"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "honggfuzz.h" between
honggfuzz-2.1.tar.gz and honggfuzz-2.2.tar.gz

About: honggfuzz is a security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with powerful analysis options.

honggfuzz.h  (honggfuzz-2.1):honggfuzz.h  (honggfuzz-2.2)
skipping to change at line 41 skipping to change at line 41
#include <stdbool.h> #include <stdbool.h>
#include <stdint.h> #include <stdint.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/queue.h> #include <sys/queue.h>
#include <sys/types.h> #include <sys/types.h>
#include <time.h> #include <time.h>
#include "libhfcommon/util.h" #include "libhfcommon/util.h"
#define PROG_NAME "honggfuzz" #define PROG_NAME "honggfuzz"
#define PROG_VERSION "2.1" #define PROG_VERSION "2.2"
/* Name of the template which will be replaced with the proper name of the file */ /* Name of the template which will be replaced with the proper name of the file */
#define _HF_FILE_PLACEHOLDER "___FILE___" #define _HF_FILE_PLACEHOLDER "___FILE___"
/* Default name of the report created with some architectures */ /* Default name of the report created with some architectures */
#define _HF_REPORT_FILE "HONGGFUZZ.REPORT.TXT" #define _HF_REPORT_FILE "HONGGFUZZ.REPORT.TXT"
/* Default stack-size of created threads. */ /* Default stack-size of created threads. */
#define _HF_PTHREAD_STACKSIZE (1024ULL * 1024ULL * 2ULL) /* 2MB */ #define _HF_PTHREAD_STACKSIZE (1024ULL * 1024ULL * 2ULL) /* 2MB */
skipping to change at line 73 skipping to change at line 73
/* Size (in bytes) for report data to be stored in stack before written to file */ /* Size (in bytes) for report data to be stored in stack before written to file */
#define _HF_REPORT_SIZE 32768 #define _HF_REPORT_SIZE 32768
/* Perf bitmap size */ /* Perf bitmap size */
#define _HF_PERF_BITMAP_SIZE_16M (1024U * 1024U * 16U) #define _HF_PERF_BITMAP_SIZE_16M (1024U * 1024U * 16U)
#define _HF_PERF_BITMAP_BITSZ_MASK 0x7FFFFFFULL #define _HF_PERF_BITMAP_BITSZ_MASK 0x7FFFFFFULL
/* Maximum number of PC guards (=trace-pc-guard) we support */ /* Maximum number of PC guards (=trace-pc-guard) we support */
#define _HF_PC_GUARD_MAX (1024ULL * 1024ULL * 64ULL) #define _HF_PC_GUARD_MAX (1024ULL * 1024ULL * 64ULL)
/* Maximum size of the input file in bytes (128 MiB) */ /* Maximum size of the input file in bytes (1 MiB) */
#define _HF_INPUT_MAX_SIZE (1024ULL * 1024ULL * 128ULL) #define _HF_INPUT_MAX_SIZE (1024ULL * 1024ULL)
/* Default maximum size of produced inputs */
#define _HF_INPUT_DEFAULT_SIZE (1024ULL * 8)
/* Per-thread bitmap */
#define _HF_PERTHREAD_BITMAP_FD 1018
/* FD used to report back used int/str constants from the fuzzed process */ /* FD used to report back used int/str constants from the fuzzed process */
#define _HF_CMP_BITMAP_FD 1019 #define _HF_CMP_BITMAP_FD 1019
/* FD used to log inside the child process */ /* FD used to log inside the child process */
#define _HF_LOG_FD 1020 #define _HF_LOG_FD 1020
/* FD used to represent the input file */ /* FD used to represent the input file */
