Changeset 1672


Timestamp:
Jan 15, 2007, 12:41:03 AM (13 years ago)
Author:
Sam Hocevar
Message:
  • Support ranges with the -r flag.
Location:
zzuf/trunk
Files:
7 edited

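--- a/zzuf/trunk/configure.ac
+++ b/zzuf/trunk/configure.ac
@@ -33,4 +33,6 @@
 AC_SUBST(GETOPT_LIBS)
 
+AC_CHECK_LIB(m, log, [MATH_LIBS="-lm"])
+AC_SUBST(MATH_LIBS)
 AC_CHECK_LIB(dl, dlopen, [DL_LIBS="-ldl"])
 AC_SUBST(DL_LIBS)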
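--- a/zzuf/trunk/doc/zzuf.1
+++ b/zzuf/trunk/doc/zzuf.1
@@ -3,5 +3,5 @@
 zzuf \- multiple purpose fuzzer
 .SH SYNOPSIS
-\fBzzuf\fR [\fB\-AcdiMnqSvx\fR] [\fB\-r\fR \fIratio\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR]
+\fBzzuf\fR [\fB\-AcdiMnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fIstart:stop\fR]
 .br
                    [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
@@ -41,6 +41,6 @@
 \fB\-A\fR, \fB\-\-autoinc\fR
 Increment random seed each time a new file is opened. This is only required
-if the same application is expected to open the same file several times and
-you want to test a different seed each time.
+if one instance of the application is expected to open the same file several
+times and you want to test a different seed each time.
 .TP
 \fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
@@ -166,4 +166,8 @@
 .TP
 \fB\-r\fR, \fB\-\-ratio\fR=\fIratio\fR
+.PD 0
+.TP
+\fB\-r\fR, \fB\-\-ratio\fR=\fIstart:stop\fR
+.PD
 Specify the proportion of bits that will be randomly fuzzed. A value of 0
 will not fuzz anything. A value of 0.05 will fuzz 5% of the open files'
@@ -171,4 +175,8 @@
 the input files undiscernible from random data. The default fuzzing ratio
 is 0.004 (fuzz 0.4% of the files' bits).
+
+An interval can be specified. When doing so, \fBzzuf\fR will pick ratio
+values from the interval. This is only meaningful if an interval is also
+specified with the \fB\-s\fR flag.
 .TP
 \fB\-R\fR, \fB\-\-refuse\fR=\fIlist\fR
@@ -259,12 +267,13 @@
 \fB    vlc fuzzy\-movie.avi\fR
 .PP
-Fuzz 2% of \fBMPlayer\fR's input bits (\fB\-r\ 0.02\fR) with seeds 0 to 9999
-(\fB\-s\ 0:10000\fR), disabling its standard output messages (\fB\-q\fR),
-launching up to five simultaneous child processes (\fB\-F\ 5\fR) but wait at
-least half a second between launches (\fB\-D\ 0.5\fR), killing \fBMPlayer\fR
-if it takes more than one minute to read the file (\fB\-T\ 60\fR) and
-disabling its \fBSIGSEGV\fR signal handler (\fB\-S\fR):
-.PP
-\fB    zzuf \-c \-r 0.02 \-q \-s 0:10000 \-F 5 \-D 0.5 \-T 60 \-S \\\fR
+Fuzz between 0.1% and 2% of \fBMPlayer\fR's input bits (\fB\-r\ 0.001:0.02\fR)
+with seeds 0 to 9999 (\fB\-s\ 0:10000\fR), disabling its standard output
+messages (\fB\-q\fR), launching up to five simultaneous child processes
+(\fB\-F\ 5\fR) but wait at least half a second between launches
+(\fB\-D\ 0.5\fR), killing \fBMPlayer\fR if it takes more than one minute to
+read the file (\fB\-T\ 60\fR) and disabling its \fBSIGSEGV\fR signal handler
+(\fB\-S\fR):
+.PP
+\fB    zzuf \-c \-r 0.001:0.02 \-q \-s 0:10000 \-F 5 \-D 0.5 \-T 60 \-S \\\fR
 .br
 \fB      mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR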
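--- a/zzuf/trunk/src/Makefile.am
+++ b/zzuf/trunk/src/Makefile.am
@@ -6,4 +6,5 @@
 zzuf_SOURCES = zzuf.c $(COMMON) md5.c md5.h timer.c timer.h
 zzuf_CFLAGS = -DLIBDIR=\"$(libdir)/zzuf\"
+zzuf_LDFLAGS = @MATH_LIBS@
 
 pkglib_LTLIBRARIES = libzzuf.la
@@ -11,4 +12,4 @@
                      load-fd.c load-mem.c load-signal.c load-stream.c load.h
 libzzuf_la_LDFLAGS = -avoid-version -no-undefined
-libzzuf_la_LIBADD = @GETOPT_LIBS@ @DL_LIBS@
+libzzuf_la_LIBADD = @GETOPT_LIBS@ @DL_LIBS@ @MATH_LIBS@
 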
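Review bot: `zzuf_LDFLAGS = @MATH_LIBS@` (new line 8) passes `-lm` as a linker flag, and automake emits LDFLAGS before the object files on the link line; with a static libm or a linker running in as-needed mode, the `log()`/`exp()` references that fd.c gains in this changeset (presumably linked in through `$(COMMON)`) can then stay unresolved. Libraries belong in the per-program LDADD variable, the counterpart of the LIBADD line the libzzuf target already uses: `zzuf_LDADD = @MATH_LIBS@`. If zzuf already has an LDADD line outside these hunks, `@MATH_LIBS@` should be appended to it instead.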
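--- a/zzuf/trunk/src/fd.c
+++ b/zzuf/trunk/src/fd.c
@@ -28,4 +28,5 @@
 #include <regex.h>
 #include <string.h>
+#include <math.h>
 
 #include "debug.h"
@@ -55,5 +56,6 @@
 
 static int32_t seed = DEFAULT_SEED;
-static double  ratio = DEFAULT_RATIO;
+static double  minratio = DEFAULT_RATIO;
+static double  maxratio = DEFAULT_RATIO;
 static int     autoinc = 0;
 
@@ -75,11 +77,33 @@
 }
 
-void _zz_setratio(double r)
-{
-    if(r < MIN_RATIO)
-        r = MIN_RATIO;
-    else if(r > MAX_RATIO)
-        r = MAX_RATIO;
-    ratio = r;
+void _zz_setratio(double r0, double r1)
+{
+    minratio = r0 < MIN_RATIO ? MIN_RATIO : r0 > MAX_RATIO ? MAX_RATIO : r0;
+    maxratio = r1 < MIN_RATIO ? MIN_RATIO : r1 > MAX_RATIO ? MAX_RATIO : r1;
+    if(maxratio < minratio)
+        maxratio = minratio;
+}
+
+double _zz_getratio(void)
+{
+    uint8_t const shuffle[16] =
+    { 0, 12, 2, 10,
+      14, 8, 15, 7,
+      9, 13, 3, 6,
+      4, 1, 11, 5 };
+    uint16_t rate;
+    double min, max, cur;
+
+    rate = shuffle[seed & 0xf] << 12;
+    rate |= (seed & 0xf0) << 4;
+    rate |= (seed & 0xf00) >> 4;
+    rate |= (seed & 0xf000) >> 12;
+
+    min = log(minratio);
+    max = log(maxratio);
+
+    cur = min + (max - min) * rate / 0xffff;
+
+    return exp(cur);
 }
 
@@ -189,5 +213,5 @@
     files[i].pos = 0;
     files[i].fuzz.seed = seed;
-    files[i].fuzz.ratio = ratio;
+    files[i].fuzz.ratio = _zz_getratio();
     files[i].fuzz.cur = -1;
 #ifdef HAVE_FGETLN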
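Review bot: `_zz_getratio()` takes `log(minratio)` and `log(maxratio)` (new lines 102-103), but `_zz_setratio()` only guarantees a value of at least `MIN_RATIO`, which is defined outside this section; if that bound is 0, as the manual page's "a value of 0 will not fuzz anything" suggests, `log()` returns -inf and `cur` becomes NaN, which line 215 then stores as the file's fuzzing ratio. An early `if(minratio == maxratio) return minratio;` at the top of `_zz_getratio()` covers the fixed-ratio case and also avoids the `exp(log(x))` rounding of a plain `-r` value. A range whose lower bound is 0 would still need to be rejected or raised in `_zz_setratio()`. A NaN argument also passes both `<`/`>` clamps unchanged there, so an `isnan()` check belongs in the same place.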
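--- a/zzuf/trunk/src/fd.h
+++ b/zzuf/trunk/src/fd.h
@@ -20,5 +20,6 @@
 extern void _zz_exclude(char const *);
 extern void _zz_setseed(int32_t);
-extern void _zz_setratio(double);
+extern void _zz_setratio(double, double);
+extern double _zz_getratio(void);
 extern void _zz_setautoinc(void);
 extern void _zz_fd_init(void);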
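--- a/zzuf/trunk/src/libzzuf.c
+++ b/zzuf/trunk/src/libzzuf.c
@@ -52,5 +52,5 @@
 void _zz_init(void)
 {
-    char *tmp;
+    char *tmp, *tmp2;
 
     _zz_load_mem();
@@ -67,7 +67,8 @@
         _zz_setseed(atol(tmp));
 
-    tmp = getenv("ZZUF_RATIO");
-    if(tmp && *tmp)
-        _zz_setratio(atof(tmp));
+    tmp = getenv("ZZUF_MINRATIO");
+    tmp2 = getenv("ZZUF_MAXRATIO");
+    if(tmp && *tmp && tmp2 && *tmp2)
+        _zz_setratio(atof(tmp), atof(tmp2));
 
     tmp = getenv("ZZUF_AUTOINC");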
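Review bot: The ratio is applied only when both `ZZUF_MINRATIO` and `ZZUF_MAXRATIO` are set and non-empty (new lines 69-72), so a wrapper script that still exports the old `ZZUF_RATIO`, or sets only one bound, silently runs at the default ratio. These variables appear to be the only channel from zzuf to the preloaded library, so in that case the ratio zzuf logs differs from the one the library applies. Falling back to the single bound keeps such runs meaningful, e.g. `else if(tmp && *tmp) _zz_setratio(atof(tmp), atof(tmp));`. `atof()` also maps unparsable text to 0.0 without reporting it; `strtod()` with an end-pointer check would let `_zz_init()` ignore a malformed value instead of clamping it. `_zz_init()` starts inside the first hunk and continues past the second.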
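--- a/zzuf/trunk/src/zzuf.c
+++ b/zzuf/trunk/src/zzuf.c
@@ -74,4 +74,5 @@
     int fd[3]; /* 0 is debug, 1 is stderr, 2 is stdout */
     int bytes, seed;
+    double ratio;
     int64_t date;
     struct md5 *ctx;
@@ -83,6 +84,6 @@
 static uint32_t seed = DEFAULT_SEED;
 static uint32_t endseed = DEFAULT_SEED + 1;
-static double ratio = DEFAULT_RATIO;
-static double endratio = DEFAULT_RATIO;
+static double minratio = DEFAULT_RATIO;
+static double maxratio = DEFAULT_RATIO;
 static int quiet = 0;
 static int maxbytes = -1;
@@ -218,6 +219,6 @@
         case 'r': /* --ratio */
             parser = strchr(optarg, ':');
-            ratio = atof(optarg);
-            endratio = parser ? atof(parser + 1) : ratio;
+            minratio = atof(optarg);
+            maxratio = parser ? atof(parser + 1) : minratio;
             break;
         case 'R': /* --refuse */
@@ -258,4 +259,7 @@
 #endif
 
+    _zz_setratio(minratio, maxratio);
+    _zz_setseed(seed);
+
     /* If asked to read from the standard input */
     if(optind >= argc)
@@ -268,7 +272,4 @@
             return EXIT_FAILURE;
         }
-
-        _zz_setseed(seed);
-        _zz_setratio(ratio);
 
         loop_stdin();
@@ -381,7 +382,7 @@
     {
         _zz_md5_fini(md5sum, ctx);
-        fprintf(stderr, "zzuf[seed=%i]: %.02x%.02x%.02x%.02x%.02x%.02x"
-                "%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x\n",
-                seed, md5sum[0], md5sum[1], md5sum[2], md5sum[3],
+        fprintf(stderr, "zzuf[s=%i,r=%g]: %.02x%.02x%.02x%.02x%.02x"
+                "%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x\n",
+                seed, minratio, md5sum[0], md5sum[1], md5sum[2], md5sum[3],
                 md5sum[4], md5sum[5], md5sum[6], md5sum[7],
                 md5sum[8], md5sum[9], md5sum[10], md5sum[11],
@@ -507,6 +508,8 @@
             sprintf(buf, "%i", seed);
             setenv("ZZUF_SEED", buf, 1);
-            sprintf(buf, "%g", ratio);
-            setenv("ZZUF_RATIO", buf, 1);
+            sprintf(buf, "%g", minratio);
+            setenv("ZZUF_MINRATIO", buf, 1);
+            sprintf(buf, "%g", maxratio);
+            setenv("ZZUF_MAXRATIO", buf, 1);
 
             /* Run our process */
@@ -519,7 +522,4 @@
     }
 
-    if(verbose)
-        fprintf(stderr, "zzuf[seed=%i]: launched %s\n", seed, newargv[0]);
-
     /* We’re the parent, acknowledge spawn */
     child_list[i].date = now;
@@ -532,11 +532,18 @@
     child_list[i].bytes = 0;
     child_list[i].seed = seed;
+    child_list[i].ratio = _zz_getratio();
     child_list[i].status = STATUS_RUNNING;
     if(md5)
         child_list[i].ctx = _zz_md5_init();
 
+    if(verbose)
+        fprintf(stderr, "zzuf[s=%i,r=%g]: launched %s\n",
+                child_list[i].seed, child_list[i].ratio, newargv[0]);
+
     lastlaunch = now;
     child_count++;
     seed++;
+
+    _zz_setseed(seed);
 }
 
@@ -553,6 +560,7 @@
         {
             if(verbose)
-                fprintf(stderr, "zzuf[seed=%i]: data output exceeded,"
-                                " sending SIGTERM\n", child_list[i].seed);
+                fprintf(stderr, "zzuf[s=%i,r=%g]: "
+                        "data output exceeded, sending SIGTERM\n",
+                        child_list[i].seed, child_list[i].ratio);
             kill(child_list[i].pid, SIGTERM);
             child_list[i].date = now;
@@ -565,6 +573,7 @@
         {
             if(verbose)
-                fprintf(stderr, "zzuf[seed=%i]: running time exceeded,"
-                                " sending SIGTERM\n", child_list[i].seed);
+                fprintf(stderr, "zzuf[s=%i,r=%g]: "
+                        "running time exceeded, sending SIGTERM\n",
+                        child_list[i].seed, child_list[i].ratio);
             kill(child_list[i].pid, SIGTERM);
             child_list[i].date = now;
@@ -580,6 +589,7 @@
         {
             if(verbose)
-                fprintf(stderr, "zzuf[seed=%i]: not responding,"
-                                " sending SIGKILL\n", child_list[i].seed);
+                fprintf(stderr, "zzuf[s=%i,r=%g]: "
+                        "not responding, sending SIGKILL\n",
+                        child_list[i].seed, child_list[i].ratio);
             kill(child_list[i].pid, SIGKILL);
             child_list[i].status = STATUS_SIGKILL;
@@ -605,6 +615,7 @@
         if(checkexit && WIFEXITED(status) && WEXITSTATUS(status))
         {
-            fprintf(stderr, "zzuf[seed=%i]: exit %i\n",
-                    child_list[i].seed, WEXITSTATUS(status));
+            fprintf(stderr, "zzuf[s=%i,r=%g]: exit %i\n",
+                    child_list[i].seed, child_list[i].ratio,
+                    WEXITSTATUS(status));
             crashes++;
         }
@@ -613,7 +624,7 @@
                        && child_list[i].status == STATUS_SIGTERM))
         {
-            fprintf(stderr, "zzuf[seed=%i]: signal %i%s%s\n",
-                    child_list[i].seed, WTERMSIG(status),
-                    sig2str(WTERMSIG(status)),
+            fprintf(stderr, "zzuf[s=%i,r=%g]: signal %i%s%s\n",
+                    child_list[i].seed, child_list[i].ratio,
+                    WTERMSIG(status), sig2str(WTERMSIG(status)),
                       (WTERMSIG(status) == SIGKILL && maxmem >= 0) ?
                       " (memory exceeded?)" : "");
@@ -628,10 +639,10 @@
         {
             _zz_md5_fini(md5sum, child_list[i].ctx);
-            fprintf(stderr, "zzuf[seed=%i]: %.02x%.02x%.02x%.02x%.02x%.02x"
-                    "%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x\n",
-                    child_list[i].seed, md5sum[0], md5sum[1], md5sum[2],
-                    md5sum[3], md5sum[4], md5sum[5], md5sum[6], md5sum[7],
-                    md5sum[8], md5sum[9], md5sum[10], md5sum[11], md5sum[12],
-                    md5sum[13], md5sum[14], md5sum[15]);
+            fprintf(stderr, "zzuf[s=%i,r=%g]: %.02x%.02x%.02x%.02x%.02x"
+                    "%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x%.02x\n",
+                    child_list[i].seed, child_list[i].ratio, md5sum[0],
+                    md5sum[1], md5sum[2], md5sum[3], md5sum[4], md5sum[5],
+                    md5sum[6], md5sum[7], md5sum[8], md5sum[9], md5sum[10],
+                    md5sum[11], md5sum[12], md5sum[13], md5sum[14], md5sum[15]);
         }
         child_list[i].status = STATUS_FREE;
@@ -795,29 +806,30 @@
     printf("Mandatory arguments to long options are mandatory for short options too.\n");
 #   ifdef HAVE_GETOPT_LONG
-    printf("  -A, --autoinc            increment seed each time a new file is opened\n");
-    printf("  -B, --max-bytes <n>      kill children that output more than <n> bytes\n");
-    printf("  -c, --cmdline            only fuzz files specified in the command line\n");
-    printf("  -C, --max-crashes <n>    stop after <n> children have crashed (default 1)\n");
-    printf("  -d, --debug              print debug messages\n");
-    printf("  -D, --delay              delay between forks\n");
-    printf("  -E, --exclude <regex>    do not fuzz files matching <regex>\n");
-    printf("  -F, --max-forks <n>      number of concurrent children (default 1)\n");
-    printf("  -i, --stdin              fuzz standard input\n");
-    printf("  -I, --include <regex>    only fuzz files matching <regex>\n");
-    printf("  -m, --md5                compute the output's MD5 hash\n");
-    printf("  -M, --max-memory <n>     maximum child virtual memory size in MB\n");
-    printf("  -n, --network            fuzz network input\n");
-    printf("  -P, --protect <list>     protect bytes and characters in <list>\n");
-    printf("  -q, --quiet              do not print children's messages\n");
-    printf("  -r, --ratio <ratio>      bit fuzzing ratio (default 0.004)\n");
-    printf("  -R, --refuse <list>      refuse bytes and characters in <list>\n");
-    printf("  -s, --seed <seed>        random seed (default 0)\n");
-    printf("      --seed <start:stop>  specify a seed range\n");
-    printf("  -S, --signal             prevent children from diverting crashing signals\n");
-    printf("  -T, --max-time <n>       kill children that run for more than <n> seconds\n");
-    printf("  -v, --verbose            print information during the run\n");
-    printf("  -x, --check-exit         report processes that exit with a non-zero status\n");
-    printf("  -h, --help               display this help and exit\n");
-    printf("  -V, --version            output version information and exit\n");
+    printf("  -A, --autoinc             increment seed each time a new file is opened\n");
+    printf("  -B, --max-bytes <n>       kill children that output more than <n> bytes\n");
+    printf("  -c, --cmdline             only fuzz files specified in the command line\n");
+    printf("  -C, --max-crashes <n>     stop after <n> children have crashed (default 1)\n");
+    printf("  -d, --debug               print debug messages\n");
+    printf("  -D, --delay               delay between forks\n");
+    printf("  -E, --exclude <regex>     do not fuzz files matching <regex>\n");
+    printf("  -F, --max-forks <n>       number of concurrent children (default 1)\n");
+    printf("  -i, --stdin               fuzz standard input\n");
+    printf("  -I, --include <regex>     only fuzz files matching <regex>\n");
+    printf("  -m, --md5                 compute the output's MD5 hash\n");
+    printf("  -M, --max-memory <n>      maximum child virtual memory size in MB\n");
+    printf("  -n, --network             fuzz network input\n");
+    printf("  -P, --protect <list>      protect bytes and characters in <list>\n");
+    printf("  -q, --quiet               do not print children's messages\n");
+    printf("  -r, --ratio <ratio>       bit fuzzing ratio (default %g)\n", DEFAULT_RATIO);
+    printf("      --ratio <start:stop>  specify a ratio range\n");
+    printf("  -R, --refuse <list>       refuse bytes and characters in <list>\n");
+    printf("  -s, --seed <seed>         random seed (default %i)\n", DEFAULT_SEED);
+    printf("      --seed <start:stop>   specify a seed range\n");
+    printf("  -S, --signal              prevent children from diverting crashing signals\n");
+    printf("  -T, --max-time <n>        kill children that run for more than <n> seconds\n");
+    printf("  -v, --verbose             print information during the run\n");
+    printf("  -x, --check-exit          report processes that exit with a non-zero status\n");
+    printf("  -h, --help                display this help and exit\n");
+    printf("  -V, --version             output version information and exit\n");
 #   else
     printf("  -A               increment seed each time a new file is opened\n");
@@ -836,7 +848,8 @@
     printf("  -P <list>        protect bytes and characters in <list>\n");
     printf("  -q               do not print the fuzzed application's messages\n");
-    printf("  -r <ratio>       bit fuzzing ratio (default 0.004)\n");
+    printf("  -r <ratio>       bit fuzzing ratio (default %g)\n", DEFAULT_RATIO);
+    printf("     <start:stop>  specify a ratio range\n");
     printf("  -R <list>        refuse bytes and characters in <list>\n");
-    printf("  -s <seed>        random seed (default 0)\n");
+    printf("  -s <seed>        random seed (default %i)\n", DEFAULT_SEED);
     printf("     <start:stop>  specify a seed range\n");
     printf("  -S               prevent children from diverting crashing signals\n");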
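Review bot: In the standard-input branch the MD5 line (new lines 384-386) prints `minratio` as `r=`, whereas the ratio applied to the stream comes from `_zz_getratio()` in fd.c, so with `-r start:stop` the logged value does not match what was actually fuzzed. The `s=`/`r=` pair is what a user copies to reproduce a finding, so it should carry the effective value: `seed, _zz_getratio(), md5sum[0], md5sum[1], md5sum[2], md5sum[3],`. Separately, the `case 'r'` parsing at new lines 221-222 uses `atof()`, which returns 0.0 for unparsable text, so `-r abc` or `-r 0.1:` is silently clamped rather than rejected; a `strtod()` end-pointer check would catch it. Both enclosing functions start and end outside these hunks.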