├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── bin ├── buildall ├── gcov ├── mkfs └── start ├── config-example.yml ├── fuzzers ├── btrfs │ ├── btrfs-extents.hh │ ├── btrfs.cc │ └── config.yml ├── ext4 │ ├── config.yml │ ├── ext4-extents.hh │ └── ext4.cc ├── f2fs │ ├── config.yml │ ├── f2fs-extents.hh │ └── f2fs.cc ├── gfs2 │ ├── config.yml │ ├── gfs2-extents.hh │ └── gfs2.cc ├── hfs │ ├── config.yml │ ├── hfs-extents.hh │ └── hfs.cc ├── hfsplus │ ├── config.yml │ ├── hfsplus-extents.hh │ └── hfsplus.cc ├── isofs │ ├── config.yml │ ├── isofs-extents.hh │ └── isofs.cc ├── net │ ├── config.yml │ └── net.cc ├── netlink │ ├── config.yml │ └── netlink.cc ├── nilfs2 │ ├── config.yml │ ├── nilfs2-extents.hh │ └── nilfs2.cc ├── ntfs │ ├── config.yml │ ├── ntfs-extents.hh │ └── ntfs.cc ├── ocfs2 │ ├── config.yml │ ├── ocfs2-extents.hh │ └── ocfs2.cc ├── reiserfs │ ├── config.yml │ ├── reiserfs-extents.hh │ └── reiserfs.cc ├── socket │ ├── config.yml │ └── socket.cc ├── udf │ ├── config.yml │ ├── udf-extents.hh │ └── udf.cc ├── usb │ ├── config.yml │ └── usb.cc ├── vfat │ ├── config.yml │ ├── vfat-extents.hh │ └── vfat.cc └── xfs │ ├── config.yml │ ├── xfs-extents.hh │ └── xfs.cc ├── include ├── crc32c.h ├── fs-fuzzer.hh ├── fuzzer.hh └── mount.hh ├── python └── kafl.py ├── satconfig.common ├── satconfig.kvm ├── satconfig.uml ├── src ├── afl-wrapper.cc └── standalone.cc └── templates ├── extents.hh └── init /.gitignore: -------------------------------------------------------------------------------- 1 | # Misc. temporary files 2 | .*.swp 3 | *.pyc 4 | 5 | # Each person should use their own config 6 | /config.yml 7 | 8 | # Misc. 9 | /fuzzers/*/afl-fuzz 10 | /fuzzers/*/bzImage.* 11 | /fuzzers/*/vmlinux.* 12 | /fuzzers/*/config.kvm 13 | /fuzzers/*/config.uml 14 | /fuzzers/*/*.exe 15 | /fuzzers/*/*.so 16 | /fuzzers/*/output 17 | 18 | # Runtime data 19 | /tmp/ 20 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | How to contribute 2 | ================= 3 | 4 | We are very happy for contributions :-) This can include changes to existing fuzzers, changes to any of the supporting scripts, new fuzzers, or simply running the fuzzers and fixing any bugs you encounter. We are still looking into the possibility of creating a repository of testcase corpora for each fuzzer, which would allow us to generate coverage reports for the kernel and do automatic regression testing on new kernel versions. 5 | 6 | If you are contributing a change to the official Oracle-maintained repository for the first time, please follow the instructions below to submit an Oracle Contributor Agreement. 7 | 8 | Once you have the Oracle Contributor Agreement in place, please send us a pull request on GitHub! 9 | 10 | 11 | Oracle Contributor Agreement 12 | ---------------------------- 13 | 14 | Oracle requires that contributors to all of its open-source projects sign the Oracle Contributor Agreement (OCA) and email or fax back the completed agreement. 15 | 16 | The OCA gives Oracle and the contributor joint copyright interests in the code. The contributor retains copyrights while also granting those rights to Oracle as the project sponsor. You need only sign the OCA once in order to cover all changes that you might contribute to any Oracle-sponsored open-source project, so if you have already signed the OCA then you do not need to sign it again in order to contribute to this project. 17 | 18 | The OCA protects the integrity of the code base, which in turn protects the development community and the project's users. Oracle acts on the community's behalf in the event of any legal challenge. In order to represent a code base against legal challenges, Oracle needs to have copyright ownership of all the code in that project. 19 | 20 | By accepting an OCA, Oracle promises that it will make your contributions available under a free or open-source software license for as long as Oracle continues to distribute them. 21 | 22 | You do not lose any rights to your contribution under the OCA. The OCA only asks you to share your rights. Unlike some contribution agreements that require you to transfer copyrights to another organization, the OCA does not take away your rights to your contributed intellectual property. When you agree to the OCA, you grant Oracle joint ownership in copyright, and a patent license for your contributions. You retain all rights, title, and interest in your contributions and may use them for any purpose you wish. Other than revoking the rights granted to Oracle, you still have the freedom to do whatever you want with your code. 23 | 24 | For the agreement form and more information, please see: 25 | 26 | http://www.oracle.com/technetwork/community/oca-486395.html 27 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 2 | 3 | The Universal Permissive License (UPL), Version 1.0 4 | 5 | Subject to the condition set forth below, permission is hereby granted to 6 | any person obtaining a copy of this software, associated documentation 7 | and/or data (collectively the "Software"), free of charge and under any 8 | and all copyright rights in the Software, and any and all patent rights 9 | owned or freely licensable by each licensor hereunder covering either (i) 10 | the unmodified Software as contributed to or provided by such licensor, 11 | or (ii) the Larger Works (as defined below), to deal in both 12 | 13 | (a) the Software, and 14 | 15 | (b) any piece of software and/or hardware listed in the lrgrwrks.txt file 16 | if one is included with the Software (each a “Larger Work” to which 17 | the Software is contributed by such licensors), 18 | 19 | without restriction, including without limitation the rights to copy, 20 | create derivative works of, display, perform, and distribute the Software 21 | and make, use, sell, offer for sale, import, export, have made, and have 22 | sold the Software and the Larger Work(s), and to sublicense the foregoing 23 | rights on either these or other terms. 24 | 25 | This license is subject to the following condition: 26 | 27 | The above copyright notice and either this complete permission notice or 28 | at a minimum a reference to the UPL must be included in all copies or 29 | substantial portions of the Software. 30 | 31 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 32 | OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 33 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN 34 | NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 35 | DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 36 | OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE 37 | USE OR OTHER DEALINGS IN THE SOFTWARE. 38 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Introduction 2 | ============ 3 | 4 | kernel-fuzzing is a repository of fuzzers for the Linux kernel. Each fuzzer usually targets a specific subsystem and knows how to turn a small binary "testcase" (usually a few kilobytes or less in size) into a sequence of syscalls and arguments that will trigger some interesting code path in the kernel. 5 | 6 | The fuzzers were originally meant to be used with American Fuzzy Lop (AFL), but could in theory be used with any framework with a small amount of glue code. 7 | 8 | 9 | Getting started 10 | =============== 11 | 12 | Prerequisites 13 | ------------- 14 | 15 | - afl.git: You will need our patches for reading the kernel instrumentation feedback from /dev/afl or /dev/kcov. 16 | 17 | - linux.git: You will need our branch with the AFL patches and satconfig patches: 18 | 19 | $ git pull https://github.com/vegard/linux-2.6.git v4.6+kconfig-sat 20 | 21 | - kvm/qemu: KVM is required for certain fuzzers or if you just want to use KVM instead of UML. 22 | 23 | - gcc 5: gcc 5 or later is needed for building the kernel using our instrumentation plugin. On Ubuntu you can do: 24 | 25 | $ sudo add-apt-repository ppa:ubuntu-toolchain-r/test 26 | $ sudo apt-get update 27 | $ sudo apt-get install gcc-5 28 | 29 | - Python packages: jinja2 and yaml. On Ubuntu you can do: 30 | 31 | $ sudo apt-get install python-jinja2 32 | $ sudo apt-get install python-yaml 33 | 34 | 35 | Prepare the kernel branch 36 | ------------------------- 37 | 38 | 1. Check out the kernel version that you want to test 39 | 40 | 2. Merge the kernel branch into AFL. 41 | 42 | 3. Merge the satconfig branch: 43 | 44 | $ git pull https://github.com/vegard/linux-2.6.git v4.6+kconfig-sat 45 | 46 | 4. Set the 'linux_afl_rev' variable in config.yml to point to the resulting commit (can be a branch, a sha1, or even just 'HEAD') 47 | 48 | 49 | Set up config.yml 50 | ----------------- 51 | 52 | Have a look at config-example.yml. 53 | 54 | 55 | Launch a fuzzer 56 | --------------- 57 | 58 | 1. Start screen 59 | 60 | 2. Run the following command: 61 | 62 | $ bin/start --master ext4 0 63 | 64 | This should start a single ext4 fuzzer in the current screen window. 65 | 66 | 3. If the fuzzer stops or crashes, you can resume it later with: 67 | 68 | $ bin/start --resume --master ext4 0 69 | 70 | 4. If you want to start additional fuzzers, create a new screen window and run e.g.: 71 | 72 | $ bin/start ext4 1 73 | 74 | 5. If you want to run many fuzzers in parallel, it is advised that you bind each fuzzer to a single, specific CPU: 75 | 76 | $ taskset -c 0 bin/start --master ext4 0 77 | $ taskset -c 1 bin/start ext4 1 78 | ... 79 | 80 | 81 | How to contribute 82 | ================= 83 | 84 | Please see [CONTRIBUTING](./CONTRIBUTING.md). 85 | -------------------------------------------------------------------------------- /bin/buildall: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | # 4 | # kernel-fuzzing.git 5 | # Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 6 | # 7 | # Licensed under the Universal Permissive License v1.0 as shown at 8 | # http://oss.oracle.com/licenses/upl. 9 | # 10 | 11 | import os 12 | import sys 13 | 14 | HERE = os.path.dirname(__file__) 15 | sys.path.insert(0, os.path.join(HERE, '..', 'python')) 16 | 17 | import kafl 18 | 19 | def main(): 20 | for name, fuzzer in sorted(kafl.all_fuzzers.items()): 21 | print name 22 | 23 | # Build fuzzer 24 | fuzzer.build_so() 25 | fuzzer.build_exe() 26 | 27 | if __name__ == '__main__': 28 | main() 29 | -------------------------------------------------------------------------------- /bin/gcov: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | # 4 | # kernel-fuzzing.git 5 | # Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 6 | # 7 | # Licensed under the Universal Permissive License v1.0 as shown at 8 | # http://oss.oracle.com/licenses/upl. 9 | # 10 | 11 | import argparse 12 | import glob 13 | import logging 14 | import os 15 | import random 16 | import shutil 17 | import subprocess 18 | import sys 19 | import tempfile 20 | 21 | import kafl 22 | 23 | def main(): 24 | parser = argparse.ArgumentParser() 25 | parser.add_argument('--dry-run', '-n', action='store_true') 26 | parser.add_argument('--skip-vmlinux', action='store_true') 27 | 28 | logging.basicConfig(level=logging.DEBUG) 29 | 30 | args = parser.parse_args() 31 | 32 | if not args.dry_run: 33 | for fuzzer in kafl.all_fuzzers.values(): 34 | fuzzer.build_exe() 35 | 36 | tmpdir = os.path.join('tmp', '.gcov') 37 | 38 | # Start with a clean slate 39 | if not args.skip_vmlinux and not args.dry_run: 40 | shutil.rmtree(tmpdir) 41 | kafl.mkdirp(tmpdir) 42 | 43 | # Compile kernel 44 | linux_dir = os.path.join(tmpdir, 'linux') 45 | if not args.skip_vmlinux and not args.dry_run: 46 | logging.debug("Checking out kernel sources in %s", linux_dir) 47 | 48 | kafl.mkdirp(linux_dir) 49 | kafl.git_export(kafl.config['linux_repo'], kafl.config['linux_gcov_rev'], linux_dir) 50 | 51 | shutil.copyfile(kafl.config['linux_gcov_config'], 52 | os.path.join(linux_dir, '.config')) 53 | kafl.make(linux_dir, ['silentoldconfig']) 54 | kafl.make(linux_dir, ['-j64']) 55 | 56 | guest_init = os.path.join(tmpdir, 'init') 57 | 58 | def write_init(testcases): 59 | commands = [ 60 | ['cd', os.path.abspath(tmpdir)], 61 | ] 62 | 63 | for exe, testcase in sorted(testcases): 64 | # Protect the testcase from being modified 65 | commands.append(['echo', '@@@', 'test', exe, testcase]) 66 | commands.append(['cp', os.path.abspath(testcase), '.cur_input']) 67 | commands.append([os.path.abspath(exe), '.cur_input']) 68 | 69 | commands.append(['echo', '@@@', 'success']) 70 | kafl.write_init(guest_init, commands) 71 | 72 | # Gather the testcases we'll be running 73 | testcases = [] 74 | for fuzzer in kafl.all_fuzzers.values(): 75 | exe = os.path.join(fuzzer.path, fuzzer.name + '.exe') 76 | for testcase in glob.glob(os.path.join(fuzzer.path, 'output', '*', 'queue', '*')): 77 | testcases.append((exe, testcase)) 78 | 79 | vmlinux_command = [ 80 | os.path.join(linux_dir, 'vmlinux'), 81 | 'mem=2048M', 82 | 'rootfstype=hostfs', 'rw', 83 | 'oops=panic', 'panic_on_warn=1', 'panic=-1', 84 | 'init=' + os.path.abspath(guest_init), 85 | ] 86 | 87 | if args.dry_run: 88 | print ' '.join(vmlinux_command) 89 | else: 90 | kafl.mkdirp('crashes') 91 | 92 | # Run as many testcases as we can per boot; if something crashes, we 93 | # skip the failing testcase and continue where we left off. At the 94 | # end, we rerun everything that didn't fail in a single boot. 95 | todo = set(testcases) 96 | good_testcases = set() 97 | bad_testcases = set() 98 | 99 | while todo: 100 | logging.info("%u todo", len(todo)) 101 | 102 | # Grab 20 testcases at random and add a timeout to the command 103 | # so that in case one of them gets rally stuck we can always 104 | # recover without losing too much time 105 | if len(todo) <= 200: 106 | todo_now = list(todo) 107 | else: 108 | todo_now = random.sample(todo, 200) 109 | write_init(todo_now) 110 | 111 | p = subprocess.Popen( 112 | [ 113 | 'timeout', '%u' % (5 + .2 * len(todo_now)), 114 | ] + vmlinux_command, 115 | stdin=open('/dev/null'), 116 | stdout=open('vmlinux.log', 'w+'), 117 | ) 118 | logging.info("Running vmlinux as pid %d", p.pid) 119 | p.wait() 120 | 121 | success = False 122 | results = [] 123 | with open('vmlinux.log') as f: 124 | for line in f: 125 | if line.startswith('@@@ '): 126 | tokens = line.rstrip().split()[1:] 127 | if tokens[0] == 'success': 128 | success = True 129 | elif tokens[0] == 'test': 130 | results.append(tuple(tokens[1:])) 131 | 132 | todo -= set(results) 133 | if success: 134 | continue 135 | 136 | # The last one is bad 137 | bad_testcase = results[-1] 138 | 139 | logging.info("Removing %s as it seems to have caused a kernel crash", bad_testcase) 140 | good_testcases |= set(results[:-1]) 141 | bad_testcases.add(bad_testcase) 142 | 143 | # Simplify the filename 144 | components = bad_testcase[1].split('/') 145 | 146 | crash_log = os.path.join('crashes', components[1], components[3], components[5] + '.txt') 147 | kafl.mkdirp(os.path.dirname(crash_log)) 148 | os.rename('vmlinux.log', crash_log) 149 | 150 | logging.info("Running %u good testcases", len(good_testcases)) 151 | write_init(good_testcases) 152 | p = subprocess.Popen(vmlinux_command, stdin=open('/dev/null'), stdout=open('vmlinux.log', 'w+')) 153 | p.wait() 154 | 155 | gcov_command = [ 156 | 'gcovr', 157 | '--root=.', 158 | '--xml', 159 | '--xml-pretty', 160 | '--output=' + os.path.abspath('linux-coverage.xml'), 161 | '.', 162 | ] 163 | 164 | if args.dry_run: 165 | print ' '.join(gcov_command) 166 | else: 167 | subprocess.check_call(gcov_command, cwd=linux_dir) 168 | 169 | if __name__ == '__main__': 170 | main() 171 | -------------------------------------------------------------------------------- /bin/mkfs: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | # 4 | # kernel-fuzzing.git 5 | # Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 6 | # 7 | # Licensed under the Universal Permissive License v1.0 as shown at 8 | # http://oss.oracle.com/licenses/upl. 9 | # 10 | 11 | import argparse 12 | import errno 13 | import os 14 | import shutil 15 | import subprocess 16 | import sys 17 | 18 | import jinja2 19 | 20 | def mkdirp(path): 21 | try: 22 | os.makedirs(path) 23 | except OSError as e: 24 | if e.errno != errno.EEXIST: 25 | raise 26 | 27 | def mount(fstype, path, mntpoint, options=[]): 28 | subprocess.check_call(['mount', '-o', ','.join(['loop'] + options), '-t', fstype, path, mntpoint]) 29 | 30 | def umount(mntpoint): 31 | subprocess.check_call(['umount', mntpoint]) 32 | 33 | def add_some_files(mntpoint): 34 | # This just creates a bunch of files at the given mount point. 