🌪️ Application fuzzer
License: Do What The F*ck You Want To Public License
About zzuf:
zzuf is a transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input. zzuf's behaviour is deterministic, making it easy to reproduce bugs.
For instructions and examples on how to use zzuf, see the manual page and the website at http://caca.zoy.org/wiki/zzuf.
Running zzuf on libxml2 on Ububtu x86_64 , always give below issue
zzuf -s 0:10000 -c -C 0 -q -T 3 objdump -x ./xmllint
zzuf[s=244,r=0.004]: signal 9 (memory exceeded?)
zzuf[s=455,r=0.004]: signal 9 (memory exceeded?)
zzuf[s=1163,r=0.004]: signal 9 (memory exceeded?)
It cannot be debugged further.
How to resolve this ?
Hi, I'm a package maintainer maintaining zzuf and via CI i have detected that the latest HEAD (192812e) is failing because of a FAIL in check-win32.
I'm running on Linux, i'm not fully sure if thats a win32-only test or not. If yes, maybe this test should simply be skipped if not running in win32, otherwise some investigation may be needed.
PASS: check-zzuf-A-autoinc
PASS: check-zzuf-f-fuzzing
PASS: check-zzuf-m-md5
PASS: check-zzuf-M-max-memory
PASS: check-zzuf-r-ratio
PASS: check-source
FAIL: check-win32
PASS: check-overflow
PASS: check-div0
PASS: check-utils
PASS: check-mmap
============================================================================
Testsuite summary for zzuf 0.15
============================================================================
# TOTAL: 11
# PASS: 10
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
Hi,
I recently build zzuf latest release (0.14) on debian testing, x64, with afl-clang (3.5.2/1.83b) with ASAN enabled, and got the following result:
test-suite log: https://gist.github.com/0x64616E69656C/be237dfcb949f0555927
Binary output: https://gist.github.com/0x64616E69656C/c6e75ed5a9fc5e4a57bc
Hey, first: thanks for this great project 😄
the last announced release is kind of old (zzuf-0.13.tar.gz (31 January 2010)). It would be cool if you could create a new release like 0.14.
I would highly appreciate if you can create a git tag for that, as github offers source tarballs for tags (which are great for downloading sources for packages).
Also you may want to update the ancient version provided at http://caca.zoy.org/wiki/zzuf
This would ease packaging zzuf 👍
cheers
anthraxx
How to compile zzuf with VisualStudio? Is there any more docs about the build steps?
Popped up in https://bugs.gentoo.org/show_bug.cgi?id=613130 where
user tried first example from tutorial:
zzuf hexdump -vn 32 /dev/zero
0000000 0000 0000 0000 0000 0000 0000 0000 0000
0000010 0000 0000 0000 0000 0000 0000 0000 0000
0000020
Unfortunately /dev/zero is not handled nicely by (at leat) glibc-2.24:
// $ cat a.c
#include <stdio.h>
int main() {
FILE * f = fopen("/dev/zero", "r");
char b[15];
long o1 = ftell (f);
fread (b, 1, sizeof (b), f);
long o2 = ftell (f);
printf ("advanced at = %lu [%li/%li]\n", o2 - o1, o1, o2);
return 0;
}$ gcc a.c -o a && ./a
advanced at = 18446744073709551615 [0/-1]
zzuf has a few FIXMEs around this case:
src/libzzuf/lib-stream.c: /* FIXME: ftell() will return -1 on a pipe such as stdin */ \
src/libzzuf/lib-stream.c: /* FIXME: ftell() will return -1 on a pipe such as stdin */ \
src/libzzuf/lib-stream.c: /* FIXME: ftell() will return -1 on a pipe such as stdin */ \
src/libzzuf/lib-stream.c: /* FIXME: ftell() will return -1 on a pipe such as stdin */ \
I suggest tweaking tutorial to use normal file and adding a warnings into zzuf when
ZZ_FTELL returns negative values.
WDYT?
Thanks!
zzone.c: In function ‘main’: zzone.c:59:9: warning: ignoring return value of ‘fread’, declared with attribute warn_unused_result [-Wunused-result] fread(tmp, size, 1, stdin); ^~~~~~~~~~~~~~~~~~~~~~~~~~
libzzuf/debug.c: In function ‘mydebug’: libzzuf/debug.c:186:9: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(g_debug_fd, debug_buffer, debug_count); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ libzzuf/debug.c:327:9: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(g_debug_fd, debug_buffer, debug_count); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zzuf.c: In function ‘spawn_children’: zzuf.c:782:17: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write(fdout, buf, n); ^~~~~~~~~~~~~~~~~~~~ zzuf.c: In function ‘read_children’: zzuf.c:1166:17: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result] write((j < 2) ? STDERR_FILENO : STDOUT_FILENO, buf, ret); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc version gcc (GCC) 6.1.1 20160501
glibc version 2.23
autoconf version 2.69
This is with compiling zzuf 0.15 the latest release.
