Version 2 (modified by Sam Hocevar, 15 years ago) (diff)

memory functions

zzuf internals

This document is an attempt at explaining how zzuf works and how it can be extended to support more functions.

Architecture overview

The zzuf software consists in two parts:

  • The zzuf executable
  • The libzzuf shared library

Here is the global workflow when zzuf fuzzes a process:

  • zzuf reads options from the command line.
  • zzuf writes fuzzing information to the environment
  • zuff preloads libzzuf into the called process and executes it
  • libzzuf reads fuzzing information from the envronment
  • libzzuf diverts standard function calls with its own ones
  • the called process runs normally, but any diverted call goes through libzzuf first

Writing function diversions

Diverted functions are declared using the NEW macro. The address of the original function is stored into a global function pointer using the ORIG macro. The LOADSYM macro takes care of retrieving its address and storing it into the pointer.

For instance, this is how the memalign function is declared in its libc header, malloc.h:

void *memalign(size_t boundary, size_t size);

And here is how memalign is diverted:

#include <malloc.h>

#include "libzzuf.h"
#include "lib-load.h"

/* ... */

#if defined HAVE_MEMALIGN
static void * (*ORIG(memalign)) (size_t boundary, size_t size);
#endif

/* ... */

#if defined HAVE_MEMALIGN
void *NEW(memalign)(size_t boundary, size_t size)
{
    void *ret;
    LOADSYM(memalign);
    ret = ORIG(memalign)(boundary, size);
    /* ... */
    return ret;
}
#endif

Memory functions

Functions such as malloc need to be diverted by zzuf in order to monitor global memory usage and detect severe memory leaks.

This creates a bootstrapping problem on some platforms: the diverted calloc calls the real calloc, which needs to be loaded using dlsym. On Linux, dlsym calls calloc, resulting in an infinite loop. To avoid this, we declare a private static buffer that memory allocation functions can use if the original function is not yet loaded.

Standard file descriptor functions

FILE * functions