35 | # Hopefully these files will allow more interesting things to 36 | # happen to the filesystem during fuzzing. 37 | 38 | foo = os.path.join(mntpoint, 'foo') 39 | subprocess.check_call(['mkdir', foo]) 40 | 41 | bar = os.path.join(foo, 'bar') 42 | subprocess.check_call(['mkdir', bar]) 43 | 44 | baz = os.path.join(bar, 'baz') 45 | with open(baz, 'w') as f: 46 | print >>f, 'hello world' 47 | 48 | # set an extended attribute 49 | xattr = os.path.join(bar, 'xattr') 50 | with open(xattr, 'w') as f: 51 | pass 52 | subprocess.call(['setfattr', '-n', 'user.mime_type', '-v', 'text/plain', xattr]) 53 | 54 | acl = os.path.join(bar, 'acl') 55 | with open(acl, 'w') as f: 56 | pass 57 | subprocess.call(['setfacl', '-m', 'u:nobody:r', acl]) 58 | 59 | # Get some unicode in there 60 | utf = os.path.join(bar, 'æøå') 61 | with open(utf, 'w') as f: 62 | print >>f, 'xyz' 63 | 64 | # special files 65 | fifo = os.path.join(bar, 'fifo') 66 | subprocess.call(['mknod', fifo, 'p']) 67 | 68 | # hard link 69 | hardlink = os.path.join(bar, 'hln') 70 | subprocess.call(['ln', baz, hardlink]) 71 | 72 | # soft link 73 | softlink = os.path.join(bar, 'sln') 74 | subprocess.call(['ln', '-s', baz, softlink]) 75 | 76 | def index_from(container, index, val): 77 | for i in range(index, len(container)): 78 | if container[i] == val: 79 | return i - index 80 | 81 | raise ValueError("asdf") 82 | 83 | def analyze(paths, chunksize=64): 84 | zeros = '\x00' * chunksize 85 | 86 | # Read the images in chunks of 64 bytes; we will only fuzz 87 | # chunks which are non-zero to start with. 88 | bitmap = {} 89 | for path in paths: 90 | with open(path) as f: 91 | offset = 0 92 | while True: 93 | data = f.read(chunksize) 94 | if len(data) == 0: 95 | break 96 | 97 | val = int(data != zeros) 98 | bitmap[offset] = bitmap.get(offset, 0) | val 99 | offset = offset + 1 100 | 101 | # linearise bitmap 102 | bitmap = [val for offset, val in sorted(bitmap.iteritems())] 103 | 104 | print "calculating extents" 105 | 106 | # calculate extents 107 | extents = [] 108 | 109 | i = 0 110 | while True: 111 | try: 112 | j = i + index_from(bitmap, i, 1) 113 | except ValueError, e: 114 | # No 1 found, so there are no more chunks to encode 115 | break 116 | 117 | try: 118 | n = index_from(bitmap, j, 0) 119 | except ValueError, e: 120 | # No 0 found, so everything until the end is a chunk 121 | n = len(bitmap) - j 122 | 123 | extents.append((j * chunksize, n * chunksize)) 124 | i = j + n 125 | 126 | return sum(bitmap) * chunksize, len(bitmap) * chunksize, extents 127 | 128 | class Filesystem(object): 129 | def __init__(self, name, size, requires_loop=False): 130 | self.name = name 131 | self.size = size 132 | self.requires_loop = requires_loop 133 | 134 | # Derived attributes 135 | self.mkfs_exe = 'mkfs.' + name 136 | self.mkfs_args = [] 137 | 138 | self.mount_options = [] 139 | 140 | def mkfs(self, path, extra_args=[]): 141 | subprocess.check_call([ 142 | 'dd', 143 | 'if=/dev/zero', 144 | 'of=' + path, 145 | 'bs=1K', 'count=%uK' % self.size, 146 | 'status=none', 147 | ]) 148 | 149 | if self.requires_loop: 150 | # attach file to loop device 151 | device = subprocess.check_output([ 152 | 'losetup', '-f', '--show', path 153 | ]).splitlines()[0] 154 | else: 155 | device = path 156 | 157 | subprocess.check_call([self.mkfs_exe] + self.mkfs_args + extra_args + [device]) 158 | 159 | if self.requires_loop: 160 | # detach loop device 161 | subprocess.check_call([ 162 | 'losetup', '-d', device 163 | ]) 164 | 165 | bfs = Filesystem('bfs', 32, requires_loop=True) 166 | 167 | btrfs = Filesystem('btrfs', 256) 168 | 169 | ext4 = Filesystem('ext4', 16) 170 | ext4.mkfs_args = ['-F', '-q'] 171 | 172 | f2fs = Filesystem('f2fs', 128) 173 | 174 | hfs = Filesystem('hfs', 64) 175 | hfs.mkfs_args = ['-h'] 176 | 177 | hfsplus = Filesystem('hfsplus', 64) 178 | 179 | isofs = Filesystem('isofs', 16) 180 | isofs.mkfs_exe = 'mkisofs' 181 | 182 | gfs2 = Filesystem('gfs2', 11) 183 | gfs2.mkfs_args = ['-O'] 184 | gfs2.mount_options = ['localflocks'] 185 | 186 | nilfs2 = Filesystem('nilfs2', 4) 187 | nilfs2.mount_options = ['nogc'] 188 | 189 | ntfs = Filesystem('ntfs', 4) 190 | ntfs.mkfs_args = ['-F', '-f'] 191 | 192 | ocfs2 = Filesystem('ocfs2', 64) 193 | ocfs2.mkfs_args = ['--fs-features=local', '--quiet'] 194 | 195 | reiserfs = Filesystem('reiserfs', 64) 196 | reiserfs.mkfs_args = ['-f', '-f'] 197 | 198 | udf = Filesystem('udf', 16) 199 | udf.mkfs_exe = 'mkudffs' 200 | 201 | vfat = Filesystem('vfat', 64) 202 | 203 | xfs = Filesystem('xfs', 16) 204 | 205 | filesystems = { 206 | 'bfs': (bfs, [ 207 | [], 208 | ]), 209 | 'btrfs': (btrfs, [ 210 | [], 211 | ]), 212 | 'ext4': (ext4, [ 213 | ['-E', 'mmp_update_interval=1'], 214 | ['-E', 'stride=3'], 215 | ['-E', 'stripe_width=3'], 216 | ['-O', 'uninit_bg', '-E', 'lazy_itable_init=1'], 217 | ['-E', 'lazy_journal_init=1'], 218 | ['-O', 'flex_bg', '-E', 'packed_meta_blocks=1'], 219 | # These seem to make the testcases very large (100K+) 220 | #['-g', str(256 + 2 * 8)], 221 | #['-O', 'bigalloc', '-g', str(256 + 2 * 8)], 222 | #['-O', 'flex_bg', '-G', '1'], 223 | ['-i', '1024'], 224 | ['-i', '67108864'], 225 | ['-I', '128'], 226 | ['-I', '1024'], 227 | ['-j'], 228 | ['-m', '50'], 229 | ['-r', '0'], 230 | ['-t', 'small'], 231 | ['-t', 'largefile4'], 232 | ]), 233 | 'f2fs': (f2fs, [ 234 | [], 235 | ]), 236 | 'hfs': (hfs, [ 237 | [], 238 | ]), 239 | 'hfsplus': (hfsplus, [ 240 | [], 241 | ]), 242 | 'isofs': (isofs, [ 243 | # mkisofs needs to be run by hand, use --extra-inputs 244 | ]), 245 | 'nilfs2': (nilfs2, [ 246 | ['-B', '32'], 247 | ]), 248 | 'ntfs': (ntfs, [ 249 | [], 250 | ]), 251 | 'ocfs2': (ocfs2, [ 252 | [], 253 | ['-J', 'block32'], 254 | ['-J', 'block64'], 255 | ['-T', 'mail'], 256 | ['--fs-features=local,sparse'], 257 | ['--fs-features=local,unwritten'], 258 | ['--fs-features=local,inline-data'], 259 | ['--fs-features=local,extended-slotmap'], 260 | ['--fs-features=local,nometaecc'], 261 | ['--fs-features=local,refcount'], 262 | ['--fs-features=local,xattr'], 263 | ['--fs-features=local,usrquota'], 264 | ['--fs-features=local,grpquota'], 265 | ['--fs-features=local,indexed-dirs'], 266 | ['--fs-features=local,discontig-bg'], 267 | ]), 268 | 'gfs2': (gfs2, [ 269 | #['-t', 'foo:bar'], 270 | #['-p', 'lock_nolock'], 271 | ['-D', '-j', '1', '-J', '8', '-o', 'align=0', '-b', '512', '-p', 'lock_nolock', '-r', '32'], 272 | ]), 273 | 'reiserfs': (reiserfs, [ 274 | ['--format', '3.5'], 275 | ['--format', '3.6'], 276 | ]), 277 | 'udf': (udf, [ 278 | [], 279 | ]), 280 | 'vfat': (vfat, [ 281 | [], 282 | ]), 283 | 'xfs': (xfs, [ 284 | [], 285 | ['-K'], 286 | ['-i', 'size=2048'], 287 | ['-i', 'maxpct=0'], 288 | ['-i', 'align=0'], 289 | ['-i', 'attr=1'], 290 | ['-l', 'version=1'], 291 | ['-l', 'lazy-count=1'], 292 | ['-n', 'version=ci'], 293 | ]), 294 | } 295 | 296 | def main(): 297 | parser = argparse.ArgumentParser() 298 | parser.add_argument('--mountpoint', default='mnt') 299 | parser.add_argument('--chunksize', type=int, default=64) 300 | parser.add_argument('--extra-inputs', nargs='*') 301 | parser.add_argument('fstype', choices=filesystems.keys()) 302 | 303 | args = parser.parse_args() 304 | 305 | fs, all_mkfs_args = filesystems.get(args.fstype) 306 | 307 | template_env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates')) 308 | extents_template = template_env.get_template('extents.hh') 309 | 310 | input_dir = os.path.join('fuzzers', fs.name, 'input') 311 | if os.path.exists(input_dir): 312 | shutil.rmtree(input_dir) 313 | mkdirp(input_dir) 314 | 315 | images = [] 316 | for i, mkfs_args in enumerate(all_mkfs_args): 317 | image = os.path.join(input_dir, '%02u.image' % i) 318 | print image 319 | 320 | fs.mkfs(image, mkfs_args) 321 | mkdirp(args.mountpoint) 322 | try: 323 | #shutil.copyfile(image, image + '.orig') 324 | mount(fs.name, image, args.mountpoint, fs.mount_options) 325 | add_some_files(args.mountpoint) 326 | finally: 327 | # Whatever happened, we should always unmount it 328 | umount(args.mountpoint) 329 | 330 | images.append(image) 331 | 332 | images.extend(args.extra_inputs) 333 | 334 | # Here, .compactimage is the image with the all-0 chunks removed; 335 | # extents.h will contain the list of extents 336 | print "minimizing image" 337 | in_size, out_size, extents = analyze(images, chunksize=args.chunksize) 338 | 339 | print sum(length for offset, length in extents), in_size 340 | assert sum(length for offset, length in extents) == in_size 341 | 342 | print "afl test-case size: %u KiB" % (in_size / 1024) 343 | 344 | with open('fuzzers/%s/%s-extents.hh' % (fs.name, fs.name), 'w') as f: 345 | print >>f, extents_template.render({ 346 | 'name': fs.name, 347 | 'in_size': in_size, 348 | 'out_size': out_size, 349 | 'extents': extents, 350 | }) 351 | 352 | # Compress images 353 | for image in images: 354 | smallimage = image + '.small' 355 | with open(image) as fin: 356 | with open(smallimage, 'w') as fout: 357 | for offset, length in extents: 358 | fin.seek(offset) 359 | fout.write(fin.read(length)) 360 | 361 | os.unlink(image) 362 | 363 | if __name__ == '__main__': 364 | main() 365 | -------------------------------------------------------------------------------- /bin/start: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | # 4 | # kernel-fuzzing.git 5 | # Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 6 | # 7 | # Licensed under the Universal Permissive License v1.0 as shown at 8 | # http://oss.oracle.com/licenses/upl. 9 | # 10 | 11 | import argparse 12 | import glob 13 | import logging 14 | import os 15 | import re 16 | import shutil 17 | import subprocess 18 | import sys 19 | import time 20 | 21 | HERE = os.path.dirname(__file__) 22 | sys.path.insert(0, os.path.join(HERE, '..', 'python')) 23 | 24 | import kafl 25 | 26 | def clean(path): 27 | if os.path.exists(path): 28 | shutil.rmtree(path) 29 | 30 | os.mkdir(path) 31 | 32 | def main(): 33 | parser = argparse.ArgumentParser() 34 | 35 | parser.add_argument('--dry-run', '-n', action='store_true') 36 | parser.add_argument('--use-guest-screen', action='store_true') 37 | parser.add_argument('--strace', action='store_true') 38 | 39 | # VM options 40 | vm_group = parser.add_mutually_exclusive_group() 41 | vm_group.add_argument('--uml', action='store_const', dest='vm', const='uml', 42 | help='Start fuzzer in UML instance') 43 | vm_group.add_argument('--kvm', action='store_const', dest='vm', const='kvm', 44 | help='Start fuzzer in KVM instance') 45 | 46 | # AFL-related options 47 | parser.add_argument('--master', action='store_true') 48 | parser.add_argument('--resume', '-r', action='store_true') 49 | parser.add_argument('--timeout', '-t', type=int, default=None) 50 | parser.add_argument('fuzzer', help='e.g. vfat') 51 | parser.add_argument('name', help='e.g. 0') 52 | 53 | logging.basicConfig(level=logging.DEBUG) 54 | 55 | args = parser.parse_args() 56 | 57 | linux_repo = kafl.config['linux_repo'] 58 | linux_afl_rev = kafl.config['linux_afl_rev'] 59 | 60 | if not args.dry_run and not os.getenv('STY'): 61 | logging.error('Need to run inside an existing screen session') 62 | sys.exit(1) 63 | 64 | fuzzer = kafl.all_fuzzers.get(args.fuzzer) 65 | if not fuzzer: 66 | logging.error('Unknown fuzzer: %s', args.fuzzer) 67 | sys.exit(1) 68 | 69 | vm = args.vm or fuzzer.config.get('vm') or 'uml' 70 | 71 | vmlinux = os.path.join(fuzzer.path, 'vmlinux.' + vm) 72 | if not os.path.exists(vmlinux): 73 | kafl.KernelBuilder(kafl.config, fuzzer, vm).build() 74 | 75 | if not os.path.exists(os.path.join(fuzzer.path, 'afl-fuzz')): 76 | kafl.AFLBuilder(kafl.config, fuzzer).build() 77 | 78 | tmpdir = os.path.join('tmp', args.fuzzer, args.name) 79 | kafl.mkdirp(tmpdir) 80 | 81 | # Build fuzzer 82 | fuzzer.build_so() 83 | fuzzer.build_exe() 84 | 85 | # Write guest init 86 | guest_init = os.path.join(tmpdir, 'init') 87 | 88 | kafl.mkdirp(os.path.join(fuzzer.path, 'output', '%s_%s' % (args.fuzzer, args.name))) 89 | 90 | init_commands = [] 91 | 92 | screen_command = [] 93 | if args.use_guest_screen: 94 | screen_command = ['screen', '-t', 'afl-fuzz'] 95 | 96 | strace_command = [] 97 | if args.strace: 98 | strace_command = ['strace', '-o', 'strace.log'] 99 | 100 | init_commands.extend([ 101 | ['cd', os.path.abspath(fuzzer.path)], 102 | screen_command + 103 | strace_command + 104 | ['./afl-fuzz'] + (['-t', args.timeout] if args.timeout else []) + [ 105 | '-i', '-' if args.resume else 'input', 106 | '-o', 'output', 107 | '-M' if args.master else '-S', 108 | '%s_%s' % (args.fuzzer, args.name), 109 | '--', './%s.so' % args.fuzzer, '@@', 110 | ], 111 | ]) 112 | 113 | kafl.write_init(guest_init, vm, init_commands) 114 | 115 | if vm == 'uml': 116 | def afl_cmd(*args): 117 | return [ 118 | #'screen', '-t', '%s/%s' % (args.fuzzer, args.name), 119 | vmlinux, 120 | 'mem=2048M', 121 | 'rootfstype=hostfs', 'rw' 122 | ] + list(args) + [ 123 | 'init=' + os.path.abspath(guest_init), 124 | ] 125 | elif vm == 'kvm': 126 | kvm_exe = kafl.config.get('kvm', 'kvm') 127 | bzImage = os.path.join(fuzzer.path, 'bzImage.' + vm) 128 | 129 | def afl_cmd(*args): 130 | kvm_args = ( 131 | 'rootfstype=9p', 132 | 'root=/dev/root', 133 | 'rootflags=trans=virtio,version=9p2000.L', 134 | 'rw', 135 | 'console=ttyS0', 136 | 'init=%s' % os.path.abspath(guest_init), 137 | ) 138 | 139 | return [ 140 | kvm_exe, 141 | '-kernel', bzImage, 142 | '-append', ' '.join(args + kvm_args), 143 | '-fsdev', 'local,id=fsdev0,path=/,security_model=none', 144 | '-device', 'virtio-9p-pci,fsdev=fsdev0,mount_tag=/dev/root', 145 | '-serial', 'stdio', 146 | '-display', 'none' 147 | '-no-reboot', 148 | ] 149 | 150 | if args.dry_run: 151 | print ' '.join(afl_cmd()) 152 | return 153 | 154 | # Save terminal settings so we can restore them if UML crashes 155 | with kafl.TerminalSaver(): 156 | retcode = subprocess.call(afl_cmd( 157 | #'ignore_console_loglevel', 158 | 'loglevel=2', 159 | 'oops=panic', 160 | 'panic=0', 161 | 'panic_on_warn=1', 162 | )) 163 | 164 | return 165 | #if retcode == 0: 166 | # return 167 | 168 | # Re-run standalone to try to reproduce crash 169 | crashes = os.path.join('crashes', args.fuzzer) 170 | kafl.mkdirp(crashes) 171 | 172 | # XXX: Yeah, it's racy... 173 | crash = os.path.join(crashes, time.strftime('%Y-%m-%d %H:%M:%S')) 174 | kafl.mkdirp(crash) 175 | 176 | shutil.copy(os.path.join(fuzzer.path, '%s.exe' % args.fuzzer), crash) 177 | 178 | commands = [ 179 | ['cd', os.path.abspath(fuzzer.path)], 180 | ] 181 | 182 | output_dir = os.path.join(fuzzer.path, 'output', '%s_%s' % (args.fuzzer, args.name)) 183 | all_testcases = glob.glob(os.path.join(output_dir, '.old_input.*')) 184 | all_testcases.append(os.path.join(output_dir, '.cur_input')) 185 | all_testcases.sort(key=lambda x: os.stat(x).st_mtime) 186 | 187 | for testcase in all_testcases: 188 | target = os.path.join(crash, os.path.basename(testcase).lstrip('.')) 