A contribution I got by e-mail:
[src/common/fd.c:274]: (error) Common realloc mistake: 'fds' nulled but not freed upon failure
[src/common/fd.c:295]: (error) Common realloc mistake: 'files' nulled but not freed upon failure
[src/libzzuf/debug.c:85]: (error) va_list 'args' was opened but not closed by va_end().
[src/libzzuf/debug.c:115]: (error) va_list 'args' was opened but not closed by va_end().
[src/zzat.c:468]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:470]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:472]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:474]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:420]: (error) Memory leak: tmp
[test/bug-memory.c:27]: (error) Memory leak: tmp
[test/zzone.c:51]: (error) Memory leak: buf
[test/zzone.c:51]: (error) Memory leak: tmp
[src/zzuf.c:668] -> [src/zzuf.c:670]: (performance) Variable 'tmp' is reassigned a value before the old one has been used.
[src/zzat.c:509]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzuf.c:742]: (warning) sprintf format string requires 1 parameter but 2 are given.
[src/zzat.c:497]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:489]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:505]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:519]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:521]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:515]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:481]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:477]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:501]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:485]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:493]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:525]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
[src/zzat.c:527]: (error) Common realloc mistake: 'retbuf' nulled but not freed upon failure
Running zzuf on my target produces zzuf[s=0,r=0.004]: signal 11 (SIGSEGV) for every seed value provided. Running the application with the modified file though normally and in lldb I can see no evidence of a segfault. Is there a way to debug this false positive? Running the application with valgrind -q the only suspicious behavior I can see is Conditional jump or move depends on uninitialised value(s) and Use of uninitialised value of size 8.
This occurs on OS X 10.11.2 if it matters.
A 64-bit version of zzuf cannot fuzz a 32-bit executable by default because its libzzuf.so is 64-bit, too, so it cannot be injected into a 32-bit executable.
We should tweak the build system so that a 32-bit libzzuf.so is built, too.
When http://caca.zoy.org/wiki/zzuf is clicked in the README.md "503 - Service Not Available" error message is shown.
common/fd.c:383]: (warning) Opposite inner 'if' condition leads to a dead code block.
Source code is
if (fd >= 0 && fd < maxfd && fds[fd] != -1)
{
if (fd == -1)
++create_lock;
Inner if can never be executed. Suggest code rework.
Running make check with the latest git version fails. Are you able to confirm all the tests pass? Thanks!
====================================
zzuf 0.14: test/test-suite.log
====================================
*** running zzuf utils test suite with seed 71699164 ***
*** file ./file-00, ratio 0.0 ***
*** should be bb7df04e1b0a2570657527a7e108ae23 ***
fread(1,100) fseek(50,SEEK_SET) fread( ok
*** file ./file-00, ratio 0.001 ***
zzuf ................................. acf6010b20a4df8c57d98f1e5d2b5d4f
fread(1,100) fseek(50,SEEK_SET) fread( 5636115577f5c01e7a0c505290ed14b9 FAILED
*** file ./file-ff, ratio 0.001 ***
zzuf ................................. 2cabb491ae3876972abbf98255412456
fread(1,100) fseek(50,SEEK_SET) fread( 49e8adf556fd4f7f8bf82004b3daf065 FAILED
fread(1,100) fseek(50,SEEK_SET) fread( 5754abdd0ff4b62df2d779c5d89d3967 FAILED
fread(1,100) fseek(50,SEEK_SET) fread( 0a542672d3ee896b8c2d1520f4b69a4e FAILED
fread(1,100) fseek(50,SEEK_SET) fread( 31bf96d54e4791ca9fcbba09d1bd9050 FAILED
Hello,
I am new to zzuf and relatively new to GitHub, so I hope this question is being asked in the right place; what changes do I make to buildosx in order for it to run successfully in this environment:
gcc -v
Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 6.1.0 (clang-602.0.53) (based on LLVM 3.6.0svn)
Target: x86_64-apple-darwin14.4.0
Thread model: posix
The following error is occurring:
echo 'i686-apple-darwin10-gcc-4.2.1 not found, please fix build script'
i686-apple-darwin10-gcc-4.2.1 not found, please fix build script
Thanks!
