| fuzz.c (294328) | fuzz.c (294332) |
|---|---|
| 1/* $OpenBSD: fuzz.c,v 1.3 2014/05/02 09:41:32 andre Exp $ */ | 1/* $OpenBSD: fuzz.c,v 1.8 2015/03/03 20:42:49 djm Exp $ */ |
| 2/* 3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES --- 5 unchanged lines hidden (view full) --- 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18/* Utility functions/framework for fuzz tests */ 19 20#include "includes.h" 21 22#include <sys/types.h> | 2/* 3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES --- 5 unchanged lines hidden (view full) --- 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18/* Utility functions/framework for fuzz tests */ 19 20#include "includes.h" 21 22#include <sys/types.h> |
| 23#include <sys/uio.h> |
|
| 23 24#include <assert.h> 25#include <ctype.h> 26#include <stdio.h> 27#ifdef HAVE_STDINT_H 28# include <stdint.h> 29#endif 30#include <stdlib.h> 31#include <string.h> | 24 25#include <assert.h> 26#include <ctype.h> 27#include <stdio.h> 28#ifdef HAVE_STDINT_H 29# include <stdint.h> 30#endif 31#include <stdlib.h> 32#include <string.h> |
| 32#include <assert.h> | 33#include <signal.h> 34#include <unistd.h> |
| 33 34#include "test_helper.h" | 35 36#include "test_helper.h" |
| 37#include "atomicio.h" |
|
| 35 36/* #define FUZZ_DEBUG */ 37 38#ifdef FUZZ_DEBUG 39# define FUZZ_DBG(x) do { \ 40 printf("%s:%d %s: ", __FILE__, __LINE__, __func__); \ 41 printf x; \ 42 printf("\n"); \ --- 48 unchanged lines hidden (view full) --- 91 return "FUZZ_TRUNCATE_END"; 92 case FUZZ_BASE64: 93 return "FUZZ_BASE64"; 94 default: 95 abort(); 96 } 97} 98 | 38 39/* #define FUZZ_DEBUG */ 40 41#ifdef FUZZ_DEBUG 42# define FUZZ_DBG(x) do { \ 43 printf("%s:%d %s: ", __FILE__, __LINE__, __func__); \ 44 printf x; \ 45 printf("\n"); \ --- 48 unchanged lines hidden (view full) --- 94 return "FUZZ_TRUNCATE_END"; 95 case FUZZ_BASE64: 96 return "FUZZ_BASE64"; 97 default: 98 abort(); 99 } 100} 101 |
| 99void 100fuzz_dump(struct fuzz *fuzz) | 102static int 103fuzz_fmt(struct fuzz *fuzz, char *s, size_t n) |
| 101{ | 104{ |
| 102 u_char *p = fuzz_ptr(fuzz); 103 size_t i, j, len = fuzz_len(fuzz); | 105 if (fuzz == NULL) 106 return -1; |
| 104 105 switch (fuzz->strategy) { 106 case FUZZ_1_BIT_FLIP: | 107 108 switch (fuzz->strategy) { 109 case FUZZ_1_BIT_FLIP: |
| 107 fprintf(stderr, "%s case %zu of %zu (bit: %zu)\n", | 110 snprintf(s, n, "%s case %zu of %zu (bit: %zu)\n", |
| 108 fuzz_ntop(fuzz->strategy), 109 fuzz->o1, fuzz->slen * 8, fuzz->o1); | 111 fuzz_ntop(fuzz->strategy), 112 fuzz->o1, fuzz->slen * 8, fuzz->o1); |
| 110 break; | 113 return 0; |
| 111 case FUZZ_2_BIT_FLIP: | 114 case FUZZ_2_BIT_FLIP: |
| 112 fprintf(stderr, "%s case %llu of %llu (bits: %zu, %zu)\n", | 115 snprintf(s, n, "%s case %llu of %llu (bits: %zu, %zu)\n", |
| 113 fuzz_ntop(fuzz->strategy), 114 (((fuzz_ullong)fuzz->o2) * fuzz->slen * 8) + fuzz->o1, 115 ((fuzz_ullong)fuzz->slen * 8) * fuzz->slen * 8, 116 fuzz->o1, fuzz->o2); | 116 fuzz_ntop(fuzz->strategy), 117 (((fuzz_ullong)fuzz->o2) * fuzz->slen * 8) + fuzz->o1, 118 ((fuzz_ullong)fuzz->slen * 8) * fuzz->slen * 8, 119 fuzz->o1, fuzz->o2); |
| 117 break; | 120 return 0; |
| 118 case FUZZ_1_BYTE_FLIP: | 121 case FUZZ_1_BYTE_FLIP: |
| 119 fprintf(stderr, "%s case %zu of %zu (byte: %zu)\n", | 122 snprintf(s, n, "%s case %zu of %zu (byte: %zu)\n", |
