- Timestamp:
- Jan 25, 2007, 12:40:27 PM (15 years ago)
- Location:
- zzuf/trunk
- Files:
-
- 7 edited
zzuf/trunk/doc/zzuf.1
r1698 r1705 3 3 zzuf \- multiple purpose fuzzer 4 4 .SH SYNOPSIS 5 \fBzzuf\fR [\fB\-Acdi MnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]6 .br 7 [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]8 .br 9 [\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImegabytes\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]10 .br 11 5 \fBzzuf\fR [\fB\-AcdimnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR] 6 .br 7 [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR] 8 .br 9 [\fB\-M\fR \fImegabytes\fR] [\fB\-b\fR \fIranges\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR] 10 .br 11 [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...] 12 12 .br 13 13 \fBzzuf \-h\fR | \fB\-\-help\fR … … 43 43 if one instance of the application is expected to open the same file several 44 44 times and you want to test a different seed each time. 45 .TP 46 \fB\-b\fR, \fB\-\-bytes\fR=\fIranges\fR 47 Restrict fuzzing to bytes whose offsets in the file are within \fIranges\fR. 48 49 Range values start at zero and are inclusive. Use dashes between range values 50 and commas between ranges. If the right-hand part of a range is ommited, it 51 means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and 52 all bytes after offset 31, use \(oq\fB\-r0,3-5,31-\fR\(cq. 53 54 This option is useful to preserve file headers or corrupt only a specific 55 portion of a file. 45 56 .TP 46 57 \fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR … … 150 161 .IP 151 162 You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all 152 bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \( dq\\001\-/\(dq\fR\(cq.163 bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(aq\\001\-/\(aq\fR\(cq. 
153 164 154 165 The statistical outcome of this option should not be overlooked: if characters 155 166 are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending 156 167 on the data being fuzzed. For instance, asking to fuzz 1% of input bits 157 (\fB\-r \0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will168 (\fB\-r0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will 158 169 result in an actual average fuzzing ratio of 0.9% with truly random data, 159 170 0.3% with random ASCII data and 0.2% with standard English text. … … 242 253 Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324: 243 254 .PP 244 \fB zzuf \-s 94324 \-r0.01 cat /etc/motd\fR255 \fB zzuf \-s94324 \-r0.01 cat /etc/motd\fR 245 256 .PP 246 257 Fuzz the input of the \fBcat\fR program but do not fuzz newline characters … … 262 273 \fBzzuf\fR: 263 274 .PP 264 \fB zzuf \-c \-s 87423 \-r0.01 vlc movie.avi\fR265 .br 266 \fB zzuf \-c \-s 87423 \-r0.01 <movie.avi >fuzzy\-movie.avi\fR275 \fB zzuf \-c \-s87423 \-r0.01 vlc movie.avi\fR 276 .br 277 \fB zzuf \-c \-s87423 \-r0.01 <movie.avi >fuzzy\-movie.avi\fR 267 278 .br 268 279 \fB vlc fuzzy\-movie.avi\fR 269 280 .PP 270 Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r\ 0.001:0.02\fR) 271 with seeds 0 to 9999 (\fB\-s\ 0:10000\fR), disabling its standard output 272 messages (\fB\-q\fR), launching up to five simultaneous child processes 273 (\fB\-F\ 5\fR) but wait at least half a second between launches 274 (\fB\-D\ 0.5\fR), killing MPlayer if it takes more than one minute to 275 read the file (\fB\-T\ 60\fR) and disabling its \fBSIGSEGV\fR signal handler 281 Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r0.001:0.02\fR) 282 with seeds 0 to 9999 (\fB\-s0:10000\fR), preserving the AVI 4-byte header 283 by restricting fuzzing to offsets after 4 (\fB\-b4\-\fR), disabling its 284 standard output messages (\fB\-q\fR), launching up to five simultaneous child 285 processes (\fB\-F5\fR) but 
waiting at least half a second between launches 286 (\fB\-D0.5\fR), killing MPlayer if it takes more than one minute to 287 read the file (\fB\-T60\fR) and disabling its \fBSIGSEGV\fR signal handler 276 288 (\fB\-S\fR): 277 289 .PP 278 \fB zzuf \-c \-r 0.001:0.02 \-q \-s 0:10000 \-F 5 \-D 0.5 \-T60 \-S \\\fR290 \fB zzuf \-c \-r0.001:0.02 \-s0:10000 \-b4\- \-q \-F5 \-D0.5 \-T60 \-S \\\fR 279 291 .br 280 292 \fB mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR … … 287 299 (or: \fBjot -w \(aq<img src="hello.jpg#%d">\(aq 200 1 > hello.html\fR) 288 300 .br 289 \fB zzuf -A -I \(aqhello[.]jpg\(aq -r 301 \fB zzuf -A -I \(aqhello[.]jpg\(aq -r0.001 firefox hello.html\fR 290 302 .SH RESTRICTIONS 291 303 .PP -
zzuf/trunk/src/fuzz.c
r1693 r1705 25 25 #endif 26 26 #include <stdio.h> 27 #include <stdlib.h> 27 28 #include <string.h> 28 29 … … 36 37 #define MAGIC2 0x783bc31f 37 38 38 /* Fuzzing variables */ 39 /* Per-offset byte protection */ 40 static unsigned int *ranges = NULL; 41 static unsigned int ranges_static[512]; 42 43 /* Per-value byte protection */ 39 44 static int protect[256]; 40 45 static int refuse[256]; … … 42 47 /* Local prototypes */ 43 48 static void readchars(int *, char const *); 49 50 void _zz_bytes(char const *list) 51 { 52 char const *parser; 53 unsigned int i, chunks; 54 55 /* Count commas */ 56 for(parser = list, chunks = 1; *parser; parser++) 57 if(*parser == ',') 58 chunks++; 59 60 /* TODO: free(ranges) if ranges != ranges_static */ 61 if(chunks >= 256) 62 ranges = malloc((chunks + 1) * 2 * sizeof(unsigned int)); 63 else 64 ranges = ranges_static; 65 66 /* Fill ranges list */ 67 for(parser = list, i = 0; i < chunks; i++) 68 { 69 char const *comma = strchr(parser, ','); 70 char const *dash = strchr(parser, '-'); 71 72 ranges[i * 2] = (dash == parser) ? 0 : atoi(parser); 73 if(dash && (dash + 1 == comma || dash[1] == '\0')) 74 ranges[i * 2 + 1] = ranges[i * 2]; /* special case */ 75 else if(dash && (!comma || dash < comma)) 76 ranges[i * 2 + 1] = atoi(dash + 1) + 1; 77 else 78 ranges[i * 2 + 1] = ranges[i * 2] + 1; 79 parser = comma + 1; 80 } 81 82 ranges[i * 2] = ranges[i * 2 + 1] = 0; 83 } 44 84 45 85 void _zz_protect(char const *list) … … 66 106 #endif 67 107 108 aligned_buf = buf - pos; 68 109 fuzz = _zz_getfuzz(fd); 69 aligned_buf = buf - pos;70 110 71 111 for(i = pos / CHUNKBYTES; … … 103 143 for(j = start; j < stop; j++) 104 144 { 105 uint8_t byte = aligned_buf[j]; 145 unsigned int *r; 146 uint8_t byte; 147 148 if(!ranges) 149 goto range_ok; 150 151 for(r = ranges; r[1]; r += 2) 152 if(j >= r[0] && (r[0] == r[1] || j < r[1])) 153 goto range_ok; 154 155 continue; /* Not in a range */ 156 157 range_ok: 158 byte = aligned_buf[j]; 106 159 107 160 if(protect[byte]) -
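Review bot: The range table's terminator collides with an open-ended range that starts at offset 0: `-b0-` goes through the "special case" branch `ranges[i * 2 + 1] = ranges[i * 2];` and is stored as `{0, 0}`, so the matcher `for(r = ranges; r[1]; r += 2)` stops at that entry and nothing is fuzzed. Storing an explicit upper bound removes the ambiguity: `ranges[i * 2 + 1] = UINT_MAX;` for the open-ended case (with `<limits.h>`) and `if(j >= r[0] && j < r[1])` in the matcher, so no stored end is ever 0. The `malloc` taken when `chunks >= 256` is written to without a NULL check, and `atoi` silently turns `-b-1` (end becomes 0, another sentinel collision) or a trailing comma (an empty chunk parses as offset 0) into ranges instead of errors; `strtoul` with an end-pointer check would reject them. `parser = comma + 1;` also executes on the last chunk where `comma` is NULL, which is pointer arithmetic on a null pointer even though the value is never dereferenced; `if(comma) parser = comma + 1;` avoids it. The matching loop at lines 143-158 sits inside a function whose start and end lie outside this section.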
zzuf/trunk/src/fuzz.h
r1693 r1705 17 17 */ 18 18 19 extern void _zz_bytes(char const *); 19 20 extern void _zz_protect(char const *); 20 21 extern void _zz_refuse(char const *); -
zzuf/trunk/src/libzzuf.c
r1701 r1705 79 79 _zz_setautoinc(); 80 80 81 tmp = getenv("ZZUF_BYTES"); 82 if(tmp && *tmp) 83 _zz_bytes(tmp); 84 81 85 tmp = getenv("ZZUF_PROTECT"); 82 86 if(tmp && *tmp) -
zzuf/trunk/src/opts.c
r1692 r1705 34 34 void _zz_opts_init(struct opts *opts) 35 35 { 36 opts-> protect = opts->refuse = NULL;36 opts->bytes = opts->protect = opts->refuse = NULL; 37 37 opts->seed = DEFAULT_SEED; 38 38 opts->endseed = DEFAULT_SEED + 1; -
zzuf/trunk/src/opts.h
r1702 r1705 20 20 { 21 21 char const **newargv; 22 char * protect, *refuse;22 char *bytes, *protect, *refuse; 23 23 uint32_t seed; 24 24 uint32_t endseed; -
zzuf/trunk/src/zzuf.c
r1704 r1705 126 126 { 127 127 # if defined HAVE_REGEX_H 128 # define OPTSTR "A B:cC:dD:E:F:iI:mM:nP:qr:R:s:ST:vxhV"128 # define OPTSTR "Ab:B:cC:dD:E:F:iI:mM:nP:qr:R:s:ST:vxhV" 129 129 # else 130 # define OPTSTR "A B:C:dD:F:imM:nP:qr:R:s:ST:vxhV"130 # define OPTSTR "Ab:B:C:dD:F:imM:nP:qr:R:s:ST:vxhV" 131 131 # endif 132 132 # if defined HAVE_GETOPT_LONG … … 137 137 /* Long option, needs arg, flag, short option */ 138 138 { "autoinc", 0, NULL, 'A' }, 139 { "bytes", 1, NULL, 'b' }, 139 140 { "max-bytes", 1, NULL, 'B' }, 140 141 #if defined HAVE_REGEX_H … … 181 182 setenv("ZZUF_AUTOINC", "1", 1); 182 183 break; 184 case 'b': /* --bytes */ 185 opts->bytes = optarg; 186 break; 183 187 case 'B': /* --max-bytes */ 184 188 opts->maxbytes = atoi(optarg); … … 297 301 if(optind >= argc) 298 302 { 303 if(opts->bytes) 304 _zz_bytes(opts->bytes); 305 306 /* FIXME: protect and refuse are ignored */ 307 299 308 if(opts->endseed != opts->seed + 1) 300 309 { … … 335 344 #endif 336 345 346 if(opts->bytes) 347 setenv("ZZUF_BYTES", opts->bytes, 1); 337 348 if(opts->protect) 338 349 setenv("ZZUF_PROTECT", opts->protect, 1); … … 1021 1032 #if defined HAVE_REGEX_H 1022 1033 printf("Usage: zzuf [-AcdimnqSvx] [-s seed|-s start:stop] [-r ratio|-r min:max]\n"); 1023 printf(" [-D delay] [-F forks] [-C crashes] [-B bytes]\n");1024 printf(" [-T seconds] [-M bytes] [-P protect] [-R refuse]\n");1025 printf(" [-I include] [-E exclude] [PROGRAM [--] [ARGS]...]\n");1026 1034 #else 1027 1035 printf("Usage: zzuf [-AdimnqSvx] [-s seed|-s start:stop] [-r ratio|-r min:max]\n"); 1028 printf(" [-D delay] [-F forks] [-C crashes] [-B bytes]\n"); 1029 printf(" [-T seconds] [-M bytes] [-P protect] [-R refuse]\n"); 1030 printf(" [PROGRAM [--] [ARGS]...]\n"); 1036 #endif 1037 printf(" [-D delay] [-F forks] [-C crashes] [-B bytes] [-T seconds]\n"); 1038 printf(" [-M bytes] [-b ranges] [-P protect] [-R refuse]\n"); 1039 #if defined HAVE_REGEX_H 1040 printf(" [-I include] [-E exclude] [PROGRAM [--] [ARGS]...]\n"); 
1041 #else 1042 printf(" [PROGRAM [--] [ARGS]...]\n"); 1031 1043 #endif 1032 1044 # if defined HAVE_GETOPT_LONG … … 1042 1054 # if defined HAVE_GETOPT_LONG 1043 1055 printf(" -A, --autoinc increment seed each time a new file is opened\n"); 1056 printf(" -b, --bytes <ranges> only fuzz bytes at offsets within <ranges>\n"); 1044 1057 printf(" -B, --max-bytes <n> kill children that output more than <n> bytes\n"); 1045 1058 #if defined HAVE_REGEX_H … … 1077 1090 # else 1078 1091 printf(" -A increment seed each time a new file is opened\n"); 1092 printf(" -b <ranges> only fuzz bytes at offsets within <ranges>\n"); 1079 1093 printf(" -B <n> kill children that output more than <n> bytes\n"); 1080 1094 #if defined HAVE_REGEX_H
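Review bot: `case 'b': opts->bytes = optarg;` accepts the range string without any validation, so a malformed value is only interpreted later by `_zz_bytes`, inside the preloaded child via `ZZUF_BYTES` or in the stdin path, where it degrades into unintended ranges rather than a usage error. A cheap syntax check at parse time would catch this early, for instance `if(strspn(optarg, "0123456789,-") != strlen(optarg))` followed by the same error exit the other options use, so that `-b 4,` or `-b 4a` fails loudly instead of silently widening the fuzzed region. The enclosing option-parsing function starts and ends outside this section, as does the usage printer where the new `-b <ranges>` lines were added.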