The program in the examples section of manual page getpwuid_r() crashes in _zz_fuzz when run with zzuf ./a.out nathan. Compiled with gcc -g test.c with gcc 7.5.0 on openSUSE 15.2 in Windows Subsystem for Linux.
Guessing from the Valgrind results, it seems zzuf is attempting to fuzz read-only memory.
Versions:
zzuf version: e598eef
gcc version: gcc (SUSE Linux) 7.5.0
gdb version: GNU gdb (GDB; openSUSE Leap 15.2) 8.3.1
valgrind version: 3.15.0
uname: Linux 4.4.0-19041-Microsoft #488-Microsoft Mon Sep 01 13:43:00 PST 2020 x86_64 x86_64 x86_64 GNU/Linux
Windows version: Windows 10 2004 (OS Build 19041.630)
Debug output (zzuf --debug --debug ./a.out nathan):
** zzuf debug ** libzzuf initialised for PID 29860
** zzuf debug ** ... fuzz(3, @0, 0)
** zzuf debug ** ... after: stream([3], NULL + 0 "" + 0 "")
** zzuf debug ** fopen("/etc/passwd", "rme") = [3]
** zzuf debug ** ... before: stream([3], NULL + 0 "" + 0 "")
** zzuf debug ** ... fuzz(3, @0, 1)
** zzuf debug ** ... fuzz(3, @0, 765)
zzuf[s=0,r=0.004]: signal 11 (SIGSEGV)
gdb backtrace (gdb -ex "set follow-fork-mode child" -ex 'set pagination off' -ex 'run' -ex 'bt full' --args zzuf ./a.out nathan |& tee zzuf-backtrace ):
Thread 2.1 "a.out" received signal SIGSEGV, Segmentation fault.
[Switching to process 7714]
0x00007fffff13ee78 in _zz_fuzz (fd=3, buf=0x7fffff7ee000 "man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin\nmessagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false\nnobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash\nroot:x:0:0:root:/root:/b"..., len=765) at common/fuzz.c:168
168 aligned_buf[j] = byte;
#0 0x00007fffff13ee78 in _zz_fuzz (fd=3, buf=0x7fffff7ee000 "man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin\nmessagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false\nnobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash\nroot:x:0:0:root:/root:/b"..., len=765) at common/fuzz.c:168
byte = 108 'l'
fuzzbyte = 2 '\002'
j = 2
start = 0
stop = 765
i = 0
pos = 0
aligned_buf = 0x7fffff7ee000 "man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin\nmessagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false\nnobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash\nroot:x:0:0:root:/root:/b"...
fuzz = 0x7fffff3e76c0 <static_files+32>
#1 0x00007fffff13bd49 in fgets_unlocked (s=0x602290 "", size=1024, stream=0x6026a0) at libzzuf/lib-stream.c:874
chr = 109
newcnt = 764
i = 0
fd = 3
oldpos = 0
oldcnt = 0
newpos = 1
ret = 0x602290 ""
__func__ = "fgets_unlocked"
#2 0x00007ffffe6139ee in _nss_compat_getpwnam_r () from /lib64/libnss_compat.so.2
No symbol table info available.
#3 0x00007ffffee385cf in getpwnam_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
No symbol table info available.
