Changeset 1705 for zzuf


Timestamp:
Jan 25, 2007, 12:40:27 PM (13 years ago)
Author:
Sam Hocevar
Message:
  • Implemented -b/--bytes to restrict fuzzing to specific offsets.
Location:
zzuf/trunk
Files:
7 edited

  • zzuf/trunk/doc/zzuf.1

    r1698 r1705  
    33zzuf \- multiple purpose fuzzer
    44.SH SYNOPSIS
    5 \fBzzuf\fR [\fB\-AcdiMnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
    6 .br
    7                    [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR]
    8 .br
    9                    [\fB\-T\fR \fIseconds\fR] [\fB\-M\fR \fImegabytes\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
    10 .br
    11                    [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
     5\fBzzuf\fR [\fB\-AcdimnqSvx\fR] [\fB\-s\fR \fIseed\fR|\fB\-s\fR \fIstart:stop\fR] [\fB\-r\fR \fIratio\fR|\fB\-r\fR \fImin:max\fR]
     6.br
     7           [\fB\-D\fR \fIdelay\fR] [\fB\-F\fR \fIforks\fR] [\fB\-C\fR \fIcrashes\fR] [\fB\-B\fR \fIbytes\fR] [\fB\-T\fR \fIseconds\fR]
     8.br
     9           [\fB\-M\fR \fImegabytes\fR] [\fB\-b\fR \fIranges\fR] [\fB\-P\fR \fIprotect\fR] [\fB\-R\fR \fIrefuse\fR]
     10.br
     11           [\fB\-I\fR \fIinclude\fR] [\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fB\-\-\fR] [\fIARGS\fR]...]
    1212.br
    1313\fBzzuf \-h\fR | \fB\-\-help\fR
     
    4343if one instance of the application is expected to open the same file several
    4444times and you want to test a different seed each time.
     45.TP
     46\fB\-b\fR, \fB\-\-bytes\fR=\fIranges\fR
     47Restrict fuzzing to bytes whose offsets in the file are within \fIranges\fR.
     48
     49Range values start at zero and are inclusive. Use dashes between range values
     50and commas between ranges. If the right-hand part of a range is ommited, it
     51means end of file. For instance, to restrict fuzzing to bytes 0, 3, 4, 5 and
     52all bytes after offset 31, use \(oq\fB\-r0,3-5,31-\fR\(cq.
     53
     54This option is useful to preserve file headers or corrupt only a specific
     55portion of a file.
    4556.TP
    4657\fB\-B\fR, \fB\-\-max\-bytes\fR=\fIn\fR
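Review bot: the worked example in the new \-b paragraph uses the wrong flag: `use \(oq\fB\-r0,3-5,31-\fR\(cq` documents the ratio option, not the byte ranges one, and a reader copying it would get an argument error from `-r`. It should read `\-b0,3-5,31-`. Same paragraph, "ommited" should be "omitted". It would also help to state what happens when a range starts with a dash (the code treats a missing left-hand value as offset 0), since the text only covers the missing right-hand case.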
     
    150161.IP
    151162You can use \(oq\fB\-\fR\(cq to specify ranges. For instance, to protect all
    152 bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(dq\\001\-/\(dq\fR\(cq.
     163bytes from \(oq\\001\(cq to \(oq/\(cq, use \(oq\fB\-P\ \(aq\\001\-/\(aq\fR\(cq.
    153164
    154165The statistical outcome of this option should not be overlooked: if characters
    155166are protected, the effect of the \(oq\fB\-r\fR\(cq flag will vary depending
    156167on the data being fuzzed. For instance, asking to fuzz 1% of input bits
    157 (\fB\-r\ 0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
     168(\fB\-r0.01\fR) and to protect lowercase characters (\fB\-P\ a\-z\fR) will
    158169result in an actual average fuzzing ratio of 0.9% with truly random data,
    1591700.3% with random ASCII data and 0.2% with standard English text.
     
    242253Fuzz 1% of the input bits of the \fBcat\fR program using seed 94324:
    243254.PP
    244 \fB    zzuf \-s 94324 \-r 0.01 cat /etc/motd\fR
     255\fB    zzuf \-s94324 \-r0.01 cat /etc/motd\fR
    245256.PP
    246257Fuzz the input of the \fBcat\fR program but do not fuzz newline characters
     
    262273\fBzzuf\fR:
    263274.PP
    264 \fB    zzuf \-c \-s 87423 \-r 0.01 vlc movie.avi\fR
    265 .br
    266 \fB    zzuf \-c \-s 87423 \-r 0.01 <movie.avi >fuzzy\-movie.avi\fR
     275\fB    zzuf \-c \-s87423 \-r0.01 vlc movie.avi\fR
     276.br
     277\fB    zzuf \-c \-s87423 \-r0.01 <movie.avi >fuzzy\-movie.avi\fR
    267278.br
    268279\fB    vlc fuzzy\-movie.avi\fR
    269280.PP
    270 Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r\ 0.001:0.02\fR)
    271 with seeds 0 to 9999 (\fB\-s\ 0:10000\fR), disabling its standard output
    272 messages (\fB\-q\fR), launching up to five simultaneous child processes
    273 (\fB\-F\ 5\fR) but wait at least half a second between launches
    274 (\fB\-D\ 0.5\fR), killing MPlayer if it takes more than one minute to
    275 read the file (\fB\-T\ 60\fR) and disabling its \fBSIGSEGV\fR signal handler
     281Fuzz between 0.1% and 2% of MPlayer's input bits (\fB\-r0.001:0.02\fR)
     282with seeds 0 to 9999 (\fB\-s0:10000\fR), preserving the AVI 4-byte header
     283by restricting fuzzing to offsets after 4 (\fB\-b4\-\fR), disabling its
     284standard output messages (\fB\-q\fR), launching up to five simultaneous child
     285processes (\fB\-F5\fR) but waiting at least half a second between launches
     286(\fB\-D0.5\fR), killing MPlayer if it takes more than one minute to
     287read the file (\fB\-T60\fR) and disabling its \fBSIGSEGV\fR signal handler
    276288(\fB\-S\fR):
    277289.PP
    278 \fB    zzuf \-c \-r 0.001:0.02 \-q \-s 0:10000 \-F 5 \-D 0.5 \-T 60 \-S \\\fR
     290\fB    zzuf \-c \-r0.001:0.02 \-s0:10000 \-b4\- \-q \-F5 \-D0.5 \-T60 \-S \\\fR
    279291.br
    280292\fB      mplayer \-\- \-benchmark \-vo null \-fps 1000 movie.avi\fR
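Review bot: "restricting fuzzing to offsets after 4 (\-b4\-)" is off by one against the option's own definition: ranges are zero-based and inclusive, so `\-b4\-` fuzzes offset 4 and everything beyond it, which is exactly what leaves bytes 0 to 3 untouched. Say "offsets 4 and above" (or "from offset 4 onwards"). Calling those four bytes "the AVI 4-byte header" is also looser than it could be: they are only the `RIFF` tag, and the RIFF chunk size and `AVI ` form type that follow are still fuzzed with this range, so "the 4-byte RIFF magic" would describe what is preserved more honestly.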
     
    287299      (or: \fBjot -w \(aq<img src="hello.jpg#%d">\(aq 200 1 > hello.html\fR)
    288300.br
    289 \fB    zzuf -A -I \(aqhello[.]jpg\(aq -r 0.001 firefox hello.html\fR
     301\fB    zzuf -A -I \(aqhello[.]jpg\(aq -r0.001 firefox hello.html\fR
    290302.SH RESTRICTIONS
    291303.PP
  • zzuf/trunk/src/fuzz.c

    r1693 r1705  
    2525#endif
    2626#include <stdio.h>
     27#include <stdlib.h>
    2728#include <string.h>
    2829
     
    3637#define MAGIC2 0x783bc31f
    3738
    38 /* Fuzzing variables */
     39/* Per-offset byte protection */
     40static unsigned int *ranges = NULL;
     41static unsigned int ranges_static[512];
     42
     43/* Per-value byte protection */
    3944static int protect[256];
    4045static int refuse[256];
     
    4247/* Local prototypes */
    4348static void readchars(int *, char const *);
     49
     50void _zz_bytes(char const *list)
     51{
     52    char const *parser;
     53    unsigned int i, chunks;
     54
     55    /* Count commas */
     56    for(parser = list, chunks = 1; *parser; parser++)
     57        if(*parser == ',')
     58            chunks++;
     59
     60    /* TODO: free(ranges) if ranges != ranges_static */
     61    if(chunks >= 256)
     62        ranges = malloc((chunks + 1) * 2 * sizeof(unsigned int));
     63    else
     64        ranges = ranges_static;
     65
     66    /* Fill ranges list */
     67    for(parser = list, i = 0; i < chunks; i++)
     68    {
     69        char const *comma = strchr(parser, ',');
     70        char const *dash = strchr(parser, '-');
     71
     72        ranges[i * 2] = (dash == parser) ? 0 : atoi(parser);
     73        if(dash && (dash + 1 == comma || dash[1] == '\0'))
     74            ranges[i * 2 + 1] = ranges[i * 2]; /* special case */
     75        else if(dash && (!comma || dash < comma))
     76            ranges[i * 2 + 1] = atoi(dash + 1) + 1;
     77        else
     78            ranges[i * 2 + 1] = ranges[i * 2] + 1;
     79        parser = comma + 1;
     80    }
     81
     82    ranges[i * 2] = ranges[i * 2 + 1] = 0;
     83}
    4484
    4585void _zz_protect(char const *list)
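Review bot: the open-ended special case collides with the list terminator. A range written as `0-` (or just `-`) goes through `ranges[i * 2 + 1] = ranges[i * 2]; /* special case */` and produces the pair {0, 0}, which is byte-for-byte identical to the sentinel written by `ranges[i * 2] = ranges[i * 2 + 1] = 0;`, so any consumer that stops at a zero stop value will treat `-b0-` as an empty list and silently drop every range listed after it. Either keep an explicit count of pairs instead of a sentinel, or encode "until end of file" as a distinct value such as UINT_MAX. Three smaller points in the same function: the `malloc` result is never checked before it is written to; `parser = comma + 1;` is evaluated on the last chunk where `comma` is NULL (harmless today, but it is arithmetic on a null pointer); and `atoi` accepts trailing garbage and negative numbers without complaint, so `strtoul` with an end-pointer check would let bad `-b` input be rejected instead of quietly fuzzing the wrong bytes. The TODO about freeing a previously malloc'd `ranges` should be resolved before this is called more than once per process.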
     
    66106#endif
    67107
     108    aligned_buf = buf - pos;
    68109    fuzz = _zz_getfuzz(fd);
    69     aligned_buf = buf - pos;
    70110
    71111    for(i = pos / CHUNKBYTES;
     
    103143        for(j = start; j < stop; j++)
    104144        {
    105             uint8_t byte = aligned_buf[j];
     145            unsigned int *r;
     146            uint8_t byte;
     147
     148            if(!ranges)
     149                goto range_ok;
     150
     151            for(r = ranges; r[1]; r += 2)
     152                if(j >= r[0] && (r[0] == r[1] || j < r[1]))
     153                    goto range_ok;
     154
     155            continue; /* Not in a range */
     156
     157        range_ok:
     158            byte = aligned_buf[j];
    106159
    107160            if(protect[byte])
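Review bot: the membership loop `for(r = ranges; r[1]; r += 2)` is the consumer that turns the {0, 0} sentinel collision into visible behaviour: with `-b0-` it exits on the first pair and every byte falls through to `continue; /* Not in a range */`, so a user asking to fuzz the whole file ends up fuzzing nothing, with no error. Once the representation in _zz_bytes() is fixed, this condition has to change with it. The two `goto range_ok` jumps plus a `continue` for a three-line predicate are harder to follow than a small `static int in_ranges(unsigned int off)` returning 0/1 that the loop calls as `if(!in_ranges(j)) continue;`; it would also make the per-byte cost explicit, since this scans the full list for every byte of every read.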
  • zzuf/trunk/src/fuzz.h

    r1693 r1705  
    1717 */
    1818
     19extern void _zz_bytes(char const *);
    1920extern void _zz_protect(char const *);
    2021extern void _zz_refuse(char const *);
  • zzuf/trunk/src/libzzuf.c

    r1701 r1705  
    7979        _zz_setautoinc();
    8080
     81    tmp = getenv("ZZUF_BYTES");
     82    if(tmp && *tmp)
     83        _zz_bytes(tmp);
     84
    8185    tmp = getenv("ZZUF_PROTECT");
    8286    if(tmp && *tmp)
  • zzuf/trunk/src/opts.c

    r1692 r1705  
    3434void _zz_opts_init(struct opts *opts)
    3535{
    36     opts->protect = opts->refuse = NULL;
     36    opts->bytes = opts->protect = opts->refuse = NULL;
    3737    opts->seed = DEFAULT_SEED;
    3838    opts->endseed = DEFAULT_SEED + 1;
  • zzuf/trunk/src/opts.h

    r1702 r1705  
    2020{
    2121    char const **newargv;
    22     char *protect, *refuse;
     22    char *bytes, *protect, *refuse;
    2323    uint32_t seed;
    2424    uint32_t endseed;
  • zzuf/trunk/src/zzuf.c

    r1704 r1705  
    126126    {
    127127#   if defined HAVE_REGEX_H
    128 #       define OPTSTR "AB:cC:dD:E:F:iI:mM:nP:qr:R:s:ST:vxhV"
     128#       define OPTSTR "Ab:B:cC:dD:E:F:iI:mM:nP:qr:R:s:ST:vxhV"
    129129#   else
    130 #       define OPTSTR "AB:C:dD:F:imM:nP:qr:R:s:ST:vxhV"
     130#       define OPTSTR "Ab:B:C:dD:F:imM:nP:qr:R:s:ST:vxhV"
    131131#   endif
    132132#   if defined HAVE_GETOPT_LONG
     
    137137            /* Long option, needs arg, flag, short option */
    138138            { "autoinc",     0, NULL, 'A' },
     139            { "bytes",       1, NULL, 'b' },
    139140            { "max-bytes",   1, NULL, 'B' },
    140141#if defined HAVE_REGEX_H
     
    181182            setenv("ZZUF_AUTOINC", "1", 1);
    182183            break;
     184        case 'b': /* --bytes */
     185            opts->bytes = optarg;
     186            break;
    183187        case 'B': /* --max-bytes */
    184188            opts->maxbytes = atoi(optarg);
     
    297301    if(optind >= argc)
    298302    {
     303        if(opts->bytes)
     304            _zz_bytes(opts->bytes);
     305
     306        /* FIXME: protect and refuse are ignored */
     307
    299308        if(opts->endseed != opts->seed + 1)
    300309        {
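Review bot: in the no-PROGRAM path (fuzzing stdin in-process) `-b` is now applied via `_zz_bytes(opts->bytes);` while `-P` and `-R` are still only acknowledged by `/* FIXME: protect and refuse are ignored */`. Since `_zz_protect()` and `_zz_refuse()` take the same string the other branch later exports through ZZUF_PROTECT/ZZUF_REFUSE, the fix is the same two-line pattern used here for `opts->bytes`, and it would be cleaner to add it in this change than to leave the three options behaving differently between the two modes.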
     
    335344#endif
    336345
     346    if(opts->bytes)
     347        setenv("ZZUF_BYTES", opts->bytes, 1);
    337348    if(opts->protect)
    338349        setenv("ZZUF_PROTECT", opts->protect, 1);
     
    10211032#if defined HAVE_REGEX_H
    10221033    printf("Usage: zzuf [-AcdimnqSvx] [-s seed|-s start:stop] [-r ratio|-r min:max]\n");
    1023     printf("                          [-D delay] [-F forks] [-C crashes] [-B bytes]\n");
    1024     printf("                          [-T seconds] [-M bytes] [-P protect] [-R refuse]\n");
    1025     printf("                          [-I include] [-E exclude] [PROGRAM [--] [ARGS]...]\n");
    10261034#else
    10271035    printf("Usage: zzuf [-AdimnqSvx] [-s seed|-s start:stop] [-r ratio|-r min:max]\n");
    1028     printf("                         [-D delay] [-F forks] [-C crashes] [-B bytes]\n");
    1029     printf("                         [-T seconds] [-M bytes] [-P protect] [-R refuse]\n");
    1030     printf("                         [PROGRAM [--] [ARGS]...]\n");
     1036#endif
     1037    printf("                  [-D delay] [-F forks] [-C crashes] [-B bytes] [-T seconds]\n");
     1038    printf("                  [-M bytes] [-b ranges] [-P protect] [-R refuse]\n");
     1039#if defined HAVE_REGEX_H
     1040    printf("                  [-I include] [-E exclude] [PROGRAM [--] [ARGS]...]\n");
     1041#else
     1042    printf("                  [PROGRAM [--] [ARGS]...]\n");
    10311043#endif
    10321044#   if defined HAVE_GETOPT_LONG
     
    10421054#   if defined HAVE_GETOPT_LONG
    10431055    printf("  -A, --autoinc             increment seed each time a new file is opened\n");
     1056    printf("  -b, --bytes <ranges>      only fuzz bytes at offsets within <ranges>\n");
    10441057    printf("  -B, --max-bytes <n>       kill children that output more than <n> bytes\n");
    10451058#if defined HAVE_REGEX_H
     
    10771090#   else
    10781091    printf("  -A               increment seed each time a new file is opened\n");
     1092    printf("  -b <ranges>      only fuzz bytes at offsets within <ranges>\n");
    10791093    printf("  -B <n>           kill children that output more than <n> bytes\n");
    10801094#if defined HAVE_REGEX_H