VirtualBox

source: vbox/trunk/include/iprt/fuzz.h@ 77379

Last change on this file since 77379 was 76585, checked in by vboxsync, 6 years ago

*: scm --fix-header-guard-endif

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 17.1 KB
Line 
1/** @file
2 * IPRT - Fuzzing framework
3 */
4
5/*
6 * Copyright (C) 2018-2019 Oracle Corporation
7 *
8 * This file is part of VirtualBox Open Source Edition (OSE), as
9 * available from http://www.virtualbox.org. This file is free software;
10 * you can redistribute it and/or modify it under the terms of the GNU
11 * General Public License (GPL) as published by the Free Software
12 * Foundation, in version 2 as it comes in the "COPYING" file of the
13 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15 *
16 * The contents of this file may alternatively be used under the terms
17 * of the Common Development and Distribution License Version 1.0
18 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
19 * VirtualBox OSE distribution, in which case the provisions of the
20 * CDDL are applicable instead of those of the GPL.
21 *
22 * You may elect to license modified versions of this file under the
23 * terms and conditions of either the GPL or the CDDL or both.
24 */
25
26#ifndef IPRT_INCLUDED_fuzz_h
27#define IPRT_INCLUDED_fuzz_h
28#ifndef RT_WITHOUT_PRAGMA_ONCE
29# pragma once
30#endif
31
32#include <iprt/cdefs.h>
33#include <iprt/types.h>
34
35RT_C_DECLS_BEGIN
36
37/** @defgroup grp_rt_fuzz RTFuzz - Data fuzzing framework
38 * @ingroup grp_rt
39 * @sa grp_rt_test
40 * @{
41 */
42
43/** A fuzzer context handle. */
44typedef struct RTFUZZCTXINT *RTFUZZCTX;
45/** Pointer to a fuzzer context handle. */
46typedef RTFUZZCTX *PRTFUZZCTX;
47/** NIL fuzzer context handle. */
48#define NIL_RTFUZZCTX ((RTFUZZCTX)~(uintptr_t)0)
49/** A fuzzer input handle. */
50typedef struct RTFUZZINPUTINT *RTFUZZINPUT;
51/** Pointer to a fuzzer input handle. */
52typedef RTFUZZINPUT *PRTFUZZINPUT;
53/** NIL fuzzer input handle. */
54#define NIL_RTFUZZINPUT ((RTFUZZINPUT)~(uintptr_t)0)
55
56
57/** Fuzzing observer handle. */
58typedef struct RTFUZZOBSINT *RTFUZZOBS;
59/** Pointer to a fuzzing observer handle. */
60typedef RTFUZZOBS *PRTFUZZOBS;
61/** NIL fuzzing observer handle. */
62#define NIL_RTFUZZOBS ((RTFUZZOBS)~(uintptr_t)0)
63
64
65/** @name RTFUZZCTX_F_XXX - Flags for RTFuzzCtxCfgSetBehavioralFlags
66 * @{ */
67/** Adds all generated inputs automatically to the input corpus for the owning context. */
68#define RTFUZZCTX_F_BEHAVIORAL_ADD_INPUT_AUTOMATICALLY_TO_CORPUS RT_BIT_32(0)
69/** All valid behavioral modification flags. */
70#define RTFUZZCTX_F_BEHAVIORAL_VALID (RTFUZZCTX_F_BEHAVIORAL_ADD_INPUT_AUTOMATICALLY_TO_CORPUS)
71/** @} */
72
73/**
74 * Creates a new fuzzing context.
75 *
76 * @returns IPRT status code.
77 * @param phFuzzCtx Where to store the handle to the fuzzing context on success.
78 */
79RTDECL(int) RTFuzzCtxCreate(PRTFUZZCTX phFuzzCtx);
80
81/**
82 * Creates a new fuzzing context from the given state.
83 *
84 * @returns IPRT status code.
85 * @param phFuzzCtx Where to store the handle to the fuzzing context on success.
86 * @param pvState The pointer to the fuzzing state.
87 * @param cbState Size of the state buffer in bytes.
88 */
89RTDECL(int) RTFuzzCtxCreateFromState(PRTFUZZCTX phFuzzCtx, const void *pvState, size_t cbState);
90
91/**
92 * Creates a new fuzzing context loading the state from the given file.
93 *
94 * @returns IPRT status code.
95 * @param phFuzzCtx Where to store the handle to the fuzzing context on success.