#4 0x0000000000400864 in main (argc=2, argv=0x7ffffffee168) at test.c:32
pwd = {pw_name = 0x7ffffffee168 "\a\345\376\377\377\177", pw_passwd = 0x7ffffeb611d1 <dlopen@@GLIBC_2.2.5+65> "\205\300u+H\213D$\020H\213L$(dH3\f%(", pw_uid = 1, pw_gid = 0, pw_gecos = 0x40091d <__libc_csu_init+77> "H\203\303\001H9\335u\352H\203\304\b[]A\\A]A^A_\303ff.\017\037\204", pw_dir = 0x7fffff7e04f0 "", pw_shell = 0x0}
result = 0x7
buf = 0x602290 ""
bufsize = 1024
s = 0
Valgrind results (valgrind --trace-children=yes zzuf ./a.out nathan):
==7727== Process terminating with default action of signal 11 (SIGSEGV)
==7727== Bad permissions for mapped region at address 0x4027002
==7727== at 0x4E49E78: _zz_fuzz (fuzz.c:168)
==7727== by 0x4E46D48: fgets_unlocked (lib-stream.c:874)
==7727== by 0x5DF79ED: _nss_compat_getpwnam_r (in /lib64/libnss_compat-2.26.so)
==7727== by 0x51C55CE: getpwnam_r@@GLIBC_2.2.5 (in /lib64/libc-2.26.so)
==7727== by 0x400863: main (test.c:32)
==7727==
With source image https://downloads.openmicroscopy.org/images/OME-TIFF/2016-06/bioformats-artificial/single-channel.ome.tif, these give different output on Ubuntu Xenial with zzuf from master and libtiff-tools from Xenial:
ubuntu@ubuntu-xenial:~$ zzuf -O null tiffinfo corpus/single-channel.ome.tif
TIFF Directory at offset 0x8 (8)
Image Width: 439 Image Length: 167
Resolution: 0, 0 pixels/cm
Bits/Sample: 8
Sample Format: signed integer
Compression Scheme: None
Photometric Interpretation: min-is-black
Samples/Pixel: 1
Rows/Strip: 1
Planar Configuration: single image plane
ImageDescription: <?xml version="1.0" encoding="UTF-8"?><!-- Warning: this comment is an OME-XML metadata block, which contains crucial dimensional parameters and other important metadata. Please edit cautiously (if at all), and back up the original data before doing so. For more information, see the OME-TIFF web site: http://www.openmicroscopy.org/site/support/ome-model/ome-tiff/. --><OME xmlns="http://www.openmicroscopy.org/Schemas/OME/2016-06" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Creator="OME Bio-Formats 5.2.0-m4" UUID="urn:uuid:ea4f0aa6-eb9b-47a7-a3a8-14b87b8cbc76" xsi:schemaLocation="http://www.openmicroscopy.org/Schemas/OME/2016-06 http://www.openmicroscopy.org/Schemas/OME/2016-06/ome.xsd"><Image ID="Image:0" Name="single-channel"><Pixels BigEndian="true" DimensionOrder="XYZCT" ID="Pixels:0" SizeC="1" SizeT="1" SizeX="439" SizeY="167" SizeZ="1" Type="int8"><Channel ID="Channel:0:0" SamplesPerPixel="1"><LightPath/></Channel><TiffData FirstC="0" FirstT="0" FirstZ="0" IFD="0" PlaneCount="1"><UUID FileName="single-channel.ome.tif">urn:uuid:ea4f0aa6-eb9b-47a7-a3a8-14b87b8cbc76</UUID></TiffData></Pixels></Image></OME>
Software: OME Bio-Formats 5.2.0-m4
ubuntu@ubuntu-xenial:~$ zzuf -r 0 -c tiffinfo corpus/single-channel.ome.tif
TIFFFetchNormalTag: Warning, ASCII value for tag "ImageDescription" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFF Directory at offset 0x8 (8)
Image Width: 439 Image Length: 167
Resolution: 0, 0 pixels/cm
Bits/Sample: 8
Sample Format: signed integer
Compression Scheme: None
Photometric Interpretation: min-is-black
Samples/Pixel: 1
Rows/Strip: 1
Planar Configuration: single image plane
ImageDescription: <?xml version="1.0" encoding="UTF-8"?><!-- Warning: this comment is an OME-XML metadata block, which contains crucial dimensional parameters and other important metadata. Please edit cautiously (if at all), and back up the original data before doing so. For more information, see the OME-TIFF web site: http://www.openmicroscopy.org/site/support/ome-model/ome-tiff/. --><OME xmlns="http://www.openmicroscopy.org/Schemas/OME/2016-06" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Creator="OME Bio-Formats 5.2.0-m4" UUID="urn:uuid:ea4f0aa6-eb9b-47a7-a3a8-14b87b8cbc76" xsi:schemaLocation="http://www.openmicroscopy.org/Schemas/OME/2016-06 http://www.openmicroscopy.org/Schemas/OME/2016-06/ome.xsd"><Image ID="Image:0" Name="single-channel"><Pixels BigEndian="true" DimensionOrder="XYZCT" ID="Pixels:0" SizeC="1" SizeT="1" SizeX="439" SizeY="167" SizeZ="1" Type="int8"><Channel ID="Channel:0:0" SamplesPerPixel="1"><LightPath/></Channel><TiffData FirstC="0" FirstT="0" FirstZ="0" IFD="0" PlaneCount="1"><UUID FileName="single-channel.ome.tif">urn:uuid:ea4f0aa6-eb9b-47a7-a3a8-14b87b8cbc76</UUID></TiffData></Pixels></Image
Software: OME Bio-Formats 5.2.0-m4
Notice that ImageDescription has been truncated by eight bytes, leading to a warning from tiffinfo. This does not occur with zzuf 0.12.
How would I cross compile this for iOS?
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.