* Implemented -f/--fuzzing (fuzzing mode).
This commit is contained in:
parent
b4fbf4c088
commit
5e6b423865
22
doc/zzuf.1
22
doc/zzuf.1
@ -4,11 +4,11 @@ zzuf \- multiple purpose fuzzer
|
||||
.SH SYNOPSIS
|
||||
\fBzzuf\fR [\fB\-AcdimnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
|
||||
.br
|
||||
[\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
|
||||
[\fB\-f\fR \fIfuzzing\fR] [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
|
||||
.br
|
||||
[\fB\-M\fR \fImegabytes\fR] [\fB\-b\fR \fIranges\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
|
||||
[\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImegabytes\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
|
||||
.br
|
||||
[\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
|
||||
[\fB\-b\fR \fIranges\fR] [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
|
||||
.br
|
||||
\fBzzuf \-h\fR | \fB\-\-help\fR
|
||||
.br
|
||||
@ -98,6 +98,22 @@ and do not want it to fuzz files in the \fB/etc\fR directory.
|
||||
Multiple \fB\-E\fR flags can be specified, in which case files matching any one
|
||||
of the regular expressions will be ignored.
|
||||
.TP
|
||||
\fB\-f\fR, \fB\-\-fuzzing\fR=\fImode\fR
|
||||
Select how the input is fuzzed. Valid values for \fImode\fR are:
|
||||
.RS
|
||||
.TP
|
||||
\fBxor\fR
|
||||
randomly set and unset bits
|
||||
.TP
|
||||
\fBset\fR
|
||||
only set bits
|
||||
.TP
|
||||
\fBunset\fR
|
||||
only unset bits
|
||||
.RE
|
||||
.IP
|
||||
The default value for \fImode\fR is \fBxor\fR.
|
||||
.TP
|
||||
\fB\-F\fR, \fB\-\-max\-forks\fR=\fIforks\fR
|
||||
Specify the number of simultaneous children that can be run.
|
||||
|
||||
|
||||
37
src/fuzz.c
37
src/fuzz.c
@ -36,6 +36,13 @@
|
||||
#define MAGIC1 0x33ea84f7
|
||||
#define MAGIC2 0x783bc31f
|
||||
|
||||
/* Fuzzing mode */
|
||||
static enum fuzzing
|
||||
{
|
||||
FUZZING_XOR = 0, FUZZING_SET, FUZZING_UNSET
|
||||
}
|
||||
fuzzing;
|
||||
|
||||
/* Per-offset byte protection */
|
||||
static unsigned int *ranges = NULL;
|
||||
static unsigned int ranges_static[512];
|
||||
@ -47,6 +54,16 @@ static int refuse[256];
|
||||
/* Local prototypes */
|
||||
static void readchars(int *, char const *);
|
||||
|
||||
extern void _zz_fuzzing(char const *mode)
|
||||
{
|
||||
if(!strcmp(mode, "xor"))
|
||||
fuzzing = FUZZING_XOR;
|
||||
else if(!strcmp(mode, "set"))
|
||||
fuzzing = FUZZING_SET;
|
||||
else if(!strcmp(mode, "unset"))
|
||||
fuzzing = FUZZING_UNSET;
|
||||
}
|
||||
|
||||
void _zz_bytes(char const *list)
|
||||
{
|
||||
char const *parser;
|
||||
@ -143,7 +160,7 @@ void _zz_fuzz(int fd, volatile uint8_t *buf, uint64_t len)
|
||||
for(j = start; j < stop; j++)
|
||||
{
|
||||
unsigned int *r;
|
||||
uint8_t byte;
|
||||
uint8_t byte, fuzzbyte;
|
||||
|
||||
if(!ranges)
|
||||
goto range_ok;
|
||||
@ -160,7 +177,23 @@ void _zz_fuzz(int fd, volatile uint8_t *buf, uint64_t len)
|
||||
if(protect[byte])
|
||||
continue;
|
||||
|
||||
byte ^= fuzz->data[j % CHUNKBYTES];
|
||||
fuzzbyte = fuzz->data[j % CHUNKBYTES];
|
||||
|
||||
if(!fuzzbyte)
|
||||
continue;
|
||||
|
||||
switch(fuzzing)
|
||||
{
|
||||
case FUZZING_XOR:
|
||||
byte ^= fuzzbyte;
|
||||
break;
|
||||
case FUZZING_SET:
|
||||
byte |= fuzzbyte;
|
||||
break;
|
||||
case FUZZING_UNSET:
|
||||
byte &= ~fuzzbyte;
|
||||
break;
|
||||
}
|
||||
|
||||
if(refuse[byte])
|
||||
continue;
|
||||
|
||||
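Review bot: `_zz_fuzzing()` leaves `fuzzing` untouched when `mode` matches none of "xor"/"set"/"unset", so an unrecognised `ZZUF_FUZZING` value is silently accepted and the run proceeds with whatever the static already held (zero-initialised, i.e. `FUZZING_XOR`) — a run the user believes is `unset` may really have been `xor`, with no diagnostic to tell them. Either report the bad value through whatever channel the library already uses for warnings, or at least make the fallback explicit, e.g. `else fuzzing = FUZZING_XOR; /* unknown mode: documented default */`, and have the caller reject the string before it gets this far. Two smaller points in the same file: the `extern` on the `_zz_fuzzing` definition is unnecessary and inconsistent with `_zz_bytes` directly below it, and the new `switch(fuzzing)` in `_zz_fuzz` has no `default:` branch, so a future enum value would silently leave `byte` unmodified. `_zz_fuzz` begins and ends outside the hunks shown here.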
@ -16,6 +16,7 @@
|
||||
* fuzz.h: fuzz functions
|
||||
*/
|
||||
|
||||
extern void _zz_fuzzing(char const *);
|
||||
extern void _zz_bytes(char const *);
|
||||
extern void _zz_protect(char const *);
|
||||
extern void _zz_refuse(char const *);
|
||||
|
||||
@ -33,7 +33,7 @@
|
||||
|
||||
void _zz_opts_init(struct opts *opts)
|
||||
{
|
||||
opts->bytes = opts->protect = opts->refuse = NULL;
|
||||
opts->fuzzing = opts->bytes = opts->protect = opts->refuse = NULL;
|
||||
opts->seed = DEFAULT_SEED;
|
||||
opts->endseed = DEFAULT_SEED + 1;
|
||||
opts->minratio = opts->maxratio = DEFAULT_RATIO;
|
||||
|
||||
@ -20,7 +20,7 @@ struct opts
|
||||
{
|
||||
char **oldargv;
|
||||
char **newargv;
|
||||
char *bytes, *protect, *refuse;
|
||||
char *fuzzing, *bytes, *protect, *refuse;
|
||||
uint32_t seed;
|
||||
uint32_t endseed;
|
||||
double minratio;
|
||||
|
||||
22
src/zzuf.c
22
src/zzuf.c
@ -130,9 +130,9 @@ int main(int argc, char *argv[])
|
||||
for(;;)
|
||||
{
|
||||
# if defined HAVE_REGEX_H
|
||||
# define OPTSTR "Ab:B:cC:dD:E:F:iI:mM:nP:qr:R:s:ST:vxhV"
|
||||
# define OPTSTR "Ab:B:cC:dD:E:f:F:iI:mM:nP:qr:R:s:ST:vxhV"
|
||||
# else
|
||||
# define OPTSTR "Ab:B:C:dD:F:imM:nP:qr:R:s:ST:vxhV"
|
||||
# define OPTSTR "Ab:B:C:dD:f:F:imM:nP:qr:R:s:ST:vxhV"
|
||||
# endif
|
||||
# if defined HAVE_GETOPT_LONG
|
||||
# define MOREINFO "Try `%s --help' for more information.\n"
|
||||
@ -152,6 +152,7 @@ int main(int argc, char *argv[])
|
||||
#if defined HAVE_REGEX_H
|
||||
{ "exclude", 1, NULL, 'E' },
|
||||
#endif
|
||||
{ "fuzzing", 1, NULL, 'f' },
|
||||
{ "max-forks", 1, NULL, 'F' },
|
||||
{ "stdin", 0, NULL, 'i' },
|
||||
#if defined HAVE_REGEX_H
|
||||
@ -219,6 +220,9 @@ int main(int argc, char *argv[])
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
case 'f': /* --fuzzing */
|
||||
opts->fuzzing = optarg;
|
||||
break;
|
||||
case 'F': /* --max-forks */
|
||||
opts->maxchild = atoi(optarg) > 1 ? atoi(optarg) : 1;
|
||||
break;
|
||||
@ -343,6 +347,8 @@ int main(int argc, char *argv[])
|
||||
setenv("ZZUF_EXCLUDE", exclude, 1);
|
||||
#endif
|
||||
|
||||
if(opts->fuzzing)
|
||||
setenv("ZZUF_FUZZING", opts->fuzzing, 1);
|
||||
if(opts->bytes)
|
||||
setenv("ZZUF_BYTES", opts->bytes, 1);
|
||||
if(opts->protect)
|
||||
@ -393,6 +399,8 @@ static void loop_stdin(struct opts *opts)
|
||||
if(opts->md5)
|
||||
ctx = _zz_md5_init();
|
||||
|
||||
if(opts->fuzzing)
|
||||
_zz_fuzzing(opts->fuzzing);
|
||||
if(opts->bytes)
|
||||
_zz_bytes(opts->bytes);
|
||||
if(opts->protect)
|
||||
@ -1048,12 +1056,12 @@ static void usage(void)
|
||||
#else
|
||||
printf("Usage: zzuf [-AdimnqSvx] [-s seed|-s start:stop] [-r ratio|-r min:max]\n");
|
||||
#endif
|
||||
printf(" [-D delay] [-F forks] [-C crashes] [-B bytes] [-T seconds]\n");
|
||||
printf(" [-M bytes] [-b ranges] [-P protect] [-R refuse]\n");
|
||||
printf(" [-f fuzzing] [-D delay] [-F forks] [-C crashes] [-B bytes]\n");
|
||||
printf(" [-T seconds] [-M bytes] [-b ranges] [-P protect] [-R refuse]\n");
|
||||
#if defined HAVE_REGEX_H
|
||||
printf(" [-I include] [-E exclude] [PROGRAM [--] [ARGS]...]\n");
|
||||
printf(" [-I include] [-E exclude] [PROGRAM [--] [ARGS]...]\n");
|
||||
#else
|
||||
printf(" [PROGRAM [--] [ARGS]...]\n");
|
||||
printf(" [PROGRAM [--] [ARGS]...]\n");
|
||||
#endif
|
||||
# if defined HAVE_GETOPT_LONG
|
||||
printf(" zzuf -h | --help\n");
|
||||
@ -1078,6 +1086,7 @@ static void usage(void)
|
||||
#if defined HAVE_REGEX_H
|
||||
printf(" -E, --exclude <regex> do not fuzz files matching <regex>\n");
|
||||
#endif
|
||||
printf(" -f, --fuzzing <mode> use fuzzing mode <mode> ([xor] set unset)\n");
|
||||
printf(" -F, --max-forks <n> number of concurrent children (default 1)\n");
|
||||
printf(" -i, --stdin fuzz standard input\n");
|
||||
#if defined HAVE_REGEX_H
|
||||
@ -1114,6 +1123,7 @@ static void usage(void)
|
||||
#if defined HAVE_REGEX_H
|
||||
printf(" -E <regex> do not fuzz files matching <regex>\n");
|
||||
#endif
|
||||
printf(" -f <mode> use fuzzing mode <mode>\n");
|
||||
printf(" -F <n> number of concurrent forks (default 1)\n");
|
||||
printf(" -i fuzz standard input\n");
|
||||
#if defined HAVE_REGEX_H
|
||||
|
||||
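Review bot: The new `case 'f'` stores `optarg` without checking it, and the consumer `_zz_fuzzing()` in fuzz.c ignores anything other than xor/set/unset, so a typo like `-f unsett` runs the default xor mode with no error. Validate the mode at parse time, where `argv[0]` and the usage text are at hand, e.g. `if(strcmp(optarg, "xor") && strcmp(optarg, "set") && strcmp(optarg, "unset")) { fprintf(stderr, "%s: invalid fuzzing mode `%s'\n", argv[0], optarg); return EXIT_FAILURE; }`. Separately, this page shows `ZZUF_FUZZING` being exported for the child process but no hunk in which the preloaded library reads it back and calls `_zz_fuzzing`; unless that lives in a file not shown here, the mode is only honoured on the `loop_stdin` path and forked targets keep fuzzing with xor. The option-parsing switch in `main` and the body of `loop_stdin` both extend beyond the hunks shown.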