000000000 +0200
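Review bot: The guard the new `AFL_ALLOW_TMP` block wraps still requires a trailing slash, so `grep -qE '^(/var)?/tmp/'` rejects `/tmp/x` but lets `$OUT_DIR` or `$IN_DIR` set to exactly `/tmp` or `/var/tmp` through; `'^(/var)?/tmp(/|$)'` in the five grep calls covers the directory itself as well. `[ "$AFL_ALLOW_TMP" = "" ]` also means any non-empty value, including `0`, enables the bypass, which is consistent with the other scripts in this patch but deserves a word wherever the variable is documented. Given that env_variables.txt in this same update calls the bypass a security risk on multi-user hosts, an `else` branch printing `echo "[!] AFL_ALLOW_TMP set, skipping the /tmp safety check." 1>&2` would leave a trace when it is used.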
@@ -38,16 +38,20 @@ fi -echo "$1" | grep -qE '^(/var)?/tmp/' -T1="$?" +if [ "$AFL_ALLOW_TMP" = "" ]; then -echo "$2" | grep -qE '^(/var)?/tmp/' -T2="$?" + echo "$1" | grep -qE '^(/var)?/tmp/' + T1="$?" -if [ "$T1" = "0" -o "$T2" = "0" ]; then + echo "$2" | grep -qE '^(/var)?/tmp/' + T2="$?" - echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2 - exit 1 + if [ "$T1" = "0" -o "$T2" = "0" ]; then + + echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2 + exit 1 + + fi fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/afl-tmin.c new/afl-2.49b/afl-tmin.c --- old/afl-2.45b/afl-tmin.c 2017-01-14 05:13:56.000000000 +0100 +++ new/afl-2.49b/afl-tmin.c 2017-07-18 18:05:19.000000000 +0200 @@ -73,6 +73,7 @@ static u8 crash_mode, /* Crash-centric mode? */ exit_crash, /* Treat non-zero exit as crash? */ edges_only, /* Ignore hit counts? */ + exact_mode, /* Require path match for crashes? */ use_stdin = 1; /* Use stdin for program input? */ static volatile u8 @@ -157,7 +158,7 @@ static void remove_shm(void) { - unlink(prog_in); /* Ignore errors */ + if (prog_in) unlink(prog_in); /* Ignore errors */ shmctl(shm_id, IPC_RMID, NULL); } @@ -361,7 +362,7 @@ if (crash_mode) { - return 1; + if (!exact_mode) return 1; } else { @@ -370,7 +371,7 @@ } - } + } else /* Handle non-crashing inputs appropriately. */ @@ -670,15 +671,15 @@ u8* use_dir = "."; - if (!access(use_dir, R_OK | W_OK | X_OK)) { + if (access(use_dir, R_OK | W_OK | X_OK)) { use_dir = getenv("TMPDIR"); if (!use_dir) use_dir = "/tmp"; - prog_in = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); - } + prog_in = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); + } /* Set sane defaults... */ @@ -1101,6 +1102,8 @@ else use_argv = argv + optind; + exact_mode = !!getenv("AFL_TMIN_EXACT"); + SAYF("\n"); read_initial_file(); 
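Review bot: The new `if (!exact_mode) return 1;` in the crash branch carries no comment, and the reason a crash does not return immediately in exact mode - it has to fall through to the trace comparison further down so the minimized input keeps the original path - is only implied by the `} else` that the -370 hunk adds in front of `/* Handle non-crashing inputs appropriately. */`; suggest `/* Exact mode: a crash alone is not enough, fall through to the path check below. */` above the line. That `} else` is presumably what keeps an exact-mode crash out of the non-crashing path (the code it guards is outside the hunk), and a bare `} else` followed by a comment and a second `if` is easy to misread as a stray brace, so `/* else: non-crashing run */` there would help too. The enclosing function starts and ends outside these hunks.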
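Review bot: Same empty-TMPDIR gap as in afl-analyze.c: in the new `if (access(...))` branch, `if (!use_dir) use_dir = "/tmp";` does not catch a TMPDIR that is exported but empty, so the temp file becomes `/.afl-tmin-temp-<pid>` in the filesystem root; use `if (!use_dir || !*use_dir) use_dir = "/tmp";`. The pid-only name is predictable whenever the fallback picks a shared /tmp; the open of prog_in is outside this hunk, so this matters only if that open is not O_EXCL or mkstemp()-based. The enclosing function starts and ends outside the hunk.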
@@ -1122,8 +1125,8 @@ } else { - OKF("Program exits with a signal, minimizing in " cMGN "crash" cRST - " mode."); + OKF("Program exits with a signal, minimizing in " cMGN "%scrash" cRST + " mode.", exact_mode ? "EXACT " : ""); } @@ -1131,6 +1134,9 @@ ACTF("Writing output to '%s'...", out_file); + unlink(prog_in); + prog_in = NULL; + close(write_to_file(out_file, in_data, in_len)); OKF("We're done here. Have a nice day!\n"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/config.h new/afl-2.49b/config.h --- old/afl-2.45b/config.h 2017-07-04 22:47:24.000000000 +0200 +++ new/afl-2.49b/config.h 2017-07-19 01:28:15.000000000 +0200 @@ -21,7 +21,7 @@ /* Version string: */ -#define VERSION "2.45b" +#define VERSION "2.49b" /****************************************************** * * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/dictionaries/json.dict new/afl-2.49b/dictionaries/json.dict --- old/afl-2.45b/dictionaries/json.dict 1970-01-01 01:00:00.000000000 +0100 +++ new/afl-2.49b/dictionaries/json.dict 2017-07-09 01:59:26.000000000 +0200 @@ -0,0 +1,52 @@ +# +# AFL dictionary for JSON +# ----------------------- +# +# Just the very basics. +# +# Inspired by a dictionary by Jakub Wilk <jw...@jwilk.net> +# + +"0" +",0" +":0" +"0:" +"-1.2e+3" + +"true" +"false" +"null" + +"\"\"" +",\"\"" +":\"\"" +"\"\":" + +"{}" +",{}" +":{}" +"{\"\":0}" +"{{}}" + +"[]" +",[]" +":[]" +"[0]" +"[[]]" + +"''" +"\\" +"\\b" +"\\f" +"\\n" +"\\r" +"\\t" +"\\u0000" +"\\x00" +"\\0" +"\\uD800\\uDC00" +"\\uDBFF\\uDFFF" + +"\"\":0" +"//" +"/**/" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/docs/ChangeLog new/afl-2.49b/docs/ChangeLog --- old/afl-2.45b/docs/ChangeLog 2017-07-04 22:47:17.000000000 +0200 +++ new/afl-2.49b/docs/ChangeLog 2017-07-19 01:27:57.000000000 +0200 
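Review bot: The new `unlink(prog_in); prog_in = NULL;` before `write_to_file(out_file, ...)` has no comment, and neither its purpose (let -o and -f name the same file, per the changelog in this update) nor its reliance on the `if (prog_in)` guard added to remove_shm() in the same patch is visible from the two lines; suggest `/* Remove the temp / -f input first so -o may point at the same path; remove_shm() skips the NULL. */`. It also makes explicit that a user-supplied -f file is deleted when the output is written, which is worth a sentence in the -f usage text if it is not already there (the usage text is outside this hunk). The enclosing function starts outside the hunk.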
@@ -16,9 +16,44 @@ is 2.41b. If you're stuck on an earlier release, it's strongly advisable to get on with the times. --------------- -Version 2.45b: --------------- +--------------------------- +Version 2.49b (2017-07-18): +--------------------------- + + - Added AFL_TMIN_EXACT to allow path constraint for crash minimization. + + - Added dates for releases (retroactively for all of 2017). + +--------------------------- +Version 2.48b (2017-07-17): +--------------------------- + + - Added AFL_ALLOW_TMP to permit some scripts to run in /tmp. + + - Fixed cwd handling in afl-analyze (similar to the quirk in afl-tmin). + + - Made it possible to point -o and -f to the same file in afl-tmin. + +--------------------------- +Version 2.47b (2017-07-14): +--------------------------- + + - Fixed cwd handling in afl-tmin. Spotted by Jakub Wilk. + +--------------------------- +Version 2.46b (2017-07-10): +--------------------------- + + - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not + want to abort on calloc() overflows. + + - Made a minor fix to libtokencap. Reported by Daniel Stender. + + - Added a small JSON dictionary, inspired on a dictionary done by Jakub Wilk. + +--------------------------- +Version 2.45b (2017-07-04): +--------------------------- - Added strstr, strcasestr support to libtokencap. Contributed by Daniel Hodson. @@ -27,9 +62,9 @@ - There are definitely no bugs in afl-showmap -c now. --------------- -Version 2.44b: --------------- +--------------------------- +Version 2.44b (2017-06-28): +--------------------------- - Added a visual indicator of ASAN / MSAN mode when compiling. Requested by Jakub Wilk. 
@@ -42,31 +77,31 @@ - Added a note about allocator_may_return_null=1 not always working with ASAN. Spotted by Jakub Wilk. --------------- -Version 2.43b: --------------- +--------------------------- +Version 2.43b (2017-06-16): +--------------------------- - Added AFL_NO_ARITH to aid in the fuzzing of text-based formats. Requested by Jakub Wilk. --------------- -Version 2.42b: --------------- +--------------------------- +Version 2.42b (2017-06-02): +--------------------------- - Renamed the R() macro to avoid a problem with llvm_mode in the latest versions of LLVM. Fix suggested by Christian Holler. --------------- -Version 2.41b: --------------- +--------------------------- +Version 2.41b (2017-04-12): +--------------------------- - Addressed a major user complaint related to timeout detection. Timing out inputs are now binned as "hangs" only if they exceed a far more generous time limit than the one used to reject slow paths. --------------- -Version 2.40b: --------------- +--------------------------- +Version 2.40b (2017-04-02): +--------------------------- - Fixed a minor oversight in the insertion strategy for dictionary words. Spotted by Andrzej Jackowski. @@ -75,9 +110,9 @@ - Adjusted color rules for "is it done yet?" indicators. --------------- -Version 2.39b: --------------- +--------------------------- +Version 2.39b (2017-02-02): +--------------------------- - Improved error reporting in afl-cmin. Suggested by floyd. @@ -85,16 +120,16 @@ - Added a mention of afl-monitor. --------------- -Version 2.38b: --------------- +--------------------------- +Version 2.38b (2017-01-22): +--------------------------- - Added -mllvm -sanitizer-coverage-block-threshold=0 to trace-pc-guard mode, as suggested by Kostya Serebryany. --------------- -Version 2.37b: --------------- +--------------------------- +Version 2.37b (2017-01-22): +--------------------------- - Fixed a typo. Spotted by Jakub Wilk. 
@@ -108,9 +143,9 @@ Note that for some reason, this mode doesn't perform as well as "vanilla" afl-clang-fast / afl-clang. --------------- -Version 2.36b: --------------- +--------------------------- +Version 2.36b (2017-01-14): +--------------------------- - Fixed a cosmetic bad free() bug when aborting -S sessions. Spotted by Johannes S. @@ -2603,8 +2638,8 @@ - Fixed the handling of gcc -pipe, thanks to anonymous reporter. --------------- -Version 0.21b: --------------- +--------------------------- +Version 0.21b (2013-11-12): +--------------------------- - Initial public release. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/docs/INSTALL new/afl-2.49b/docs/INSTALL --- old/afl-2.45b/docs/INSTALL 2016-08-21 18:45:31.000000000 +0200 +++ new/afl-2.49b/docs/INSTALL 2017-07-18 21:44:31.000000000 +0200 @@ -140,7 +140,7 @@ Do *not* specify --with-as=/usr/gnu/bin/as - this will produce a GCC binary that ignores the -B flag and you will be back to square one. -Note that Solaris reportedly comes withe crash reporting enabled, which causes +Note that Solaris reportedly comes with crash reporting enabled, which causes problems with crashes being misinterpreted as hangs, similarly to the gotchas for Linux and MacOS X. AFL does not auto-detect crash reporting on this particular platform, but you may need to run the following command: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/docs/env_variables.txt new/afl-2.49b/docs/env_variables.txt --- old/afl-2.45b/docs/env_variables.txt 2017-06-16 20:03:30.000000000 +0200 +++ new/afl-2.49b/docs/env_variables.txt 2017-07-18 17:41:40.000000000 +0200 
@@ -194,6 +194,10 @@ minimization and normally deleted at exit. The files can be found in the <out_dir>/.traces/*. + - AFL_ALLOW_TMP permits this and some other scripts to run in /tmp. This is + a modest security risk on multi-user systems with rogue users, but should + be safe on dedicated fuzzing boxes. + 6) Settings for afl-tmin ------------------------ @@ -201,6 +205,11 @@ searched for afl-qemu-trace. In addition to this, TMPDIR may be used if a temporary file can't be created in the current working directory. +You can specify AFL_TMIN_EXACT if you want afl-tmin to require execution paths +to match when minimizing crashes. This will make minimization less useful, but +may prevent the tool from "jumping" from one crashing condition to another in +very buggy software. You probably want to combine it with the -e flag. + 7) Settings for libdislocator.so -------------------------------- @@ -217,6 +226,10 @@ - AFL_LD_VERBOSE causes the library to output some diagnostic messages that may be useful for pinpointing the cause of any observed issues. + - AFL_LD_NO_CALLOC_OVER inhibits abort() on calloc() overflows. Most + of the common allocators check for that internally and return NULL, so + it's a security risk only in more exotic setups. + 8) Settings for libtokencap.so ------------------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/docs/perf_tips.txt new/afl-2.49b/docs/perf_tips.txt --- old/afl-2.45b/docs/perf_tips.txt 2017-01-13 22:02:41.000000000 +0100 +++ new/afl-2.49b/docs/perf_tips.txt 2017-07-18 02:31:34.000000000 +0200 
@@ -94,7 +94,11 @@
 when it decides that the input file is a compressed archive.
 Some programs may also intentionally call sleep(), usleep(), or nanosleep();
-vim is a good example of that.
+vim is a good example of that. Other programs may attempt fsync() and so on.
+There are third-party libraries that make it easy to get rid of such code,
+e.g.:
+
+ https://launchpad.net/libeatmydata
 In programs that are slow due to unavoidable initialization overhead, you may want to try the LLVM deferred forkserver mode (see llvm_mode/README.llvm),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/experimental/crash_triage/triage_crashes.sh new/afl-2.49b/experimental/crash_triage/triage_crashes.sh
--- old/afl-2.45b/experimental/crash_triage/triage_crashes.sh 2015-04-08 07:38:29.000000000 +0200
+++ new/afl-2.49b/experimental/crash_triage/triage_crashes.sh 2017-07-17 22:46:13.000000000 +0200
@@ -40,18 +40,24 @@
 DIR="$1"
 BIN="$2"
-echo "$DIR" | grep -qE '^(/var)?/tmp/'
-T1="$?"
-echo "$BIN" | grep -qE '^(/var)?/tmp/'
-T2="$?"
+if [ "$AFL_ALLOW_TMP" = "" ]; then
+
+ echo "$DIR" | grep -qE '^(/var)?/tmp/'
+ T1="$?"
+
+ echo "$BIN" | grep -qE '^(/var)?/tmp/'
+ T2="$?"
+
+ if [ "$T1" = "0" -o "$T2" = "0" ]; then
+ echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
+ exit 1
+ fi
-if [ "$T1" = "0" -o "$T2" = "0" ]; then
- echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
- exit 1
 fi
-if [ "$GDB" = "" ]; then
+if
+ [ "$GDB" = "" ]; then
 GDB=gdb
 fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/experimental/distributed_fuzzing/sync_script.sh new/afl-2.49b/experimental/distributed_fuzzing/sync_script.sh
--- old/afl-2.45b/experimental/distributed_fuzzing/sync_script.sh 2016-02-04 06:30:21.000000000 +0100
+++ new/afl-2.49b/experimental/distributed_fuzzing/sync_script.sh 2017-07-17 22:46:32.000000000 +0200
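Review bot: The `+if` / `+ [ "$GDB" = "" ]; then` pair at the end of the triage_crashes.sh hunk leaves a bare `if` on its own line with the test on the next; that is valid shell but reads like an editing slip and a syntax error at first glance, so collapse it back to `if [ "$GDB" = "" ]; then`. The `^(/var)?/tmp/` test that the new AFL_ALLOW_TMP block wraps has the same trailing-slash gap as afl-cmin: `$DIR` or `$BIN` equal to `/tmp` or `/var/tmp` itself passes, and `'^(/var)?/tmp(/|$)'` closes it.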
@@ -41,9 +41,13 @@
 # Interval (seconds) between sync attempts
 SYNC_INTERVAL=$((30 * 60))
-if [ "$PWD" = "/tmp" -o "$PWD" = "/var/tmp" ]; then
- echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
- exit 1
+if [ "$AFL_ALLOW_TMP" = "" ]; then
+
+ if [ "$PWD" = "/tmp" -o "$PWD" = "/var/tmp" ]; then
+ echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
+ exit 1
+ fi
+
 fi
 rm -rf .sync_tmp 2>/dev/null
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/libdislocator/libdislocator.so.c new/afl-2.49b/libdislocator/libdislocator.so.c
--- old/afl-2.45b/libdislocator/libdislocator.so.c 2017-01-13 21:47:39.000000000 +0100
+++ new/afl-2.49b/libdislocator/libdislocator.so.c 2017-07-09 01:30:10.000000000 +0200
@@ -73,7 +73,8 @@
 static u32 max_mem = MAX_ALLOC; /* Max heap usage to permit */
 static u8 alloc_verbose, /* Additional debug messages */
- hard_fail; /* abort() when max_mem exceeded? */
+ hard_fail, /* abort() when max_mem exceeded? */
+ no_calloc_over; /* abort() on calloc() overflows? */
 static __thread size_t total_mem; /* Currently allocated mem */
@@ -153,9 +154,17 @@
 /* Perform some sanity checks to detect obvious issues... */
- if (elem_cnt && len / elem_cnt != elem_len)
+ if (elem_cnt && len / elem_cnt != elem_len) {
+
+ if (no_calloc_over) {
+ DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len, elem_cnt);
+ return NULL;
+ }
+
 FATAL("calloc(%zu, %zu) would overflow", elem_len, elem_cnt);
+ }
+
 ret = __dislocator_alloc(len);
 DEBUGF("calloc(%zu, %zu) = %p [%zu total]", elem_len, elem_cnt, ret,
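Review bot: The check the new AFL_ALLOW_TMP block wraps only tests `$PWD` for exact equality with `/tmp` or `/var/tmp`, so a working directory like `/tmp/sync` passes even though the script goes straight on to `rm -rf .sync_tmp` there; the sibling scripts in this patch (afl-cmin, afl-plot, triage_crashes.sh) use a prefix match, and this one should agree with them. Replacing the test with `if echo "$PWD" | grep -qE '^(/var)?/tmp(/|$)'; then` covers the directory and everything under it.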
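Review bot: The comment on the new `no_calloc_over` field, `/* abort() on calloc() overflows? */`, states the opposite of what the flag does: when it is set, the overflow branch in the next hunk returns NULL instead of calling FATAL(). Suggest `/* Return NULL (not abort()) on calloc() overflow? */` so the declaration matches the AFL_LD_NO_CALLOC_OVER name and the env_variables.txt text in this update.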
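Review bot: In the new `if (no_calloc_over)` branch the shim returns NULL without touching errno, whereas a libc calloc() that refuses a request sets ENOMEM; a target that checks errno after a NULL return will read whatever was left there. If <errno.h> is already included (the include list is outside this hunk), `errno = ENOMEM;` just before `return NULL;` makes the emulation faithful. A short `/* Mimic a real allocator: fail the call instead of aborting the target. */` above the branch would also explain why the abort is skipped here.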
@@ -254,5 +263,6 @@
 alloc_verbose = !!getenv("AFL_LD_VERBOSE");
 hard_fail = !!getenv("AFL_LD_HARD_FAIL");
+ no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/afl-2.45b/libtokencap/libtokencap.so.c new/afl-2.49b/libtokencap/libtokencap.so.c
--- old/afl-2.45b/libtokencap/libtokencap.so.c 2017-06-28 19:27:14.000000000 +0200
+++ new/afl-2.49b/libtokencap/libtokencap.so.c 2017-07-10 22:52:22.000000000 +0200
@@ -243,7 +243,7 @@
 #undef strstr
-const char* strstr(const char* haystack, const char* needle) {
+char* strstr(const char* haystack, const char* needle) {
 if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, strlen(haystack), 1);
@@ -257,7 +257,7 @@
 while(*n && *h && *n == *h) n++, h++;
- if(!*n) return haystack;
+ if(!*n) return (char*)haystack;
 } while (*(haystack++));
@@ -268,7 +268,7 @@
 #undef strcasestr
-const char* strcasestr(const char* haystack, const char* needle) {
+char* strcasestr(const char* haystack, const char* needle) {
 if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, strlen(haystack), 1);
@@ -283,7 +283,7 @@
 while(*n && *h && tolower(*n) == tolower(*h)) n++, h++;
- if(!*n) return haystack;
+ if(!*n) return (char*)haystack;
 } while(*(haystack++));
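Review bot: The strcasestr loop kept as context in the last hunk, `while(*n && *h && tolower(*n) == tolower(*h)) n++, h++;`, passes plain `char` to tolower(); where char is signed, any byte above 0x7F becomes a negative int, which is undefined behaviour for the <ctype.h> functions (only EOF and unsigned char values are permitted) and can read outside the classification table in some libcs. Write `tolower((unsigned char)*n) == tolower((unsigned char)*h)`. Since this shim is fed the fuzzer's own mutated input, high bytes are the normal case rather than an edge case. The function continues past the end of the hunk.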