* Implemented -f/--fuzzing (fuzzing mode).

doc/zzuf.1

@@ -4,11 +4,11 @@ zzuf \- multiple purpose fuzzer
 .SH SYNOPSIS
 \fBzzuf\fR [\fB\-AcdimnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
 .br
-           [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
+       [\fB\-f\fR \fIfuzzing\fR] [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
 .br
-           [\fB\-M\fR \fImegabytes\fR] [\fB\-b\fR \fIranges\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
+       [\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImegabytes\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
 .br
-           [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
+       [\fB\-b\fR \fIranges\fR] [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
 .br
 \fBzzuf \-h\fR | \fB\-\-help\fR
 .br
@@ -98,6 +98,22 @@ and do not want it to fuzz files in the \fB/etc\fR directory.
 Multiple \fB\-E\fR flags can be specified, in which case files matching any one
 of the regular expressions will be ignored.
 .TP
+\fB\-f\fR, \fB\-\-fuzzing\fR=\fImode\fR
+Select how the input is fuzzed. Valid values for \fImode\fR are:
+.RS
+.TP
+\fBxor\fR
+randomly set and unset bits
+.TP
+\fBset\fR
+only set bits
+.TP
+\fBunset\fR
+only unset bits
+.RE
+.IP
+The default value for \fImode\fR is \fBxor\fR.
+.TP
 \fB\-F\fR, \fB\-\-max\-forks\fR=\fIforks\fR
 Specify the number of simultaneous children that can be run.
 

src/fuzz.c

@@ -36,6 +36,13 @@
 #define MAGIC1 0x33ea84f7
 #define MAGIC2 0x783bc31f
 
+/* Fuzzing mode */
+static enum fuzzing
+{
+    FUZZING_XOR = 0, FUZZING_SET, FUZZING_UNSET
+}
+fuzzing;
+
 /* Per-offset byte protection */
 static unsigned int *ranges = NULL;
 static unsigned int ranges_static[512];
@@ -47,6 +54,16 @@ static int refuse[256];
 /* Local prototypes */
 static void readchars(int *, char const *);
 
+extern void _zz_fuzzing(char const *mode)
+{
+    if(!strcmp(mode, "xor"))
+        fuzzing = FUZZING_XOR;
+    else if(!strcmp(mode, "set"))
+        fuzzing = FUZZING_SET;
+    else if(!strcmp(mode, "unset"))
+        fuzzing = FUZZING_UNSET;
+}
+
 void _zz_bytes(char const *list)
 {
     char const *parser;
@@ -143,7 +160,7 @@ void _zz_fuzz(int fd, volatile uint8_t *buf, uint64_t len)
         for(j = start; j < stop; j++)
         {
             unsigned int *r;
-            uint8_t byte;
+            uint8_t byte, fuzzbyte;
 
             if(!ranges)
                 goto range_ok;
@@ -160,7 +177,23 @@ void _zz_fuzz(int fd, volatile uint8_t *buf, uint64_t len)
             if(protect[byte])
                 continue;
 
-            byte ^= fuzz->data[j % CHUNKBYTES];
+            fuzzbyte = fuzz->data[j % CHUNKBYTES];
+
+            if(!fuzzbyte)
+                continue;
+
+            switch(fuzzing)
+            {
+            case FUZZING_XOR:
+                byte ^= fuzzbyte;
+                break;
+            case FUZZING_SET:
+                byte |= fuzzbyte;
+                break;
+            case FUZZING_UNSET:
+                byte &= ~fuzzbyte;
+                break;
+            }
 
             if(refuse[byte])
                 continue;

src/fuzz.h

@@ -16,6 +16,7 @@
  *  fuzz.h: fuzz functions
  */
 
+extern void _zz_fuzzing(char const *);
 extern void _zz_bytes(char const *);
 extern void _zz_protect(char const *);
 extern void _zz_refuse(char const *);

src/opts.c

@@ -33,7 +33,7 @@
 
 void _zz_opts_init(struct opts *opts)
 {
-    opts->bytes = opts->protect = opts->refuse = NULL;
+    opts->fuzzing = opts->bytes = opts->protect = opts->refuse = NULL;
     opts->seed = DEFAULT_SEED;
     opts->endseed = DEFAULT_SEED + 1;
     opts->minratio = opts->maxratio = DEFAULT_RATIO;

src/opts.h

@@ -20,7 +20,7 @@ struct opts
 {
     char **oldargv;
     char **newargv;
-    char *bytes, *protect, *refuse;
+    char *fuzzing, *bytes, *protect, *refuse;
     uint32_t seed;
     uint32_t endseed;
     double minratio;

