ref: fd658ecbf502cdfec9a813c7e563ccb59cb2c3cf
parent: e2381aa3502c40930e44230c5d74a5beb1099197
parent: 8afe0c9f26a30d8df583e8ae9025c29a0b6bdd34
author: seh <seh@localhost>
date: Tue Nov 27 09:36:56 EST 2018
merge
--- a/README.md
+++ b/README.md
@@ -47,50 +47,50 @@
If not specified, state is known to be working.
--Fd2path
--exits
--abort
--Access
--Bind
--Chdir
--Close
--Create
--Dup
--Fork
--Rfork
--Fauth
--Fversion catches bad args, for future work
--Mount
--Umount
--Noted catches that not notified
--Open
--Fd2path catches that it is getting bad input
--Pread catches a general protection violation
--Pwrite catches general protect viol
--Read catches general protection violation
--Readn catches general protection violation
--Remove
--Sbrk
--*sbrk
--Oseek
--Swek
--*seek
--Segattach catches general protection violation
--Segbrk catches general protection violation
--Segdetach catches general protection violation
--Segflush catches general protection violation
--Segfree catches general protection violation
--Semrelease
--Semacquire
--Sleep
--Tsemacquire
--Wait
--Waitpid
--Write catches general protection violation
--Rendezvous catches general protection violation
--Dirstat
--Dirfstat
--Getpid
--Getppid
--Rerrstr
--Sysname
+- Fd2path
+- exits
+- abort
+- Access
+- Bind
+- Chdir
+- Close
+- Create
+- Dup
+- Fork
+- Rfork
+- Fauth
+- Fversion catches bad args, for future work
+- Mount
+- Umount
+- Noted catches that not notified
+- Open
+- Fd2path catches that it is getting bad input
+- Pread catches a general protection violation
+- Pwrite catches general protect viol
+- Read catches general protection violation
+- Readn catches general protection violation
+- Remove
+- Sbrk
+- *sbrk
+- Oseek
+- Swek
+- *seek
+- Segattach catches general protection violation
+- Segbrk catches general protection violation
+- Segdetach catches general protection violation
+- Segflush catches general protection violation
+- Segfree catches general protection violation
+- Semrelease
+- Semacquire
+- Sleep
+- Tsemacquire
+- Wait
+- Waitpid
+- Write catches general protection violation
+- Rendezvous catches general protection violation
+- Dirstat
+- Dirfstat
+- Getpid
+- Getppid
+- Rerrstr
+- Sysname
--- a/fuzz.man
+++ b/fuzz.man
@@ -6,6 +6,10 @@
.SH SYNOPSIS
.B fuzz
[
+.B -s
+.I seed
+]
+[
.B -n
.I rounds
]
@@ -19,6 +23,10 @@
.PD
.TP
+.B -s \fIseed
+Use a specific \fIseed\fR for number generation.
+
+.TP
.B -n \fIrounds
Perform fuzzing for \fIrounds\fR iterations.
@@ -33,6 +41,11 @@
To fuzz the read and write system calls for two rounds:
.EX
fuzz -n 2 read write
+.EE
+
+To fuzz the close system call for 5 rounds using a particular seed:
+.EX
+fuzz -s '-750199259' -n 5 close
.EE
.PP
--- a/inlist.c
+++ b/inlist.c
@@ -54,7 +54,7 @@
void mk_longS(List *l)
{
t_type *tt = malloc(sizeof(t_type));
- tt->var = nil;
+ tt->var = malloc(1 * sizeof(t_type));
tt->t = t_longS;
ladd(l, tt);
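Review bot: `tt->var = malloc(1 * sizeof(t_type))` sizes the slot by the wrong type: the callers in input.c store a `long*` through `var` (`*(long**)(...)->var = mut_longstar()`), so the slot should be `sizeof(long*)` — the present size is larger than needed rather than too small, but it records the wrong intent. Neither this malloc nor the `tt` one above it is checked before being dereferenced; `if(tt == nil || (tt->var = malloc(sizeof(long*))) == nil) sysfatal("out of memory");` keeps an allocation failure visible instead of turning it into a nil write. The slot's contents are also left uninitialised, which matters the moment a caller frees the previous pointer before replacing it. mk_longS's closing brace is outside the hunk.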
--- a/input.c
+++ b/input.c
@@ -180,8 +180,8 @@
hjsync();
// execute the call
- //errstr( *(char**)((t_type*)lget(&(sc->inputs), 0))->var,
- // *(uint*)((t_type*)lget(&(sc->inputs), 1))->var );
+ errstr( *(char**)((t_type*)lget(&(sc->inputs), 0))->var,
+ *(uint*)((t_type*)lget(&(sc->inputs), 1))->var );
break;
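Review bot: The buffer length handed to errstr on the newly enabled call is a separately fuzzed `uint`, so nothing ties it to the size of the allocation behind the `char*` argument; errstr(2) writes the error string into buf up to nbuf bytes, so a length larger than the buffer overwrites the harness's own heap instead of exercising the kernel, and later crashes in the fuzzer would be misattributed. If fuzzing the length independently is intended, say so at the call: `// nbuf is fuzzed independently of buf's allocation; heap corruption here is self-inflicted, not a kernel fault`; otherwise clamp the length to the buffer's allocated size where the inputs are generated. The sc_errstr case begins before this hunk, so how the two inputs are mutated is not visible here.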
case sc_exec : // exec(char* : char*[]);
@@ -247,7 +247,7 @@
case sc_fstat : // fstat(int : uchar* : int);
// mutate the input
mut_int((int*)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
- mut_ucharstar((unsigned char**)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
+ *(unsigned char**)(((t_type*)lget(&(sc->inputs), 1))->var) = mut_ucharstar();
mut_int((int*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);
// log the variables
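Review bot: The new assignment to the uchar* input drops the previous round's buffer without freeing it: the old mut_ucharstar freed `*in_val` on every round after the first, while the rewritten one only returns a fresh calloc, so each round now leaks one buffer per pointer argument (the fwstat, stat and wstat hunks follow the same pattern). `free(*(unsigned char**)(((t_type*)lget(&(sc->inputs), 1))->var));` before the assignment restores the old behaviour, provided the slot starts out nil so the first round frees nothing. Separately, the `int` mutated on the following line is the byte count the kernel fills into that buffer, and it is generated independently of the 2–64 byte allocation, so an overlong count corrupts the harness heap rather than testing fstat — worth a comment if that is deliberate. The enclosing case continues outside the hunk.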
@@ -265,7 +265,7 @@
case sc_fwstat : // fwstat(int : uchar* : int);
// mutate the input
mut_int((int*)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
- mut_ucharstar((unsigned char**)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
+ *(unsigned char**)(((t_type*)lget(&(sc->inputs), 1))->var) = mut_ucharstar();
mut_int((int*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);
// log the variables
@@ -683,7 +683,7 @@
break;
case sc_semacquire : // semacquire(long* : int);
// mutate the input
- mut_longstar((long**)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
+ *(long**)(((t_type*)lget(&(sc->inputs), 0))->var) = mut_longstar();
mut_int((int*)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
// log the variables
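Review bot: With the pointer now supplied by mut_longstar, semacquire is handed a private heap long holding a random value, so whenever that value is not positive and the `int` mutated on the next line is nonzero the call blocks indefinitely — nothing else in the harness can release a semaphore only it knows about — and the run stalls instead of fuzzing (tsemacquire has the same exposure, bounded only by its random timeout). Either pin the block flag to 0 for this call or run each syscall under an alarm so a hung call is logged and skipped. The replaced pointer is also never freed, so every round leaks one long. The rest of the case is outside the hunk.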
@@ -699,7 +699,7 @@
break;
case sc_semrelease : // semrelease(long* : long);
// mutate the input
- mut_longstar((long**)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
+ *(long**)(((t_type*)lget(&(sc->inputs), 0))->var) = mut_longstar();
mut_long((long*)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
// log the variables
@@ -730,7 +730,7 @@
case sc_stat : // stat(char* : uchar* : int);
// mutate the input
*(char**)(((t_type*)lget(&(sc->inputs), 0))->var) = mut_charstar();
- mut_ucharstar((unsigned char**)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
+ *(unsigned char**)(((t_type*)lget(&(sc->inputs), 1))->var) = mut_ucharstar();
mut_int((int*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);
// log the variables
@@ -747,7 +747,7 @@
break;
case sc_tsemacquire : // tsemacquire(long* : ulong);
// mutate the input
- mut_longstar((long**)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
+ *(long**)(((t_type*)lget(&(sc->inputs), 0))->var) = mut_longstar();
mut_ulong((ulong*)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
// log the variables
@@ -822,7 +822,7 @@
case sc_wstat : // wstat(char* : uchar* : int);
// mutate the input
*(char**)(((t_type*)lget(&(sc->inputs), 0))->var) = mut_charstar();
- mut_ucharstar((unsigned char**)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
+ *(unsigned char**)(((t_type*)lget(&(sc->inputs), 1))->var) = mut_ucharstar();
mut_int((int*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);
// log the variables
--- a/main.c
+++ b/main.c
@@ -12,7 +12,7 @@
void
usage(void)
{
- fprint(2, "usage: %s [-n rounds] calls\n", argv0);
+ fprint(2, "usage: %s [-s seed] [-n rounds] calls\n", argv0);
exits("usage");
}
@@ -70,6 +70,7 @@
List tofuzz = mklist() ; // List of syscall table ID's to fuzz
char* arg;
stdout = Bfdopen(1, OWRITE);
+ long fuzz_seed = truerand();
ARGBEGIN{
case 'n':
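Review bot: `fuzz_seed` is now declared `long`, but the log line that prints it later in main (outside this hunk) uses `%d`; use `%ld` so the format matches the type. truerand() also returns an unsigned value, so roughly half of all default seeds will be logged as negatives, which is what the man page example shows and which atol does round-trip — a short comment on the declaration, `// default seed; may log negative, reproduce with -s`, would save the next reader the puzzle.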
@@ -79,6 +80,13 @@
usage();
nrounds = atoi(arg);
break;
+ case 's':
+ // Seed to fuzz from
+ arg = ARGF();
+ if(arg == nil)
+ usage();
+ fuzz_seed = atol(arg);
+ break;
default:
usage();
}ARGEND
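Review bot: `fuzz_seed = atol(arg)` in the new `case 's'` accepts any string and silently turns unparsable input into 0, so a mistyped seed yields a run that is neither the one requested nor flagged as wrong, and the logged seed will not match the command line; parse with `fuzz_seed = strtol(arg, &end, 10);` and call `usage()` when `end == arg || *end != '\0'`. The same applies to the existing `atoi(arg)` for `-n` just above, where a bad value quietly becomes zero rounds. strtol is in Plan 9 libc, so no new dependency is needed.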
@@ -121,7 +129,6 @@
sysfatal("Error: Invalid system call: %s", *argv);
}
- int fuzz_seed = truerand();
srand(fuzz_seed);
dolog("== Seed Value: %d ==\n", fuzz_seed);
--- a/mutate.c
+++ b/mutate.c
@@ -52,7 +52,7 @@
char*
mut_charstar()
{
- int size = (rng() % (256 + 1 - 2) + 2);
+ int size = (rng() % (64 + 1 - 2) + 2);
char* val = calloc(size, sizeof(char));
int i;
for(i = 0; i < size - 1; i++)
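Review bot: The size expression `(rng() % (64 + 1 - 2) + 2)` now appears verbatim here and in mut_ucharstar; lifting the bounds into named constants, e.g. `enum { MUT_STR_MIN = 2, MUT_STR_MAX = 64 };` and `int size = rng() % (MUT_STR_MAX - MUT_STR_MIN + 1) + MUT_STR_MIN;`, keeps the two in step and says what 2 and 64 mean. Cutting the cap from 256 to 64 also means the fuzzer no longer produces names longer than 63 bytes, so any length-driven path in the kernel's name handling is now out of reach — fine if deliberate, but the reason belongs in a comment. The rest of mut_charstar is outside the hunk.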
@@ -117,24 +117,17 @@
}*/
}
-void
-mut_ucharstar(unsigned char** in_val, int *round)
+unsigned char*
+mut_ucharstar()
{
- // if not round 1, free the previously malloc-ed memory
- if(*round != ROUND_NUM)
- free(*in_val);
-
- const int MAX_SIZE = 2048;
- int size = rng() % MAX_SIZE + 1;
-
- *in_val = malloc(sizeof(char) * size);
-
- int i;
- for(i = 0; i < size; i++)
- {
- (*in_val)[i] = rng() % 255;
- }
- (*in_val)[size - 1] = '\0';
+ int size = (rng() % (64 + 1 - 2) + 2);
+ unsigned char* val = calloc(size, sizeof(char));
+ int i;
+ for(i = 0; i < size - 1; i++)
+ {
+ val[i] = rng() % 255;
+ }
+ return val;
}
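Review bot: `rng() % 255` in the fill loop yields 0..254, so the byte 0xFF can never appear in a fuzzed buffer, and because these buffers are passed to the stat family as raw data rather than as C strings there is no need to hold back the last byte either; `val[i] = rng() % 256;` over the whole buffer covers the full byte range. The calloc result is unchecked, and the length is discarded on return, so callers cannot size the accompanying int argument to the allocation. Ownership has also moved: the old version freed the previous round's buffer itself, the new one does not, so a one-line `// caller owns the returned buffer` above the definition would make the new contract explicit.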
int
@@ -189,22 +182,12 @@
}
}
-void
-mut_longstar(long** in_val, int *round)
+long*
+mut_longstar()
{
- if(*round == ROUND_NUM)
- {
- // TODO -- check that this is correct
- in_val = (long**) malloc(sizeof(long*));
- *in_val = (long*) malloc(sizeof(long));
- **in_val = (rng() << 16) | rng();
- }
- else
- {
- **in_val = **in_val << (rng() % (4 + 1 - 0) + 0);
- // Segfaults when fuzzing sleep ↓
- **in_val = **in_val |= (rng() % (15 + 1 - 0 ) + 0);
- }
+ long* val = (long*) malloc(sizeof(long));
+ *val = (rng() << 16) | rng();
+ return val;
}
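Review bot: `(rng() << 16) | rng()` on the new value line is a signed shift; if rng() can return values with bit 15 or above set (its range is not visible here) the shift overflows a 32-bit long, which is undefined in ISO C even though the Plan 9 compilers wrap silently, and `*val = ((ulong)rng() << 16) | (ulong)rng();` gives the same bit pattern without relying on that. The malloc is unchecked and its cast is unnecessary in C. The rewrite does fix the old first-round branch that assigned to the local `in_val` instead of the caller's pointer, but the returned long is now the caller's to free, and the call sites in this commit never do.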
void
--- a/mutate.h
+++ b/mutate.h
@@ -11,7 +11,7 @@
char* mut_charstar(void);
-void mut_ucharstar(unsigned char**, int*);
+unsigned char* mut_ucharstar(void);
int mut_charstararr(char***);
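Review bot: The new `mut_ucharstar(void)` prototype returns a freshly allocated buffer but nothing in the header says the caller must free it, and the signature it replaces freed the previous round's allocation itself, so existing callers will silently leak; add `/* returns a calloc'd buffer of 2..64 bytes; caller frees */` above the declaration.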
@@ -19,7 +19,7 @@
void mut_long(long*, int*);
-void mut_longstar(long**, int*);
+long* mut_longstar(void);
void mut_ulong(unsigned long*, int*);
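Review bot: `long* mut_longstar(void)` likewise hands back a malloc'd long with no statement of who frees it, where the old in-place signature reused the caller's storage; a comment such as `/* returns a malloc'd long holding a random value; caller frees */` above it would stop call sites from overwriting the pointer without freeing.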