| 120 fuzz_ntop(fuzz->strategy), 121 fuzz->o1, fuzz->slen, fuzz->o1); | 123 fuzz_ntop(fuzz->strategy), 124 fuzz->o1, fuzz->slen, fuzz->o1); |
| 122 break; | 125 return 0; |
| 123 case FUZZ_2_BYTE_FLIP: | 126 case FUZZ_2_BYTE_FLIP: |
| 124 fprintf(stderr, "%s case %llu of %llu (bytes: %zu, %zu)\n", | 127 snprintf(s, n, "%s case %llu of %llu (bytes: %zu, %zu)\n", |
| 125 fuzz_ntop(fuzz->strategy), 126 (((fuzz_ullong)fuzz->o2) * fuzz->slen) + fuzz->o1, 127 ((fuzz_ullong)fuzz->slen) * fuzz->slen, 128 fuzz->o1, fuzz->o2); | 128 fuzz_ntop(fuzz->strategy), 129 (((fuzz_ullong)fuzz->o2) * fuzz->slen) + fuzz->o1, 130 ((fuzz_ullong)fuzz->slen) * fuzz->slen, 131 fuzz->o1, fuzz->o2); |
| 129 break; | 132 return 0; |
| 130 case FUZZ_TRUNCATE_START: | 133 case FUZZ_TRUNCATE_START: |
| 131 fprintf(stderr, "%s case %zu of %zu (offset: %zu)\n", | 134 snprintf(s, n, "%s case %zu of %zu (offset: %zu)\n", |
| 132 fuzz_ntop(fuzz->strategy), 133 fuzz->o1, fuzz->slen, fuzz->o1); | 135 fuzz_ntop(fuzz->strategy), 136 fuzz->o1, fuzz->slen, fuzz->o1); |
| 134 break; | 137 return 0; |
| 135 case FUZZ_TRUNCATE_END: | 138 case FUZZ_TRUNCATE_END: |
| 136 fprintf(stderr, "%s case %zu of %zu (offset: %zu)\n", | 139 snprintf(s, n, "%s case %zu of %zu (offset: %zu)\n", |
| 137 fuzz_ntop(fuzz->strategy), 138 fuzz->o1, fuzz->slen, fuzz->o1); | 140 fuzz_ntop(fuzz->strategy), 141 fuzz->o1, fuzz->slen, fuzz->o1); |
| 139 break; | 142 return 0; |
| 140 case FUZZ_BASE64: 141 assert(fuzz->o2 < sizeof(fuzz_b64chars) - 1); | 143 case FUZZ_BASE64: 144 assert(fuzz->o2 < sizeof(fuzz_b64chars) - 1); |
| 142 fprintf(stderr, "%s case %llu of %llu (offset: %zu char: %c)\n", | 145 snprintf(s, n, "%s case %llu of %llu (offset: %zu char: %c)\n", |
| 143 fuzz_ntop(fuzz->strategy), 144 (fuzz->o1 * (fuzz_ullong)64) + fuzz->o2, 145 fuzz->slen * (fuzz_ullong)64, fuzz->o1, 146 fuzz_b64chars[fuzz->o2]); | 146 fuzz_ntop(fuzz->strategy), 147 (fuzz->o1 * (fuzz_ullong)64) + fuzz->o2, 148 fuzz->slen * (fuzz_ullong)64, fuzz->o1, 149 fuzz_b64chars[fuzz->o2]); |
| 147 break; | 150 return 0; |
| 148 default: | 151 default: |
| 152 return -1; |
|
| 149 abort(); 150 } | 153 abort(); 154 } |
| 155} |
|
| 151 | 156 |
| 152 fprintf(stderr, "fuzz context %p len = %zu\n", fuzz, len); | 157static void 158dump(u_char *p, size_t len) 159{ 160 size_t i, j; 161 |
| 153 for (i = 0; i < len; i += 16) { 154 fprintf(stderr, "%.4zd: ", i); 155 for (j = i; j < i + 16; j++) { 156 if (j < len) 157 fprintf(stderr, "%02x ", p[j]); 158 else 159 fprintf(stderr, " "); 160 } --- 5 unchanged lines hidden (view full) --- 166 else 167 fprintf(stderr, "."); 168 } 169 } 170 fprintf(stderr, "\n"); 171 } 172} 173 | 162 for (i = 0; i < len; i += 16) { 163 fprintf(stderr, "%.4zd: ", i); 164 for (j = i; j < i + 16; j++) { 165 if (j < len) 166 fprintf(stderr, "%02x ", p[j]); 167 else 168 fprintf(stderr, " "); 169 } --- 5 unchanged lines hidden (view full) --- 175 else 176 fprintf(stderr, "."); 177 } 178 } 179 fprintf(stderr, "\n"); 180 } 181} 182 |
