Changeset 4393Tweet

Timestamp:

Apr 19, 2010, 10:51:58 PM (13 years ago)

Author:

Sam Hocevar

Message:

New operating mode "copy". It uses temporary files instead of preloading
libzzuf into the process.

Location:

zzuf/trunk

Files:

• doc/zzuf.1.in (modified) (2 diffs)
• src/myfork.c (modified) (6 diffs)
• src/opts.c (modified) (3 diffs)
• src/opts.h (modified) (2 diffs)
• src/zzuf.c (modified) (12 diffs)

zzuf/trunk/doc/zzuf.1.in

@@ -11 +11 @@
 [\fB\-b\fR \fIranges\fR] [\fB\-p\fR \fIports\fR] [\fB\-P\fR \fIprotect\fR]
 [\fB\-R\fR \fIrefuse\fR] [\fB\-l\fR \fIlist\fR] [\fB\-I\fR \fIinclude\fR]
-[\fB\-E\fR \fIexclude\fR] [\fIPROGRAM\fR [\fIARGS\fR]...]
+[\fB\-E\fR \fIexclude\fR] [\fB\-O\fR \fIopmode\fR]
+[\fIPROGRAM\fR [\fIARGS\fR]...]
 .br
 \fBzzuf \-h\fR | \fB\-\-help\fR
@@ -194 +195 @@
 Only INET (IPv4) and INET6 (IPv6) connections are fuzzed. Other protocol
 families are not yet supported.
+.TP
+\fB\-O\fR, \fB\-\-opmode\fR=\fImode\fR
+Use operating mode \fImode\fR. Valid values for \fImode\fR are:
+.RS
+.TP
+\fBpreload\fR
+override functions by preloading libzzuf into the executable using the
+system's dynamic linker
+.TP
+\fBcopy\fR
+temporarily copy files that need to be fuzzed
+.RE
+.IP
+The default value for \fImode\fR is \fBpreload\fR. \fBcopy\fR is useful on
+platforms that do not support dynamic linker injection, for instance when
+fuzzing a Cocoa application on Mac OS X.
 .TP
 \fB\-p\fR, \fB\-\-ports\fR=\fIranges\fR

zzuf/trunk/src/myfork.c

@@ -70 +70 @@
 #endif
 
-static int run_process(struct opts *, int[][2]);
+static int run_process(struct child *child, struct opts *, int[][2]);
 
 #if defined HAVE_WINDOWS_H
@@ -101 +101 @@
     }
 
-    pid = run_process(opts, pipes);
+    pid = run_process(child, opts, pipes);
     if(pid < 0)
     {
         /* FIXME: close pipes */
-        fprintf(stderr, "error launching `%s'\n", opts->newargv[0]);
+        fprintf(stderr, "error launching `%s'\n", child->newargv[0]);
         return -1;
     }
@@ -133 +133 @@
 #endif
 
-static int run_process(struct opts *opts, int pipes[][2])
+static int run_process(struct child *child, struct opts *opts, int pipes[][2])
 {
     char buf[64];
@@ -242 +242 @@
     }
 
-    setenv(PRELOAD, libpath, 1);
+    /* Only preload the library in preload mode */
+    if (opts->opmode == OPMODE_PRELOAD)
+        setenv(PRELOAD, libpath, 1);
     free(libpath);
 
-    if(execvp(opts->newargv[0], opts->newargv))
-    {
-        perror(opts->newargv[0]);
+    if(execvp(child->newargv[0], child->newargv))
+    {
+        perror(child->newargv[0]);
         exit(EXIT_FAILURE);
     }
@@ -266 +268 @@
                     &sinfo.hStdOutput, 0, TRUE, DUPLICATE_SAME_ACCESS);
     sinfo.dwFlags = STARTF_USESTDHANDLES;
-    ret = CreateProcess(NULL, opts->newargv[0], NULL, NULL, FALSE,
+    ret = CreateProcess(NULL, child->newargv[0], NULL, NULL, FALSE,
                         CREATE_SUSPENDED, NULL, NULL, &sinfo, &pinfo);
     if(!ret)
@@ -272 +274 @@
 