src/zzuf.c

@@ -130,9 +130,9 @@ int main(int argc, char *argv[])
     for(;;)
     {
 #   if defined HAVE_REGEX_H
-#       define OPTSTR "Ab:B:cC:dD:E:F:iI:mM:nP:qr:R:s:ST:vxhV"
+#       define OPTSTR "Ab:B:cC:dD:E:f:F:iI:mM:nP:qr:R:s:ST:vxhV"
 #   else
-#       define OPTSTR "Ab:B:C:dD:F:imM:nP:qr:R:s:ST:vxhV"
+#       define OPTSTR "Ab:B:C:dD:f:F:imM:nP:qr:R:s:ST:vxhV"
 #   endif
 #   if defined HAVE_GETOPT_LONG
 #       define MOREINFO "Try `%s --help' for more information.\n"
@@ -152,6 +152,7 @@ int main(int argc, char *argv[])
 #if defined HAVE_REGEX_H
             { "exclude",     1, NULL, 'E' },
 #endif
+            { "fuzzing",     1, NULL, 'f' },
             { "max-forks",   1, NULL, 'F' },
             { "stdin",       0, NULL, 'i' },
 #if defined HAVE_REGEX_H
@@ -219,6 +220,9 @@ int main(int argc, char *argv[])
             }
             break;
 #endif
+        case 'f': /* --fuzzing */
+            opts->fuzzing = optarg;
+            break;
         case 'F': /* --max-forks */
             opts->maxchild = atoi(optarg) > 1 ? atoi(optarg) : 1;
             break;
@@ -343,6 +347,8 @@ int main(int argc, char *argv[])
         setenv("ZZUF_EXCLUDE", exclude, 1);
 #endif
 
+    if(opts->fuzzing)
+        setenv("ZZUF_FUZZING", opts->fuzzing, 1);
     if(opts->bytes)
         setenv("ZZUF_BYTES", opts->bytes, 1);
     if(opts->protect)
@@ -393,6 +399,8 @@ static void loop_stdin(struct opts *opts)
     if(opts->md5)
         ctx = _zz_md5_init();
 
+    if(opts->fuzzing)
+        _zz_fuzzing(opts->fuzzing);
     if(opts->bytes)
         _zz_bytes(opts->bytes);
     if(opts->protect)
@@ -1048,12 +1056,12 @@ static void usage(void)
 #else
     printf("Usage: zzuf [-AdimnqSvx] [-s seed|-s start:stop] [-r ratio|-r min:max]\n");
 #endif
-    printf("                  [-D delay] [-F forks] [-C crashes] [-B bytes] [-T seconds]\n");
+    printf("              [-f fuzzing] [-D delay] [-F forks] [-C crashes] [-B bytes]\n");
-    printf("                  [-M bytes] [-b ranges] [-P protect] [-R refuse]\n");
+    printf("              [-T seconds] [-M bytes] [-b ranges] [-P protect] [-R refuse]\n");
 #if defined HAVE_REGEX_H
-    printf("                  [-I include] [-E exclude] [PROGRAM [--] [ARGS]...]\n");
+    printf("              [-I include] [-E exclude] [PROGRAM [--] [ARGS]...]\n");
 #else
-    printf("                  [PROGRAM [--] [ARGS]...]\n");
+    printf("              [PROGRAM [--] [ARGS]...]\n");
 #endif
 #   if defined HAVE_GETOPT_LONG
     printf("       zzuf -h | --help\n");
@@ -1078,6 +1086,7 @@ static void usage(void)
 #if defined HAVE_REGEX_H
     printf("  -E, --exclude <regex>     do not fuzz files matching <regex>\n");
 #endif
+    printf("  -f, --fuzzing <mode>      use fuzzing mode <mode> ([xor] set unset)\n");
     printf("  -F, --max-forks <n>       number of concurrent children (default 1)\n");
     printf("  -i, --stdin               fuzz standard input\n");
 #if defined HAVE_REGEX_H
@@ -1114,6 +1123,7 @@ static void usage(void)
 #if defined HAVE_REGEX_H
     printf("  -E <regex>       do not fuzz files matching <regex>\n");
 #endif
+    printf("  -f <mode>        use fuzzing mode <mode>\n");
     printf("  -F <n>           number of concurrent forks (default 1)\n");
     printf("  -i               fuzz standard input\n");
 #if defined HAVE_REGEX_H