| 183void 184fuzz_dump(struct fuzz *fuzz) 185{ 186 char buf[256]; 187 188 if (fuzz_fmt(fuzz, buf, sizeof(buf)) != 0) { 189 fprintf(stderr, "%s: fuzz invalid\n", __func__); 190 abort(); 191 } 192 fputs(buf, stderr); 193 fprintf(stderr, "fuzz original %p len = %zu\n", fuzz->seed, fuzz->slen); 194 dump(fuzz->seed, fuzz->slen); 195 fprintf(stderr, "fuzz context %p len = %zu\n", fuzz, fuzz_len(fuzz)); 196 dump(fuzz_ptr(fuzz), fuzz_len(fuzz)); 197} 198 199#ifdef SIGINFO 200static struct fuzz *last_fuzz; 201 202static void 203siginfo(int unused __attribute__((__unused__))) 204{ 205 char buf[256]; 206 207 test_info(buf, sizeof(buf)); 208 atomicio(vwrite, STDERR_FILENO, buf, strlen(buf)); 209 if (last_fuzz != NULL) { 210 fuzz_fmt(last_fuzz, buf, sizeof(buf)); 211 atomicio(vwrite, STDERR_FILENO, buf, strlen(buf)); 212 } 213} 214#endif 215 |
|
| 174struct fuzz * 175fuzz_begin(u_int strategies, const void *p, size_t l) 176{ 177 struct fuzz *ret = calloc(sizeof(*ret), 1); 178 179 assert(p != NULL); 180 assert(ret != NULL); 181 ret->seed = malloc(l); 182 assert(ret->seed != NULL); 183 memcpy(ret->seed, p, l); 184 ret->slen = l; 185 ret->strategies = strategies; 186 187 assert(ret->slen < SIZE_MAX / 8); 188 assert(ret->strategies <= (FUZZ_MAX|(FUZZ_MAX-1))); 189 190 FUZZ_DBG(("begin, ret = %p", ret)); 191 192 fuzz_next(ret); | 216struct fuzz * 217fuzz_begin(u_int strategies, const void *p, size_t l) 218{ 219 struct fuzz *ret = calloc(sizeof(*ret), 1); 220 221 assert(p != NULL); 222 assert(ret != NULL); 223 ret->seed = malloc(l); 224 assert(ret->seed != NULL); 225 memcpy(ret->seed, p, l); 226 ret->slen = l; 227 ret->strategies = strategies; 228 229 assert(ret->slen < SIZE_MAX / 8); 230 assert(ret->strategies <= (FUZZ_MAX|(FUZZ_MAX-1))); 231 232 FUZZ_DBG(("begin, ret = %p", ret)); 233 234 fuzz_next(ret); |
| 235 236#ifdef SIGINFO 237 last_fuzz = ret; 238 signal(SIGINFO, siginfo); 239#endif 240 |
|
| 193 return ret; 194} 195 196void 197fuzz_cleanup(struct fuzz *fuzz) 198{ 199 FUZZ_DBG(("cleanup, fuzz = %p", fuzz)); | 241 return ret; 242} 243 244void 245fuzz_cleanup(struct fuzz *fuzz) 246{ 247 FUZZ_DBG(("cleanup, fuzz = %p", fuzz)); |
| 248#ifdef SIGINFO 249 last_fuzz = NULL; 250 signal(SIGINFO, SIG_DFL); 251#endif |
|
| 200 assert(fuzz != NULL); 201 assert(fuzz->seed != NULL); 202 assert(fuzz->fuzzed != NULL); 203 free(fuzz->seed); 204 free(fuzz->fuzzed); 205 free(fuzz); 206} 207 --- 113 unchanged lines hidden (view full) --- 321 } 322 323 FUZZ_DBG(("done, fuzz = %p, strategy = %s, strategies = 0x%lx, " 324 "o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy), 325 (u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen)); 326} 327 328int | 252 assert(fuzz != NULL); 253 assert(fuzz->seed != NULL); 254 assert(fuzz->fuzzed != NULL); 255 free(fuzz->seed); 256 free(fuzz->fuzzed); 257 free(fuzz); 258} 259 --- 113 unchanged lines hidden (view full) --- 373 } 374 375 FUZZ_DBG(("done, fuzz = %p, strategy = %s, strategies = 0x%lx, " 376 "o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy), 377 (u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen)); 378} 379 380int |
| 381fuzz_matches_original(struct fuzz *fuzz) 382{ 383 if (fuzz_len(fuzz) != fuzz->slen) 384 return 0; 385 return memcmp(fuzz_ptr(fuzz), fuzz->seed, fuzz->slen) == 0; 386} 387 388int |
|
| 329fuzz_done(struct fuzz *fuzz) 330{ 331 FUZZ_DBG(("fuzz = %p, strategies = 0x%lx", fuzz, 332 (u_long)fuzz->strategies)); 333 334 return fuzz_strategy_done(fuzz) && fuzz->strategies == 0; 335} 336 --- 42 unchanged lines hidden --- | 389fuzz_done(struct fuzz *fuzz) 390{ 391 FUZZ_DBG(("fuzz = %p, strategies = 0x%lx", fuzz, 392 (u_long)fuzz->strategies)); 393 394 return fuzz_strategy_done(fuzz) && fuzz->strategies == 0; 395} 396 --- 42 unchanged lines hidden --- |