     /* Get the child process's entry point address */
-    epaddr = (void *)get_entry_point(opts->newargv[0],
+    epaddr = (void *)get_entry_point(child->newargv[0],
                                      pinfo.dwProcessId);
     if(!epaddr)

zzuf/trunk/src/opts.c

@@ -33 +33 @@
 void _zz_opts_init(struct opts *opts)
 {
+    opts->opmode = OPMODE_PRELOAD;
     opts->fuzzing = opts->bytes = opts->list = opts->ports = NULL;
     opts->allow = NULL;
@@ -52 +53 @@
     opts->lastlaunch = 0;
 
-    opts->newargv = NULL;
     opts->maxchild = 1;
     opts->nchild = 0;
@@ -62 +62 @@
 void _zz_opts_fini(struct opts *opts)
 {
+    int i;
+
     if(opts->child)
+    {
+        for(i = 0; i < opts->maxchild; i++)
+            if (opts->child[i].newargv)
+                free(opts->child[i].newargv);
         free(opts->child);
-    if(opts->newargv)
-        free(opts->newargv);
+    }
 }
 

zzuf/trunk/src/opts.h

@@ -17 +17 @@
 struct opts
 {
+    enum opmode
+    {
+        OPMODE_PRELOAD,
+        OPMODE_COPY,
+    } opmode;
     char **oldargv;
-    char **newargv;
+    int oldargc;
     char *fuzzing, *bytes, *list, *ports, *protect, *refuse, *allow;
     uint32_t seed;
@@ -55 +60 @@
         int64_t date;
         struct md5 *ctx;
+        char **newargv;
     } *child;
 };

zzuf/trunk/src/zzuf.c

@@ -154 +154 @@
 #endif
 #define OPTSTR "+" OPTSTR_REGEX OPTSTR_RLIMIT_MEM OPTSTR_RLIMIT_CPU \
-                "a:Ab:B:C:dD:e:f:F:ij:l:mnp:P:qr:R:s:St:U:vxhV"
+                "a:Ab:B:C:dD:e:f:F:ij:l:mnO:p:P:qr:R:s:St:U:vxhV"
 #define MOREINFO "Try `%s --help' for more information.\n"
         int option_index = 0;
@@ -183 +183 @@
             { "max-memory",   1, NULL, 'M' },
             { "network",      0, NULL, 'n' },
+            { "opmode",       1, NULL, 'O' },
             { "ports",        1, NULL, 'p' },
             { "protect",      1, NULL, 'P' },
@@ -257 +258 @@
         case 'F':
             fprintf(stderr, "%s: `-F' is deprecated, use `-j'\n", argv[0]);
+            _zz_opts_fini(opts);
             return EXIT_FAILURE;
         case 'i': /* --stdin */
@@ -294 +296 @@
             setenv("ZZUF_NETWORK", "1", 1);
             network = 1;
+            break;
+        case 'O': /* --opmode */
+            if(myoptarg[0] == '=')
+                myoptarg++;
+            if (!strcmp(myoptarg, "preload"))
+                opts->opmode = OPMODE_PRELOAD;
+            else if (!strcmp(myoptarg, "copy"))
+                opts->opmode = OPMODE_COPY;
+            else
+            {
+                fprintf(stderr, "%s: invalid operating mode -- `%s'\n",
+                        argv[0], myoptarg);
+                _zz_opts_fini(opts);
+                return EXIT_FAILURE;
+            }
             break;
         case 'p': /* --ports */
@@ -386 +403 @@
     _zz_setseed(opts->seed);
 