189 | 190 | shutil.copy(testcase, target) 191 | commands.append(['./%s.exe' % args.fuzzer, os.path.relpath(target, fuzzer.path)]) 192 | 193 | commands.append(['sleep', '5']) 194 | 195 | kafl.write_init(guest_init, vm, commands) 196 | 197 | stdout = os.path.join(crash, 'stdout.txt') 198 | with TerminalSaver(): 199 | retcode = subprocess.call(['timeout', '30'] + afl_cmd('ignore_console_loglevel'), 200 | stdout=open(stdout, 'w')) 201 | 202 | print "Output to %s" % crash 203 | 204 | # Run addr2line on all the addresses in the log 205 | with open(os.path.join(crash, 'debuginfo.txt'), 'w') as f: 206 | for addr in set(re.findall(r'\b([0-9a-f]{8}|[0-9a-f]{16})\b', open(stdout).read())): 207 | print >>f, '%s:' % addr 208 | for line in subprocess.check_output(['addr2line', '-e', vmlinux, '-i', addr]).splitlines(): 209 | print >>f, line 210 | print >>f 211 | 212 | if __name__ == '__main__': 213 | main() 214 | -------------------------------------------------------------------------------- /config-example.yml: -------------------------------------------------------------------------------- 1 | # 2 | # (Path to) compiler command (default: system compiler) 3 | # 4 | cc: gcc-5 5 | 6 | # 7 | # (Path to) kvm command (default: 'kvm'); may be called qemu-kvm or 8 | # qemu-system-x86_64 on some systems 9 | # 10 | kvm: /usr/bin/kvm 11 | 12 | # 13 | # Path to linux bare .git directory 14 | # 15 | linux_repo: /home/vegard/linux/.git 16 | 17 | # 18 | # Linux revision to use for testing (must include AFL patches and satconfig patches) 19 | # 20 | linux_afl_rev: HEAD 21 | 22 | # 23 | # Path to afl bare .git directory 24 | # 25 | afl_repo: /home/vegard/git/afl/.git 26 | 27 | # 28 | # AFL revision to use 29 | # 30 | afl_rev: HEAD 31 | -------------------------------------------------------------------------------- /fuzzers/btrfs/btrfs-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _btrfs_extents[] = { 4 | { 65536, 320 }, 5 | { 66048, 64 }, 6 | { 66304, 192 }, 7 | { 68352, 512 }, 8 | { 131072, 192 }, 9 | { 134912, 448 }, 10 | { 139136, 320 }, 11 | { 143104, 256 }, 12 | { 1118208, 256 }, 13 | { 1120512, 128 }, 14 | { 1120704, 64 }, 15 | { 1120960, 256 }, 16 | { 1121408, 256 }, 17 | { 1121856, 64 }, 18 | { 1121984, 128 }, 19 | { 1122304, 448 }, 20 | { 1126144, 448 }, 21 | { 1130304, 320 }, 22 | { 1134528, 192 }, 23 | { 1138688, 128 }, 24 | { 4194304, 384 }, 25 | { 4195520, 320 }, 26 | { 4196096, 192 }, 27 | { 4196416, 64 }, 28 | { 4196544, 128 }, 29 | { 4196800, 640 }, 30 | { 4197504, 320 }, 31 | { 4197952, 64 }, 32 | { 4198080, 128 }, 33 | { 4198400, 128 }, 34 | { 4202496, 448 }, 35 | { 4206016, 1024 }, 36 | { 4210112, 768 }, 37 | { 4214592, 1152 }, 38 | { 4216704, 2624 }, 39 | { 4222400, 1728 }, 40 | { 4224640, 2560 }, 41 | { 4231168, 192 }, 42 | { 4235072, 576 }, 43 | { 4236480, 320 }, 44 | { 4237056, 192 }, 45 | { 4237376, 64 }, 46 | { 4237504, 128 }, 47 | { 4237760, 640 }, 48 | { 4238464, 320 }, 49 | { 4238912, 64 }, 50 | { 4239040, 128 }, 51 | { 67108864, 320 }, 52 | { 67109376, 64 }, 53 | { 67109632, 192 }, 54 | { 67111680, 512 }, 55 | }; 56 | 57 | const fs_extents btrfs_extents = { 58 | 21376, 59 | 268435456, 60 | 51, 61 | _btrfs_extents, 62 | }; 63 | -------------------------------------------------------------------------------- /fuzzers/btrfs/btrfs.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "crc32c.h" 10 | #include "fs-fuzzer.hh" 11 | 12 | #include "btrfs-extents.hh" 13 | 14 | static class btrfs_fuzzer: 15 | public fs_fuzzer 16 | { 17 | public: 18 | btrfs_fuzzer(): 19 | fs_fuzzer("btrfs", 0, 0, btrfs_extents) 20 | { 21 | } 22 | 23 | void fix_checksums(int fd) 24 | { 25 | uint8_t buf[4096]; 26 | pread(fd, buf, sizeof(buf), 1 << 16); 27 | 28 | uint32_t crc = ~crc32c(-1, buf + 32, sizeof(buf) - 32); 29 | memcpy(buf, &crc, sizeof(crc)); 30 | 31 | pwrite(fd, buf, sizeof(buf), 1 << 16); 32 | } 33 | } btrfs_fuzzer; 34 | 35 | fuzzer *fuzzer = &btrfs_fuzzer; 36 | -------------------------------------------------------------------------------- /fuzzers/btrfs/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/btrfs/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | BTRFS_FS: y 6 | BTRFS_FS_POSIX_ACL: y 7 | BTRFS_FS_CHECK_INTEGRITY: y 8 | BTRFS_FS_RUN_SANITY_TESTS: n 9 | BTRFS_DEBUG: n 10 | BTRFS_ASSERT: y 11 | -------------------------------------------------------------------------------- /fuzzers/ext4/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/ext4/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | EXT4_FS: y 6 | EXT4_USE_FOR_EXT2: y 7 | EXT4_FS_POSIX_ACL: y 8 | EXT4_FS_SECURITY: y 9 | EXT4_ENCRYPTION: y 10 | EXT4_DEBUG: n 11 | JBD2_DEBUG: n 12 | -------------------------------------------------------------------------------- /fuzzers/ext4/ext4-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _ext4_extents[] = { 4 | { 1024, 384 }, 5 | { 2048, 64 }, 6 | { 3072, 64 }, 7 | { 4096, 64 }, 8 | { 4352, 832 }, 9 | { 5248, 64 }, 10 | { 6144, 64 }, 11 | { 6400, 128 }, 12 | { 7168, 64 }, 13 | { 8192, 64 }, 14 | { 9216, 64 }, 15 | { 10240, 64 }, 16 | { 11264, 64 }, 17 | { 12288, 64 }, 18 | { 13312, 64 }, 19 | { 14336, 64 }, 20 | { 15360, 64 }, 21 | { 16384, 64 }, 22 | { 17408, 64 }, 23 | { 18432, 64 }, 24 | { 19456, 64 }, 25 | { 20480, 64 }, 26 | { 21504, 64 }, 27 | { 22528, 64 }, 28 | { 23552, 64 }, 29 | { 24576, 64 }, 30 | { 25600, 64 }, 31 | { 26624, 64 }, 32 | { 27648, 64 }, 33 | { 28672, 64 }, 34 | { 29696, 64 }, 35 | { 30720, 64 }, 36 | { 31744, 64 }, 37 | { 32768, 64 }, 38 | { 33792, 64 }, 39 | { 34816, 64 }, 40 | { 35840, 64 }, 41 | { 36864, 64 }, 42 | { 37888, 64 }, 43 | { 38912, 64 }, 44 | { 39936, 64 }, 45 | { 40960, 64 }, 46 | { 41984, 64 }, 47 | { 43008, 64 }, 48 | { 44032, 64 }, 49 | { 45056, 64 }, 50 | { 46080, 64 }, 51 | { 47104, 64 }, 52 | { 48128, 64 }, 53 | { 49152, 64 }, 54 | { 50176, 64 }, 55 | { 51200, 64 }, 56 | { 52224, 64 }, 57 | { 53248, 64 }, 58 | { 54272, 64 }, 59 | { 55296, 64 }, 60 | { 56320, 64 }, 61 | { 57344, 64 }, 62 | { 58368, 64 }, 63 | { 59392, 64 }, 64 | { 60416, 64 }, 65 | { 61440, 64 }, 66 | { 62464, 64 }, 67 | { 63488, 64 }, 68 | { 64512, 64 }, 69 | { 65536, 64 }, 70 | { 66560, 64 }, 71 | { 67584, 576 }, 72 | { 68608, 1088 }, 73 | { 69760, 64 }, 74 | { 70400, 128 }, 75 | { 70656, 64 }, 76 | { 70912, 128 }, 77 | { 71680, 64 }, 78 | { 72704, 64 }, 79 | { 73728, 64 }, 80 | { 74752, 64 }, 81 | { 75776, 64 }, 82 | { 76800, 64 }, 83 | { 77824, 64 }, 84 | { 78848, 64 }, 85 | { 79872, 64 }, 86 | { 80896, 64 }, 87 | { 81920, 64 }, 88 | { 82944, 64 }, 89 | { 83968, 64 }, 90 | { 84224, 832 }, 91 | { 85248, 896 }, 92 | { 99328, 64 }, 93 | { 100288, 128 }, 94 | { 100480, 64 }, 95 | { 101120, 192 }, 96 | { 101376, 64 }, 97 | { 101504, 64 }, 98 | { 101632, 64 }, 99 | { 101760, 896 }, 100 | { 106496, 192 }, 101 | { 107520, 64 }, 102 | { 107648, 64 }, 103 | { 110592, 64 }, 104 | { 110720, 64 }, 105 | { 111616, 192 }, 106 | { 112640, 192 }, 107 | { 113664, 192 }, 108 | { 114624, 256 }, 109 | { 115648, 256 }, 110 | { 116736, 192 }, 111 | { 117760, 192 }, 112 | { 267264, 64 }, 113 | { 268288, 64 }, 114 | { 269312, 64 }, 115 | { 270336, 64 }, 116 | { 271360, 64 }, 117 | { 272384, 64 }, 118 | { 273408, 64 }, 119 | { 274432, 64 }, 120 | { 275456, 64 }, 121 | { 276480, 64 }, 122 | { 277504, 64 }, 123 | { 278528, 64 }, 124 | { 279552, 64 }, 125 | { 331776, 64 }, 126 | { 332800, 64 }, 127 | { 333824, 64 }, 128 | { 334848, 64 }, 129 | { 335872, 64 }, 130 | { 336896, 64 }, 131 | { 337920, 64 }, 132 | { 338944, 64 }, 133 | { 339968, 64 }, 134 | { 340992, 64 }, 135 | { 342016, 64 }, 136 | { 343040, 64 }, 137 | { 344064, 64 }, 138 | { 345088, 256 }, 139 | { 362496, 128 }, 140 | { 624640, 256 }, 141 | { 625664, 64 }, 142 | { 626624, 64 }, 143 | { 1148928, 128 }, 144 | { 2197504, 256 }, 145 | { 2198528, 64 }, 146 | { 2199488, 64 }, 147 | { 4294656, 256 }, 148 | { 8389632, 128 }, 149 | { 8389824, 192 }, 150 | { 8390656, 64 }, 151 | { 8391680, 128 }, 152 | { 8392640, 128 }, 153 | { 8392960, 1792 }, 154 | { 8456192, 128 }, 155 | { 8457088, 320 }, 156 | { 8457472, 1856 }, 157 | { 8460288, 192 }, 158 | { 8460544, 64 }, 159 | { 8460672, 1216 }, 160 | { 8462336, 64 }, 161 | { 8463360, 64 }, 162 | { 8463488, 64 }, 163 | { 8464128, 192 }, 164 | { 8464384, 64 }, 165 | { 8465408, 64 }, 166 | { 8465664, 960 }, 167 | { 8467456, 128 }, 168 | { 8468480, 384 }, 169 | { 8469504, 384 }, 170 | { 8470400, 384 }, 171 | { 8471424, 320 }, 172 | { 8472512, 320 }, 173 | { 8473536, 256 }, 174 | { 8474624, 192 }, 175 | { 8475648, 192 }, 176 | { 8476672, 64 }, 177 | { 8655872, 64 }, 178 | { 8656896, 128 }, 179 | { 8657920, 64 }, 180 | { 8658880, 128 }, 181 | { 8659904, 64 }, 182 | { 8720384, 64 }, 183 | { 8721408, 128 }, 184 | { 8722432, 64 }, 185 | { 8723392, 128 }, 186 | { 8724416, 64 }, 187 | { 8913920, 64 }, 188 | { 8914944, 64 }, 189 | { 9504768, 64 }, 190 | { 9507840, 64 }, 191 | { 9962496, 64 }, 192 | { 9963520, 64 }, 193 | { 15729664, 64 }, 194 | }; 195 | 196 | const fs_extents ext4_extents = { 197 | 28352, 198 | 16777216, 199 | 190, 200 | _ext4_extents, 201 | }; 202 | -------------------------------------------------------------------------------- /fuzzers/ext4/ext4.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include 10 | #include 11 | 12 | #include "fs-fuzzer.hh" 13 | #include "ext4-extents.hh" 14 | 15 | static class ext4_fuzzer: 16 | public fs_fuzzer 17 | { 18 | public: 19 | ext4_fuzzer(): 20 | fs_fuzzer("ext4", 0, "errors=remount-ro", ext4_extents) 21 | { 22 | } 23 | 24 | void info() 25 | { 26 | char command[1024]; 27 | snprintf(command, sizeof(command), "dumpe2fs -fx %s", filename); 28 | system(command); 29 | } 30 | 31 | void fix_checksums(int fd) 32 | { 33 | /* disable RO_COMPAT_GDT_CSUM and RO_COMPAT_METADATA_CSUM */ 34 | uint32_t s_feature_ro_compat; 35 | pread(fd, &s_feature_ro_compat, sizeof(s_feature_ro_compat), 0x400 + 0x64); 36 | s_feature_ro_compat &= ~0x0410; 37 | pwrite(fd, &s_feature_ro_compat, sizeof(s_feature_ro_compat), 0x400 + 0x64); 38 | } 39 | } ext4_fuzzer; 40 | 41 | fuzzer *fuzzer = &ext4_fuzzer; 42 | -------------------------------------------------------------------------------- /fuzzers/f2fs/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/f2fs/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | F2FS_FS_SECURITY: y 6 | F2FS_CHECK_FS: n 7 | F2FS_FS_ENCRYPTION: y 8 | F2FS_IO_TRACE: n 9 | -------------------------------------------------------------------------------- /fuzzers/f2fs/f2fs-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _f2fs_extents[] = { 4 | { 1024, 128 }, 5 | { 2112, 320 }, 6 | { 5120, 128 }, 7 | { 6208, 320 }, 8 | { 2097152, 192 }, 9 | { 2101184, 256 }, 10 | { 2101696, 704 }, 11 | { 2105344, 128 }, 12 | { 2109376, 192 }, 13 | { 2113472, 128 }, 14 | { 2117568, 256 }, 15 | { 2121664, 64 }, 16 | { 2125760, 256 }, 17 | { 2129856, 64 }, 18 | { 4194304, 192 }, 19 | { 4198336, 256 }, 20 | { 4198848, 704 }, 21 | { 4202496, 192 }, 22 | { 4206528, 64 }, 23 | { 10485760, 64 }, 24 | { 125829120, 64 }, 25 | { 125831488, 64 }, 26 | { 125833216, 64 }, 27 | { 125835584, 64 }, 28 | { 125837312, 64 }, 29 | { 125839680, 64 }, 30 | { 125841408, 64 }, 31 | { 125843776, 64 }, 32 | { 125845504, 64 }, 33 | { 125847872, 64 }, 34 | { 125849600, 64 }, 35 | { 125851968, 64 }, 36 | { 125853696, 128 }, 37 | { 125856064, 64 }, 38 | { 125857792, 128 }, 39 | { 125860160, 64 }, 40 | { 125861888, 128 }, 41 | { 125864256, 64 }, 42 | { 125865984, 128 }, 43 | { 125868352, 128 }, 44 | { 125870080, 128 }, 45 | { 125872448, 128 }, 46 | { 125874176, 192 }, 47 | { 125876544, 128 }, 48 | { 127926272, 64 }, 49 | { 127930304, 128 }, 50 | { 127934400, 64 }, 51 | { 130023424, 128 }, 52 | { 130027456, 192 }, 53 | { 130031552, 192 }, 54 | { 130035648, 192 }, 55 | { 130039744, 192 }, 56 | { 130043840, 192 }, 57 | { 130047936, 192 }, 58 | { 130052032, 192 }, 59 | { 130056128, 192 }, 60 | { 130060224, 192 }, 61 | { 130064320, 192 }, 62 | { 130068416, 192 }, 63 | { 130068800, 64 }, 64 | { 130072512, 192 }, 65 | { 130072896, 64 }, 66 | { 130076608, 192 }, 67 | { 130076992, 64 }, 68 | { 130080704, 64 }, 69 | { 132120576, 128 }, 70 | { 132120896, 64 }, 71 | { 132124608, 192 }, 72 | { 132124992, 64 }, 73 | { 132128704, 192 }, 74 | { 132129088, 64 }, 75 | { 132132800, 192 }, 76 | { 132133184, 64 }, 77 | { 132136896, 192 }, 78 | { 132137280, 64 }, 79 | { 132140992, 192 }, 80 | { 132141376, 64 }, 81 | { 132145088, 192 }, 82 | { 132145472, 64 }, 83 | { 132149184, 192 }, 84 | { 132149568, 64 }, 85 | { 132153280, 192 }, 86 | { 132153664, 64 }, 87 | { 132157376, 192 }, 88 | { 132157760, 64 }, 89 | { 132161472, 192 }, 90 | { 132161856, 64 }, 91 | { 132165568, 192 }, 92 | { 132165952, 64 }, 93 | { 132169664, 64 }, 94 | }; 95 | 96 | const fs_extents f2fs_extents = { 97 | 12992, 98 | 134217728, 99 | 90, 100 | _f2fs_extents, 101 | }; 102 | -------------------------------------------------------------------------------- /fuzzers/f2fs/f2fs.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "f2fs-extents.hh" 11 | 12 | static class f2fs_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | f2fs_fuzzer(): 17 | fs_fuzzer("f2fs", 0, 0, f2fs_extents) 18 | { 19 | } 20 | } f2fs_fuzzer; 21 | 22 | fuzzer *fuzzer = &f2fs_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/gfs2/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/gfs2/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | GFS2_FS: y 6 | GFS2_FS_LOCKING_DLM: n 7 | -------------------------------------------------------------------------------- /fuzzers/gfs2/gfs2.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "gfs2-extents.hh" 11 | 12 | static class gfs2_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | gfs2_fuzzer(): 17 | fs_fuzzer("gfs2", 0, 0, gfs2_extents) 18 | { 19 | } 20 | } gfs2_fuzzer; 21 | 22 | fuzzer *fuzzer = &gfs2_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/hfs/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/hfs/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | HFS_FS: y 6 | -------------------------------------------------------------------------------- /fuzzers/hfs/hfs-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _hfs_extents[] = { 4 | { 1024, 192 }, 5 | { 1536, 128 }, 6 | { 7168, 64 }, 7 | { 7360, 64 }, 8 | { 7616, 64 }, 9 | { 530944, 64 }, 10 | { 531136, 64 }, 11 | { 531392, 1280 }, 12 | { 532928, 576 }, 13 | { 1054720, 64 }, 14 | { 1060864, 64 }, 15 | { 67107840, 192 }, 16 | }; 17 | 18 | const fs_extents hfs_extents = { 19 | 2816, 20 | 67108864, 21 | 12, 22 | _hfs_extents, 23 | }; 24 | -------------------------------------------------------------------------------- /fuzzers/hfs/hfs.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "hfs-extents.hh" 11 | 12 | static class hfs_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | hfs_fuzzer(): 17 | fs_fuzzer("hfs", 0, 0, hfs_extents) 18 | { 19 | } 20 | } hfs_fuzzer; 21 | 22 | fuzzer *fuzzer = &hfs_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/hfsplus/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/hfsplus/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | HFSPLUS_FS: y 6 | HFSPLUS_FS_POSIX_ACL: y 7 | -------------------------------------------------------------------------------- /fuzzers/hfsplus/hfsplus-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _hfsplus_extents[] = { 4 | { 1024, 384 }, 5 | { 4096, 64 }, 6 | { 6080, 64 }, 7 | { 8192, 64 }, 8 | { 8384, 64 }, 9 | { 12224, 64 }, 10 | { 532480, 64 }, 11 | { 532672, 64 }, 12 | { 536512, 704 }, 13 | { 537280, 320 }, 14 | { 537728, 128 }, 15 | { 537984, 128 }, 16 | { 538240, 128 }, 17 | { 538496, 192 }, 18 | { 538752, 128 }, 19 | { 539008, 192 }, 20 | { 539264, 320 }, 21 | { 540608, 64 }, 22 | { 1056768, 64 }, 23 | { 1060864, 64 }, 24 | { 1061056, 64 }, 25 | { 1068992, 192 }, 26 | { 1077184, 64 }, 27 | { 1585152, 64 }, 28 | { 1589248, 64 }, 29 | { 67107840, 384 }, 30 | }; 31 | 32 | const fs_extents hfsplus_extents = { 33 | 4096, 34 | 67108864, 35 | 26, 36 | _hfsplus_extents, 37 | }; 38 | -------------------------------------------------------------------------------- /fuzzers/hfsplus/hfsplus.