#define _HF_INPUT_FD 1021 #define _HF_INPUT_FD 1021
/* FD used to pass coverage feedback from the fuzzed process */ /* FD used to pass coverage feedback from the fuzzed process */
#define _HF_COV_BITMAP_FD 1022 #define _HF_COV_BITMAP_FD 1022
#define _HF_BITMAP_FD _HF_COV_BITMAP_FD /* Old name for _HF_COV_BITMAP_FD */ #define _HF_BITMAP_FD _HF_COV_BITMAP_FD /* Old name for _HF_COV_BITMAP_FD */
/* FD used to pass data to a persistent process */ /* FD used to pass data to a persistent process */
skipping to change at line 105 skipping to change at line 110
static const uint8_t HFReadyTag = 'R'; static const uint8_t HFReadyTag = 'R';
/* Maximum number of active fuzzing threads */ /* Maximum number of active fuzzing threads */
#define _HF_THREAD_MAX 1024U #define _HF_THREAD_MAX 1024U
/* Persistent-binary signature - if found within file, it means it's a persisten t mode binary */ /* Persistent-binary signature - if found within file, it means it's a persisten t mode binary */
#define _HF_PERSISTENT_SIG "\x01_LIBHFUZZ_PERSISTENT_BINARY_SIGNATURE_\x02\xFF" #define _HF_PERSISTENT_SIG "\x01_LIBHFUZZ_PERSISTENT_BINARY_SIGNATURE_\x02\xFF"
/* HF NetDriver signature - if found within file, it means it's a NetDriver-base d binary */ /* HF NetDriver signature - if found within file, it means it's a NetDriver-base d binary */
#define _HF_NETDRIVER_SIG "\x01_LIBHFUZZ_NETDRIVER_BINARY_SIGNATURE_\x02\xFF" #define _HF_NETDRIVER_SIG "\x01_LIBHFUZZ_NETDRIVER_BINARY_SIGNATURE_\x02\xFF"
/* printf() nonmonetary separator. According to MacOSX's man it's supported ther
e as well */
#define _HF_NONMON_SEP "'"
typedef enum { typedef enum {
_HF_DYNFILE_NONE = 0x0, _HF_DYNFILE_NONE = 0x0,
_HF_DYNFILE_INSTR_COUNT = 0x1, _HF_DYNFILE_INSTR_COUNT = 0x1,
_HF_DYNFILE_BRANCH_COUNT = 0x2, _HF_DYNFILE_BRANCH_COUNT = 0x2,
_HF_DYNFILE_BTS_EDGE = 0x10, _HF_DYNFILE_BTS_EDGE = 0x10,
_HF_DYNFILE_IPT_BLOCK = 0x20, _HF_DYNFILE_IPT_BLOCK = 0x20,
_HF_DYNFILE_SOFT = 0x40, _HF_DYNFILE_SOFT = 0x40,
} dynFileMethod_t; } dynFileMethod_t;
typedef struct { typedef struct {
uint64_t cpuInstrCnt; uint64_t cpuInstrCnt;
uint64_t cpuBranchCnt; uint64_t cpuBranchCnt;
uint64_t bbCnt; uint64_t bbCnt;
uint64_t newBBCnt; uint64_t newBBCnt;
uint64_t softCntPc; uint64_t softCntPc;
uint64_t softCntEdge; uint64_t softCntEdge;
uint64_t softCntCmp; uint64_t softCntCmp;
} hwcnt_t; } hwcnt_t;
typedef struct {
uint32_t capacity;
uint32_t* pChunks;
uint32_t nChunks;
} bitmap_t;
/* Memory map struct */
typedef struct __attribute__((packed)) {
uint64_t start; // region start addr
uint64_t end; // region end addr
uint64_t base; // region base addr
char module[NAME_MAX]; // bin/DSO name
uint64_t bbCnt;
uint64_t newBBCnt;
} memMap_t;
/* Trie node data struct */
typedef struct __attribute__((packed)) {
bitmap_t* pBM;
} trieData_t;
/* Trie node struct */
typedef struct node {
char key;
trieData_t data;
struct node* next;
struct node* prev;
struct node* children;
struct node* parent;
} node_t;
/* EOF Sanitizer coverage specific data structures */
typedef enum { typedef enum {
_HF_STATE_UNSET = 0, _HF_STATE_UNSET = 0,