-    /* If asked to read from the standard input */
-    if(myoptind >= argc)
-    {
-        if(opts->verbose)
-        {
-            finfo(stderr, opts, opts->seed);
-            fprintf(stderr, "reading from stdin\n");
-        }
-
-        if(opts->endseed != opts->seed + 1)
-        {
-            fprintf(stderr, "%s: seed ranges are incompatible with "
-                            "stdin fuzzing\n", argv[0]);
-            printf(MOREINFO, argv[0]);
-            _zz_opts_fini(opts);
-            return EXIT_FAILURE;
-        }
-
-        loop_stdin(opts);
-
-        _zz_opts_fini(opts);
-        return EXIT_SUCCESS;
-    }
-
-    /* If asked to launch programs */
-#if defined HAVE_REGEX_H
-    if(cmdline)
-    {
-        int dashdash = 0;
-
-        for(i = myoptind + 1; i < argc; i++)
-        {
-            if(dashdash)
-                include = merge_file(include, argv[i]);
-            else if(!strcmp("--", argv[i]))
-                dashdash = 1;
-            else if(argv[i][0] != '-')
-                include = merge_file(include, argv[i]);
-        }
-    }
-
-    if(include)
-        setenv("ZZUF_INCLUDE", include, 1);
-    if(exclude)
-        setenv("ZZUF_EXCLUDE", exclude, 1);
-#endif
-
-    setenv("ZZUF_DEBUG", debug ? debug > 1 ? "2" : "1" : "0", 1);
-    setenv("ZZUF_DEBUGFD", DEBUG_FILENO_STR, 1);
-
-    if(opts->fuzzing)
-        setenv("ZZUF_FUZZING", opts->fuzzing, 1);
-    if(opts->bytes)
-        setenv("ZZUF_BYTES", opts->bytes, 1);
-    if(opts->list)
-        setenv("ZZUF_LIST", opts->list, 1);
-    if(opts->ports)
-        setenv("ZZUF_PORTS", opts->ports, 1);
-    if(opts->allow && opts->allow[0] == '!')
-        setenv("ZZUF_DENY", opts->allow, 1);
-    else if(opts->allow)
-        setenv("ZZUF_ALLOW", opts->allow, 1);
-    if(opts->protect)
-        setenv("ZZUF_PROTECT", opts->protect, 1);
-    if(opts->refuse)
-        setenv("ZZUF_REFUSE", opts->refuse, 1);
-#if defined HAVE_SETRLIMIT && defined ZZUF_RLIMIT_MEM
-    if(opts->maxmem >= 0)
-    {
-        char buf[32];
-        snprintf(buf, 32, "%i", opts->maxmem);
-        setenv("ZZUF_MEMORY", buf, 1);
-    }
-#endif
-
-    /* Allocate memory for children handling */
-    opts->child = malloc(opts->maxchild * sizeof(struct child));
-    for(i = 0; i < opts->maxchild; i++)
-        opts->child[i].status = STATUS_FREE;
-    opts->nchild = 0;
-
-    /* Create new argv */
-    opts->oldargv = argv;
-    opts->newargv = malloc((argc - myoptind + 1) * sizeof(char *));
-    memcpy(opts->newargv, argv + myoptind, (argc - myoptind) * sizeof(char *));
-    opts->newargv[argc - myoptind] = (char *)NULL;
-
-    /* Main loop */
-    while(opts->nchild || opts->seed < opts->endseed)
-    {
-        /* Spawn new children, if necessary */
-        spawn_children(opts);
-
-        /* Cleanup dead or dying children */
-        clean_children(opts);
-
-        /* Read data from children */
-        read_children(opts);
-
-        if(opts->maxcrashes && opts->crashes >= opts->maxcrashes
-            && opts->nchild == 0)
-        {
-            if(opts->verbose)
-                fprintf(stderr,
-                        "zzuf: maximum crash count reached, exiting\n");
-            break;
-        }
-
-        if(opts->maxtime && _zz_time() - opts->starttime >= opts->maxtime
-            && opts->nchild == 0)
-        {
-            if(opts->verbose)
-                fprintf(stderr,
-                        "zzuf: maximum running time reached, exiting\n");
-            break;
-        }
-    }
-
-    /* Clean up */
-    _zz_opts_fini(opts);
-
-    return opts->crashes ? EXIT_FAILURE : EXIT_SUCCESS;
-}
-
-static void loop_stdin(struct opts *opts)
-{
-    uint8_t md5sum[16];
-    struct md5 *ctx = NULL;
-    int total = 0;
-
-    if(opts->md5)
-        ctx = _zz_md5_init();
-
     if(opts->fuzzing)
         _zz_fuzzing(opts->fuzzing);
@@ -530 +414 @@
         _zz_refuse(opts->refuse);
 
