Changeset 1532 for zzufTweet

Timestamp:

Jan 1, 2007, 10:35:54 PM (15 years ago)

Author:

Sam Hocevar

Message:

• Implemented signal handling.
• Updated documentation accordingly and improved a few parts.

Location:

zzuf/trunk

Files:

• doc/zzuf.1 (modified) (7 diffs)
• src/Makefile.am (modified) (1 diff)
• src/libzzuf.c (modified) (4 diffs)
• src/libzzuf.h (modified) (1 diff)
• src/load-signal.c (added)
• src/load.h (modified) (1 diff)
• src/zzuf.c (modified) (4 diffs)

zzuf/trunk/doc/zzuf.1

@@ -5 +5 @@
 .B zzuf
 [
-.B \-vqdhic
+.B \-cdhiqSv
 ] [
 .B \-r
@@ -87 +87 @@
 regular expression. This option supersedes anything that is specified by the
 .B \-\-exclude
-flag. Use this for instance if you do not know for sure what files your
-application is going to read, but do not want it to fuzz files in the
+flag. Use this for instance if you are unsure of what files your
+application is going to read and do not want it to fuzz files in the
 .B /etc
 directory.
@@ -120 +120 @@
 .B \-I
 flags can be specified, in which case files matching any one of the regular
-expressions will be fuzzed.
+expressions will be fuzzed. See also the
+.B \-c
+flag.
 .TP
 .B \-q, \-\-quiet
 Hide the output of the fuzzed application. This is useful if the application
-is very verbose but only its exit code is really useful to you.
+is very verbose but only its exit code or signaled status is really useful to
+you.
 .TP
 .B \-r, \-\-ratio <ratio>
@@ -153 +156 @@
 will run the application several times, each time with a different seed, and
 report the behaviour of each run.
+.TP
+.B \-S, \-\-signal
+Prevent children from installing signal handlers for signals that usually
+cause coredumps. These signals are
+.BR SIGABRT ,
+.BR SIGFPE ,
+.BR SIGILL ,
+.BR SIGQUIT ,
+.BR SIGSEGV ,
+.B SIGTRAP
+and, if available on the running platform,
+.BR SIGSYS ,
+.BR SIGEMT ,
+.BR SIGBUS ,
+.B SIGXCPU
+and
+.BR SIGXFSZ .
+Instead of calling the signal handler, the application will simply crash. If
+you do not want core dumps, you should set appropriate limits with the
+.B limit coredumpsize
+command. See your shell's documentation on how to set such limits.
 .TP
 .B \-T, \-\-max\-time <n>
@@ -188 +212 @@
 files from fuzzing (because
 .B convert
-will also open its own configuration files and we do not want
+will also open its own XML configuration files and we do not want
 .B zzuf
 to fuzz them):
@@ -216 +240 @@
 
 .fi
-Fuzz
+Fuzz 2% of
 .BR mplayer 's
-input with seeds 0 to 9999, launching up to 3 simultaneous child processes
-and killing
-.BR mplayer
-if it takes more than one minute to read the file:
+input bits
+.RB  ( \-r
+.BR 0.02 )
+with seeds 0 to 9999
+.RB ( \-s
+.BR 0:10000 ),
+disabling its standard output messages
+.RB ( \-q ),
+launching up to three simultaneous child processes
+.RB ( \-F
+.BR 3 ),
+killing
+.B mplayer
+if it takes more than one minute to read the file
+.RB ( \-T
+.BR 60 )
+and disabling its
+.B SIGSEGV
+signal handler
+.RB ( \-S ):
 .fn
 
@@ -240 +280 @@
 drop bytes from the input, to fuzz according to the file format, or to do
 all these complicated operations. They are planned, though.
+
+Due to
+.B zzuf
+using
+.B LD_PRELOAD
+to run its child processes, it will fail in the presence of any mechanism
+that disables preloading. For instance setuid root binaries will not be
+fuzzed.
 .RI
 .SH AUTHOR

zzuf/trunk/src/Makefile.am

@@ -6 +6 @@
 pkglib_LTLIBRARIES = libzzuf.la
 libzzuf_la_SOURCES = libzzuf.c libzzuf.h fuzz.c fuzz.h debug.c debug.h \
-                     load-fd.c load-stream.c load.h random.c random.h
+                     load-fd.c load-signal.c load-stream.c load.h \
+                     random.c random.h
 libzzuf_la_LDFLAGS = -module -avoid-version -no-undefined
 libzzuf_la_LIBADD = -ldl

zzuf/trunk/src/libzzuf.c

@@ -41 +41 @@
 int   _zz_ready    = 0;
 int   _zz_hasdebug = 0;
+float _zz_ratio    = 0.004f;
 int   _zz_seed     = 0;
-float _zz_ratio    = 0.004f;
+int   _zz_signal   = 0;
 
