Changeset 1554 for zzuf


Timestamp:
Jan 4, 2007, 2:09:04 AM (14 years ago)
Author:
Sam Hocevar
Message:
  • Implement -P / --protect.
Location:
zzuf/trunk
Files:
5 edited

  • zzuf/trunk/doc/zzuf.1

    r1539 r1554  
    5656only useful if the \fB\-s\fR flag is used with an interval argument.
    5757.TP
    58 \fB\-h\fR, \fB\-\-help\fR
    59 Display a short help message and exit.
    60 .TP
    6158\fB\-i\fR, \fB\-\-stdin\fR
    6259Fuzz the application's standard input. By default \fBzzuf\fR only fuzzes files.
     
    6966Multiple \fB\-I\fR flags can be specified, in which case files matching any one
    7067of the regular expressions will be fuzzed. See also the \fB\-c\fR flag.
     68.TP
     69\fB\-P\fR, \fB\-\-protect\fR=\fIlist\fR
     70Protect a list of characters so that if they appear in input data that would
     71normally be fuzzed, they are left unmodified instead.
     72
     73Characters in \fIlist\fR can be expressed verbatim or through escape sequences.
     74The sequences interpreted by \fBzzuf\fR are:
     75.RS
     76.TP
     77\fB\\n\fR
     78new line
     79.TP
     80\fB\\r\fR
     81return
     82.TP
     83\fB\\t\fR
     84tabulation
     85.TP
     86\fB\\0\fR
     87the null character
     88.TP
     89\fB\\x\fR\fINN\fR
     90the byte whose hexadecimal value is \fINN\fR
     91.TP
     92\fB\\\\\fR
     93backslash ('\\')
     94.RE
     95.IP
     96You can use '\fB-\fR' to specify ranges. For instance, to protect all bytes
     97from '\fB\\x01\fR' to ' ', use \fB\-P \(dq\\x01- \(dq\fR.
    7198.TP
    7299\fB\-q\fR, \fB\-\-quiet\fR
     
    111138situations. See also the \fB\-B\fR flag.
    112139.TP
     140\fB\-h\fR, \fB\-\-help\fR
     141Display a short help message and exit.
     142.TP
    113143\fB\-v\fR, \fB\-\-version\fR
    114144Output version information and exit.
     
    180210fail in the presence of any mechanism that disables preloading. For instance
    181211setuid root binaries will not be fuzzed when run as an unprivileged user.
     212.PP
     213As of now, \fBzzuf\fR does not really support multithreaded applications. The
     214behaviour with multithreaded applications where more than one thread do file
     215descriptor operations is undefined.
    182216.SH AUTHOR
    183217.PP
  • zzuf/trunk/src/fuzz.c

    r1552 r1554  
    4343    unsigned int i, j, todo;
    4444
     45/*
    4546    debug("fuzz(%i, %lli@%li)", fd, (unsigned long long int)len,
    4647          (unsigned long int)pos);
     48*/
    4749
    4850    fuzz = _zz_getfuzz(fd);
     
    6971            {
    7072                unsigned int idx = _zz_rand(CHUNKBYTES);
    71                 uint8_t byte = (1 << _zz_rand(8));
     73                uint8_t bit = (1 << _zz_rand(8));
    7274
    73                 fuzz->data[idx] ^= byte;
     75                fuzz->data[idx] ^= bit;
    7476            }
    7577
     
    8486
    8587        for(j = start; j < stop; j++)
     88        {
     89            if(_zz_protect[aligned_buf[j]])
     90                continue;
     91
    8692            aligned_buf[j] ^= fuzz->data[j % CHUNKBYTES];
     93        }
    8794    }
    8895}
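Review bot: The new guard `if(_zz_protect[aligned_buf[j]])` indexes a 256-entry table with an element of `aligned_buf`, which is only in bounds if that buffer's element type is unsigned. Its declaration is outside the hunk; if it is plain `char` (signed on most ABIs), any byte above 0x7f becomes a negative index and an out-of-bounds read. Unless it is already `uint8_t *`, the lookup should be `if(_zz_protect[(unsigned char)aligned_buf[j]])`. The enclosing function starts before this hunk.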
  • zzuf/trunk/src/libzzuf.c

    r1553 r1554  
    2828#include <unistd.h>
    2929#include <stdlib.h>
     30#include <string.h>
    3031#include <fcntl.h>
    3132#include <regex.h>
     
    4647int   _zz_signal   = 0;
    4748
     49/* Global tables */
     50int   _zz_protect[256];
     51
    4852/* Local variables */
    4953static regex_t * re_include = NULL;
     
    5155
    5256/* Local prototypes */
     57static void _zz_protect_init(char const *);
    5358static void _zz_fd_init(void);
    5459static void _zz_fd_fini(void);
     
    7580        _zz_ratio = 5.0f;
    7681
     82    tmp = getenv("ZZUF_PROTECT");
     83    if(tmp && *tmp)
     84        _zz_protect_init(tmp);
     85
    7786    tmp = getenv("ZZUF_INCLUDE");
    7887    if(tmp && *tmp)
     
    112121{
    113122    _zz_fd_fini();
     123}
     124
     125/* Byte list stuff */
     126static void _zz_protect_init(char const *list)
     127{
     128    static char const hex[] = "0123456789abcdef0123456789ABCDEF";
     129    char const *tmp;
     130    int a, b;
     131
     132    memset(_zz_protect, 0, 256 * sizeof(int));
     133
     134    for(tmp = list, a = b = -1; *tmp; tmp++)
     135    {
     136        int new;
     137
     138        if(*tmp == '\\' && tmp[1] == '\0')
     139            new = '\\';
     140        else if(*tmp == '\\')
     141        {
     142            tmp++;
     143            if(*tmp == 'n')
     144                new = '\n';
     145            else if(*tmp == 'r')
     146                new = '\r';
     147            else if(*tmp == 't')
     148                new = '\t';
     149            else if(*tmp == '0')
     150                new = '\0';
     151            else if((*tmp == 'x' || *tmp == 'X')
     152                     && tmp[1] && strchr(hex, tmp[1])
     153                     && tmp[2] && strchr(hex, tmp[2]))
     154            {
     155                new = ((strchr(hex, tmp[1]) - hex) & 0xf) << 4;
     156                new |= (strchr(hex, tmp[2]) - hex) & 0xf;
     157                tmp += 2;
     158            }
     159            else
     160                new = (unsigned char)*tmp; /* XXX: OK for \\, but what else? */
     161        }
     162        else
     163            new = (unsigned char)*tmp;
     164
     165        if(a != -1 && b == '-' && a <= new)
     166        {
     167            while(a <= new)
     168                _zz_protect[a++] = 1;
     169            a = b = -1;
     170        }
     171        else
     172        {
     173            if(a != -1)
     174                _zz_protect[a] = 1;
     175            a = b;
     176            b = new;
     177        }
     178    }
     179
     180    if(a != -1)
     181        _zz_protect[a] = 1;
     182    if(b != -1)
     183        _zz_protect[b] = 1;
    114184}
    115185
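Review bot: In `_zz_protect_init`, a reversed range such as `z-a` fails the `a <= new` test on new line 165 and drops into the else branch, so `-` and both endpoints are protected as literals with no diagnostic; a `\x` escape with fewer than two hex digits likewise falls to the catch-all and protects the letter `x`. Either swap the endpoints when `a > new`, or document the fallback: `/* reversed ranges and malformed escapes are taken literally, not rejected */`. The `memset` on line 132 would be more robust against a later size change as `memset(_zz_protect, 0, sizeof _zz_protect);`.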
  • zzuf/trunk/src/libzzuf.h

    r1553 r1554  
    4040extern int   _zz_signal;
    4141
     42/* Internal tables */
     43extern int   _zz_protect[256];
     44
    4245/* Library initialisation shit */
    4346extern void _zz_init(void) __attribute__((constructor));
  • zzuf/trunk/src/zzuf.c

    r1546 r1554  
    111111            { "stdin",     0, NULL, 'i' },
    112112            { "include",   1, NULL, 'I' },
     113            { "protect",   1, NULL, 'P' },
    113114            { "quiet",     0, NULL, 'q' },
    114115            { "ratio",     1, NULL, 'r' },
     
    118119            { "version",   0, NULL, 'v' },
    119120        };
    120         int c = getopt_long(argc, argv, "B:cdE:F:hiI:qr:s:ST:v",
     121        int c = getopt_long(argc, argv, "B:cdE:F:hiI:P:qr:s:ST:v",
    121122                            long_options, &option_index);
    122123#   else
    123124#       define MOREINFO "Try `%s -h' for more information.\n"
    124         int c = getopt(argc, argv, "B:cdE:F:hiI:qr:s:ST:v");
     125        int c = getopt(argc, argv, "B:cdE:F:hiI:P:qr:s:ST:v");
    125126#   endif
    126127        if(c == -1)
     
    167168        case 'T': /* --max-time */
    168169            maxtime = atof(optarg);
     170            break;
     171        case 'P': /* --protect */
     172            setenv("ZZUF_PROTECT", optarg, 1);
    169173            break;
    170174        case 'q': /* --quiet */
     
    542546static void usage(void)
    543547{
    544     printf("Usage: zzuf [ -vqdhic ] [ -r ratio ] [ -s seed | -s start:stop ]\n");
    545     printf("                        [ -F children ] [ -B bytes ] [ -T seconds ]\n");
    546     printf("                        [ -I include ] [ -E exclude ] COMMAND [ARGS]...\n");
     548    printf("Usage: zzuf [ -qdic ] [ -r ratio ] [ -s seed | -s start:stop ]\n");
     549    printf("                      [ -F children ] [ -B bytes ] [ -T seconds ] [ -P protect ]\n");
     550    printf("                      [ -I include ] [ -E exclude ] COMMAND [ARGS]...\n");
     551    printf("       zzuf -h\n");
     552    printf("       zzuf -v\n");
    547553    printf("Run COMMAND and randomly fuzz its input.\n");
    548554    printf("\n");
     
    554560    printf("  -E, --exclude <regex>    do not fuzz files matching <regex>\n");
    555561    printf("  -F, --fork <count>       number of concurrent children (default 1)\n");
    556     printf("  -h, --help               display this help and exit\n");
    557562    printf("  -i, --stdin              fuzz standard input\n");
    558563    printf("  -I, --include <regex>    only fuzz files matching <regex>\n");
     564    printf("  -P, --protect <list>     protect bytes and characters in <list>\n");
    559565    printf("  -q, --quiet              do not print children's messages\n");
    560566    printf("  -r, --ratio <ratio>      bit fuzzing ratio (default 0.004)\n");
     
    563569    printf("  -S, --signal             prevent children from diverting crashing signals\n");
    564570    printf("  -T, --max-time <n>       kill children that run for more than <n> seconds\n");
     571    printf("  -h, --help               display this help and exit\n");
    565572    printf("  -v, --version            output version information and exit\n");
    566573#   else
     
    570577    printf("  -E <regex>       do not fuzz files matching <regex>\n");
    571578    printf("  -F <count>       number of concurrent forks (default 1)\n");
    572     printf("  -h               display this help and exit\n");
    573579    printf("  -i               fuzz standard input\n");
    574580    printf("  -I <regex>       only fuzz files matching <regex>\n");
     581    printf("  -P <list>        protect bytes and characters in <list>\n");
    575582    printf("  -q               do not print the fuzzed application's messages\n");
    576583    printf("  -r <ratio>       bit fuzzing ratio (default 0.004)\n");
     
    579586    printf("  -S               prevent children from diverting crashing signals\n");
    580587    printf("  -T <n>           kill children that run for more than <n> seconds\n");
     588    printf("  -h               display this help and exit\n");
    581589    printf("  -v               output version information and exit\n");
    582590#   endif
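Review bot: The new `setenv("ZZUF_PROTECT", optarg, 1);` on line 172 ignores the return value; `setenv` can fail with ENOMEM, and the children would then run with protection silently disabled. If the other options' `setenv` calls (outside this hunk) are unchecked as well, this should at least be fixed consistently, e.g. `if(setenv("ZZUF_PROTECT", optarg, 1)) perror("zzuf");`. The enclosing switch and function begin outside the hunk.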