+    /* Needed for stdin mode and for copy opmode. */
     _zz_fd_init();
+
+    /*
+     * Mode 1: asked to read from the standard input
+     */
+    if(myoptind >= argc)
+    {
+        if(opts->verbose)
+        {
+            finfo(stderr, opts, opts->seed);
+            fprintf(stderr, "reading from stdin\n");
+        }
+
+        if(opts->endseed != opts->seed + 1)
+        {
+            fprintf(stderr, "%s: seed ranges are incompatible with "
+                            "stdin fuzzing\n", argv[0]);
+            printf(MOREINFO, argv[0]);
+            _zz_opts_fini(opts);
+            return EXIT_FAILURE;
+        }
+
+        loop_stdin(opts);
+    }
+    /*
+     * Mode 2: asked to launch programs
+     */
+    else
+    {
+#if defined HAVE_REGEX_H
+        if(cmdline)
+        {
+            int dashdash = 0;
+
+            for(i = myoptind + 1; i < argc; i++)
+            {
+                if(dashdash)
+                    include = merge_file(include, argv[i]);
+                else if(!strcmp("--", argv[i]))
+                    dashdash = 1;
+                else if(argv[i][0] != '-')
+                    include = merge_file(include, argv[i]);
+            }
+        }
+
+        if(include)
+            setenv("ZZUF_INCLUDE", include, 1);
+        if(exclude)
+            setenv("ZZUF_EXCLUDE", exclude, 1);
+#endif
+
+        setenv("ZZUF_DEBUG", debug ? debug > 1 ? "2" : "1" : "0", 1);
+        setenv("ZZUF_DEBUGFD", DEBUG_FILENO_STR, 1);
+
+        if(opts->fuzzing)
+            setenv("ZZUF_FUZZING", opts->fuzzing, 1);
+        if(opts->bytes)
+            setenv("ZZUF_BYTES", opts->bytes, 1);
+        if(opts->list)
+            setenv("ZZUF_LIST", opts->list, 1);
+        if(opts->ports)
+            setenv("ZZUF_PORTS", opts->ports, 1);
+        if(opts->allow && opts->allow[0] == '!')
+            setenv("ZZUF_DENY", opts->allow, 1);
+        else if(opts->allow)
+            setenv("ZZUF_ALLOW", opts->allow, 1);
+        if(opts->protect)
+            setenv("ZZUF_PROTECT", opts->protect, 1);
+        if(opts->refuse)
+            setenv("ZZUF_REFUSE", opts->refuse, 1);
+#if defined HAVE_SETRLIMIT && defined ZZUF_RLIMIT_MEM
+        if(opts->maxmem >= 0)
+        {
+            char buf[32];
+            snprintf(buf, 32, "%i", opts->maxmem);
+            setenv("ZZUF_MEMORY", buf, 1);
+        }
+#endif
+
+        /* Allocate memory for children handling */
+        opts->child = malloc(opts->maxchild * sizeof(struct child));
+        for(i = 0; i < opts->maxchild; i++)
+            opts->child[i].status = STATUS_FREE;
+        opts->nchild = 0;
+
+        /* Create new argv */
+        opts->oldargc = argc;
+        opts->oldargv = argv;
+        for(i = 0; i < opts->maxchild; i++)
+        {
+            int len = argc - myoptind;
+            opts->child[i].newargv = malloc((len + 1) * sizeof(char *));
+            memcpy(opts->child[i].newargv, argv + myoptind,
+                   len * sizeof(char *));
+            opts->child[i].newargv[len] = (char *)NULL;
+        }
+
+        /* Main loop */
+        while(opts->nchild || opts->seed < opts->endseed)
+        {
+            /* Spawn new children, if necessary */
+            spawn_children(opts);
+
+            /* Cleanup dead or dying children */
+            clean_children(opts);
+
+            /* Read data from children */
+            read_children(opts);
+
+            if(opts->maxcrashes && opts->crashes >= opts->maxcrashes
+                && opts->nchild == 0)
+            {
+                if(opts->verbose)
+                    fprintf(stderr,
+                            "zzuf: maximum crash count reached, exiting\n");
+                break;
+            }
+
+            if(opts->maxtime && _zz_time() - opts->starttime >= opts->maxtime
+                && opts->nchild == 0)
+            {
+                if(opts->verbose)
+                    fprintf(stderr,
+                            "zzuf: maximum running time reached, exiting\n");
+                break;
+            }
+        }
+    }
+
+    /* Clean up */
+    _zz_fd_fini();
+    _zz_opts_fini(opts);
+
+    return opts->crashes ? EXIT_FAILURE : EXIT_SUCCESS;
+}
+
+static void loop_stdin(struct opts *opts)
+{
+    uint8_t md5sum[16];
+    struct md5 *ctx = NULL;
+    int total = 0;
+
+    if(opts->md5)
+        ctx = _zz_md5_init();
+
     _zz_register(0);
 