_HF_STATE_STATIC, _HF_STATE_STATIC,
_HF_STATE_DYNAMIC_DRY_RUN, _HF_STATE_DYNAMIC_DRY_RUN,
_HF_STATE_DYNAMIC_MAIN, _HF_STATE_DYNAMIC_MAIN,
_HF_STATE_DYNAMIC_MINIMIZE, _HF_STATE_DYNAMIC_MINIMIZE,
} fuzzState_t; } fuzzState_t;
struct dynfile_t { typedef enum {
HF_MAYBE = -1,
HF_NO = 0,
HF_YES = 1,
} tristate_t;
struct _dynfile_t {
size_t size; size_t size;
uint64_t cov[4]; uint64_t cov[4];
size_t idx;
int fd;
uint64_t timeExecUSecs;
char path[PATH_MAX]; char path[PATH_MAX];
TAILQ_ENTRY(dynfile_t) pointers; struct _dynfile_t* src;
uint8_t data[]; uint32_t refs;
uint8_t* data;
TAILQ_ENTRY(_dynfile_t) pointers;
}; };
typedef struct _dynfile_t dynfile_t;
struct strings_t { struct strings_t {
size_t len; size_t len;
TAILQ_ENTRY(strings_t) pointers; TAILQ_ENTRY(strings_t) pointers;
char s[]; char s[];
}; };
typedef struct { typedef struct {
bool pcGuardMap[_HF_PC_GUARD_MAX]; uint8_t pcGuardMap[_HF_PC_GUARD_MAX];
uint8_t bbMapPc[_HF_PERF_BITMAP_SIZE_16M]; uint8_t bbMapPc[_HF_PERF_BITMAP_SIZE_16M];
uint32_t bbMapCmp[_HF_PERF_BITMAP_SIZE_16M]; uint32_t bbMapCmp[_HF_PERF_BITMAP_SIZE_16M];
uint64_t pidFeedbackPc[_HF_THREAD_MAX]; uint64_t pidNewPC[_HF_THREAD_MAX];
uint64_t pidFeedbackEdge[_HF_THREAD_MAX]; uint64_t pidNewEdge[_HF_THREAD_MAX];
uint64_t pidFeedbackCmp[_HF_THREAD_MAX]; uint64_t pidNewCmp[_HF_THREAD_MAX];
uint64_t guardNb; uint64_t guardNb;
uint64_t pidTotalPC[_HF_THREAD_MAX];
uint64_t pidTotalEdge[_HF_THREAD_MAX];
uint64_t pidTotalCmp[_HF_THREAD_MAX];
} feedback_t; } feedback_t;
typedef struct { typedef struct {
uint32_t cnt; uint32_t cnt;
struct { struct {
uint8_t val[32]; uint8_t val[32];
uint32_t len; uint32_t len;
} valArr[1024 * 16]; } valArr[1024 * 16];
} cmpfeedback_t; } cmpfeedback_t;
skipping to change at line 211 skipping to change at line 202
uint32_t threadsActiveCnt; uint32_t threadsActiveCnt;
pthread_t mainThread; pthread_t mainThread;
pid_t mainPid; pid_t mainPid;
pthread_t threads[_HF_THREAD_MAX]; pthread_t threads[_HF_THREAD_MAX];
} threads; } threads;
struct { struct {
const char* inputDir; const char* inputDir;
const char* outputDir; const char* outputDir;
DIR* inputDirPtr; DIR* inputDirPtr;
size_t fileCnt; size_t fileCnt;
size_t testedFileCnt;
const char* fileExtn; const char* fileExtn;
bool fileCntDone; size_t maxFileSz;
size_t newUnitsAdded; size_t newUnitsAdded;
char workDir[PATH_MAX]; char workDir[PATH_MAX];
const char* crashDir; const char* crashDir;
const char* covDirNew; const char* covDirNew;
bool saveUnique; bool saveUnique;
size_t dynfileqMaxSz;
size_t dynfileqCnt; size_t dynfileqCnt;
pthread_rwlock_t dynfileq_mutex; pthread_rwlock_t dynfileq_mutex;
struct dynfile_t* dynfileqCurrent; dynfile_t* dynfileqCurrent;
TAILQ_HEAD(dyns_t, dynfile_t) dynfileq; dynfile_t* dynfileq2Current;
TAILQ_HEAD(dyns_t, _dynfile_t) dynfileq;
bool exportFeedback; bool exportFeedback;
} io; } io;
struct { struct {
int argc; int argc;
const char* const* cmdline; const char* const* cmdline;
bool nullifyStdio; bool nullifyStdio;
bool fuzzStdin; bool fuzzStdin;
const char* externalCommand; const char* externalCommand;
