/*
   american fuzzy lop++ - sample argv fuzzing wrapper
   ------------------------------------------------

   Originally written by Michal Zalewski

   Copyright 2015 Google Inc. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:

     http://www.apache.org/licenses/LICENSE-2.0

   This file shows a simple way to fuzz command-line parameters with stock
   afl-fuzz. To use, add:

   #include "/path/to/argv-fuzz-inl.h"

   ...to the file containing main(), ideally placing it after all the
   standard includes. Next, put AFL_INIT_ARGV(); near the very beginning of
   main().

   This will cause the program to read NUL-delimited input from stdin and
   put it in argv[]. Two subsequent NULs terminate the array. Empty
   params are encoded as a lone 0x02. A parameter that is itself a lone
   0x02 can't be generated, but that shouldn't matter in real life.

   If you would like to always preserve argv[0], use this instead:
   AFL_INIT_SET0("prog_name");

   To enable persistent fuzzing, use the AFL_INIT_ARGV_PERSISTENT macro with
   buf as argument, or use AFL_INIT_SET0_PERSISTENT("prog_name", buf)
   to preserve argv[0]. buf is a pointer to a buffer containing
   the input data for the current test case being processed, defined as:
   unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;
*/
38*08b48e0bSAndroid Build Coastguard Worker 
39*08b48e0bSAndroid Build Coastguard Worker #ifndef _HAVE_ARGV_FUZZ_INL
40*08b48e0bSAndroid Build Coastguard Worker #define _HAVE_ARGV_FUZZ_INL
41*08b48e0bSAndroid Build Coastguard Worker 
42*08b48e0bSAndroid Build Coastguard Worker #include <stdlib.h>
43*08b48e0bSAndroid Build Coastguard Worker #include <unistd.h>
44*08b48e0bSAndroid Build Coastguard Worker 
/* Swap main()'s command line for one decoded from stdin.

   Expands in place, so `argc` and `argv` must be the enclosing function's
   own variables. After the expansion the real command line is no longer
   reachable through them, which is why this belongs in fuzzing builds
   only. */
#define AFL_INIT_ARGV()          \
  do {                           \
    argv = afl_init_argv(&argc); \
  } while (0)
51*08b48e0bSAndroid Build Coastguard Worker 
/* Like AFL_INIT_ARGV(), but argv[0] is always forced to `_p`.

   The fuzzer-supplied first parameter (if any) is overwritten, and an empty
   input still yields argc == 1 so the target sees a program name. `_p` is
   stored as-is; it has to outlive every use of argv. */
#define AFL_INIT_SET0(_p)        \
  do {                           \
    argv = afl_init_argv(&argc); \
    argv[0] = (_p);              \
    if (argc == 0) argc = 1;     \
  } while (0)
60*08b48e0bSAndroid Build Coastguard Worker 
/* Persistent-mode variant of AFL_INIT_ARGV(): the command line is decoded
   from `persistent_buff` instead of stdin.

   Expands in place, so `argc` and `argv` must be the enclosing function's
   own variables. No length is passed along; the buffer is scanned until two
   consecutive NUL bytes are found. */
#define AFL_INIT_ARGV_PERSISTENT(persistent_buff)            \
  do {                                                       \
    argv = afl_init_argv_persistent(&argc, persistent_buff); \
  } while (0)
67*08b48e0bSAndroid Build Coastguard Worker 
/* Persistent-mode variant of AFL_INIT_SET0(): decode the command line from
   `persistent_buff`, then force argv[0] to `_p`.

   An empty test case still yields argc == 1. No length is passed along; the
   buffer is scanned until two consecutive NUL bytes are found. */
#define AFL_INIT_SET0_PERSISTENT(_p, persistent_buff)        \
  do {                                                       \
    argv = afl_init_argv_persistent(&argc, persistent_buff); \
    argv[0] = (_p);                                          \
    if (argc == 0) argc = 1;                                 \
  } while (0)
76*08b48e0bSAndroid Build Coastguard Worker 
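/* Limits for the reconstructed command line: bytes held in the stdin buffer
   (the last two are reserved for the terminating NULs) and slots in the
   argv[] array (the last usable one is reserved for the terminating NULL).
   Both names are #undef'd after the two functions so they do not leak into
   the including file. */
#define MAX_CMDLINE_LEN 100000
#define MAX_CMDLINE_PAR 50000

/* Build an argv[] array from NUL-delimited data read from stdin.

   One read() of at most MAX_CMDLINE_LEN - 2 bytes is issued on fd 0; longer
   input is cut off there and a short read is not retried. If read() returns
   less than one byte the process ends with _exit(1). The data is split in
   place: each NUL-terminated run becomes one parameter, and a parameter
   consisting of the single byte 0x02 is turned into an empty string.

   *argc receives the number of parameters. The returned array and the
   strings it points to live in static storage, so a later call overwrites
   them. argv[argc] is always NULL, as a real main() would see it. */
static char **afl_init_argv(int *argc) {

  static char  in_buf[MAX_CMDLINE_LEN];
  static char *ret[MAX_CMDLINE_PAR];

  char *ptr = in_buf;
  int   rc = 0;

  /* Leave two bytes free for the double-NUL end marker written below. */
  ssize_t num = read(0, in_buf, MAX_CMDLINE_LEN - 2);
  if (num < 1) { _exit(1); }
  in_buf[num] = '\0';
  in_buf[num + 1] = '\0';

  /* Stop one slot early so the NULL terminator always fits. */
  while (*ptr && rc < MAX_CMDLINE_PAR - 1) {

    ret[rc] = ptr;
    /* Lone 0x02 encodes an empty parameter: point at its NUL instead. */
    if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
    rc++;

    /* Skip to the byte after this parameter's terminator. The second
       trailing NUL guarantees that byte is still inside in_buf. */
    while (*ptr)
      ptr++;
    ptr++;

  }

  /* Terminate explicitly instead of relying on the array's initial zero
     state, which no longer holds once the function has been called before.
     ret[1] is cleared as well for empty input, because AFL_INIT_SET0 then
     raises argc from 0 to 1 and argv[1] becomes the terminator slot. */
  ret[rc] = NULL;
  if (rc == 0) ret[1] = NULL;

  *argc = rc;

  return ret;

}

/* Build an argv[] array from a NUL-delimited test case held in memory.

   persistent_buff is split in place using the same encoding as
   afl_init_argv(): parameters are NUL-terminated, two consecutive NULs end
   the list, and a lone 0x02 stands for an empty parameter.

   No length is passed in, so the scan trusts the buffer to contain the
   double-NUL end marker; a test case without one is read past its end.
   NOTE(review): callers should confirm the buffer is terminated, e.g. by
   checking it against __AFL_FUZZ_TESTCASE_LEN before calling.

   *argc receives the number of parameters. The returned array is static and
   reused on every call, and its entries point into persistent_buff, so they
   are only valid while that test case is. argv[argc] is always NULL. */
static char **afl_init_argv_persistent(int           *argc,
                                       unsigned char *persistent_buff) {

  static char *ret[MAX_CMDLINE_PAR];

  unsigned char *ptr = persistent_buff;
  int            rc = 0;

  /* Stop one slot early so the NULL terminator always fits. */
  while (*ptr && rc < MAX_CMDLINE_PAR - 1) {

    ret[rc] = (char *)ptr;
    /* Lone 0x02 encodes an empty parameter: point at its NUL instead. */
    if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
    rc++;

    /* Skip to the byte after this parameter's terminator. */
    while (*ptr)
      ptr++;
    ptr++;

  }

  /* The array is reused across persistent iterations, so entries left over
     from a longer, earlier test case would otherwise sit at argv[argc] and
     beyond. ret[1] is cleared as well for empty input, because
     AFL_INIT_SET0_PERSISTENT then raises argc from 0 to 1 and argv[1]
     becomes the terminator slot. */
  ret[rc] = NULL;
  if (rc == 0) ret[1] = NULL;

  *argc = rc;

  return ret;

}

#undef MAX_CMDLINE_LEN
#undef MAX_CMDLINE_PAR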
139*08b48e0bSAndroid Build Coastguard Worker 
140*08b48e0bSAndroid Build Coastguard Worker #endif                                              /* !_HAVE_ARGV_FUZZ_INL */