96 * @param pszFilename File to load the fuzzing context from.
97 */
98RTDECL(int) RTFuzzCtxCreateFromStateFile(PRTFUZZCTX phFuzzCtx, const char *pszFilename);
99
100/**
101 * Retains a reference to the given fuzzing context.
102 *
103 * @returns New reference count on success.
104 * @param hFuzzCtx Handle of the fuzzing context.
105 */
106RTDECL(uint32_t) RTFuzzCtxRetain(RTFUZZCTX hFuzzCtx);
107
108/**
109 * Releases a reference from the given fuzzing context, destroying it when reaching 0.
110 *
111 * @returns New reference count on success, 0 if the fuzzing context got destroyed.
112 * @param hFuzzCtx Handle of the fuzzing context.
113 */
114RTDECL(uint32_t) RTFuzzCtxRelease(RTFUZZCTX hFuzzCtx);
115
116/**
117 * Exports the given fuzzing context state.
118 *
119 * @returns IPRT statuse code
120 * @param hFuzzCtx The fuzzing context to export.
121 * @param ppvState Where to store the buffer of the state on success, free with RTMemFree().
122 * @param pcbState Where to store the size of the context on success.
123 */
124RTDECL(int) RTFuzzCtxStateExport(RTFUZZCTX hFuzzCtx, void **ppvState, size_t *pcbState);
125
126/**
127 * Exports the given fuzzing context state to the given file.
128 *
129 * @returns IPRT status code.
130 * @param hFuzzCtx The fuzzing context to export.
131 * @param pszFilename The file to save the state to.
132 */
133RTDECL(int) RTFuzzCtxStateExportToFile(RTFUZZCTX hFuzzCtx, const char *pszFilename);
134
135/**
136 * Adds a new seed to the input corpus of the given fuzzing context.
137 *
138 * @returns IPRT status code.
139 * @param hFuzzCtx The fuzzing context handle.
140 * @param pvInput The pointer to the input buffer.
141 * @param cbInput Size of the input buffer.
142 */
143RTDECL(int) RTFuzzCtxCorpusInputAdd(RTFUZZCTX hFuzzCtx, const void *pvInput, size_t cbInput);
144
145/**
146 * Adds a new seed to the input corpus of the given fuzzing context from the given file.
147 *
148 * @returns IPRT status code.
149 * @param hFuzzCtx The fuzzing context handle.
150 * @param pszFilename The filename to load the seed from.
151 */
152RTDECL(int) RTFuzzCtxCorpusInputAddFromFile(RTFUZZCTX hFuzzCtx, const char *pszFilename);
153
154/**
155 * Adds a new seed to the input corpus of the given fuzzing context from the given VFS file.
156 *
157 * @returns IPRT status code.
158 * @param hFuzzCtx The fuzzing context handle.
159 * @param hVfsFile The VFS file handle to load the seed from.
160 */
161RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsFile(RTFUZZCTX hFuzzCtx, RTVFSFILE hVfsFile);
162
163/**
164 * Adds new seeds to the input corpus of the given fuzzing context from the given directory.
165 *
166 * Will only process regular files, i.e. ignores directories, symbolic links, devices, fifos
167 * and such.
168 *
169 * @returns IPRT status code.
170 * @param hFuzzCtx The fuzzing context handle.
171 * @param pszDirPath The directory to load seeds from.
172 */
173RTDECL(int) RTFuzzCtxCorpusInputAddFromDirPath(RTFUZZCTX hFuzzCtx, const char *pszDirPath);
174
175/**
176 * Restricts the maximum input size to generate by the fuzzing context.
177 *
178 * @returns IPRT status code
179 * @param hFuzzCtx The fuzzing context handle.
180 * @param cbMax Maximum input size in bytes.
181 */
182RTDECL(int) RTFuzzCtxCfgSetInputSeedMaximum(RTFUZZCTX hFuzzCtx, size_t cbMax);
183
184/**
185 * Returns the maximum input size of the given fuzzing context.
186 *
187 * @returns Maximum input size generated in bytes.
188 * @param hFuzzCtx The fuzzing context handle.
189 */
190RTDECL(size_t) RTFuzzCtxCfgGetInputSeedMaximum(RTFUZZCTX hFuzzCtx);
191
192/**
193 * Sets flags controlling the behavior of the fuzzing context.
194 *
195 * @returns IPRT status code.
