google / AFL

american fuzzy lop - a security-oriented fuzzer
https://lcamtuf.coredump.cx/afl/
Apache License 2.0

Several potential bugs of memory/File Descriptor leak #147

Open ash1852 opened 3 years ago

ash1852 commented 3 years ago

Hello, I found several potential memory/file descriptor leak bugs. Would you help me check whether these bugs are true? Thanks.

==============================================================================

step 1: In file AFL/alloc-inl.h, function DFL_ck_alloc_nozero, line 115: Allocate memory to ret

step 2: In file AFL/alloc-inl.h, function DFL_ck_alloc_nozero, line 116: Select the true branch at this point (ret!=null is true)

step 3: In file AFL/alloc-inl.h, function DFL_ck_alloc, line 136: Function DFL_ck_alloc_nozero executes and stores the return value to mem

step 4: In file AFL/afl-showmap.c, function get_qemu_argv, line 603: Function DFL_ck_alloc executes and stores the return value to cp

step 5: In file AFL/afl-showmap.c, function get_qemu_argv, line 606: Select the false branch at this point (access(cp,1)==0 is false)

step 6: In file AFL/afl-showmap.c, function get_qemu_argv, line 615: Select the true branch at this point (access("/usr/local/bin/afl-qemu-trace",1)!=0 is false); the allocated memory cp is leaked

==============================================================================

step 1: In file AFL/alloc-inl.h, function DFL_ck_alloc_nozero, line 108: Allocate memory to ret

step 2: In file AFL/alloc-inl.h, function DFL_ck_alloc_nozero, line 109: Select the true branch at this point (ret!=null is true)

step 3: In file AFL/alloc-inl.h, function DFL_ck_alloc, line 129: Function DFL_ck_alloc_nozero executes and stores the return value to mem

step 4: In file AFL/afl-analyze.c, function get_qemu_argv, line 930: Function DFL_ck_alloc executes and stores the return value to cp

step 5: In file AFL/afl-analyze.c, function get_qemu_argv, line 933: Select the false branch at this point (access(cp,1)==0 is false)

step 6: In file AFL/afl-analyze.c, function get_qemu_argv, line 942: Select the true branch at this point (access("/usr/local/bin/afl-qemu-trace",1)==0 is true); the allocated memory is leaked

===============================================================================

step 1: In file AFL/afl-fuzz.c, function write_stats_file, line 3430: Function open executes and stores the return value to fd

step 2: In file AFL/afl-fuzz.c, function write_stats_file, line 3432: Select the false branch at this point (fd<0 is false)

step 3: In file AFL/afl-fuzz.c, function write_stats_file, line 3438: Select the true branch at this point (f!=null is true) but did not close it

==============================================================================

step 1: In file AFL/afl-showmap.c, function write_results, line 182/187/193: Function executes and stores the return value to fd

step 2: In file AFL/afl-showmap.c, function write_results, line 183/188/194: Select the false branch at this point (fd<0 is false)

step 3: In file AFL/afl-showmap.c, function write_results, line 199: Select the false branch at this point (binary_mode!=0 is false)

step 4: In file AFL/afl-showmap.c, function write_results, line 211: Select the false branch at this point (f==null is false)

step 5: In file AFL/afl-showmap.c, function write_results, line 213: Select the true branch at this point (i<65536 is true)

step 6: In file AFL/afl-showmap.c, function write_results, line 215: Select the false branch at this point (trace_bits[i]==0 is false)

step 7: In file AFL/afl-showmap.c, function write_results, line 218: Select the true branch at this point (cmin_mode!=0 is true)

step 8: In file AFL/afl-showmap.c, function write_results, line 220/221: Select the true branch at this point (child_timed_out!=0 is true or (!caa && child_crashed != cco) is true) but did not close fd
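An added example (not AFL's code and not from the reporter) of how a maintainer can confirm or refute the open()/fdopen() descriptor-leak claims above empirically rather than by reading branch paths: a portable open-descriptor counter, a helper that mimics the reported early-exit shape, and a hardened variant where every exit path releases the descriptor exactly once. It assumes a POSIX system where /dev/null is writable and that the process uses fewer than 1024 descriptors.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Count descriptors 0..1023 that are currently open; fcntl(F_GETFD)
   fails with EBADF on a closed slot, so it is a side-effect-free probe. */
static int count_open_fds(void) {
  int n = 0;
  for (int fd = 0; fd < 1024; fd++)
    if (fcntl(fd, F_GETFD) != -1) n++;
  return n;
}

/* Constructed model of the reported pattern: open() then fdopen(), then a
   branch that returns before the fclose(). Defects are deliberate. */
static int write_results_leaky(const char *path, int bail_early) {
  int fd = open(path, O_WRONLY);
  if (fd < 0) return -1;
  FILE *f = fdopen(fd, "w");
  if (!f) return -1;          /* defect: fd is still open on this path */
  if (bail_early) return 0;   /* defect: neither f nor fd is released */
  fprintf(f, "ok\n");
  fclose(f);                  /* fclose() also closes fd; no extra close() */
  return 0;
}

/* Hardened variant: the FILE* owns fd after fdopen() succeeds, so every
   exit releases it exactly once (close(fd) only when fdopen() failed). */
static int write_results_fixed(const char *path, int bail_early) {
  int fd = open(path, O_WRONLY);
  if (fd < 0) return -1;
  FILE *f = fdopen(fd, "w");
  if (!f) { close(fd); return -1; }
  if (!bail_early) fprintf(f, "ok\n");
  fclose(f);
  return 0;
}

/* Number of descriptors a call leaves behind; 0 means no leak. */
static int leaked_fds(int (*fn)(const char *, int), int bail_early) {
  int before = count_open_fds();
  fn("/dev/null", bail_early);
  return count_open_fds() - before;
}

int main(void) {
  printf("leaky, early exit: %d leaked\n", leaked_fds(write_results_leaky, 1));
  printf("fixed, early exit: %d leaked\n", leaked_fds(write_results_fixed, 1));
  return 0;
}
```

The same before/after count can be wrapped around the real write_stats_file or write_results call in a test build to check the report against the actual code.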