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "hfsplus-extents.hh" 11 | 12 | static class hfsplus_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | hfsplus_fuzzer(): 17 | fs_fuzzer("hfsplus", 0, 0, hfsplus_extents) 18 | { 19 | } 20 | } hfsplus_fuzzer; 21 | 22 | fuzzer *fuzzer = &hfsplus_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/isofs/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/isofs/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | ISO9660_FS: y 6 | JOLIET: y 7 | ZISOFS: y 8 | NLS_UTF8: y 9 | -------------------------------------------------------------------------------- /fuzzers/isofs/isofs-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _isofs_extents[] = { 4 | { 32768, 1408 }, 5 | { 34816, 1408 }, 6 | { 36864, 64 }, 7 | { 38912, 64 }, 8 | { 40960, 64 }, 9 | { 43008, 64 }, 10 | { 45056, 64 }, 11 | { 47104, 384 }, 12 | { 49152, 320 }, 13 | { 51200, 320 }, 14 | { 53248, 256 }, 15 | { 55296, 256 }, 16 | { 57344, 128 }, 17 | { 59392, 256 }, 18 | { 61440, 128 }, 19 | { 63488, 128 }, 20 | { 65536, 128 }, 21 | { 65728, 256 }, 22 | { 67584, 128 }, 23 | { 67776, 64 }, 24 | { 67904, 64 }, 25 | { 69632, 64 }, 26 | { 69760, 128 }, 27 | { 71680, 128 }, 28 | { 71872, 128 }, 29 | { 72064, 64 }, 30 | { 73728, 64 }, 31 | { 75776, 64 }, 32 | { 98304, 128 }, 33 | { 98496, 256 }, 34 | { 100352, 128 }, 35 | { 100544, 64 }, 36 | { 100672, 64 }, 37 | { 102400, 64 }, 38 | { 102528, 128 }, 39 | { 104448, 128 }, 40 | { 104640, 128 }, 41 | { 104832, 64 }, 42 | { 106496, 64 }, 43 | { 108544, 64 }, 44 | { 131072, 192 }, 45 | { 133120, 64 }, 46 | { 524288, 64 }, 47 | { 526336, 128 }, 48 | { 526528, 256 }, 49 | { 528384, 64 }, 50 | { 530432, 192 }, 51 | { 532480, 128 }, 52 | { 534528, 192 }, 53 | { 536576, 128 }, 54 | { 538624, 192 }, 55 | { 540672, 128 }, 56 | { 542720, 192 }, 57 | { 544768, 64 }, 58 | { 548864, 64 }, 59 | { 552960, 128 }, 60 | { 555008, 128 }, 61 | { 557056, 128 }, 62 | { 559104, 64 }, 63 | { 561152, 64 }, 64 | { 563200, 64 }, 65 | { 565248, 64 }, 66 | { 567296, 64 }, 67 | { 569344, 64 }, 68 | { 571392, 64 }, 69 | { 573440, 64 }, 70 | { 575488, 64 }, 71 | { 577536, 64 }, 72 | { 579584, 64 }, 73 | { 581632, 64 }, 74 | { 583680, 64 }, 75 | { 585728, 64 }, 76 | { 587776, 64 }, 77 | { 589824, 64 }, 78 | { 591872, 64 }, 79 | { 593920, 64 }, 80 | { 595968, 64 }, 81 | { 598016, 64 }, 82 | { 600064, 64 }, 83 | { 602112, 64 }, 84 | { 604160, 64 }, 85 | { 606208, 64 }, 86 | { 608256, 64 }, 87 | { 610304, 64 }, 88 | { 612352, 64 }, 89 | { 614400, 64 }, 90 | { 616448, 64 }, 91 | { 618496, 64 }, 92 | { 620544, 64 }, 93 | { 622592, 64 }, 94 | { 624640, 64 }, 95 | { 626688, 64 }, 96 | { 628736, 64 }, 97 | { 630784, 64 }, 98 | { 632832, 64 }, 99 | { 634880, 64 }, 100 | { 636928, 64 }, 101 | { 638976, 64 }, 102 | { 641024, 64 }, 103 | { 643072, 64 }, 104 | { 645120, 64 }, 105 | { 647168, 64 }, 106 | { 649216, 64 }, 107 | { 651264, 64 }, 108 | { 653312, 64 }, 109 | { 655360, 64 }, 110 | { 657408, 64 }, 111 | { 659456, 64 }, 112 | { 661504, 64 }, 113 | { 663552, 64 }, 114 | { 665600, 64 }, 115 | { 667648, 64 }, 116 | { 669696, 64 }, 117 | { 671744, 64 }, 118 | { 673792, 64 }, 119 | { 675840, 64 }, 120 | { 677888, 64 }, 121 | { 679936, 64 }, 122 | { 681984, 64 }, 123 | { 684032, 64 }, 124 | { 686080, 64 }, 125 | { 688128, 64 }, 126 | { 690176, 64 }, 127 | { 692224, 64 }, 128 | { 694272, 64 }, 129 | { 696320, 64 }, 130 | { 698368, 64 }, 131 | { 700416, 64 }, 132 | { 702464, 64 }, 133 | { 704512, 64 }, 134 | { 706560, 64 }, 135 | { 708608, 64 }, 136 | { 710656, 64 }, 137 | { 712704, 64 }, 138 | { 714752, 64 }, 139 | { 716800, 64 }, 140 | { 718848, 64 }, 141 | { 720896, 64 }, 142 | { 722944, 64 }, 143 | { 724992, 64 }, 144 | { 727040, 64 }, 145 | { 729088, 64 }, 146 | { 731136, 64 }, 147 | { 733184, 64 }, 148 | { 735232, 64 }, 149 | { 737280, 64 }, 150 | { 739328, 64 }, 151 | { 741376, 64 }, 152 | { 743424, 64 }, 153 | { 745472, 64 }, 154 | { 747520, 64 }, 155 | { 749568, 64 }, 156 | { 751616, 64 }, 157 | { 753664, 64 }, 158 | { 755712, 64 }, 159 | { 757760, 64 }, 160 | { 759808, 64 }, 161 | { 761856, 64 }, 162 | { 763904, 64 }, 163 | { 765952, 64 }, 164 | { 768000, 64 }, 165 | { 770048, 64 }, 166 | { 772096, 64 }, 167 | { 774144, 64 }, 168 | { 776192, 64 }, 169 | { 778240, 64 }, 170 | { 780288, 64 }, 171 | { 782336, 64 }, 172 | { 784384, 64 }, 173 | { 786432, 64 }, 174 | { 788480, 64 }, 175 | { 790528, 64 }, 176 | { 792576, 64 }, 177 | { 794624, 64 }, 178 | { 796672, 64 }, 179 | { 798720, 64 }, 180 | { 800768, 64 }, 181 | { 802816, 64 }, 182 | { 804864, 64 }, 183 | { 806912, 64 }, 184 | { 808960, 64 }, 185 | { 811008, 64 }, 186 | { 813056, 64 }, 187 | { 815104, 64 }, 188 | { 817152, 64 }, 189 | { 819200, 64 }, 190 | { 821248, 64 }, 191 | { 823296, 64 }, 192 | { 825344, 64 }, 193 | { 827392, 64 }, 194 | { 829440, 64 }, 195 | { 831488, 64 }, 196 | { 833536, 64 }, 197 | { 835584, 64 }, 198 | { 837632, 64 }, 199 | { 839680, 64 }, 200 | { 841728, 64 }, 201 | { 843776, 64 }, 202 | { 845824, 64 }, 203 | { 847872, 64 }, 204 | { 849920, 64 }, 205 | { 851968, 64 }, 206 | { 854016, 64 }, 207 | { 856064, 64 }, 208 | { 858112, 64 }, 209 | { 860160, 64 }, 210 | { 862208, 64 }, 211 | { 864256, 64 }, 212 | { 866304, 64 }, 213 | { 868352, 64 }, 214 | }; 215 | 216 | const fs_extents isofs_extents = { 217 | 20032, 218 | 870400, 219 | 210, 220 | _isofs_extents, 221 | }; 222 | -------------------------------------------------------------------------------- /fuzzers/isofs/isofs.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "isofs-extents.hh" 11 | 12 | static class isofs_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | isofs_fuzzer(): 17 | fs_fuzzer("isofs", MS_RDONLY | MS_SILENT, 0, isofs_extents) 18 | { 19 | } 20 | } isofs_fuzzer; 21 | 22 | fuzzer *fuzzer = &isofs_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/net/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [net/, drivers/net/] 2 | config: 3 | TUN: y 4 | ETHERNET: y 5 | INET: y 6 | IPV6: y 7 | IP_DCCP: y 8 | IP_SCTP: y 9 | RDS: y 10 | TIPC: y 11 | ATM: y 12 | L2TP: y 13 | DECNET: y 14 | LLC2: y 15 | IPX: y 16 | ATALK: y 17 | X25: y 18 | LAPB: y 19 | PHONET: y 20 | -------------------------------------------------------------------------------- /fuzzers/net/net.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #include "fuzzer.hh" 28 | 29 | class net_fuzzer: 30 | public fuzzer 31 | { 32 | public: 33 | int tunfd; 34 | struct sockaddr tun_hwaddr; 35 | 36 | ssize_t rlen; 37 | char buffer[8192]; 38 | 39 | net_fuzzer() 40 | { 41 | tunfd = open("/dev/net/tun", O_RDWR); 42 | if (tunfd == -1) 43 | error(1, errno, "open()"); 44 | 45 | { 46 | struct ifreq ifr; 47 | memset(&ifr, 0, sizeof(ifr)); 48 | ifr.ifr_flags = IFF_TAP | IFF_NO_PI; 49 | strncpy(ifr.ifr_name, "afl0", IFNAMSIZ); 50 | if (ioctl(tunfd, TUNSETIFF, (void *) &ifr) < 0) 51 | error(1, errno, "ioctl()"); 52 | } 53 | 54 | /* Bring interface up; otherwise out packets will simply 55 | * get dropped. */ 56 | int ret = system("ip link set dev afl0 up"); 57 | if (ret != 0) 58 | error(1, 0, "ip link"); 59 | 60 | /* Get device's MAC address so we can insert it into 61 | * the packets we send. */ 62 | { 63 | struct ifreq ifr; 64 | memset(&ifr, 0, sizeof(ifr)); 65 | if (ioctl(tunfd, SIOCGIFHWADDR, &ifr) < 0) 66 | error(1, errno, "ioctl(SIOCGIFHWADDR)"); 67 | 68 | tun_hwaddr = ifr.ifr_hwaddr; 69 | } 70 | } 71 | 72 | int setup(const char *path) 73 | { 74 | int infd = open(path, O_RDONLY); 75 | if (infd == -1) 76 | error(1, errno, "open()"); 77 | 78 | rlen = read(infd, buffer, sizeof(buffer)); 79 | if (rlen < 0) 80 | error(1, errno, "read()"); 81 | if (rlen == 0) 82 | return 1; 83 | 84 | close(infd); 85 | return 0; 86 | } 87 | 88 | void run() 89 | { 90 | /* Overwrite the target MAC so it won't just get dropped 91 | * as PACKET_OTHERHOST. */ 92 | memcpy(&buffer[0], &tun_hwaddr.sa_data[0], 6); 93 | 94 | write(tunfd, buffer, rlen); 95 | /* Ignore errors */ 96 | } 97 | } net_fuzzer; 98 | 99 | fuzzer *fuzzer = &net_fuzzer; 100 | -------------------------------------------------------------------------------- /fuzzers/netlink/config.yml: -------------------------------------------------------------------------------- 1 | instrument: 2 | - crypto/ 3 | - drivers/connector/ 4 | - drivers/infiniband/ 5 | - drivers/net/ 6 | - drivers/scsi/ 7 | - kernel/audit.o 8 | - kernel/auditfilter.o 9 | - kernel/auditsc.o 10 | - kernel/audit_fsnotify.o 11 | - kernel/audit_tree.o 12 | - kernel/audit_watch.o 13 | - lib/kobject.o 14 | - lib/kobject_uevent.o 15 | - net/ 16 | - security/selinux/ 17 | config: 18 | # we should have a network device 19 | VETH: y 20 | IP_ADVANCED_ROUTER: y 21 | IP_MULTICAST: y 22 | IP_FIB_TRIE_STATS: y 23 | FIB_RULES: y 24 | # things that provide netlink interfaces 25 | FSNOTIFY: y 26 | KOBJECT_UEVENT: y 27 | DLM: y 28 | CRYPTO_USER: y 29 | CONNECTOR: y 30 | SECURITY_SELINUX: y 31 | # needs PCI/HAS_IOMEM, so it won't work on UML 32 | #INFINIBAND: y 33 | #INFINIBAND_IPOIB: y 34 | # needs HAS_IOMEM 35 | #W1: y 36 | AUDIT: y 37 | QUOTA_NETLINK_INTERFACE: y 38 | SCSI_NETLINK: y 39 | SCSI_ISCSI_ATTRS: y 40 | BONDING: y 41 | NET: y 42 | L2TP: y 43 | L2TP_V3: y 44 | OPENVSWITCH: y 45 | NFC: y 46 | VLAN_8021Q: y 47 | TIPC: y 48 | BRIDGE: y 49 | IEEE802154: y 50 | NETLINK_DIAG: y 51 | HSR: y 52 | NETFILTER_NETLINK: y 53 | NETFILTER_NETLINK_ACCT: y 54 | NETFILTER_NETLINK_QUEUE: y 55 | NETFILTER_NETLINK_LOG: y 56 | NF_CT_NETLINK: y 57 | NF_CT_NETLINK_TIMEOUT: y 58 | NF_CT_NETLINK_HELPER: y 59 | PHONET: y 60 | INET: y 61 | IRDA: y 62 | XFRM: y 63 | XFRM_USER: y 64 | XFRM_STATISTICS: y 65 | XFRM_ALGO: y 66 | XFRM_IPCOMP: y 67 | -------------------------------------------------------------------------------- /fuzzers/netlink/netlink.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include 23 | 24 | #include "fuzzer.hh" 25 | 26 | struct params { 27 | /* For socket() */ 28 | int type; 29 | int protocol; 30 | 31 | /* For sendmsg() */ 32 | struct sockaddr_nl name; 33 | struct msghdr msg; 34 | int flags; 35 | } __attribute__((packed)); 36 | 37 | static void write_example(const char *pathname, struct params *p, const char *buf, size_t count) 38 | { 39 | int fd = open(pathname, O_WRONLY | O_CREAT | O_TRUNC, 0644); 40 | if (fd == -1) 41 | error(1, errno, "open()"); 42 | 43 | if (write(fd, p, sizeof(*p)) != sizeof(*p)) 44 | error(1, errno, "write()"); 45 | 46 | ssize_t len = write(fd, buf, count); 47 | if (len < 0 || (size_t) len != count) 48 | error(1, errno, "write()"); 49 | 50 | close(fd); 51 | } 52 | 53 | #define example(_num, _protocol, _buf) \ 54 | do { \ 55 | struct params p; \ 56 | memset(&p, 0, sizeof(p)); \ 57 | p.type = SOCK_RAW; \ 58 | p.protocol = _protocol; \ 59 | p.name.nl_family = AF_NETLINK; \ 60 | p.msg.msg_namelen = sizeof(p.name); \ 61 | \ 62 | const char buf[] = _buf; \ 63 | char filename[PATH_MAX]; \ 64 | snprintf(filename, sizeof(filename), "%s/%u", dir, _num); \ 65 | write_example(filename, &p, buf, sizeof(buf)); \ 66 | } while (0) 67 | 68 | static void write_examples(const char *dir) 69 | { 70 | /* ip link delete eth0 */ 71 | example(0, NETLINK_ROUTE, " \0\0\0\21\0\5\0H\361^V\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0"); 72 | 73 | /* iw wlan0 info */ 74 | example(1, NETLINK_GENERIC, " \0\0\0\20\0\5\0t\364^Vkk\0\0\3\1\0\0\f\0\2\0nl80211\0"); 75 | example(2, NETLINK_GENERIC, "\34\0\0\0\32\0\5\0u\364^Vkk\0\0\5\0\0\0\10\0\3\0\3\0\0\0"); 76 | 77 | /* ip route del */ 78 | example(3, NETLINK_ROUTE, "\34\0\0\0\31\0\5\0x\367^V\0\0\0\0\2\0\0\0\376\0\377\0\0\0\0\0"); 79 | 80 | /* ip link set eth0 name foobar */ 81 | example(4, NETLINK_ROUTE, ",\0\0\0\20\0\5\0\305\367^V\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\v\0\3\0foobar\0\0"); 82 | 83 | /* ip rule add */ 84 | example(5, NETLINK_ROUTE, "\34\0\0\0 \0\5\6\3\370^V\0\0\0\0\2\0\0\0\376\3\0\1\0\0\0\0"); 85 | 86 | /* ip l2tp */ 87 | example(6, NETLINK_GENERIC, " \0\0\0\20\0\1\0;\370^V\0\0\0\0\3\0\0\0\t\0\2\0l2tp\0\0\0\0"); 88 | 89 | /* ip l2tp add tunnel remote 10.10.10.10 local 127.0.0.1 tunnel_id 1 peer_tunnel_id 2 udp_sport 2 udp_dport 3 */ 90 | example(7, NETLINK_GENERIC, "T\0\0\0\33\0\5\0\252\370^V\0\0\0\0\1\1\0\0\10\0\t\0\1\0\0\0\10\0\n\0\2\0\0\0\5\0\7\0\3\0\0\0\6\0\2\0\0\0\0\0\10\0\30\0\177\0\0\1\10\0\31\0\n\n\n\n\6\0\32\0\2\0\0\0\6\0\33\0\3\0\0\0"); 91 | 92 | /* ip link add type veth */ 93 | example(8, NETLINK_ROUTE, ",\0\0\0\20\0\5\6\353\370^V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\22\0\10\0\1\0veth"); 94 | } 95 | 96 | class netlink_fuzzer: 97 | public fuzzer 98 | { 99 | public: 100 | struct params p; 101 | char buffer[1024]; 102 | ssize_t len; 103 | 104 | netlink_fuzzer() 105 | { 106 | /* XXX: global state */ 107 | //setuid(10023); 108 | } 109 | 110 | ~netlink_fuzzer() 111 | { 112 | } 113 | 114 | void generate(const char *path) 115 | { 116 | write_examples(path); 117 | } 118 | 119 | int setup(const char *path) 120 | { 121 | int fd = open(path, O_RDONLY); 122 | if (fd == -1) 123 | error(1, errno, "open()"); 124 | 125 | if (read(fd, &p, sizeof(p)) != sizeof(p)) { 126 | close(fd); 127 | return -1; 128 | } 129 | 130 | len = read(fd, buffer, sizeof(buffer)); 131 | close(fd); 132 | if (len < 0) 133 | return -1; 134 | 135 | return 0; 136 | } 137 | 138 | void cleanup() 139 | { 140 | } 141 | 142 | void run() 143 | { 144 | int sock = socket(AF_NETLINK, p.type, p.protocol); 145 | if (sock == -1) 146 | return; 147 | 148 | p.msg.msg_name = &p.name; 149 | 150 | struct iovec iov = { 151 | .iov_base = &buffer[0], 152 | .iov_len = (size_t) len, 153 | }; 154 | p.msg.msg_iov = &iov; 155 | p.msg.msg_iovlen = 1; 156 | p.msg.msg_control = 0; 157 | 158 | sendmsg(sock, &p.msg, p.flags); 159 | close(sock); 160 | } 161 | } netlink_fuzzer; 162 | 163 | fuzzer *fuzzer = &netlink_fuzzer; 164 | -------------------------------------------------------------------------------- /fuzzers/nilfs2/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/nilfs2/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | NILFS2_FS: y 6 | -------------------------------------------------------------------------------- /fuzzers/nilfs2/nilfs2-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _nilfs2_extents[] = { 4 | { 1024, 192 }, 5 | { 4096, 320 }, 6 | { 8192, 64 }, 7 | { 12288, 4160 }, 8 | { 20608, 64 }, 9 | { 20736, 128 }, 10 | { 21376, 64 }, 11 | { 21504, 64 }, 12 | { 21632, 64 }, 13 | { 21760, 64 }, 14 | { 21888, 64 }, 15 | { 24576, 64 }, 16 | { 24768, 256 }, 17 | { 25152, 64 }, 18 | { 25344, 64 }, 19 | { 25536, 64 }, 20 | { 25728, 64 }, 21 | { 25920, 64 }, 22 | { 26112, 64 }, 23 | { 26304, 64 }, 24 | { 26496, 64 }, 25 | { 26688, 64 }, 26 | { 26880, 64 }, 27 | { 27072, 64 }, 28 | { 27264, 64 }, 29 | { 27456, 64 }, 30 | { 27648, 64 }, 31 | { 27840, 64 }, 32 | { 28032, 64 }, 33 | { 28224, 64 }, 34 | { 28416, 64 }, 35 | { 28672, 64 }, 36 | { 32768, 4160 }, 37 | { 40960, 256 }, 38 | { 45056, 384 }, 39 | { 49152, 576 }, 40 | { 53248, 64 }, 41 | { 57344, 128 }, 42 | { 61440, 192 }, 43 | { 65536, 64 }, 44 | { 69632, 64 }, 45 | { 73728, 64 }, 46 | { 77824, 4160 }, 47 | { 86144, 64 }, 48 | { 86272, 128 }, 49 | { 86912, 64 }, 50 | { 87040, 64 }, 51 | { 87168, 64 }, 52 | { 87296, 64 }, 53 | { 87424, 64 }, 54 | { 87552, 1024 }, 55 | { 90112, 64 }, 56 | { 90304, 448 }, 57 | { 90880, 64 }, 58 | { 91072, 64 }, 59 | { 91264, 64 }, 60 | { 91456, 64 }, 61 | { 91648, 64 }, 62 | { 91840, 64 }, 63 | { 92032, 64 }, 64 | { 92224, 64 }, 65 | { 92416, 64 }, 66 | { 92608, 64 }, 67 | { 92800, 64 }, 68 | { 92992, 64 }, 69 | { 93184, 64 }, 70 | { 93376, 64 }, 71 | { 93568, 64 }, 72 | { 93760, 64 }, 73 | { 93952, 64 }, 74 | { 94208, 128 }, 75 | { 98304, 4160 }, 76 | { 102912, 64 }, 77 | { 103936, 64 }, 78 | { 104448, 64 }, 79 | { 104960, 64 }, 80 | { 105472, 64 }, 81 | { 106496, 448 }, 82 | { 110592, 64 }, 83 | { 114688, 64 }, 84 | { 118784, 64 }, 85 | { 122880, 64 }, 86 | { 126976, 64 }, 87 | { 131072, 128 }, 88 | { 135168, 128 }, 89 | { 137216, 128 }, 90 | { 139264, 384 }, 91 | { 4190208, 192 }, 92 | }; 93 | 94 | const fs_extents nilfs2_extents = { 95 | 26368, 96 | 4194304, 97 | 88, 98 | _nilfs2_extents, 99 | }; 100 | -------------------------------------------------------------------------------- /fuzzers/nilfs2/nilfs2.