196 * @param hFuzzCtx The fuzzing context handle.
197 * @param fFlags Flags controlling the fuzzing context, RTFUZZCTX_F_XXX.
198 */
199RTDECL(int) RTFuzzCtxCfgSetBehavioralFlags(RTFUZZCTX hFuzzCtx, uint32_t fFlags);
200
201/**
202 * Returns the current set behavioral flags for the given fuzzing context.
203 *
204 * @returns Behavioral flags of the given fuzzing context.
205 * @param hFuzzCtx The fuzzing context handle.
206 */
207RTDECL(uint32_t) RTFuzzCfgGetBehavioralFlags(RTFUZZCTX hFuzzCtx);
208
209/**
210 * Sets the temporary directory used by the fuzzing context.
211 *
212 * @returns IPRT status code.
213 * @param hFuzzCtx The fuzzing context handle.
214 * @param pszPathTmp The directory for the temporary state.
215 */
216RTDECL(int) RTFuzzCtxCfgSetTmpDirectory(RTFUZZCTX hFuzzCtx, const char *pszPathTmp);
217
218/**
219 * Returns the current temporary directory.
220 *
221 * @returns Current temporary directory.
222 * @param hFuzzCtx The fuzzing context handle.
223 */
224RTDECL(const char *) RTFuzzCtxCfgGetTmpDirectory(RTFUZZCTX hFuzzCtx);
225
226/**
227 * Reseeds the PRNG of the given fuzzing context.
228 *
229 * @returns IPRT status code.
230 * @param hFuzzCtx The fuzzing context handle.
231 * @param uSeed The new seed.
232 */
233RTDECL(int) RTFuzzCtxReseed(RTFUZZCTX hFuzzCtx, uint64_t uSeed);
234
235/**
236 * Generates a new input from the given fuzzing context and returns it.
237 *
238 * @returns IPRT status code.
239 * @param hFuzzCtx The fuzzing context handle.
240 * @param phFuzzInput Where to store the handle to the fuzzed input on success.
241 */
242RTDECL(int) RTFuzzCtxInputGenerate(RTFUZZCTX hFuzzCtx, PRTFUZZINPUT phFuzzInput);
243
244/**
245 * Mutates a raw buffer.
246 *
247 * @returns IPRT status code.
248 * @param hFuzzCtx The fuzzing context handle.
249 * @param pvBuf Pointer to the buffer to mutate.
250 * @param cbBuf Size of the buffer iny bytes to mutate.
251 * @param phFuzzInput Where to store the handle to the fuzzed input on success.
252 */
253RTDECL(int) RTFuzzCtxMutateBuffer(RTFUZZCTX hFuzzCtx, void *pvBuf, size_t cbBuf,
254 PRTFUZZINPUT phFuzzInput);
255
256
257/**
258 * Retains a reference to the given fuzzing input handle.
259 *
260 * @returns New reference count on success.
261 * @param hFuzzInput The fuzzing input handle.
262 */
263RTDECL(uint32_t) RTFuzzInputRetain(RTFUZZINPUT hFuzzInput);
264
265/**
266 * Releases a reference from the given fuzzing input handle, destroying it when reaaching 0.
267 *
268 * @returns New reference count on success, 0 if the fuzzing input got destroyed.
269 * @param hFuzzInput The fuzzing input handle.
270 */
271RTDECL(uint32_t) RTFuzzInputRelease(RTFUZZINPUT hFuzzInput);
272
273/**
274 * Queries the data pointer and size of the given fuzzing input.
275 *
276 * @returns IPRT status code
277 * @param hFuzzInput The fuzzing input handle.
278 * @param ppv Where to store the pointer to the input data on success.
279 * @param pcb Where to store the size of the input data on success.
280 */
281RTDECL(int) RTFuzzInputQueryData(RTFUZZINPUT hFuzzInput, void **ppv, size_t *pcb);
282
283/**
284 * Queries the string of the MD5 digest for the given fuzzed input.
285 *
286 * @returns IPRT status code.
287 * @retval VERR_BUFFER_OVERFLOW if the size of the string buffer is not sufficient.
288 * @param hFuzzInput The fuzzing input handle.
289 * @param pszDigest Where to store the digest string and a closing terminator.
290 * @param cchDigest Size of the string buffer in characters (including the zero terminator).