@@ -579 +608 @@
 
     _zz_unregister(0);
-    _zz_fd_fini();
 }
 
@@ -666 +694 @@
             break;
 
+    /* Prepare required files, if necessary */
+    if (opts->opmode == OPMODE_COPY)
+    {
+        char tmpname[4096];
+        char *tmpdir;
+        FILE *fpin;
+        int j, k = 0, fdout;
+
+        tmpdir = getenv("TEMP");
+        if (!tmpdir || !*tmpdir)
+            tmpdir = "/tmp";
+
+        for (j = optind + 1; j < opts->oldargc; j++)
+        {
+            fpin = fopen(opts->oldargv[j], "r");
+            if (!fpin)
+                continue;
+
+            sprintf(tmpname, "%s/zzuf.%i.XXXXXX", tmpdir, (int)getpid());
+            fdout = mkstemp(tmpname);
+            if (fdout < 0)
+            {
+                fclose(fpin);
+                continue;
+            }
+
+            opts->child[i].newargv[j - optind] = strdup(tmpname);
+
+            _zz_register(k);
+            while(!feof(fpin))
+            {
+                uint8_t buf[BUFSIZ];
+                size_t n = fread(buf, 1, BUFSIZ, fpin);
+                if (n <= 0)
+                    break;
+                _zz_fuzz(k, buf, n);
+                _zz_addpos(k, n);
+                write(fdout, buf, n);
+            }
+            _zz_unregister(k);
+
+            fclose(fpin);
+            close(fdout);
+
+            k++;
+        }
+    }
+
+    /* Launch process */
     if (myfork(&opts->child[i], opts) < 0)
     {
-        fprintf(stderr, "error launching `%s'\n", opts->newargv[0]);
+        fprintf(stderr, "error launching `%s'\n", opts->child[i].newargv[0]);
         opts->seed++;
+        /* FIXME: clean up OPMODE_COPY files here */
         return;
     }
@@ -685 +763 @@
     {
         finfo(stderr, opts, opts->child[i].seed);
-        fprintf(stderr, "launched `%s'\n", opts->newargv[0]);
+        fprintf(stderr, "launched `%s'\n", opts->child[i].newargv[0]);
     }
 
@@ -814 +892 @@
             if(opts->child[i].fd[j] >= 0)
                 close(opts->child[i].fd[j]);
+
+        if (opts->opmode == OPMODE_COPY)
+        {
+            for (j = optind + 1; j < opts->oldargc; j++)
+            {
+                if (opts->child[i].newargv[j - optind] != opts->oldargv[j])
+                {
+                    unlink(opts->child[i].newargv[j - optind]);
+                    free(opts->child[i].newargv[j - optind]);
+                    opts->child[i].newargv[j - optind] = opts->oldargv[j];
+                }
+            }
+        }
 
         if(opts->md5)
@@ -976 +1067 @@
     printf(                                                " [-I include] [-E exclude]");
 #endif
+    printf("              [-O mode]\n");
     printf("\n");
     printf("              [PROGRAM [--] [ARGS]...]\n");
@@ -1009 +1101 @@
 #endif
     printf("  -n, --network             fuzz network input\n");
+    printf("  -O, --opmode <mode>       use operating mode <mode> ([preload] copy)\n");
     printf("  -p, --ports <list>        only fuzz network destination ports in <list>\n");
     printf("  -P, --protect <list>      protect bytes and characters in <list>\n");