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "nilfs2-extents.hh" 11 | 12 | static class nilfs2_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | nilfs2_fuzzer(): 17 | fs_fuzzer("nilfs2", 0, 0, nilfs2_extents) 18 | { 19 | } 20 | } nilfs2_fuzzer; 21 | 22 | fuzzer *fuzzer = &nilfs2_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/ntfs/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/ntfs/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | NTFS_FS: y 6 | NTFS_DEBUG: n 7 | NTFS_RW: y 8 | -------------------------------------------------------------------------------- /fuzzers/ntfs/ntfs-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _ntfs_extents[] = { 4 | { 0, 4160 }, 5 | { 8192, 64 }, 6 | { 16384, 512 }, 7 | { 17344, 448 }, 8 | { 17856, 64 }, 9 | { 18368, 448 }, 10 | { 18880, 64 }, 11 | { 19392, 576 }, 12 | { 20416, 576 }, 13 | { 21440, 576 }, 14 | { 22464, 448 }, 15 | { 22976, 64 }, 16 | { 23488, 576 }, 17 | { 24512, 448 }, 18 | { 25024, 64 }, 19 | { 25536, 768 }, 20 | { 26560, 576 }, 21 | { 27584, 704 }, 22 | { 28608, 384 }, 23 | { 29120, 64 }, 24 | { 29632, 384 }, 25 | { 30144, 64 }, 26 | { 30656, 384 }, 27 | { 31168, 64 }, 28 | { 31680, 384 }, 29 | { 32192, 64 }, 30 | { 32704, 256 }, 31 | { 33216, 64 }, 32 | { 33728, 256 }, 33 | { 34240, 64 }, 34 | { 34752, 256 }, 35 | { 35264, 64 }, 36 | { 35776, 256 }, 37 | { 36288, 64 }, 38 | { 36800, 256 }, 39 | { 37312, 64 }, 40 | { 37824, 256 }, 41 | { 38336, 64 }, 42 | { 38848, 256 }, 43 | { 39360, 64 }, 44 | { 39872, 256 }, 45 | { 40384, 64 }, 46 | { 40896, 704 }, 47 | { 41920, 448 }, 48 | { 42432, 64 }, 49 | { 42944, 448 }, 50 | { 43456, 64 }, 51 | { 43968, 128 }, 52 | { 44480, 64 }, 53 | { 44992, 128 }, 54 | { 45504, 64 }, 55 | { 46016, 128 }, 56 | { 46528, 64 }, 57 | { 47040, 128 }, 58 | { 47552, 64 }, 59 | { 48064, 128 }, 60 | { 48576, 64 }, 61 | { 49088, 128 }, 62 | { 49600, 64 }, 63 | { 50112, 128 }, 64 | { 50624, 64 }, 65 | { 51136, 128 }, 66 | { 51648, 64 }, 67 | { 52160, 128 }, 68 | { 52672, 64 }, 69 | { 53184, 128 }, 70 | { 53696, 64 }, 71 | { 54208, 128 }, 72 | { 54720, 64 }, 73 | { 55232, 128 }, 74 | { 55744, 64 }, 75 | { 56256, 128 }, 76 | { 56768, 64 }, 77 | { 57280, 128 }, 78 | { 57792, 64 }, 79 | { 58304, 128 }, 80 | { 58816, 64 }, 81 | { 59328, 128 }, 82 | { 59840, 64 }, 83 | { 60352, 128 }, 84 | { 60864, 64 }, 85 | { 61376, 128 }, 86 | { 61888, 64 }, 87 | { 62400, 128 }, 88 | { 62912, 64 }, 89 | { 63424, 128 }, 90 | { 63936, 64 }, 91 | { 64448, 128 }, 92 | { 64960, 64 }, 93 | { 65472, 128 }, 94 | { 65984, 64 }, 95 | { 66496, 128 }, 96 | { 67008, 64 }, 97 | { 67520, 128 }, 98 | { 68032, 64 }, 99 | { 68544, 128 }, 100 | { 69056, 64 }, 101 | { 69568, 128 }, 102 | { 70080, 64 }, 103 | { 70592, 128 }, 104 | { 71104, 64 }, 105 | { 71616, 128 }, 106 | { 72128, 64 }, 107 | { 72640, 128 }, 108 | { 73152, 64 }, 109 | { 73664, 128 }, 110 | { 74176, 64 }, 111 | { 74688, 128 }, 112 | { 75200, 64 }, 113 | { 75712, 128 }, 114 | { 76224, 64 }, 115 | { 76736, 128 }, 116 | { 77248, 64 }, 117 | { 77760, 128 }, 118 | { 78272, 64 }, 119 | { 78784, 128 }, 120 | { 79296, 64 }, 121 | { 79808, 128 }, 122 | { 80320, 64 }, 123 | { 80832, 128 }, 124 | { 81344, 64 }, 125 | { 81856, 576 }, 126 | { 82880, 1600 }, 127 | { 84928, 576 }, 128 | { 85952, 448 }, 129 | { 86464, 64 }, 130 | { 86976, 448 }, 131 | { 87488, 64 }, 132 | { 88000, 448 }, 133 | { 88512, 64 }, 134 | { 89024, 576 }, 135 | { 90048, 64 }, 136 | { 536576, 256 }, 137 | { 540672, 64 }, 138 | { 544768, 1344 }, 139 | { 546240, 64 }, 140 | { 546752, 64 }, 141 | { 547264, 64 }, 142 | { 547776, 64 }, 143 | { 548288, 64 }, 144 | { 548800, 128 }, 145 | { 548992, 64 }, 146 | { 549120, 128 }, 147 | { 549312, 64 }, 148 | { 549440, 128 }, 149 | { 549632, 64 }, 150 | { 549760, 128 }, 151 | { 549952, 64 }, 152 | { 550080, 128 }, 153 | { 550272, 256 }, 154 | { 550592, 64 }, 155 | { 550720, 128 }, 156 | { 550912, 64 }, 157 | { 551040, 128 }, 158 | { 551232, 64 }, 159 | { 552960, 128 }, 160 | { 557056, 256 }, 161 | { 819200, 256 }, 162 | { 823296, 131840 }, 163 | { 955328, 64 }, 164 | { 955840, 64 }, 165 | { 956352, 64 }, 166 | { 956864, 64 }, 167 | { 957376, 64 }, 168 | { 957888, 64 }, 169 | { 958400, 64 }, 170 | { 2093056, 512 }, 171 | { 2094016, 448 }, 172 | { 2094528, 64 }, 173 | { 2095040, 448 }, 174 | { 2095552, 64 }, 175 | { 2096064, 576 }, 176 | { 2097088, 1048640 }, 177 | { 4193792, 512 }, 178 | }; 179 | 180 | const fs_extents ntfs_extents = { 181 | 1217024, 182 | 4194304, 183 | 174, 184 | _ntfs_extents, 185 | }; 186 | -------------------------------------------------------------------------------- /fuzzers/ntfs/ntfs.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "ntfs-extents.hh" 11 | 12 | static class ntfs_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | ntfs_fuzzer(): 17 | fs_fuzzer("ntfs", 0, 0, ntfs_extents) 18 | { 19 | } 20 | } ntfs_fuzzer; 21 | 22 | fuzzer *fuzzer = &ntfs_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/ocfs2/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/ocfs2/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | OCFS2_FS: y 6 | OCFS2_FS_O2CB: y 7 | OCFS2_FS_USERSPACE_CLUSTER: y 8 | OCFS2_FS_STATS: y 9 | OCFS2_DEBUG_MASKLOG: n 10 | OCFS2_DEBUG_FS: n 11 | -------------------------------------------------------------------------------- /fuzzers/ocfs2/ocfs2-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _ocfs2_extents[] = { 4 | { 0, 2176 }, 5 | { 2240, 256 }, 6 | { 4096, 768 }, 7 | { 8192, 128 }, 8 | { 9216, 128 }, 9 | { 9408, 128 }, 10 | { 10240, 128 }, 11 | { 10432, 448 }, 12 | { 11264, 128 }, 13 | { 11456, 64 }, 14 | { 12288, 256 }, 15 | { 13312, 128 }, 16 | { 13504, 64 }, 17 | { 14336, 128 }, 18 | { 14528, 64 }, 19 | { 15360, 256 }, 20 | { 16384, 128 }, 21 | { 16576, 64 }, 22 | { 17408, 256 }, 23 | { 18432, 256 }, 24 | { 19456, 256 }, 25 | { 20480, 128 }, 26 | { 20672, 64 }, 27 | { 21504, 128 }, 28 | { 21696, 64 }, 29 | { 22528, 128 }, 30 | { 22720, 64 }, 31 | { 23552, 128 }, 32 | { 23744, 64 }, 33 | { 548864, 128 }, 34 | { 549888, 192 }, 35 | { 550912, 320 }, 36 | { 551936, 320 }, 37 | { 552960, 128 }, 38 | { 553152, 64 }, 39 | { 553984, 128 }, 40 | { 554176, 128 }, 41 | { 555008, 128 }, 42 | { 555200, 192 }, 43 | { 556032, 128 }, 44 | { 556224, 64 }, 45 | { 557056, 128 }, 46 | { 557248, 64 }, 47 | { 557824, 64 }, 48 | { 558016, 320 }, 49 | { 558848, 64 }, 50 | { 559040, 192 }, 51 | { 559296, 64 }, 52 | { 560128, 128 }, 53 | { 560320, 64 }, 54 | { 561152, 128 }, 55 | { 561344, 192 }, 56 | { 562176, 128 }, 57 | { 562368, 64 }, 58 | { 563200, 128 }, 59 | { 563392, 64 }, 60 | { 563968, 64 }, 61 | { 564160, 192 }, 62 | { 564416, 64 }, 63 | { 564992, 64 }, 64 | { 565184, 192 }, 65 | { 565440, 64 }, 66 | { 566272, 128 }, 67 | { 566464, 64 }, 68 | { 567296, 128 }, 69 | { 567488, 64 }, 70 | { 568320, 64 }, 71 | { 569344, 128 }, 72 | { 570368, 64 }, 73 | { 571392, 128 }, 74 | { 571584, 64 }, 75 | { 572416, 64 }, 76 | { 573440, 64 }, 77 | { 574464, 128 }, 78 | { 574656, 64 }, 79 | { 575488, 64 }, 80 | { 4743168, 128 }, 81 | { 6840320, 4224 }, 82 | { 6844608, 64 }, 83 | { 6845440, 256 }, 84 | { 6846464, 128 }, 85 | { 6846656, 64 }, 86 | { 6847488, 128 }, 87 | { 6847680, 192 }, 88 | { 6848512, 128 }, 89 | { 6848704, 64 }, 90 | { 6849536, 128 }, 91 | { 6849728, 64 }, 92 | { 6850304, 64 }, 93 | { 6850496, 192 }, 94 | { 6850752, 64 }, 95 | { 6851328, 64 }, 96 | { 6851520, 192 }, 97 | { 6851776, 64 }, 98 | { 6852608, 128 }, 99 | { 6852800, 64 }, 100 | { 6853632, 128 }, 101 | { 6853824, 64 }, 102 | { 6854656, 64 }, 103 | { 6856704, 128 }, 104 | { 6857728, 256 }, 105 | { 6858752, 128 }, 106 | { 6858944, 64 }, 107 | { 6859776, 128 }, 108 | { 6859968, 192 }, 109 | { 6860800, 128 }, 110 | { 6860992, 64 }, 111 | { 6861824, 128 }, 112 | { 6862016, 64 }, 113 | { 6862592, 64 }, 114 | { 6862784, 192 }, 115 | { 6863040, 64 }, 116 | { 6863616, 64 }, 117 | { 6863808, 192 }, 118 | { 6864064, 64 }, 119 | { 6864896, 128 }, 120 | { 6865088, 64 }, 121 | { 6865920, 128 }, 122 | { 6866112, 64 }, 123 | { 17326080, 128 }, 124 | { 19423232, 4224 }, 125 | { 19428352, 256 }, 126 | { 19429376, 128 }, 127 | { 19429568, 64 }, 128 | { 19430400, 128 }, 129 | { 19430592, 192 }, 130 | { 19431424, 128 }, 131 | { 19431616, 64 }, 132 | { 19432448, 128 }, 133 | { 19432640, 64 }, 134 | { 19433216, 64 }, 135 | { 19433408, 192 }, 136 | { 19433664, 64 }, 137 | { 19434240, 64 }, 138 | { 19434432, 192 }, 139 | { 19434688, 64 }, 140 | { 19435520, 128 }, 141 | { 19435712, 64 }, 142 | { 19436544, 128 }, 143 | { 19436736, 64 }, 144 | { 31457280, 128 }, 145 | { 62914560, 128 }, 146 | }; 147 | 148 | const fs_extents ocfs2_extents = { 149 | 28288, 150 | 67108864, 151 | 142, 152 | _ocfs2_extents, 153 | }; 154 | -------------------------------------------------------------------------------- /fuzzers/ocfs2/ocfs2.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "ocfs2-extents.hh" 11 | 12 | static class ocfs2_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | ocfs2_fuzzer(): 17 | fs_fuzzer("ocfs2", 0, 0, ocfs2_extents) 18 | { 19 | } 20 | } ocfs2_fuzzer; 21 | 22 | fuzzer *fuzzer = &ocfs2_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/reiserfs/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/reiserfs/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | REISERFS_FS: y 6 | REISERFS_CHECK: n 7 | REISERFS_PROC_INFO: y 8 | REISERFS_FS_XATTR: y 9 | REISERFS_FS_POSIX_ACL: y 10 | REISERFS_FS_SECURITY: y 11 | -------------------------------------------------------------------------------- /fuzzers/reiserfs/reiserfs-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _reiserfs_extents[] = { 4 | { 65536, 128 }, 5 | { 65728, 64 }, 6 | { 69632, 1088 }, 7 | { 71680, 2112 }, 8 | { 77760, 192 }, 9 | { 78016, 64 }, 10 | { 81920, 448 }, 11 | { 85056, 2048 }, 12 | { 88064, 2112 }, 13 | { 94208, 64 }, 14 | { 98240, 192 }, 15 | { 98496, 64 }, 16 | { 102400, 64 }, 17 | { 106496, 64 }, 18 | { 110528, 192 }, 19 | { 110784, 64 }, 20 | { 114688, 64 }, 21 | { 118784, 64 }, 22 | { 122816, 192 }, 23 | { 123072, 64 }, 24 | { 126976, 64 }, 25 | { 33628160, 64 }, 26 | { 33632256, 448 }, 27 | { 33635392, 960 }, 28 | }; 29 | 30 | const fs_extents reiserfs_extents = { 31 | 10880, 32 | 67108864, 33 | 24, 34 | _reiserfs_extents, 35 | }; 36 | -------------------------------------------------------------------------------- /fuzzers/reiserfs/reiserfs.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "reiserfs-extents.hh" 11 | 12 | static class reiserfs_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | reiserfs_fuzzer(): 17 | fs_fuzzer("reiserfs", 0, 0, reiserfs_extents) 18 | { 19 | } 20 | } reiserfs_fuzzer; 21 | 22 | fuzzer *fuzzer = &reiserfs_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/socket/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [net/, drivers/net/] 2 | config: 3 | EPOLL: y 4 | # net/protocols 5 | PACKET: y 6 | PACKET_DIAG: y 7 | UNIX: y 8 | UNIX_DIAG: y 9 | XFRM_USER: y 10 | XFRM_SUB_POLICY: y 11 | XFRM_MIGRATE: y 12 | NET_KEY: y 13 | NET_KEY_MIGRATE: y 14 | INET: y 15 | INET_DIAG: y 16 | INET_UDP_DIAG: y 17 | IPV6: y 18 | IP_DCCP: y 19 | IP_SCTP: y 20 | RDS: y 21 | RDS_TCP: y 22 | RDS_DEBUG: n 23 | TIPC: y 24 | TIPC_MEDIA_UDP: y 25 | ATM: y 26 | L2TP: y 27 | L2TP_V3: y 28 | L2TP_IP: y 29 | DECNET: y 30 | DECNET_ROUTER: y 31 | LLC2: y 32 | IPX: y 33 | ATALK: y 34 | X25: y 35 | LAPB: y 36 | PHONET: y 37 | HAMRADIO: y 38 | CAN: y 39 | CAN_RAW: y 40 | CAN_BCM: y 41 | CAN_GW: y 42 | CAN_DEV: y 43 | IRDA: y 44 | BT: y 45 | BT_RFCOMM: y 46 | AF_RXRPC: y 47 | AF_RXRPC_DEBUG: n 48 | CAIF: y 49 | CAIF_DEBUG: n 50 | -------------------------------------------------------------------------------- /fuzzers/socket/socket.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | #include "fuzzer.hh" 25 | 26 | struct params { 27 | /* For socket() */ 28 | int domain; 29 | int type; 30 | int protocol; 31 | } __attribute__((packed)); 32 | 33 | class socket_fuzzer: 34 | public fuzzer 35 | { 36 | public: 37 | int epfd; 38 | int pipefd[2]; 39 | pid_t child; 40 | 41 | int fd; 42 | struct params p; 43 | char buffer[1024]; 44 | ssize_t len; 45 | 46 | socket_fuzzer() 47 | { 48 | /* We can get SIGPIPE if we try to send/recv on a half open socket; 49 | * ignore that. */ 50 | signal(SIGPIPE, SIG_IGN); 51 | 52 | epfd = epoll_create(1); 53 | if (epfd == -1) 54 | error(1, errno, "epoll_create()"); 55 | 56 | if (pipe(pipefd) == -1) 57 | error(1, errno, "pipe()"); 58 | 59 | /* We want the read end to be O_NONBLOCK so that splice() doesn't 60 | * block. */ 61 | if (fcntl(pipefd[0], F_SETFL, O_NONBLOCK) == -1) 62 | error(1, errno, "fcntl()"); 63 | 64 | child = fork(); 65 | if (child == -1) 66 | error(1, errno, "fork()"); 67 | if (child == 0) { 68 | /* Continually fill pipe with data; will be consumed by 69 | * the main process. */ 70 | static char data[4096]; 71 | memset(data, 0, sizeof(data)); 72 | while (1) 73 | write(pipefd[1], data, sizeof(data)); 74 | 75 | /* XXX */ 76 | exit(1); 77 | } 78 | } 79 | 80 | ~socket_fuzzer() 81 | { 82 | /* XXX: error handling + kill/waitpid */ 83 | close(epfd); 84 | close(pipefd[0]); 85 | close(pipefd[1]); 86 | kill(child, SIGKILL); 87 | } 88 | 89 | void generate(const char *path) 90 | { 91 | int fd = open(path, O_CREAT | O_WRONLY, 0644); 92 | if (fd == -1) 93 | error(1, errno, "open(%s)", path); 94 | 95 | struct params p; 96 | memset(&p, 0, sizeof(p)); 97 | write(fd, &p, sizeof(p)); 98 | 99 | char buffer[1024]; 100 | memset(buffer, 0, sizeof(buffer)); 101 | write(fd, buffer, sizeof(buffer)); 102 | 103 | close(fd); 104 | } 105 | 106 | int setup(const char *path) 107 | { 108 | fd = open(path, O_RDONLY); 109 | if (fd == -1) 110 | error(1, errno, "open(%s)", path); 111 | 112 | if (read(fd, &p, sizeof(p)) != sizeof(p)) { 113 | close(fd); 114 | return -1; 115 | } 116 | 117 | memset(buffer, 0, sizeof(buffer)); 118 | 119 | len = read(fd, buffer, sizeof(buffer)); 120 | close(fd); 121 | if (len < 0) 122 | return -1; 123 | 124 | return 0; 125 | } 126 | 127 | void cleanup() 128 | { 129 | } 130 | 131 | void run() 132 | { 133 | /* Create two sockets; try to bind() + listen() on one and 134 | * connect() (presumably to the first one) with the other. */ 135 | int sock1 = -1, sock2 = -1, sock3 = -1; 136 | sock1 = socket(p.domain, p.type | SOCK_NONBLOCK, p.protocol); 137 | sock2 = socket(p.domain, p.type | SOCK_NONBLOCK, p.protocol); 138 | if (sock1 == -1 || sock2 == -1) { 139 | if (sock1 != -1) 140 | close(sock1); 141 | if (sock2 != -1) 142 | close(sock2); 143 | return; 144 | } 145 | 146 | /* Try to increase determinism */ 147 | int so_reuseaddr = 1; 148 | setsockopt(sock1, SOL_SOCKET, SO_REUSEADDR, &so_reuseaddr, sizeof(so_reuseaddr)); 149 | setsockopt(sock2, SOL_SOCKET, SO_REUSEADDR, &so_reuseaddr, sizeof(so_reuseaddr)); 150 | 151 | /* Try to avoid getting stuck */ 152 | struct timeval timeout = { 0, 1 }; 153 | setsockopt(sock1, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)); 154 | setsockopt(sock1, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)); 155 | setsockopt(sock2, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)); 156 | setsockopt(sock2, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)); 157 | 158 | /* Try to make them connect... it's a long shot, but worth a try */ 159 | struct sockaddr_storage addr; 160 | socklen_t addrlen = sizeof(addr); 161 | 162 | /* Kernel bug? If you bind() a named UNIX socket that uses all the 163 | * 108 bytes in the name (not including the final NUL byte), then 164 | * the kernel will happily accept the full name and return a name 165 | * length that _includes_ the NUL byte (which is past the end of 166 | * struct sockaddr_un). */ 167 | if (p.domain == AF_UNIX && len == 111) 168 | len = 110; 169 | 170 | int err = bind(sock1, (struct sockaddr *) buffer, len); 171 | if (p.domain == AF_UNIX && err == 0) { 172 | /* Clean up UNIX sockets in the filesystem immediately */ 173 | struct sockaddr_un *addr_un = (struct sockaddr_un *) buffer; 174 | if (addr_un->sun_path[0] != '\0') 175 | unlink(addr_un->sun_path); 176 | } 177 | 178 | listen(sock1, SOMAXCONN); 179 | connect(sock2, (struct sockaddr *) buffer, len); 180 | sock3 = accept4(sock1, (struct sockaddr *) &addr, &addrlen, SOCK_NONBLOCK); 181 | 182 | #if 1 183 | /* Unlikely to succeed, but we do it for kicks. */ 184 | int sock4 = accept4(sock2, (struct sockaddr *) &addr, &addrlen, SOCK_NONBLOCK); 185 | if (sock4 != -1) 186 | close(sock4); 187 | 188 | if (sock3 != -3) { 189 | int sock5 = accept4(sock3, (struct sockaddr *) &addr, &addrlen, SOCK_NONBLOCK); 190 | if (sock5 != -1) 191 | close(sock5); 192 | } 193 | #endif 194 | 195 | /* For completeness */ 196 | addrlen = sizeof(addr); 197 | getsockname(sock1, (struct sockaddr *) &addr, &addrlen); 198 | addrlen = sizeof(addr); 199 | getsockname(sock2, (struct sockaddr *) &addr, &addrlen); 200 | addrlen = sizeof(addr); 201 | getpeername(sock1, (struct sockaddr *) &addr, &addrlen); 202 | addrlen = sizeof(addr); 203 | getpeername(sock2, (struct sockaddr *) &addr, &addrlen); 204 | 205 | struct epoll_event ev; 206 | memset(&ev, 0, sizeof(ev)); 207 | ev.events = EPOLLIN | EPOLLOUT | EPOLLRDHUP | EPOLLPRI | EPOLLERR | EPOLLHUP | EPOLLET | EPOLLONESHOT; 208 | if (sock1 != -1) 209 | epoll_ctl(epfd, EPOLL_CTL_ADD, sock1, &ev); 210 | if (sock2 != -1) 211 | epoll_ctl(epfd, EPOLL_CTL_ADD, sock2, &ev); 212 | if (sock3 != -1) 213 | epoll_ctl(epfd, EPOLL_CTL_ADD, sock3, &ev); 214 | 215 | /* Communicate? */ 216 | const char str[] = "hello world"; 217 | send(sock1, str, sizeof(str), 0); 218 | send(sock2, str, sizeof(str), 0); 219 | if (sock3 != -1) 220 | send(sock3, str, sizeof(str), 0); 221 | recv(sock1, buffer, sizeof(buffer), 0); 222 | recv(sock2, buffer, sizeof(buffer), 0); 223 | if (sock3 != -1) 224 | recv(sock3, buffer, sizeof(buffer), 0); 225 | 226 | if (sock1 != -1) 227 | splice(pipefd[0], NULL, sock1, NULL, 4096 + 2048, SPLICE_F_NONBLOCK | SPLICE_F_MORE); 228 | if (sock2 != -1) 229 | splice(pipefd[0], NULL, sock2, NULL, 4096 + 2048, SPLICE_F_NONBLOCK | SPLICE_F_MORE); 230 | if (sock3 != -1) 231 | splice(pipefd[0], NULL, sock3, NULL, 4096 + 2048, SPLICE_F_NONBLOCK | SPLICE_F_MORE); 232 | 233 | void *mem1 = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, sock1, 0); 234 | if (mem1 != MAP_FAILED) { 235 | ++*(char *) mem1; 236 | munmap(mem1, 4096); 237 | } 238 | 239 | void *mem2 = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, sock2, 0); 240 | if (mem2 != MAP_FAILED) { 241 | ++*(char *) mem2; 242 | munmap(mem2, 4096); 243 | } 244 | 245 | void *mem3 = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, sock3, 0); 246 | if (mem3 != MAP_FAILED) { 247 | ++*(char *) mem3; 248 | munmap(mem3, 4096); 249 | } 250 | 251 | struct epoll_event evs[10]; 252 | epoll_wait(epfd, evs, 10, 0); 253 | 254 | if (sock1 != -1) 255 | epoll_ctl(epfd, EPOLL_CTL_DEL, sock1, NULL); 256 | if (sock2 != -1) 257 | epoll_ctl(epfd, EPOLL_CTL_DEL, sock2, NULL); 258 | if (sock3 != -1) 259 | epoll_ctl(epfd, EPOLL_CTL_DEL, sock3, NULL); 260 | 261 | shutdown(sock1, SHUT_RD); 262 | shutdown(sock2, SHUT_WR); 263 | if (sock3 != -1) 264 | shutdown(sock3, SHUT_WR); 265 | shutdown(sock1, SHUT_WR); 266 | shutdown(sock2, SHUT_RD); 267 | if (sock3 != -1) 268 | shutdown(sock3, SHUT_RD); 269 | 270 | if (sock1 != -1) 271 | close(sock1); 272 | if (sock2 != -1) 273 | close(sock2); 274 | if (sock3 != -1) 275 | close(sock3); 276 | } 277 | } socket_fuzzer; 278 | 279 | fuzzer *fuzzer = &socket_fuzzer; 280 | -------------------------------------------------------------------------------- /fuzzers/udf/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/udf/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | UDF_FS: y 6 | -------------------------------------------------------------------------------- /fuzzers/udf/udf-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _udf_extents[] = { 4 | { 32768, 64 }, 5 | { 34816, 64 }, 6 | { 36864, 64 }, 7 | { 524288, 64 }, 8 | { 526336, 128 }, 9 | { 526528, 320 }, 10 | { 528384, 128 }, 11 | { 528576, 128 }, 12 | { 528768, 64 }, 13 | { 530432, 256 }, 14 | { 532480, 64 }, 15 | { 534528, 128 }, 16 | { 534720, 192 }, 17 | { 536576, 64 }, 18 | { 559104, 192 }, 19 | { 561152, 1024 }, 20 | { 563200, 128 }, 21 | { 563392, 320 }, 22 | { 565248, 256 }, 23 | { 567296, 384 }, 24 | { 569344, 256 }, 25 | { 571392, 320 }, 26 | { 573440, 576 }, 27 | { 575488, 256 }, 28 | { 577536, 256 }, 29 | { 579584, 256 }, 30 | { 581632, 256 }, 31 | { 583680, 256 }, 32 | { 585728, 256 }, 33 | { 16250880, 64 }, 34 | { 16742400, 128 }, 35 | { 16742592, 320 }, 36 | { 16744448, 128 }, 37 | { 16744640, 128 }, 38 | { 16744832, 64 }, 39 | { 16746496, 256 }, 40 | { 16748544, 64 }, 41 | { 16750592, 128 }, 42 | { 16750784, 192 }, 43 | { 16752640, 64 }, 44 | { 16775168, 64 }, 45 | }; 46 | 47 | const fs_extents udf_extents = { 48 | 8320, 49 | 16777216, 50 | 41, 51 | _udf_extents, 52 | }; 53 | -------------------------------------------------------------------------------- /fuzzers/udf/udf.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "udf-extents.hh" 11 | 12 | static class udf_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | udf_fuzzer(): 17 | fs_fuzzer("udf", MS_RDONLY | MS_SILENT, 0, udf_extents) 18 | { 19 | } 20 | } udf_fuzzer; 21 | 22 | fuzzer *fuzzer = &udf_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/usb/config.yml: -------------------------------------------------------------------------------- 1 | # UML doesn't support USB drivers, unfortunately 2 | vm: kvm 3 | instrument: 4 | - drivers/usb/ 5 | - drivers/net/ 6 | - drivers/media/ 7 | - drivers/hid/ 8 | - drivers/staging/ 9 | - sound/usb/ 10 | config: 11 | USB_DUMMY_HCD: y 12 | USB_GADGET: y 13 | USB_GADGETFS: y 14 | 15 | # USB support 16 | USB_ANNOUNCE_NEW_DEVICES: y 17 | USB_DEFAULT_PERSIST: y 18 | USB_DYNAMIC_MINORS: y 19 | USB_OTG_WHITELIST: n 20 | USB_OTG_BLACKLIST_HUB: n 21 | USB_ULPI_BUS: y 22 | USB_MON: n 23 | USB_WUSB: y 24 | USB_WUSB_CBAF: y 25 | USB_WUSB_CBAF_DEBUG: n 26 | USB_U132_HCD: y 27 | #USB_RENESAS_USBHS_HCD: y 28 | USB_HWA_HCD: y 29 | USB_HCD_TEST_MODE: n 30 | #USB_RENESAS_USBHS: y 31 | USB_ACM: y 32 | USB_PRINTER: y 33 | USB_WDM: y 34 | USB_TMC: y 35 | USB_STORAGE: y 36 | USB_STORAGE_DEBUG: n 37 | USB_STORAGE_REALTEK: y 38 | USB_STORAGE_DATAFAB: y 39 | USB_STORAGE_FREECOM: y 40 | USB_STORAGE_ISD200: y 41 | USB_STORAGE_USBAT: y 42 | USB_STORAGE_SDDR09: y 43 | USB_STORAGE_SDDR55: y 44 | USB_STORAGE_JUMPSHOT: y 45 | USB_STORAGE_ALAUDA: y 46 | USB_STORAGE_KARMA: y 47 | USB_STORAGE_CYPRESS_ATACB: y 48 | USB_STORAGE_ENE_UB6250: y 49 | USB_UAS: y 50 | USB_MDC800: y 51 | USB_MICROTEK: y 52 | USBIP_CORE: y 53 | USBIP_VHCI_HCD: y 54 | USBIP_HOST: y 55 | USBIP_DEBUG: n 56 | USB_ISP1760: y 57 | USB_ISP1760_DUAL_ROLE: y 58 | USB_SERIAL: y 59 | USB_SERIAL_CONSOLE: y 60 | USB_SERIAL_GENERIC: y 61 | USB_SERIAL_SIMPLE: y 62 | USB_SERIAL_AIRCABLE: y 63 | USB_SERIAL_ARK3116: y 64 | USB_SERIAL_BELKIN: y 65 | USB_SERIAL_CH341: y 66 | USB_SERIAL_WHITEHEAT: y 67 | USB_SERIAL_DIGI_ACCELEPORT: y 68 | USB_SERIAL_CP210X: y 69 | USB_SERIAL_CYPRESS_M8: y 70 | USB_SERIAL_EMPEG: y 71 | USB_SERIAL_FTDI_SIO: y 72 | USB_SERIAL_VISOR: y 73 | USB_SERIAL_IPAQ: y 74 | USB_SERIAL_IR: y 75 | USB_SERIAL_EDGEPORT: y 76 | USB_SERIAL_EDGEPORT_TI: y 77 | USB_SERIAL_F81232: y 78 | USB_SERIAL_GARMIN: y 79 | USB_SERIAL_IPW: y 80 | USB_SERIAL_IUU: y 81 | USB_SERIAL_KEYSPAN_PDA: y 82 | USB_SERIAL_KEYSPAN: y 83 | USB_SERIAL_KLSI: y 84 | USB_SERIAL_KOBIL_SCT: y 85 | USB_SERIAL_MCT_U232: y 86 | USB_SERIAL_METRO: y 87 | USB_SERIAL_MOS7720: y 88 | USB_SERIAL_MOS7840: y 89 | USB_SERIAL_MXUPORT11: y 90 | USB_SERIAL_MXUPORT: y 91 | USB_SERIAL_NAVMAN: y 92 | USB_SERIAL_PL2303: y 93 | USB_SERIAL_OTI6858: y 94 | USB_SERIAL_QCAUX: y 95 | USB_SERIAL_QUALCOMM: y 96 | USB_SERIAL_SPCP8X5: y 97 | USB_SERIAL_SAFE: y 98 | USB_SERIAL_SAFE_PADDED: y 99 | USB_SERIAL_SIERRAWIRELESS: y 100 | USB_SERIAL_SYMBOL: y 101 | USB_SERIAL_TI: y 102 | USB_SERIAL_CYBERJACK: y 103 | USB_SERIAL_XIRCOM: y 104 | USB_SERIAL_OPTION: y 105 | USB_SERIAL_OMNINET: y 106 | USB_SERIAL_OPTICON: y 107 | USB_SERIAL_XSENS_MT: y 108 | USB_SERIAL_WISHBONE: y 109 | USB_SERIAL_SSU100: y 110 | USB_SERIAL_QT2: y 111 | USB_SERIAL_DEBUG: y 112 | USB_EMI62: y 113 | USB_EMI26: y 114 | USB_ADUTUX: y 115 | USB_SEVSEG: y 116 | USB_RIO500: y 117 | USB_LEGOTOWER: y 118 | USB_LCD: y 119 | USB_LED: y 120 | USB_CYPRESS_CY7C63: y 121 | USB_CYTHERM: y 122 | USB_IDMOUSE: y 123 | USB_FTDI_ELAN: y 124 | USB_LD: y 125 | USB_TRANCEVIBRATOR: y 126 | USB_IOWARRIOR: y 127 | USB_TEST: n 128 | USB_EHSET_TEST_FIXTURE: y 129 | USB_ISIGHTFW: y 130 | USB_YUREX: y 131 | USB_EZUSB_FX2: y 132 | USB_HSIC_USB3503: y 133 | USB_LINK_LAYER_TEST: n 134 | USB_CHAOSKEY: y 135 | USB_ATM: y 136 | USB_SPEEDTOUCH: y 137 | USB_CXACRU: y 138 | USB_UEAGLEATM: y 139 | USB_XUSBATM: y 140 | #KEYSTONE_USB_PHY: y 141 | NOP_USB_XCEIV: y 142 | #AM335X_PHY_USB: y 143 | USB_GPIO_VBUS: y 144 | USB_ISP1301: y 145 | #USB_MSM_OTG: y 146 | #USB_QCOM_8X16_PHY: y 147 | USB_LED_TRIG: y 148 | 149 | # USB sound devices 150 | SND_USB: y 151 | SND_USB_AUDIO: y 152 | SND_USB_UA101: y 153 | SND_USB_USX2Y: y 154 | SND_USB_CAIAQ: y 155 | SND_USB_CAIAQ_INPUT: y 156 | SND_USB_US122L: y 157 | SND_USB_6FIRE: y 158 | SND_USB_HIFACE: y 159 | SND_BCD2000: y 160 | SND_USB_POD: y 161 | SND_USB_PODHD: y 162 | SND_USB_TONEPORT: y 163 | SND_USB_VARIAX: y 164 | 165 | # Media USB Adapters 166 | USB_VIDEO_CLASS: y 167 | USB_VIDEO_CLASS_INPUT_EVDEV: y 168 | USB_GSPCA: y 169 | USB_M5602: y 170 | USB_STV06XX: y 171 | USB_GL860: y 172 | USB_GSPCA_BENQ: y 173 | USB_GSPCA_CONEX: y 174 | USB_GSPCA_CPIA1: y 175 | USB_GSPCA_DTCS033: y 176 | USB_GSPCA_ETOMS: y 177 | USB_GSPCA_FINEPIX: y 178 | USB_GSPCA_JEILINJ: y 179 | USB_GSPCA_JL2005BCD: y 180 | USB_GSPCA_KINECT: y 181 | USB_GSPCA_KONICA: y 182 | USB_GSPCA_MARS: y 183 | USB_GSPCA_MR97310A: y 184 | USB_GSPCA_NW80X: y 185 | USB_GSPCA_OV519: y 186 | USB_GSPCA_OV534: y 187 | USB_GSPCA_OV534_9: y 188 | USB_GSPCA_PAC207: y 189 | USB_GSPCA_PAC7302: y 190 | USB_GSPCA_PAC7311: y 191 | USB_GSPCA_SE401: y 192 | USB_GSPCA_SN9C2028: y 193 | USB_GSPCA_SN9C20X: y 194 | USB_GSPCA_SONIXB: y 195 | USB_GSPCA_SONIXJ: y 196 | USB_GSPCA_SPCA500: y 197 | USB_GSPCA_SPCA501: y 198 | USB_GSPCA_SPCA505: y 199 | USB_GSPCA_SPCA506: y 200 | USB_GSPCA_SPCA508: y 201 | USB_GSPCA_SPCA561: y 202 | USB_GSPCA_SPCA1528: y 203 | USB_GSPCA_SQ905: y 204 | USB_GSPCA_SQ905C: y 205 | USB_GSPCA_SQ930X: y 206 | USB_GSPCA_STK014: y 207 | USB_GSPCA_STK1135: y 208 | USB_GSPCA_STV0680: y 209 | USB_GSPCA_SUNPLUS: y 210 | USB_GSPCA_T613: y 211 | USB_GSPCA_TOPRO: y 212 | USB_GSPCA_TOUPTEK: y 213 | USB_GSPCA_TV8532: y 214 | USB_GSPCA_VC032X: y 215 | USB_GSPCA_VICAM: y 216 | USB_GSPCA_XIRLINK_CIT: y 217 | USB_GSPCA_ZC3XX: y 218 | USB_PWC: y 219 | USB_PWC_DEBUG: n 220 | USB_PWC_INPUT_EVDEV: y 221 | VIDEO_CPIA2: y 222 | USB_ZR364XX: y 223 | USB_STKWEBCAM: y 224 | USB_S2255: y 225 | VIDEO_USBTV: y 226 | VIDEO_PVRUSB2: y 227 | VIDEO_PVRUSB2_SYSFS: y 228 | VIDEO_PVRUSB2_DVB: y 229 | VIDEO_PVRUSB2_DEBUGIFC: n 230 | VIDEO_HDPVR: y 231 | VIDEO_USBVISION: y 232 | VIDEO_STK1160_COMMON: y 233 | VIDEO_STK1160_AC97: y 234 | VIDEO_GO7007: y 235 | VIDEO_GO7007_USB: y 236 | VIDEO_GO7007_LOADER: y 237 | VIDEO_GO7007_USB_S2250_BOARD: y 238 | VIDEO_AU0828: y 239 | VIDEO_AU0828_V4L2: y 240 | VIDEO_AU0828_RC: y 241 | VIDEO_CX231XX: y 242 | VIDEO_CX231XX_RC: y 243 | VIDEO_CX231XX_ALSA: y 244 | VIDEO_CX231XX_DVB: y 245 | VIDEO_TM6000: y 246 | VIDEO_TM6000_ALSA: y 247 | VIDEO_TM6000_DVB: y 248 | DVB_USB: y 249 | DVB_USB_DEBUG: n 250 | DVB_USB_A800: y 251 | DVB_USB_DIBUSB_MB: y 252 | DVB_USB_DIBUSB_MB_FAULTY: y 253 | DVB_USB_DIBUSB_MC: y 254 | DVB_USB_DIB0700: y 255 | DVB_USB_UMT_010: y 256 | DVB_USB_CXUSB: y 257 | DVB_USB_M920X: y 258 | DVB_USB_DIGITV: y 259 | DVB_USB_VP7045: y 260 | DVB_USB_VP702X: y 261 | DVB_USB_GP8PSK: y 262 | DVB_USB_NOVA_T_USB2: y 263 | DVB_USB_TTUSB2: y 264 | DVB_USB_DTT200U: y 265 | DVB_USB_OPERA1: y 266 | DVB_USB_AF9005: y 267 | DVB_USB_AF9005_REMOTE: y 268 | DVB_USB_PCTV452E: y 269 | DVB_USB_DW2102: y 270 | DVB_USB_CINERGY_T2: y 271 | DVB_USB_DTV5100: y 272 | DVB_USB_FRIIO: y 273 | DVB_USB_AZ6027: y 274 | DVB_USB_TECHNISAT_USB2: y 275 | DVB_USB_V2: y 276 | DVB_USB_AF9015: y 277 | DVB_USB_AF9035: y 278 | DVB_USB_ANYSEE: y 279 | DVB_USB_AU6610: y 280 | DVB_USB_AZ6007: y 281 | DVB_USB_CE6230: y 282 | DVB_USB_EC168: y 283 | DVB_USB_GL861: y 284 | DVB_USB_LME2510: y 285 | DVB_USB_MXL111SF: y 286 | DVB_USB_RTL28XXU: y 287 | DVB_USB_DVBSKY: y 288 | DVB_TTUSB_BUDGET: y 289 | DVB_TTUSB_DEC: y 290 | SMS_USB_DRV: y 291 | DVB_B2C2_FLEXCOP_USB: y 292 | DVB_B2C2_FLEXCOP_USB_DEBUG: n 293 | DVB_AS102: y 294 | VIDEO_EM28XX: y 295 | VIDEO_EM28XX_V4L2: y 296 | VIDEO_EM28XX_ALSA: y 297 | VIDEO_EM28XX_DVB: y 298 | VIDEO_EM28XX_RC: y 299 | USB_AIRSPY: y 300 | USB_HACKRF: y 301 | 302 | # USB Network Adapters 303 | USB_CATC: y 304 | USB_KAWETH: y 305 | USB_PEGASUS: y 306 | USB_RTL8150: y 307 | USB_RTL8152: y 308 | USB_LAN78XX: y 309 | USB_USBNET: y 310 | USB_NET_AX8817X: y 311 | USB_NET_AX88179_178A: y 312 | USB_NET_CDCETHER: y 313 | USB_NET_CDC_EEM: y 314 | USB_NET_CDC_NCM: y 315 | USB_NET_HUAWEI_CDC_NCM: y 316 | USB_NET_CDC_MBIM: y 317 | USB_NET_DM9601: y 318 | USB_NET_SR9700: y 319 | USB_NET_SR9800: y 320 | USB_NET_SMSC75XX: y 321 | USB_NET_SMSC95XX: y 322 | USB_NET_GL620A: y 323 | USB_NET_NET1080: y 324 | USB_NET_PLUSB: y 325 | USB_NET_MCS7830: y 326 | USB_NET_RNDIS_HOST: y 327 | USB_NET_CDC_SUBSET: y 328 | USB_ALI_M5632: y 329 | USB_AN2720: y 330 | USB_BELKIN: y 331 | USB_ARMLINUX: y 332 | USB_EPSON2888: y 333 | USB_KC2190: y 334 | USB_NET_ZAURUS: y 335 | USB_NET_CX82310_ETH: y 336 | USB_NET_KALMIA: y 337 | USB_NET_QMI_WWAN: y 338 | USB_HSO: y 339 | USB_NET_INT51X1: y 340 | USB_CDC_PHONET: y 341 | USB_IPHETH: y 342 | USB_SIERRA_NET: y 343 | USB_VL600: y 344 | USB_NET_CH9200: y 345 | 346 | # Misc 347 | I2C_TINY_USB: y 348 | IR_IGORPLUGUSB: y 349 | IR_MCEUSB: y 350 | IR_TTUSBIR: y 351 | JOYSTICK_IFORCE_USB: y 352 | MEMSTICK_REALTEK_USB: y 353 | MFD_RTSX_USB: y 354 | MISDN_HFCUSB: y 355 | MMC_REALTEK_USB: y 356 | MOUSE_SYNAPTICS_USB: y 357 | ORINOCO_USB: y 358 | RT2500USB: y 359 | RT2800USB: y 360 | RT2800USB_RT33XX: y 361 | RT2800USB_RT3573: y 362 | RT2800USB_RT35XX: y 363 | RT2800USB_RT53XX: y 364 | RT2800USB_RT55XX: y 365 | RT2800USB_UNKNOWN: y 366 | TABLET_USB_ACECAD: y 367 | TABLET_USB_AIPTEK: y 368 | TABLET_USB_GTCO: y 369 | TABLET_USB_HANWANG: y 370 | TABLET_USB_KBTAB: y 371 | TAHVO_USB: y 372 | TAHVO_USB_HOST_BY_DEFAULT: y 373 | TOUCHSCREEN_USB_3M: y 374 | TOUCHSCREEN_USB_COMPOSITE: y 375 | TOUCHSCREEN_USB_DMC_TSC10: y 376 | TOUCHSCREEN_USB_E2I: y 377 | TOUCHSCREEN_USB_EASYTOUCH: y 378 | TOUCHSCREEN_USB_EGALAX: y 379 | TOUCHSCREEN_USB_ELO: y 380 | TOUCHSCREEN_USB_ETT_TC45USB: y 381 | TOUCHSCREEN_USB_ETURBO: y 382 | TOUCHSCREEN_USB_GENERAL_TOUCH: y 383 | TOUCHSCREEN_USB_GOTOP: y 384 | TOUCHSCREEN_USB_GUNZE: y 385 | TOUCHSCREEN_USB_IDEALTEK: y 386 | TOUCHSCREEN_USB_IRTOUCH: y 387 | TOUCHSCREEN_USB_ITM: y 388 | TOUCHSCREEN_USB_JASTEC: y 389 | TOUCHSCREEN_USB_NEXIO: y 390 | TOUCHSCREEN_USB_PANJIT: y 391 | TOUCHSCREEN_USB_ZYTRONIC: y 392 | USB_APPLEDISPLAY: y 393 | USB_HID: y 394 | HID_PID: y 395 | USB_HIDDEV: y 396 | USB_IDMOUSE: y 397 | USB_RAREMONO: y 398 | -------------------------------------------------------------------------------- /fuzzers/usb/usb.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | #include "fuzzer.hh" 25 | 26 | static const char *ep_names[31] = { 27 | "/dev/gadget/dummy_udc", 28 | "/dev/gadget/ep1in-bulk", 29 | "/dev/gadget/ep2out-bulk", 30 | "/dev/gadget/ep3in-iso", 31 | "/dev/gadget/ep4out-iso", 32 | "/dev/gadget/ep5in-int", 33 | "/dev/gadget/ep6in-bulk", 34 | "/dev/gadget/ep7out-bulk", 35 | "/dev/gadget/ep8in-iso", 36 | "/dev/gadget/ep9out-iso", 37 | "/dev/gadget/ep10in-int", 38 | "/dev/gadget/ep11in-bulk", 39 | "/dev/gadget/ep12out-bulk", 40 | "/dev/gadget/ep13in-iso", 41 | "/dev/gadget/ep14out-iso", 42 | "/dev/gadget/ep15in-int", 43 | "/dev/gadget/ep1out-bulk", 44 | "/dev/gadget/ep2in-bulk", 45 | "/dev/gadget/ep3out", 46 | "/dev/gadget/ep4in", 47 | "/dev/gadget/ep5out", 48 | "/dev/gadget/ep6out", 49 | "/dev/gadget/ep7in", 50 | "/dev/gadget/ep8out", 51 | "/dev/gadget/ep9in", 52 | "/dev/gadget/ep10out", 53 | "/dev/gadget/ep11out", 54 | "/dev/gadget/ep12in", 55 | "/dev/gadget/ep13out", 56 | "/dev/gadget/ep14in", 57 | "/dev/gadget/ep15out", 58 | }; 59 | 60 | class usb_fuzzer: 61 | public fuzzer 62 | { 63 | public: 64 | int fd; 65 | 66 | usb_fuzzer() 67 | { 68 | mkdir("/dev/gadget", 0755); 69 | } 70 | 71 | int setup(const char *path) 72 | { 73 | if (mount("none", "/dev/gadget", "gadgetfs", 0, NULL) != 0) 74 | error(1, errno, "mount()"); 75 | 76 | fd = open(path, O_RDONLY); 77 | if (fd == -1) 78 | error(1, errno, "open(%s)", path); 79 | 80 | return 0; 81 | } 82 | 83 | void cleanup() 84 | { 85 | close(fd); 86 | 87 | if (umount2("/dev/gadget", MNT_FORCE | MNT_DETACH) == -1) 88 | error(1, errno, "umount2()"); 89 | } 90 | 91 | void run() 92 | { 93 | int fds[31]; 94 | for (unsigned int i = 0; i < 31; ++i) 95 | fds[i] = -1; 96 | 97 | while (1) { 98 | uint8_t ep; 99 | if (read(fd, &ep, sizeof(ep)) != sizeof(ep)) 100 | goto out_close_fds; 101 | 102 | ep = ep % 31; 103 | 104 | int epfd = fds[ep]; 105 | if (epfd == -1) { 106 | epfd = open(ep_names[ep], O_RDWR); 107 | if (epfd == -1) 108 | continue; 109 | 110 | fds[ep] = epfd; 111 | } 112 | 113 | uint8_t packet_len; 114 | if (read(fd, &packet_len, sizeof(packet_len)) != sizeof(packet_len)) 115 | goto out_close_fds; 116 | 117 | if (packet_len == 0) { 118 | struct pollfd pfd = {}; 119 | pfd.fd = epfd; 120 | pfd.events = POLLIN; 121 | if (poll(&pfd, 1, 0) == 1) { 122 | static char buf[4096]; 123 | if (read(epfd, buf, sizeof(buf)) == -1 && errno == EINTR) 124 | break; 125 | } 126 | } else { 127 | uint8_t buffer[256]; 128 | int len = read(fd, buffer, packet_len); 129 | if (len <= 0) 130 | goto out_close_fds; 131 | 132 | if (write(epfd, buffer, len) == -1 && errno == EINTR) 133 | break; 134 | } 135 | } 136 | 137 | out_close_fds: 138 | for (unsigned int i = 0; i < 31; ++i) { 139 | if (fds[i] != -1) 140 | close(fds[i]); 141 | } 142 | } 143 | } usb_fuzzer; 144 | 145 | fuzzer *fuzzer = &usb_fuzzer; 146 | -------------------------------------------------------------------------------- /fuzzers/vfat/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/fat/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | VFAT_FS: y 6 | NLS_CODEPAGE_437: y 7 | NLS_ISO8859_1: y 8 | NLS_UTF8: y 9 | -------------------------------------------------------------------------------- /fuzzers/vfat/vfat-extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _vfat_extents[] = { 4 | { 0, 192 }, 5 | { 448, 128 }, 6 | { 66048, 64 }, 7 | { 131584, 64 }, 8 | { 150016, 128 }, 9 | { 152064, 320 }, 10 | { 154112, 64 }, 11 | { 156160, 64 }, 12 | }; 13 | 14 | const fs_extents vfat_extents = { 15 | 1024, 16 | 67108864, 17 | 8, 18 | _vfat_extents, 19 | }; 20 | -------------------------------------------------------------------------------- /fuzzers/vfat/vfat.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "vfat-extents.hh" 11 | 12 | static class vfat_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | vfat_fuzzer(): 17 | fs_fuzzer("vfat", 0, 0, vfat_extents) 18 | { 19 | } 20 | } vfat_fuzzer; 21 | 22 | fuzzer *fuzzer = &vfat_fuzzer; 23 | -------------------------------------------------------------------------------- /fuzzers/xfs/config.yml: -------------------------------------------------------------------------------- 1 | instrument: [fs/xfs/] 2 | config: 3 | BLK_DEV_LOOP: y 4 | BLK_DEV_LOOP_MIN_COUNT: 8 5 | XFS_FS: y 6 | XFS_QUOTA: y 7 | XFS_POSIX_ACL: y 8 | XFS_RT: y 9 | XFS_WARN: n 10 | XFS_DEBUG: n 11 | -------------------------------------------------------------------------------- /fuzzers/xfs/xfs.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fs-fuzzer.hh" 10 | #include "xfs-extents.hh" 11 | 12 | static class xfs_fuzzer: 13 | public fs_fuzzer 14 | { 15 | public: 16 | xfs_fuzzer(): 17 | fs_fuzzer("xfs", 0, "nobarrier", xfs_extents) 18 | { 19 | } 20 | } xfs_fuzzer; 21 | 22 | fuzzer *fuzzer = &xfs_fuzzer; 23 | -------------------------------------------------------------------------------- /include/crc32c.h: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #ifndef KERNEL_FUZZING_CRC32C_H 10 | #define KERNEL_FUZZING_CRC32C_H 11 | 12 | #include 13 | 14 | static inline uint32_t crc32c(uint32_t x, const uint8_t *buf, unsigned int size) 15 | { 16 | static const uint32_t lookup[] = { 17 | 0x00000000, 18 | 0xf26b8303, 19 | 0xe13b70f7, 20 | 0x1350f3f4, 21 | 0xc79a971f, 22 | 0x35f1141c, 23 | 0x26a1e7e8, 24 | 0xd4ca64eb, 25 | 0x8ad958cf, 26 | 0x78b2dbcc, 27 | 0x6be22838, 28 | 0x9989ab3b, 29 | 0x4d43cfd0, 30 | 0xbf284cd3, 31 | 0xac78bf27, 32 | 0x5e133c24, 33 | 0x105ec76f, 34 | 0xe235446c, 35 | 0xf165b798, 36 | 0x030e349b, 37 | 0xd7c45070, 38 | 0x25afd373, 39 | 0x36ff2087, 40 | 0xc494a384, 41 | 0x9a879fa0, 42 | 0x68ec1ca3, 43 | 0x7bbcef57, 44 | 0x89d76c54, 45 | 0x5d1d08bf, 46 | 0xaf768bbc, 47 | 0xbc267848, 48 | 0x4e4dfb4b, 49 | 0x20bd8ede, 50 | 0xd2d60ddd, 51 | 0xc186fe29, 52 | 0x33ed7d2a, 53 | 0xe72719c1, 54 | 0x154c9ac2, 55 | 0x061c6936, 56 | 0xf477ea35, 57 | 0xaa64d611, 58 | 0x580f5512, 59 | 0x4b5fa6e6, 60 | 0xb93425e5, 61 | 0x6dfe410e, 62 | 0x9f95c20d, 63 | 0x8cc531f9, 64 | 0x7eaeb2fa, 65 | 0x30e349b1, 66 | 0xc288cab2, 67 | 0xd1d83946, 68 | 0x23b3ba45, 69 | 0xf779deae, 70 | 0x05125dad, 71 | 0x1642ae59, 72 | 0xe4292d5a, 73 | 0xba3a117e, 74 | 0x4851927d, 75 | 0x5b016189, 76 | 0xa96ae28a, 77 | 0x7da08661, 78 | 0x8fcb0562, 79 | 0x9c9bf696, 80 | 0x6ef07595, 81 | 0x417b1dbc, 82 | 0xb3109ebf, 83 | 0xa0406d4b, 84 | 0x522bee48, 85 | 0x86e18aa3, 86 | 0x748a09a0, 87 | 0x67dafa54, 88 | 0x95b17957, 89 | 0xcba24573, 90 | 0x39c9c670, 91 | 0x2a993584, 92 | 0xd8f2b687, 93 | 0x0c38d26c, 94 | 0xfe53516f, 95 | 0xed03a29b, 96 | 0x1f682198, 97 | 0x5125dad3, 98 | 0xa34e59d0, 99 | 0xb01eaa24, 100 | 0x42752927, 101 | 0x96bf4dcc, 102 | 0x64d4cecf, 103 | 0x77843d3b, 104 | 0x85efbe38, 105 | 0xdbfc821c, 106 | 0x2997011f, 107 | 0x3ac7f2eb, 108 | 0xc8ac71e8, 109 | 0x1c661503, 110 | 0xee0d9600, 111 | 0xfd5d65f4, 112 | 0x0f36e6f7, 113 | 0x61c69362, 114 | 0x93ad1061, 115 | 0x80fde395, 116 | 0x72966096, 117 | 0xa65c047d, 118 | 0x5437877e, 119 | 0x4767748a, 120 | 0xb50cf789, 121 | 0xeb1fcbad, 122 | 0x197448ae, 123 | 0x0a24bb5a, 124 | 0xf84f3859, 125 | 0x2c855cb2, 126 | 0xdeeedfb1, 127 | 0xcdbe2c45, 128 | 0x3fd5af46, 129 | 0x7198540d, 130 | 0x83f3d70e, 131 | 0x90a324fa, 132 | 0x62c8a7f9, 133 | 0xb602c312, 134 | 0x44694011, 135 | 0x5739b3e5, 136 | 0xa55230e6, 137 | 0xfb410cc2, 138 | 0x092a8fc1, 139 | 0x1a7a7c35, 140 | 0xe811ff36, 141 | 0x3cdb9bdd, 142 | 0xceb018de, 143 | 0xdde0eb2a, 144 | 0x2f8b6829, 145 | 0x82f63b78, 146 | 0x709db87b, 147 | 0x63cd4b8f, 148 | 0x91a6c88c, 149 | 0x456cac67, 150 | 0xb7072f64, 151 | 0xa457dc90, 152 | 0x563c5f93, 153 | 0x082f63b7, 154 | 0xfa44e0b4, 155 | 0xe9141340, 156 | 0x1b7f9043, 157 | 0xcfb5f4a8, 158 | 0x3dde77ab, 159 | 0x2e8e845f, 160 | 0xdce5075c, 161 | 0x92a8fc17, 162 | 0x60c37f14, 163 | 0x73938ce0, 164 | 0x81f80fe3, 165 | 0x55326b08, 166 | 0xa759e80b, 167 | 0xb4091bff, 168 | 0x466298fc, 169 | 0x1871a4d8, 170 | 0xea1a27db, 171 | 0xf94ad42f, 172 | 0x0b21572c, 173 | 0xdfeb33c7, 174 | 0x2d80b0c4, 175 | 0x3ed04330, 176 | 0xccbbc033, 177 | 0xa24bb5a6, 178 | 0x502036a5, 179 | 0x4370c551, 180 | 0xb11b4652, 181 | 0x65d122b9, 182 | 0x97baa1ba, 183 | 0x84ea524e, 184 | 0x7681d14d, 185 | 0x2892ed69, 186 | 0xdaf96e6a, 187 | 0xc9a99d9e, 188 | 0x3bc21e9d, 189 | 0xef087a76, 190 | 0x1d63f975, 191 | 0x0e330a81, 192 | 0xfc588982, 193 | 0xb21572c9, 194 | 0x407ef1ca, 195 | 0x532e023e, 196 | 0xa145813d, 197 | 0x758fe5d6, 198 | 0x87e466d5, 199 | 0x94b49521, 200 | 0x66df1622, 201 | 0x38cc2a06, 202 | 0xcaa7a905, 203 | 0xd9f75af1, 204 | 0x2b9cd9f2, 205 | 0xff56bd19, 206 | 0x0d3d3e1a, 207 | 0x1e6dcdee, 208 | 0xec064eed, 209 | 0xc38d26c4, 210 | 0x31e6a5c7, 211 | 0x22b65633, 212 | 0xd0ddd530, 213 | 0x0417b1db, 214 | 0xf67c32d8, 215 | 0xe52cc12c, 216 | 0x1747422f, 217 | 0x49547e0b, 218 | 0xbb3ffd08, 219 | 0xa86f0efc, 220 | 0x5a048dff, 221 | 0x8ecee914, 222 | 0x7ca56a17, 223 | 0x6ff599e3, 224 | 0x9d9e1ae0, 225 | 0xd3d3e1ab, 226 | 0x21b862a8, 227 | 0x32e8915c, 228 | 0xc083125f, 229 | 0x144976b4, 230 | 0xe622f5b7, 231 | 0xf5720643, 232 | 0x07198540, 233 | 0x590ab964, 234 | 0xab613a67, 235 | 0xb831c993, 236 | 0x4a5a4a90, 237 | 0x9e902e7b, 238 | 0x6cfbad78, 239 | 0x7fab5e8c, 240 | 0x8dc0dd8f, 241 | 0xe330a81a, 242 | 0x115b2b19, 243 | 0x020bd8ed, 244 | 0xf0605bee, 245 | 0x24aa3f05, 246 | 0xd6c1bc06, 247 | 0xc5914ff2, 248 | 0x37faccf1, 249 | 0x69e9f0d5, 250 | 0x9b8273d6, 251 | 0x88d28022, 252 | 0x7ab90321, 253 | 0xae7367ca, 254 | 0x5c18e4c9, 255 | 0x4f48173d, 256 | 0xbd23943e, 257 | 0xf36e6f75, 258 | 0x0105ec76, 259 | 0x12551f82, 260 | 0xe03e9c81, 261 | 0x34f4f86a, 262 | 0xc69f7b69, 263 | 0xd5cf889d, 264 | 0x27a40b9e, 265 | 0x79b737ba, 266 | 0x8bdcb4b9, 267 | 0x988c474d, 268 | 0x6ae7c44e, 269 | 0xbe2da0a5, 270 | 0x4c4623a6, 271 | 0x5f16d052, 272 | 0xad7d5351, 273 | }; 274 | 275 | for (unsigned int i = 0; i < size; ++i) 276 | x = lookup[(uint8_t) x ^ buf[i]] ^ (x >> 8); 277 | 278 | return x; 279 | } 280 | 281 | #endif 282 | -------------------------------------------------------------------------------- /include/fs-fuzzer.hh: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #ifndef KERNEL_FUZZING_FS_FUZZER_HH 10 | #define KERNEL_FUZZING_FS_FUZZER_HH 11 | 12 | #include 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include "fuzzer.hh" 24 | #include "mount.hh" 25 | 26 | struct fs_extents { 27 | struct extent { 28 | off_t offset; 29 | size_t len; 30 | }; 31 | 32 | unsigned int in_size; 33 | unsigned int out_size; 34 | unsigned int nr_extents; 35 | const extent *extents; 36 | }; 37 | 38 | class fs_fuzzer: 39 | public fuzzer 40 | { 41 | public: 42 | mount_helper helper; 43 | const fs_extents &extents; 44 | char filename[PATH_MAX]; 45 | 46 | uint8_t *buffer; 47 | 48 | fs_fuzzer(const char *fstype, unsigned long flags, const char *data, 49 | const fs_extents &extents): 50 | helper(fstype, flags, data), 51 | extents(extents), 52 | buffer(new uint8_t[extents.in_size]) 53 | { 54 | helper.loop_setup(); 55 | mkdir(helper.mountpoint, 0755); 56 | } 57 | 58 | ~fs_fuzzer() 59 | { 60 | delete[] buffer; 61 | } 62 | 63 | int setup(const char *path) 64 | { 65 | helper.unmount(); 66 | helper.loop_detach(1); 67 | 68 | snprintf(filename, sizeof(filename), "%s.full", path); 69 | if (construct_image(path, filename)) 70 | return 1; 71 | 72 | helper.loop_attach(filename); 73 | return 0; 74 | } 75 | 76 | void cleanup() 77 | { 78 | helper.unmount(); 79 | helper.loop_detach(0); 80 | unlink(filename); 81 | } 82 | 83 | void run() 84 | { 85 | if (helper.mount() == 0) 86 | helper.activity(); 87 | 88 | helper.unmount(); 89 | } 90 | 91 | virtual void info() 92 | { 93 | } 94 | 95 | virtual void fix_checksums(int fd) 96 | { 97 | /* By default, do nothing. */ 98 | } 99 | 100 | /* Construct a proper filesystem image given a compact input image 101 | * (typically the testcase afl has mutated). */ 102 | int construct_image(const char *in, const char *out) 103 | { 104 | int infd = open(in, O_RDONLY); 105 | if (infd == -1) 106 | return -1; 107 | 108 | ssize_t read_len = read(infd, buffer, extents.in_size); 109 | close(infd); 110 | if (read_len != extents.in_size) 111 | return -1; 112 | 113 | int outfd = open(out, O_RDWR | O_CREAT | O_TRUNC, 0700); 114 | if (outfd == -1) 115 | return -1; 116 | 117 | const uint8_t *ptr = buffer; 118 | if (ftruncate(outfd, extents.out_size) == -1) 119 | goto error_close_outfd; 120 | 121 | for (unsigned int i = 0; i < extents.nr_extents; ++i) { 122 | if (lseek(outfd, extents.extents[i].offset, SEEK_SET) == -1) 123 | goto error_close_outfd; 124 | 125 | ssize_t write_len = write(outfd, ptr, extents.extents[i].len); 126 | if (write_len != (ssize_t) extents.extents[i].len) 127 | goto error_close_outfd; 128 | 129 | ptr += extents.extents[i].len; 130 | } 131 | 132 | /* Sanity check to see that we read exactly how much we expected */ 133 | assert(ptr == &buffer[extents.in_size]); 134 | 135 | fix_checksums(outfd); 136 | close(outfd); 137 | return 0; 138 | 139 | error_close_outfd: 140 | close(outfd); 141 | return -1; 142 | } 143 | }; 144 | 145 | #endif 146 | -------------------------------------------------------------------------------- /include/fuzzer.hh: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #ifndef KERNEL_FUZZING_FUZZER_HH 10 | #define KERNEL_FUZZING_FUZZER_HH 11 | 12 | class fuzzer { 13 | public: 14 | fuzzer() 15 | { 16 | } 17 | 18 | virtual ~fuzzer() 19 | { 20 | } 21 | 22 | /* Generate initial set of test cases */ 23 | virtual void generate(const char *path) 24 | { 25 | } 26 | 27 | /* Not instrumented */ 28 | virtual int setup(const char *path) 29 | { 30 | return 0; 31 | } 32 | 33 | /* Not instrumented */ 34 | virtual void cleanup() 35 | { 36 | } 37 | 38 | /* Instrumented */ 39 | virtual void run() = 0; 40 | 41 | /* Print some human-readable info about the test-case to stdout */ 42 | virtual void info() 43 | { 44 | } 45 | }; 46 | 47 | #endif 48 | -------------------------------------------------------------------------------- /include/mount.hh: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #ifndef KERNEL_FUZZING_MOUNT_HH 10 | #define KERNEL_FUZZING_MOUNT_HH 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | #include 28 | #include 29 | 30 | class mount_helper { 31 | public: 32 | const char *loopdev; 33 | const char *mountpoint; 34 | const char *fstype; 35 | unsigned long flags; 36 | const char *data; 37 | 38 | char *foo_bar_baz; 39 | char *foo_baz; 40 | char *xattr; 41 | char *hln; 42 | char *sln; 43 | 44 | int loop_fd; 45 | 46 | mount_helper(const char *fstype, unsigned long flags = 0, const char *data = 0): 47 | loopdev("/dev/loop0"), 48 | mountpoint("/mnt"), 49 | fstype(fstype), 50 | flags(flags), 51 | data(data), 52 | foo_bar_baz(0), 53 | foo_baz(0), 54 | xattr(0), 55 | hln(0), 56 | sln(0) 57 | { 58 | asprintf(&foo_bar_baz, "%s/foo/bar/baz", mountpoint); 59 | asprintf(&foo_baz, "%s/foo/baz", mountpoint); 60 | asprintf(&xattr, "%s/foo/bar/xattr", mountpoint); 61 | asprintf(&hln, "%s/foo/bar/hln", mountpoint); 62 | asprintf(&sln, "%s/foo/bar/sln", mountpoint); 63 | } 64 | 65 | ~mount_helper() 66 | { 67 | free(foo_bar_baz); 68 | free(foo_baz); 69 | free(xattr); 70 | free(hln); 71 | free(sln); 72 | } 73 | 74 | void loop_setup() 75 | { 76 | loop_fd = open(loopdev, O_RDWR); 77 | if (loop_fd < 0) 78 | error(1, errno, "open(%s)", loopdev); 79 | } 80 | 81 | void loop_attach(const char *filename) 82 | { 83 | int file_fd = open(filename, O_RDWR); 84 | if (file_fd < 0) 85 | error(1, errno, "open(%s)", filename); 86 | 87 | unsigned int max_nr_retry = 150; 88 | 89 | while (1) { 90 | if (ioctl(loop_fd, LOOP_SET_FD, file_fd) == 0) 91 | break; 92 | 93 | if (!--max_nr_retry) { 94 | /* Do the whole setup again */ 95 | ioctl(loop_fd, LOOP_CLR_FD, 0); 96 | close(loop_fd); 97 | loop_setup(); 98 | max_nr_retry = 150; 99 | } 100 | } 101 | 102 | close(file_fd); 103 | } 104 | 105 | void loop_detach(bool ignore_errors) 106 | { 107 | if (ioctl(loop_fd, LOOP_CLR_FD, 0) < 0 && !ignore_errors) 108 | error(1, errno, "ioctl(%s, LOOP_CLR_FD)", loopdev); 109 | } 110 | 111 | void loop_setinfo(const char *filename) 112 | { 113 | struct loop_info64 linfo; 114 | memset(&linfo, 0, sizeof(linfo)); 115 | 116 | strncpy((char *) linfo.lo_file_name, filename, sizeof(linfo.lo_file_name)); 117 | 118 | if (ioctl(loop_fd, LOOP_SET_STATUS64, &linfo) < 0) 119 | error(1, errno, "ioctl(%s, LOOP_SET_STATUS64)", loopdev); 120 | } 121 | 122 | int mount() 123 | { 124 | return ::mount(loopdev, mountpoint, fstype, flags, data); 125 | } 126 | 127 | int unmount() 128 | { 129 | int err = umount2(mountpoint, 0); 130 | if (err) 131 | err = umount2(mountpoint, MNT_FORCE); 132 | if (err) 133 | err = umount2(mountpoint, MNT_DETACH); 134 | return err; 135 | } 136 | 137 | void activity() 138 | { 139 | 140 | DIR *dir = opendir(mountpoint); 141 | if (dir) { 142 | readdir(dir); 143 | closedir(dir); 144 | } 145 | 146 | static int buf[8192]; 147 | memset(buf, 0, sizeof(buf)); 148 | 149 | int fd = open(foo_bar_baz, O_RDONLY); 150 | if (fd != -1) { 151 | void *mem = mmap(NULL, 4096, PROT_READ, MAP_SHARED | MAP_POPULATE, fd, 0); 152 | if (mem != MAP_FAILED) { 153 | munmap(mem, 4096); 154 | } 155 | 156 | read(fd, buf, 11); 157 | read(fd, buf, 11); 158 | close(fd); 159 | } 160 | 161 | fd = open(foo_bar_baz, O_RDWR | O_TRUNC | O_DIRECT, 0777); 162 | if (fd != -1) { 163 | write(fd, buf, 517); 164 | write(fd, buf, sizeof(buf)); 165 | lseek(fd, 0, SEEK_SET); 166 | read(fd, buf, sizeof(buf)); 167 | lseek(fd, 1234, SEEK_SET); 168 | read(fd, buf, 517); 169 | close(fd); 170 | } 171 | 172 | fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777); 173 | if (fd != -1) { 174 | void *mem = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd, 0); 175 | if (mem != MAP_FAILED) { 176 | //++*((char *) mem); 177 | munmap(mem, 4096); 178 | } 179 | 180 | write(fd, buf, sizeof(buf)); 181 | write(fd, buf, sizeof(buf)); 182 | fdatasync(fd); 183 | fsync(fd); 184 | 185 | lseek(fd, 1024 - 33, SEEK_SET); 186 | write(fd, buf, sizeof(buf)); 187 | lseek(fd, 1024 * 1024 + 67, SEEK_SET); 188 | write(fd, buf, sizeof(buf)); 189 | lseek(fd, 1024 * 1024 * 1024 - 113, SEEK_SET); 190 | write(fd, buf, sizeof(buf)); 191 | 192 | lseek(fd, 0, SEEK_SET); 193 | write(fd, buf, sizeof(buf)); 194 | 195 | fallocate(fd, 0, 0, 123871237); 196 | fallocate(fd, 0, -13123, 123); 197 | fallocate(fd, 0, 234234, -45897); 198 | fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, 0, 4243261); 199 | fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, -95713, 38447); 200 | fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, 18237, -9173); 201 | 202 | close(fd); 203 | } 204 | 205 | rename(foo_bar_baz, foo_baz); 206 | 207 | struct stat stbuf; 208 | memset(&stbuf, 0, sizeof(stbuf)); 209 | stat(foo_baz, &stbuf); 210 | 211 | chmod(foo_baz, 0000); 212 | chmod(foo_baz, 1777); 213 | chmod(foo_baz, 3777); 214 | chmod(foo_baz, 7777); 215 | chown(foo_baz, 0, 0); 216 | chown(foo_baz, 1, 1); 217 | 218 | unlink(foo_bar_baz); 219 | unlink(foo_baz); 220 | 221 | mknod(foo_baz, 0777, makedev(0, 0)); 222 | 223 | char buf2[113]; 224 | memset(buf2, 0, sizeof(buf2)); 225 | listxattr(xattr, buf2, sizeof(buf2)); 226 | removexattr(xattr, "user.mime_type"); 227 | setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE); 228 | setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE); 229 | readlink(sln, buf2, sizeof(buf2)); 230 | } 231 | }; 232 | 233 | #endif 234 | -------------------------------------------------------------------------------- /python/kafl.py: -------------------------------------------------------------------------------- 1 | import errno 2 | import logging 3 | import os 4 | import pipes 5 | import shutil 6 | import subprocess 7 | import tempfile 8 | 9 | import jinja2 10 | import yaml 11 | 12 | HERE = os.path.abspath(os.path.dirname(__file__)) 13 | 14 | def mkdirp(path): 15 | try: 16 | os.makedirs(path) 17 | except OSError as e: 18 | if e.errno != errno.EEXIST: 19 | raise 20 | 21 | def git_export(git_dir, rev, path): 22 | archive = subprocess.Popen([ 23 | 'git', '--git-dir=' + git_dir, 24 | 'archive', '--format=tar', 25 | rev, 26 | ], stdout=subprocess.PIPE) 27 | subprocess.check_call(['tar', 'x'], cwd=path, stdin=archive.stdout) 28 | archive.wait() 29 | 30 | CONFIG_PATH = os.path.join(HERE, '..', 'config.yml') 31 | 32 | with open(CONFIG_PATH) as f: 33 | config = yaml.load(f) 34 | 35 | def make(path, args): 36 | env = os.environ.copy() 37 | 38 | gcc5_path = config.get('gcc5_path') 39 | if gcc5_path: 40 | PATH = env['PATH'] 41 | env['PATH'] = gcc5_path + ':' + PATH 42 | 43 | cc_args = [] 44 | cc = config.get('cc') 45 | if cc: 46 | cc_args.append('CC=' + cc) 47 | 48 | subprocess.check_call(['make'] + cc_args + args, cwd=path, env=env) 49 | 50 | TEMPLATES_DIR = os.path.join(HERE, '..', 'templates') 51 | 52 | template_env = jinja2.Environment(loader=jinja2.FileSystemLoader(TEMPLATES_DIR)) 53 | guest_init_template = template_env.get_template('init') 54 | 55 | INCLUDE_DIR = os.path.join(HERE, '..', 'include') 56 | SRC_DIR = os.path.join(HERE, '..', 'src') 57 | 58 | class Fuzzer(object): 59 | def __init__(self, name, path): 60 | self.name = name 61 | self.path = path 62 | 63 | with open(os.path.join(path, 'config.yml')) as f: 64 | self.config = yaml.load(f) 65 | 66 | def build_so(self, cwd=None): 67 | subprocess.check_call([ 68 | 'g++', '-Wall', 69 | '-I' + INCLUDE_DIR, 70 | '-fpic', '-shared', 71 | '-o', self.name + '.so', 72 | os.path.join(SRC_DIR, 'afl-wrapper.cc'), 73 | os.path.join(self.path, self.name + '.cc'), 74 | ], cwd=(cwd or self.path)) 75 | 76 | def build_exe(self, cwd=None): 77 | subprocess.check_call([ 78 | 'g++', '-Wall', 79 | '-I' + INCLUDE_DIR, 80 | '-o', self.name + '.exe', 81 | os.path.join(SRC_DIR, 'standalone.cc'), 82 | os.path.join(self.path, self.name + '.cc'), 83 | ], cwd=(cwd or self.path)) 84 | 85 | FUZZERS_DIR = os.path.join(HERE, '..', 'fuzzers') 86 | 87 | all_fuzzers = {} 88 | for name in os.listdir(FUZZERS_DIR): 89 | all_fuzzers[name] = Fuzzer(name, os.path.join(FUZZERS_DIR, name)) 90 | 91 | def write_init(path, vm, commands): 92 | with open(path, 'w') as f: 93 | print >>f, guest_init_template.render({ 94 | 'vm': vm, 95 | 'commands': [' '.join([pipes.quote(arg) for arg in args]) for args in commands], 96 | }) 97 | 98 | os.chmod(path, 0755) 99 | 100 | def instrument(path): 101 | assert path.endswith('.o') or path.endswith('/') 102 | 103 | if path.endswith('.o'): 104 | dirname, basename = os.path.split(path) 105 | makefile_path = os.path.join(dirname, 'Makefile') 106 | 107 | logging.debug("Adding instrumentation to %s", makefile_path) 108 | with open(makefile_path, 'a') as f: 109 | print >>f 110 | print >>f, '# Instrumentation for AFL' 111 | print >>f, 'CFLAGS_%s += $(FUZZ_INSTRUMENT_PLUGIN_CFLAGS)' % basename 112 | 113 | if path.endswith('/'): 114 | makefile_path = os.path.join(path, 'Makefile') 115 | 116 | logging.debug("Adding instrumentation to %s", makefile_path) 117 | with open(makefile_path, 'a') as f: 118 | print >>f 119 | print >>f, '# Instrumentation for AFL' 120 | print >>f, 'subdir-ccflags-y += $(FUZZ_INSTRUMENT_PLUGIN_CFLAGS)' 121 | 122 | CONFIG_DIR = os.path.join(HERE, '..') 123 | 124 | class KernelBuilder(object): 125 | def __init__(self, config, fuzzer, vm): 126 | self.repo = config['linux_repo'] 127 | self.rev = config['linux_afl_rev'] 128 | 129 | self.fuzzer = fuzzer 130 | self.makefiles = fuzzer.config['instrument'] 131 | 132 | self.vm = vm 133 | 134 | def write_config(self, config_path): 135 | with open(config_path, 'w') as fout: 136 | # First write the common part 137 | with open(os.path.join(CONFIG_DIR, 'satconfig.common')) as fin: 138 | fout.write(fin.read()) 139 | 140 | # Then write the VM-specific part 141 | with open(os.path.join(CONFIG_DIR, 'satconfig.' + self.vm)) as fin: 142 | fout.write(fin.read()) 143 | 144 | for var, value in self.fuzzer.config.get('config').iteritems(): 145 | print >>fout, 'CONFIG_%s=%s' % (var, value) 146 | 147 | def make(self, path, args): 148 | vm_args = [] 149 | if self.vm == 'uml': 150 | vm_args.append('ARCH=um') 151 | 152 | make(path, vm_args + args) 153 | 154 | def build(self, output_dir=None, config=None): 155 | output_dir = output_dir or self.fuzzer.path 156 | 157 | tmpdir = tempfile.mkdtemp() 158 | try: 159 | logging.debug("Building kernel in %s", tmpdir) 160 | 161 | git_export(self.repo, self.rev, tmpdir) 162 | for makefile in self.makefiles: 163 | instrument(os.path.join(tmpdir, makefile)) 164 | 165 | if config: 166 | shutil.copyfile(config, os.path.join(tmpdir, '.config')) 167 | else: 168 | self.write_config(os.path.join(tmpdir, '.satconfig')) 169 | 170 | self.make(tmpdir, ['satconfig']) 171 | self.make(tmpdir, ['silentoldconfig']) 172 | 173 | # Copy back the generated config as a fallback 174 | shutil.copyfile(os.path.join(tmpdir, '.config'), 175 | os.path.join(output_dir, 'config.' + self.vm)) 176 | 177 | self.make(tmpdir, ['-j4']) 178 | shutil.copy(os.path.join(tmpdir, 'vmlinux'), 179 | os.path.join(output_dir, 'vmlinux.' + self.vm)) 180 | 181 | if self.vm == 'kvm': 182 | shutil.copy(os.path.join(tmpdir, 'arch', 'x86', 'boot', 'bzImage'), 183 | os.path.join(output_dir, 'bzImage.' + self.vm)) 184 | except: 185 | raise 186 | finally: 187 | logging.info("Cleaning up temporary directory %s", tmpdir) 188 | shutil.rmtree(tmpdir) 189 | 190 | self.build_location = tmpdir 191 | 192 | class AFLBuilder(object): 193 | def __init__(self, config, fuzzer): 194 | self.repo = config['afl_repo'] 195 | self.rev = config['afl_rev'] 196 | 197 | self.fuzzer = fuzzer 198 | 199 | def build(self): 200 | tmpdir = tempfile.mkdtemp() 201 | try: 202 | logging.debug("Building AFL in %s", tmpdir) 203 | 204 | git_export(self.repo, self.rev, tmpdir) 205 | subprocess.check_call(['make'], cwd=tmpdir) 206 | shutil.copy(os.path.join(tmpdir, 'afl-fuzz'), self.fuzzer.path) 207 | except: 208 | raise 209 | finally: 210 | shutil.rmtree(tmpdir) 211 | 212 | class TerminalSaver(object): 213 | def __init__(self): 214 | pass 215 | 216 | def __enter__(self): 217 | self.stty = subprocess.check_output(['stty', '-g']).splitlines()[0] 218 | 219 | def __exit__(self, type, value, traceback): 220 | subprocess.check_call(['stty', self.stty]) 221 | subprocess.check_call(['setterm', '-cursor', 'on']) 222 | -------------------------------------------------------------------------------- /satconfig.common: -------------------------------------------------------------------------------- 1 | CONFIG_MODULES=n 2 | 3 | # Standard features 4 | CONFIG_BUG=y 5 | CONFIG_PRINTK=y 6 | CONFIG_TTY_PRINTK=y 7 | CONFIG_BINFMT_ELF=y 8 | CONFIG_BINFMT_SCRIPT=y 9 | CONFIG_PROC_FS=y 10 | CONFIG_SYSFS=y 11 | CONFIG_TMPFS=y 12 | CONFIG_BLK_DEV_MD=y 13 | CONFIG_DEVTMPFS_MOUNT=y 14 | 15 | # Debugging 16 | CONFIG_EARLY_PRINTK=y 17 | 18 | CONFIG_KALLSYMS_ALL=y 19 | CONFIG_DEBUG_INFO=y 20 | CONFIG_DEBUG_INFO_REDUCED=y 21 | CONFIG_DEBUG_BUGVERBOSE=y 22 | CONFIG_FRAME_POINTER=y 23 | 24 | CONFIG_DEBUG_PAGEALLOC=y 25 | 26 | CONFIG_LOCKUP_DETECTOR=y 27 | CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y 28 | CONFIG_DETECT_HUNG_TASK=y 29 | CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y 30 | CONFIG_PANIC_ON_OOPS=y 31 | CONFIG_PANIC_TIMEOUT=-1 32 | 33 | CONFIG_DEBUG_SPINLOCK=y 34 | CONFIG_DEBUG_MUTEXES=y 35 | CONFIG_DEBUG_ATOMIC_SLEEP=y 36 | CONFIG_DEBUG_LIST=y 37 | 38 | # x86-specific 39 | CONFIG_GENERIC_CPU=y 40 | -------------------------------------------------------------------------------- /satconfig.kvm: -------------------------------------------------------------------------------- 1 | # kvmtool-specific options 2 | 3 | # For AFL (increased determinism, etc.) 4 | CONFIG_PREEMPT=n 5 | CONFIG_SMP=n 6 | 7 | # debugging 8 | CONFIG_KASAN=y 9 | CONFIG_KASAN_INLINE=y 10 | CONFIG_TEST_KASAN=n 11 | 12 | # virtualisation 13 | CONFIG_KVM_GUEST=y 14 | CONFIG_PARAVIRT=y 15 | #CONFIG_PARAVIRT_SPINLOCKS=y 16 | 17 | CONFIG_SERIAL_8250=y 18 | CONFIG_SERIAL_8250_CONSOLE=y 19 | 20 | # virtio 21 | CONFIG_VIRTIO=y 22 | CONFIG_VIRTIO_RING=y 23 | CONFIG_VIRTIO_PCI=y 24 | CONFIG_VIRTIO_PCI_LEGACY=y 25 | CONFIG_VIRTIO_NET=y 26 | CONFIG_VIRTIO_CONSOLE=y 27 | 28 | # 9p 29 | CONFIG_NET_9P=y 30 | CONFIG_NET_9P_VIRTIO=y 31 | CONFIG_9P_FS=y 32 | -------------------------------------------------------------------------------- /satconfig.uml: -------------------------------------------------------------------------------- 1 | # UML-specific 2 | CONFIG_STDERR_CONSOLE=y 3 | CONFIG_HOSTFS=y 4 | CONFIG_DEBUG_ATOMIC_SLEEP=n # UML doesn't have CONFIG_PREEMPT 5 | -------------------------------------------------------------------------------- /src/afl-wrapper.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include "fuzzer.hh" 10 | 11 | /* 12 | * This gets compiled together with a specific fuzzer (from fuzzers/) 13 | * into a shared object that AFL knows how to load and run. 14 | */ 15 | 16 | extern class fuzzer *fuzzer; 17 | 18 | extern "C" int pre_hook(int argc, char *argv[]) 19 | { 20 | return fuzzer->setup(argv[1]); 21 | } 22 | 23 | extern "C" void post_hook(int argc, char *argv[]) 24 | { 25 | fuzzer->cleanup(); 26 | } 27 | 28 | extern "C" void run(int argc, char *argv[]) 29 | { 30 | fuzzer->run(); 31 | } 32 | -------------------------------------------------------------------------------- /src/standalone.cc: -------------------------------------------------------------------------------- 1 | /* 2 | * kernel-fuzzing.git 3 | * Copyright (c) 2016 Oracle and/or its affiliates. All rights reserved. 4 | * 5 | * Licensed under the Universal Permissive License v1.0 as shown at 6 | * http://oss.oracle.com/licenses/upl. 7 | */ 8 | 9 | #include 10 | 11 | #include "fuzzer.hh" 12 | 13 | /* 14 | * This gets compiled together with a specific fuzzer (from fuzzers/) 15 | * into a standalone binary that can be used to run a test case without 16 | * using AFL. 17 | */ 18 | 19 | extern class fuzzer *fuzzer; 20 | 21 | int main(int argc, char *argv[]) 22 | { 23 | if (!strcmp(argv[1], "--generate")) { 24 | fuzzer->generate(argv[2]); 25 | } else if (!strcmp(argv[1], "--info")) { 26 | if (fuzzer->setup(argv[2])) 27 | return 1; 28 | fuzzer->info(); 29 | fuzzer->cleanup(); 30 | } else { 31 | if (fuzzer->setup(argv[1])) 32 | return 1; 33 | 34 | fuzzer->run(); 35 | fuzzer->cleanup(); 36 | } 37 | 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /templates/extents.hh: -------------------------------------------------------------------------------- 1 | #include "fs-fuzzer.hh" 2 | 3 | const fs_extents::extent _{{ name }}_extents[] = { 4 | {% for offset, length in extents -%} 5 | { {{ offset }}, {{ length }} }, 6 | {% endfor -%} 7 | }; 8 | 9 | const fs_extents {{ name }}_extents = { 10 | {{ in_size }}, 11 | {{ out_size }}, 12 | {{ extents|length }}, 13 | _{{ name }}_extents, 14 | }; 15 | -------------------------------------------------------------------------------- /templates/init: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | set -e 4 | set -u 5 | set -x 6 | 7 | mount -t proc none /proc || true 8 | mount -t sysfs none /sys || true 9 | 10 | # Allow us to mount stuff in /mnt inside the guest 11 | mkdir -p /mnt 12 | mount -t tmpfs none /mnt 13 | 14 | # Allow screen to run inside the guest 15 | mkdir -p /var/run/screen 16 | mount -t tmpfs none /var/run/screen 17 | 18 | mount -t tmpfs none /tmp 19 | 20 | # save core dumps 21 | echo ulimit -c unlimited 22 | ulimit -c unlimited 23 | 24 | # Workaround for older versions of AFL that try to check the binary 25 | # for instrumentation 26 | export AFL_SKIP_BIN_CHECK=1 27 | 28 | {% for command in commands -%} 29 | {{ command }} 30 | {% endfor %} 31 | 32 | # Clean shutdown, no molly-guard 33 | {% if vm == 'uml' %} 34 | /sbin/halt -f 35 | {% endif %} 36 | 37 | {% if vm == 'kvm' %} 38 | /sbin/reboot -f 39 | {% endif %} 40 | --------------------------------------------------------------------------------