291 */
292RTDECL(int) RTFuzzInputQueryDigestString(RTFUZZINPUT hFuzzInput, char *pszDigest, size_t cchDigest);
293
294/**
295 * Writes the given fuzzing input to the given file.
296 *
297 * @returns IPRT status code.
298 * @param hFuzzInput The fuzzing input handle.
299 * @param pszFilename The filename to store the input to.
300 */
301RTDECL(int) RTFuzzInputWriteToFile(RTFUZZINPUT hFuzzInput, const char *pszFilename);
302
303/**
304 * Adds the given fuzzed input to the input corpus of the owning context.
305 *
306 * @returns IPRT status code.
307 * @retval VERR_ALREADY_EXISTS if the input exists already.
308 * @param hFuzzInput The fuzzing input handle.
309 */
310RTDECL(int) RTFuzzInputAddToCtxCorpus(RTFUZZINPUT hFuzzInput);
311
312/**
313 * Removes the given fuzzed input from the input corpus of the owning context.
314 *
315 * @returns IPRT status code.
316 * @retval VERR_NOT_FOUND if the input is not part of the corpus.
317 * @param hFuzzInput The fuzzing input handle.
318 */
319RTDECL(int) RTFuzzInputRemoveFromCtxCorpus(RTFUZZINPUT hFuzzInput);
320
321
322/**
323 * Fuzzed binary input channel.
324 */
325typedef enum RTFUZZOBSINPUTCHAN
326{
327 /** Invalid. */
328 RTFUZZOBSINPUTCHAN_INVALID = 0,
329 /** File input. */
330 RTFUZZOBSINPUTCHAN_FILE,
331 /** Input over stdin. */
332 RTFUZZOBSINPUTCHAN_STDIN,
333 /** The binary is a fuzzing aware client using the
334 * specified protocol over stdin/stdout. */
335 RTFUZZOBSINPUTCHAN_FUZZING_AWARE_CLIENT,
336 /** TCP server. */
337 RTFUZZOBSINPUTCHAN_TCP_SERVER,
338 /** TCP client. */
339 RTFUZZOBSINPUTCHAN_TCP_CLIENT,
340 /** UDP server. */
341 RTFUZZOBSINPUTCHAN_UDP_SERVER,
342 /** UDP client. */
343 RTFUZZOBSINPUTCHAN_UDP_CLIENT,
344 /** 32bit hack. */
345 RTFUZZOBSINPUTCHAN_32BIT_HACK = 0x7fffffff
346} RTFUZZOBSINPUTCHAN;
347
348/**
349 * Fuzzing observer statistics.
350 */
351typedef struct RTFUZZOBSSTATS
352{
353 /** Number of fuzzed inputs per second. */
354 uint32_t cFuzzedInputsPerSec;
355 /** Number of overall fuzzed inputs. */
356 uint32_t cFuzzedInputs;
357 /** Number of observed hangs. */
358 uint32_t cFuzzedInputsHang;
359 /** Number of observed crashes. */
360 uint32_t cFuzzedInputsCrash;
361} RTFUZZOBSSTATS;
362/** Pointer to a fuzzing observer statistics record. */
363typedef RTFUZZOBSSTATS *PRTFUZZOBSSTATS;
364
365/**
366 * Creates a new fuzzing observer.
367 *
368 * @returns IPRT status code.
369 * @param phFuzzObs Where to store the fuzzing observer handle on success.
370 */
371RTDECL(int) RTFuzzObsCreate(PRTFUZZOBS phFuzzObs);
372
373/**
374 * Destroys a previously created fuzzing observer.
375 *
376 * @returns IPRT status code.
377 * @param hFuzzObs The fuzzing observer handle.
378 */
379RTDECL(int) RTFuzzObsDestroy(RTFUZZOBS hFuzzObs);
380
381/**
382 * Queries the internal fuzzing context of the given observer.
383 *
384 * @returns IPRT status code.
385 * @param hFuzzObs The fuzzing observer handle.
386 * @param phFuzzCtx Where to store the handle to the fuzzing context on success.
387 *
388 * @note The fuzzing context handle should be released with RTFuzzCtxRelease() when not used anymore.
389 */
390RTDECL(int) RTFuzzObsQueryCtx(RTFUZZOBS hFuzzObs, PRTFUZZCTX phFuzzCtx);
391
392/**
393 * Queries the current statistics for the given fuzzing observer.
394 *
395 * @returns IPRT status code.
