Changeset 1641 for zzuf/trunkTweet

Timestamp:

Jan 10, 2007, 6:17:26 PM (16 years ago)

Author:

Sam Hocevar

Message:

• Implemented memory limits. Probably breaks on other arches because of all the new functions.

Location:

zzuf/trunk

Files:

• doc/zzuf.1 (modified) (6 diffs)
• src/libzzuf.c (modified) (2 diffs)
• src/libzzuf.h (modified) (1 diff)
• src/load-mem.c (modified) (5 diffs)
• src/zzuf.c (modified) (10 diffs)

zzuf/trunk/doc/zzuf.1

@@ -3 +3 @@
 zzuf \- multiple purpose fuzzer
 .SH SYNOPSIS
-\fBzzuf\fR [\fB\-cdiMnqS\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR | \fB\-s\fR \fIstart:stop\fR]
+\fBzzuf\fR [\fB\-cdiMnqS\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR]
 .br
                 [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
 .br
-                [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
+                [\fB\-M\fR \fImegabytes\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
 .br
                 [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fIARGS\fR]...]
@@ -99 +99 @@
 Instead of displaying the program's standard output, just print the MD5 digest
 of that output. The standard error channel is left untouched.
+.TP
+\fB\-M\fR, \fB\-\-max-memory\fR=\fImegabytes\fR
+Specify the maximum amount of memory, in megabytes, that children are allowed
+to allocate. This is useful to detect infinite loops that eat up a lot of
+memory. The value should set reasonably high so as not to interfer with normal
+program operation.
+
+\fBZzuf\fR uses the \fBsetrlimit\fR() call to set memory usage limitations and
+relies on the operating system's ability to enforce such limitations.
 .TP
 \fB\-n\fR, \fB\-\-network\fR
@@ -228 +237 @@
 .PP
 \fB    zzuf \-c \-s 87423 \-r 0.01 vlc movie.avi\fR
-\fB    zzuf \-c \-s 87423 \-r 0.01 cp movie.avi fuzzy\-movie.avi\fR
+\fB    zzuf \-c \-s 87423 \-r 0.01 <movie.avi >fuzzy\-movie.avi\fR
 \fB    vlc fuzzy\-movie.avi\fR
 .PP
@@ -241 +250 @@
 .SH RESTRICTIONS
 .PP
-Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR on most
-Unix systems, \fBDYLD_INSERT_LIBRARIES\fR on Mac OS X) to run its child
+Due to \fBzzuf\fR using shared object preloading (\fBLD_PRELOAD\fR,
+\fB_RLD_LIST\fB, \fBDYLD_INSERT_LIBRARIES\fR, etc.) to run its child
 processes, it will fail in the presence of any mechanism that disables
 preloading. For instance setuid root binaries will not be fuzzed when run
@@ -267 +276 @@
 descriptor operations is undefined.
 .SH NOTES
-In order to intercept file and network operations and signal handlers,
-\fBzzuf\fR diverts and reimplements the following functions, which can
-be private libc symbols, too:
+In order to intercept file and network operations, signal handlers and memory
+allocations, \fBzzuf\fR diverts and reimplements the following functions,
+which can be private libc symbols, too:
 .TP
 Unix file descriptor handling:
 \fBopen\fR(), \fBlseek\fR(), \fBread\fR(), \fBaccept\fR(), \fBsocket\fR(),
-\fBmmap\fR(), \fBmunmap\fR(), \fBclose\fR()
+\fBclose\fR()
 .TP
 Standard IO streams:
@@ -279 +288 @@
 \fBfread\fR(), \fBgetc\fR(), \fBfgetc\fR(), \fBfgets\fR(), \fBungetc\fR(),
 \fBfclose\fR()
+.TP
+Memory management:
+\fBmmap\fR(), \fBmunmap\fR(), \fBmalloc\fR(), \fBcalloc\fR(), \fBvalloc\fR(),
+\fBfree\fR(), \fBmemalign\fR(), \fBposix_memalign\fR(), \fBbrk\fR(),
+\fBsbrk\fR()
 .TP
 Linux-specific:

zzuf/trunk/src/libzzuf.c

@@ -45 +45 @@
 int   _zz_hasdebug = 0;
 int   _zz_signal   = 0;
+int   _zz_memory   = 0;
 int   _zz_network  = 0;
 
@@ -84 +85 @@
         _zz_signal = 1;
 
+    tmp = getenv("ZZUF_MEMORY");
+    if(tmp && *tmp == '1')
+        _zz_memory = 1;
+
     tmp = getenv("ZZUF_NETWORK");
     if(tmp && *tmp == '1')

zzuf/trunk/src/libzzuf.h

@@ -40 +40 @@
 extern int   _zz_hasdebug;
 extern int   _zz_signal;
+extern int   _zz_memory;
 extern int   _zz_network;
 

zzuf/trunk/src/load-mem.c

@@ -23 +23 @@
 /* Use this to get mmap64() on glibc systems */
 #define _LARGEFILE64_SOURCE
+/* Use this to get posix_memalign */
+#define _XOPEN_SOURCE 600
 
 #if defined HAVE_STDINT_H
@@ -32 +34 @@
 #include <string.h>
 #include <dlfcn.h>
-
+#include <errno.h>
+#include <signal.h>
+
+#include <malloc.h>
 #include <unistd.h>
 #include <sys/mman.h>
@@ -46 +51 @@
 
 /* Library functions that we divert */
-static void *  (*mmap_orig)    (void *start, size_t length, int prot,
-                                int flags, int fd, off_t offset);
+static void *  (*calloc_orig)   (size_t nmemb, size_t size);
+static void *  (*malloc_orig)   (size_t size);
+static void    (*free_orig)     (void *ptr);
+static void *  (*valloc_orig)   (size_t size);
+static void *  (*memalign_orig) (size_t boundary, size_t size);
+static int     (*posix_memalign_orig) (void **memptr, size_t alignment,
+                                       size_t size);
+static void *  (*realloc_orig)  (void *ptr, size_t size);
+static int     (*brk_orig)      (void *end_data_segment);
+static void *  (*sbrk_orig)     (intptr_t increment);
+
+static void *  (*mmap_orig)     (void *start, size_t length, int prot,
+                                 int flags, int fd, off_t offset);
+/* TODO */
+/* static void *  (*mremap_orig)   (void *old_address, size_t old_size,
+                                 size_t new_size, int flags); */
 #ifdef HAVE_MMAP64
-static void *  (*mmap64_orig)  (void *start, size_t length, int prot,
-                                int flags, int fd, off64_t offset);
-#endif
-static int     (*munmap_orig)  (void *start, size_t length);
+static void *  (*mmap64_orig)   (void *start, size_t length, int prot,
+                                 int flags, int fd, off64_t offset);
+#endif
+static int     (*munmap_orig)   (void *start, size_t length);
 #ifdef HAVE_MAP_FD
 static kern_return_t (*map_fd_orig) (int fd, vm_offset_t offset,
@@ -61 +80 @@
 void _zz_load_mem(void)
 {
+    LOADSYM(calloc);
+    LOADSYM(malloc);
+    LOADSYM(free);
+    LOADSYM(realloc);
+    LOADSYM(valloc);
+    LOADSYM(memalign);
+    LOADSYM(posix_memalign);
+    LOADSYM(brk);
+    LOADSYM(sbrk);
+
     LOADSYM(mmap);
 #ifdef HAVE_MMAP64
@@ -69 +98 @@
     LOADSYM(map_fd);
 #endif
+}
+
+/* 32k of ugly static memory for programs that call us *before* we’re
+ * initialised */
+uint64_t dummy_buffer[4096];
+
+void *calloc(size_t nmemb, size_t size)
+{
+    void *ret;
+    if(!_zz_ready)
+    {
+        /* Calloc says we must zero the data */
+        int i = (nmemb * size + 7) / 8;
+        while(i--)
+            dummy_buffer[i] = 0;
+        return dummy_buffer;
+    }
+    ret = calloc_orig(nmemb, size);
+    if(ret == NULL && _zz_memory && errno == ENOMEM)
+        raise(SIGKILL);
+    return ret;
+}
+
+void *malloc(size_t size)
+{
+    void *ret;
+    if(!_zz_ready)
+        return dummy_buffer;
+    ret = malloc_orig(size);
+    if(ret == NULL && _zz_memory && errno == ENOMEM)
+        raise(SIGKILL);
+    return ret;
+}
+
+void free(void *ptr)
+{
+    if(ptr == dummy_buffer)
+        return;
+    if(!_zz_ready)
+        LOADSYM(free);
+    free_orig(ptr);
+}
+
+void *realloc(void *ptr, size_t size)
+{
+    void *ret;
+    if(ptr == dummy_buffer)
+        return ptr;
+    if(!_zz_ready)
+        LOADSYM(realloc);
+    ret = realloc_orig(ptr, size);
+    if(ret == NULL && _zz_memory && errno == ENOMEM)
+        raise(SIGKILL);
+    return ret;
+}
+
+void *valloc(size_t size)
+{
+    void *ret;
+    if(!_zz_ready)
+        LOADSYM(valloc);
+    ret = valloc_orig(size);
+    if(ret == NULL && _zz_memory && errno == ENOMEM)
+        raise(SIGKILL);
+    return ret;
+}
+
+void *memalign(size_t boundary, size_t size)
+{
+    void *ret;
+    if(!_zz_ready)
+        LOADSYM(memalign);
+    ret = memalign_orig(boundary, size);
+    if(ret == NULL && _zz_memory && errno == ENOMEM)
+        raise(SIGKILL);
+    return ret;
+}
+
+int posix_memalign(void **memptr, size_t alignment, size_t size)
+{
+    int ret;
+    if(!_zz_ready)
+        LOADSYM(posix_memalign);
+    ret = posix_memalign_orig(memptr, alignment, size);
+    if(ret == ENOMEM && _zz_memory)
+        raise(SIGKILL);
+    return ret;
+}
+
+int brk(void *end_data_segment)
+{
+    int ret;
+    if(!_zz_ready)
+        LOADSYM(brk);
+    ret = brk_orig(end_data_segment);
+    if(ret == -1 && _zz_memory && errno == ENOMEM)
+        raise(SIGKILL);
+    return ret;
+}
+
+void *sbrk(intptr_t increment)
+{
+    void *ret;
+    if(!_zz_ready)
+        LOADSYM(sbrk);
+    ret = sbrk_orig(increment);
+    if(ret == (void *)-1 && _zz_memory && errno == ENOMEM)
+        raise(SIGKILL);
+    return ret;
 }
 

zzuf/trunk/src/zzuf.c

@@ -37 +37 @@
 #include <time.h>
 #include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/resource.h>
 
 #include "libzzuf.h"
@@ -81 +83 @@
 static int md5 = 0;
 static int checkexit = 0;
+static int maxmem = -1;
 static double maxtime = -1.0;
 
@@ -120 +123 @@
             { "include",     1, NULL, 'I' },
             { "md5",         0, NULL, 'm' },
+            { "max-memory",  1, NULL, 'M' },
             { "network",     0, NULL, 'n' },
             { "protect",     1, NULL, 'P' },
@@ -132 +136 @@
             { "version",     0, NULL, 'v' },
         };
-        int c = getopt_long(argc, argv, "B:cC:dE:F:iI:mnP:qr:R:s:ST:xhv",
+        int c = getopt_long(argc, argv, "B:cC:dE:F:iI:mM:nP:qr:R:s:ST:xhv",
                             long_options, &option_index);
 #   else
 #       define MOREINFO "Try `%s -h' for more information.\n"
-        int c = getopt(argc, argv, "B:cC:dE:F:iI:mnP:qr:R:s:ST:xhv");
+        int c = getopt(argc, argv, "B:cC:dE:F:iI:mM:nP:qr:R:s:ST:xhv");
 #   endif
         if(c == -1)
@@ -181 +185 @@
         case 'm': /* --md5 */
             md5 = 1;
+            break;
+        case 'M': /* --max-memory */
+            setenv("ZZUF_MEMORY", "1", 1);
+            maxmem = atoi(optarg);
             break;
         case 'n': /* --network */
@@ -425 +433 @@
         case 0:
             /* We’re the child */
+            if(maxmem >= 0)
+            {
+                struct rlimit rlim;
+                rlim.rlim_cur = maxmem * 1000000;
+                rlim.rlim_max = maxmem * 1000000;
+                setrlimit(RLIMIT_AS, &rlim);
+            }
+
             for(j = 0; j < 3; j++)
             {
@@ -529 +545 @@
         else if(WIFSIGNALED(status))
         {
-            fprintf(stdout, "zzuf[seed=%i]: signal %i\n",
-                    child_list[i].seed, WTERMSIG(status));
+            fprintf(stdout, "zzuf[seed=%i]: signal %i%s\n",
+                    child_list[i].seed, WTERMSIG(status),
+                      (WTERMSIG(status) == SIGKILL && maxmem >= 0) ?
+                      " (memory exceeded?)" : "");
             crashes++;
         }
@@ -667 +685 @@
     printf("Usage: zzuf [-cdimnqSx] [-r ratio] [-s seed | -s start:stop]\n");
     printf("                        [-F forks] [-C crashes] [-B bytes] [-T seconds]\n");
-    printf("                        [-P protect] [-R refuse]\n");
+    printf("                        [-M bytes] [-P protect] [-R refuse]\n");
     printf("                        [-I include] [-E exclude] [PROGRAM [ARGS]...]\n");
 #   ifdef HAVE_GETOPT_LONG
@@ -689 +707 @@
     printf("  -I, --include <regex>    only fuzz files matching <regex>\n");
     printf("  -m, --md5                compute the output's MD5 hash\n");
+    printf("  -M, --max-memory <n>     maximum child virtual memory size in MB\n");
     printf("  -n, --network            fuzz network input\n");
     printf("  -P, --protect <list>     protect bytes and characters in <list>\n");
@@ -711 +730 @@
     printf("  -I <regex>       only fuzz files matching <regex>\n");
     printf("  -m               compute the output's MD5 hash\n");
+    printf("  -M               maximum child virtual memory size in MB\n");
     printf("  -n               fuzz network input\n");
     printf("  -P <list>        protect bytes and characters in <list>\n");