const char* postExternalCommand; const char* postExternalCommand;
const char* feedbackMutateCommand; const char* feedbackMutateCommand;
skipping to change at line 249 skipping to change at line 243
bool clearEnv; bool clearEnv;
char* env_ptrs[128]; char* env_ptrs[128];
char env_vals[128][4096]; char env_vals[128][4096];
sigset_t waitSigSet; sigset_t waitSigSet;
} exe; } exe;
struct { struct {
time_t timeStart; time_t timeStart;
time_t runEndTime; time_t runEndTime;
time_t tmOut; time_t tmOut;
time_t lastCovUpdate; time_t lastCovUpdate;
int64_t timeOfLongestUnitInMilliseconds; int64_t timeOfLongestUnitUSecs;
bool tmoutVTALRM; bool tmoutVTALRM;
} timing; } timing;
struct { struct {
const char* dictionaryFile; struct {
TAILQ_HEAD(strq_t, strings_t) dictq; uint8_t val[256];
size_t len;
} dictionary[1024];
size_t dictionaryCnt; size_t dictionaryCnt;
const char* dictionaryFile;
size_t mutationsMax; size_t mutationsMax;
unsigned mutationsPerRun; unsigned mutationsPerRun;
size_t maxFileSz; size_t maxInputSz;
} mutate; } mutate;
struct { struct {
bool useScreen; bool useScreen;
char cmdline_txt[65]; char cmdline_txt[65];
int64_t lastDisplayMillis; int64_t lastDisplayUSecs;
} display; } display;
struct { struct {
bool useVerifier; bool useVerifier;
bool exitUponCrash; bool exitUponCrash;
const char* reportFile; const char* reportFile;
pthread_mutex_t report_mutex; pthread_mutex_t report_mutex;
size_t dynFileIterExpire; size_t dynFileIterExpire;
bool only_printable; bool only_printable;
bool minimize; bool minimize;
bool switchingToFDM; bool switchingToFDM;
skipping to change at line 291 skipping to change at line 288
feedback_t* covFeedbackMap; feedback_t* covFeedbackMap;
int covFeedbackFd; int covFeedbackFd;
pthread_mutex_t covFeedback_mutex; pthread_mutex_t covFeedback_mutex;
cmpfeedback_t* cmpFeedbackMap; cmpfeedback_t* cmpFeedbackMap;
int cmpFeedbackFd; int cmpFeedbackFd;
bool cmpFeedback; bool cmpFeedback;
const char* blacklistFile; const char* blacklistFile;
uint64_t* blacklist; uint64_t* blacklist;
size_t blacklistCnt; size_t blacklistCnt;
bool skipFeedbackOnTimeout; bool skipFeedbackOnTimeout;
uint64_t maxCov[4];
dynFileMethod_t dynFileMethod; dynFileMethod_t dynFileMethod;
hwcnt_t hwCnts;
} feedback; } feedback;
struct { struct {
size_t mutationsCnt; size_t mutationsCnt;
size_t crashesCnt; size_t crashesCnt;
size_t uniqueCrashesCnt; size_t uniqueCrashesCnt;
size_t verifiedCrashesCnt; size_t verifiedCrashesCnt;
size_t blCrashesCnt; size_t blCrashesCnt;
size_t timeoutedCnt; size_t timeoutedCnt;
} cnts; } cnts;
struct { struct {
bool enabled; bool enabled;
int serverSocket; int serverSocket;
int clientSocket; int clientSocket;
} socketFuzzer; } socketFuzzer;
/* For the Linux code */ /* For the Linux code */
struct { struct {
int exeFd; int exeFd;
hwcnt_t hwCnts;
uint64_t dynamicCutOffAddr; uint64_t dynamicCutOffAddr;
bool disableRandomization; bool disableRandomization;
void* ignoreAddr; void* ignoreAddr;
const char* symsBlFile; const char* symsBlFile;
char** symsBl; char** symsBl;
size_t symsBlCnt; size_t symsBlCnt;
const char* symsWlFile; const char* symsWlFile;
char** symsWl; char** symsWl;
size_t symsWlCnt; size_t symsWlCnt;
uintptr_t cloneFlags; uintptr_t cloneFlags;
tristate_t useNetNs;
bool kernelOnly; bool kernelOnly;
bool useClone; bool useClone;
} linux; } arch_linux;
/* For the NetBSD code */ /* For the NetBSD code */
struct { struct {
void* ignoreAddr; void* ignoreAddr;
const char* symsBlFile; const char* symsBlFile;
char** symsBl; char** symsBl;
size_t symsBlCnt; size_t symsBlCnt;
const char* symsWlFile; const char* symsWlFile;
char** symsWl; char** symsWl;
size_t symsWlCnt; size_t symsWlCnt;
} netbsd; } arch_netbsd;
} honggfuzz_t; } honggfuzz_t;
typedef enum { typedef enum {
_HF_RS_UNKNOWN = 0, _HF_RS_UNKNOWN = 0,
_HF_RS_WAITING_FOR_INITIAL_READY = 1, _HF_RS_WAITING_FOR_INITIAL_READY = 1,
_HF_RS_WAITING_FOR_READY = 2, _HF_RS_WAITING_FOR_READY = 2,
_HF_RS_SEND_DATA = 3, _HF_RS_SEND_DATA = 3,
} runState_t; } runState_t;
typedef struct { typedef struct {
honggfuzz_t* global; honggfuzz_t* global;
pid_t pid; pid_t pid;
int64_t timeStartedMillis; int64_t timeStartedUSecs;
char origFileName[PATH_MAX];
char crashFileName[PATH_MAX]; char crashFileName[PATH_MAX];
uint64_t pc; uint64_t pc;
uint64_t backtrace; uint64_t backtrace;
uint64_t access; uint64_t access;
int exception; int exception;
char report[_HF_REPORT_SIZE]; char report[_HF_REPORT_SIZE];
bool mainWorker; bool mainWorker;
unsigned mutationsPerRun; unsigned mutationsPerRun;
uint8_t* dynamicFile; dynfile_t* dynfile;
size_t dynamicFileSz; bool staticFileTryMore;
int dynamicFileFd;
uint32_t fuzzNo; uint32_t fuzzNo;
int persistentSock; int persistentSock;
bool waitingForReady; bool waitingForReady;
runState_t runState; runState_t runState;
bool tmOutSignaled; bool tmOutSignaled;
char* args[_HF_ARGS_MAX + 1]; char* args[_HF_ARGS_MAX + 1];
int perThreadCovFeedbackFd;
unsigned triesLeft;
dynfile_t* current;
#if !defined(_HF_ARCH_DARWIN) #if !defined(_HF_ARCH_DARWIN)
timer_t timerId; timer_t timerId;
#endif // !defined(_HF_ARCH_DARWIN) #endif // !defined(_HF_ARCH_DARWIN)
hwcnt_t hwCnts;
struct { struct {
/* For Linux code */ /* For Linux code */
uint8_t* perfMmapBuf; uint8_t* perfMmapBuf;
uint8_t* perfMmapAux; uint8_t* perfMmapAux;
hwcnt_t hwCnts;
int cpuInstrFd; int cpuInstrFd;
int cpuBranchFd; int cpuBranchFd;
int cpuIptBtsFd; int cpuIptBtsFd;
} linux; } arch_linux;
struct { struct {
/* For NetBSD code */ /* For NetBSD code */
uint8_t* perfMmapBuf; uint8_t* perfMmapBuf;
uint8_t* perfMmapAux; uint8_t* perfMmapAux;
hwcnt_t hwCnts;
int cpuInstrFd; int cpuInstrFd;
int cpuBranchFd; int cpuBranchFd;
int cpuIptBtsFd; int cpuIptBtsFd;
} netbsd; } arch_netbsd;
} run_t; } run_t;
/* /*
* Go-style defer scoped implementation * Go-style defer scoped implementation
* *
* When compiled with clang, use: -fblocks -lBlocksRuntime * When compiled with clang, use: -fblocks -lBlocksRuntime
* *
* Example of use: * Example of use:
* *
* { * {
 End of changes. 35 change blocks. 
63 lines changed or deleted 63 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)