 /* Local variables */
@@ -58 +59 @@
 
     tmp = getenv("ZZUF_DEBUG");
-    if(tmp && *tmp)
+    if(tmp && *tmp == '1')
         _zz_hasdebug = 1;
 
@@ -87 +88 @@
     }
 
+    tmp = getenv("ZZUF_SIGNAL");
+    if(tmp && *tmp == '1')
+        _zz_signal = 1;
+
     _zz_fd_init();
 
@@ -94 +99 @@
 
     _zz_load_fd();
+    _zz_load_signal();
     _zz_load_stream();
 

zzuf/trunk/src/libzzuf.h

@@ -32 +32 @@
 extern int       _zz_ready;
 extern int       _zz_hasdebug;
+extern float     _zz_ratio;
 extern int       _zz_seed;
-extern float     _zz_ratio;
+extern int       _zz_signal;
 
 /* Library initialisation shit */

zzuf/trunk/src/load.h

@@ -28 +28 @@
 
 extern void _zz_load_fd(void);
+extern void _zz_load_signal(void);
 extern void _zz_load_stream(void);
 

zzuf/trunk/src/zzuf.c

@@ -97 +97 @@
         {
             /* Long option, needs arg, flag, short option */
+            { "max-bytes", 1, NULL, 'B' },
+            { "cmdline",   0, NULL, 'c' },
+            { "debug",     0, NULL, 'd' },
+            { "exclude",   1, NULL, 'E' },
+            { "fork",      1, NULL, 'F' },
+            { "help",      0, NULL, 'h' },
+            { "stdin",     0, NULL, 'i' },
             { "include",   1, NULL, 'I' },
-            { "exclude",   1, NULL, 'E' },
-            { "cmdline",   0, NULL, 'c' },
-            { "stdin",     0, NULL, 'i' },
+            { "quiet",     0, NULL, 'q' },
+            { "ratio",     1, NULL, 'r' },
             { "seed",      1, NULL, 's' },
-            { "ratio",     1, NULL, 'r' },
-            { "fork",      1, NULL, 'F' },
-            { "max-bytes", 1, NULL, 'B' },
+            { "signal",    0, NULL, 'S' },
             { "max-time",  1, NULL, 'T' },
-            { "quiet",     0, NULL, 'q' },
-            { "debug",     0, NULL, 'd' },
-            { "help",      0, NULL, 'h' },
             { "version",   0, NULL, 'v' },
         };
-        int c = getopt_long(argc, argv, "B:cdE:F:hiI:qr:s:T:v",
+        int c = getopt_long(argc, argv, "B:cdE:F:hiI:qr:s:ST:v",
                             long_options, &option_index);
 #   else
 #       define MOREINFO "Try `%s -h' for more information.\n"
-        int c = getopt(argc, argv, "B:cdE:F:hiI:qr:s:T:v");
+        int c = getopt(argc, argv, "B:cdE:F:hiI:qr:s:ST:v");
 #   endif
         if(c == -1)
@@ -163 +164 @@
         case 'q': /* --quiet */
             quiet = 1;
+            break;
+        case 'S': /* --signal */
+            setenv("ZZUF_SIGNAL", "1", 1);
             break;
         case 'd': /* --debug */
@@ -529 +533 @@
     printf("  -s, --seed <seed>        random seed (default 0)\n");
     printf("      --seed <start:stop>  specify a seed range\n");
+    printf("  -S, --signal             prevent children from diverting crashing signals\n");
     printf("  -T, --max-time <n>       kill children that run for more than <n> seconds\n");
     printf("  -v, --version            output version information and exit\n");
@@ -544 +549 @@
     printf("  -s <seed>        random seed (default 0)\n");
     printf("     <start:stop>  specify a seed range\n");
+    printf("  -S               prevent children from diverting crashing signals\n");
     printf("  -T <n>           kill children that run for more than <n> seconds\n");
     printf("  -v               output version information and exit\n");