396 * @param hFuzzObs The fuzzing observer handle.
397 * @param pStats Where to store the statistics to.
398 */
399RTDECL(int) RTFuzzObsQueryStats(RTFUZZOBS hFuzzObs, PRTFUZZOBSSTATS pStats);
400
401/**
402 * Sets the temp directory for the given fuzzing observer.
403 *
404 * @returns IPRT status code.
405 * @param hFuzzObs The fuzzing observer handle.
406 * @param pszTmp The temp directory path.
407 */
408RTDECL(int) RTFuzzObsSetTmpDirectory(RTFUZZOBS hFuzzObs, const char *pszTmp);
409
410/**
411 * Sets the directory to store results to.
412 *
413 * @returns IPRT status code.
414 * @param hFuzzObs The fuzzing observer handle.
415 * @param pszResults The path to store the results.
416 */
417RTDECL(int) RTFuzzObsSetResultDirectory(RTFUZZOBS hFuzzObs, const char *pszResults);
418
419/**
420 * Sets the binary to run for each fuzzed input.
421 *
422 * @returns IPRT status code.
423 * @param hFuzzObs The fuzzing observer handle.
424 * @param pszBinary The binary path.
425 * @param enmInputChan The input channel to use.
426 */
427RTDECL(int) RTFuzzObsSetTestBinary(RTFUZZOBS hFuzzObs, const char *pszBinary, RTFUZZOBSINPUTCHAN enmInputChan);
428
429/**
430 * Sets additional arguments to run the binary with.
431 *
432 * @returns IPRT status code.
433 * @param hFuzzObs The fuzzing observer handle.
434 * @param papszArgs Pointer to the array of arguments.
435 * @param cArgs Number of arguments.
436 */
437RTDECL(int) RTFuzzObsSetTestBinaryArgs(RTFUZZOBS hFuzzObs, const char * const *papszArgs, unsigned cArgs);
438
439/**
440 * Starts fuzzing the set binary.
441 *
442 * @returns IPRT status code.
443 * @param hFuzzObs The fuzzing observer handle.
444 * @param cProcs Number of processes to run simulteanously,
445 * 0 will create as many processes as there are CPUs available.
446 */
447RTDECL(int) RTFuzzObsExecStart(RTFUZZOBS hFuzzObs, uint32_t cProcs);
448
449/**
450 * Stops the fuzzing process.
451 *
452 * @returns IPRT status code.
453 * @param hFuzzObs The fuzzing observer handle.
454 */
455RTDECL(int) RTFuzzObsExecStop(RTFUZZOBS hFuzzObs);
456
457
458/**
459 * A fuzzing master program.
460 *
461 * @returns Program exit code.
462 *
463 * @param cArgs The number of arguments.
464 * @param papszArgs The argument vector. (Note that this may be
465 * reordered, so the memory must be writable.)
466 */
467RTR3DECL(RTEXITCODE) RTFuzzCmdMaster(unsigned cArgs, char **papszArgs);
468
469
470/**
471 * Client input consumption callback.
472 *
473 * @returns IPRT status code.
474 * @retval VINF_SUCCESS the fuzzed code accepted the input.
475 * @retval VERR_* the client rejected the input while parsing it.
476 * @param pvBuf The buffer containing the input data.
477 * @param cbBuf Size of the buffer in bytes.
478 * @param pvUser Opaque user data.
479 */
480typedef DECLCALLBACK(int) FNFUZZCLIENTCONSUME(const void *pvBuf, size_t cbBuf, void *pvUser);
481/** Pointer to a client consumption callback. */
482typedef FNFUZZCLIENTCONSUME *PFNFUZZCLIENTCONSUME;
483
484/**
485 * A fuzzing client program for more efficient fuzzing.
486 *
487 * @returns Program exit code.
488 *
489 * @param cArgs The number of arguments.
490 * @param papszArgs The argument vector. (Note that this may be
491 * reordered, so the memory must be writable.)
492 * @param pfnConsume Input data consumption callback.
493 * @param pvUser Opaque user data to pass to the callback.
494 */
495RTR3DECL(RTEXITCODE) RTFuzzCmdFuzzingClient(unsigned cArgs, char **papszArgs, PFNFUZZCLIENTCONSUME pfnConsume, void *pvUser);
496/** @} */
497
498RT_C_DECLS_END
499
500#endif /* !IPRT_INCLUDED_fuzz_h */
501
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette