drivermc.c File Reference
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>


Macros

#define MAX_INSTR_SIZE   64
 
#define MAX_LINE_SIZE   128
 

Functions

int LLVMFuzzerTestOneInput (const uint8_t *Data, size_t Size)
 
int main (int argc, char **argv)
 

Macro Definition Documentation

◆ MAX_INSTR_SIZE

#define MAX_INSTR_SIZE   64

Definition at line 8 of file drivermc.c.

◆ MAX_LINE_SIZE

#define MAX_LINE_SIZE   128

Definition at line 9 of file drivermc.c.

Function Documentation

◆ LLVMFuzzerTestOneInput()

int LLVMFuzzerTestOneInput ( const uint8_t *  Data,
size_t  Size 
)

This fuzz target attempts to compress the fuzzed data with the simple compression function with an output buffer that may be too small to ensure that the compressor never crashes.

This fuzz target attempts to decompress the fuzzed data with the simple decompression function to ensure the decompressor never crashes.

This fuzz target performs a lz4 round-trip test (compress & decompress), compares the result with the original, and calls abort() on corruption.

The three descriptions above are Doxygen's merge of comment blocks from other fuzz targets (the lz4 compress, decompress and round-trip harnesses) that define an entry point of the same name; they do not describe this function. The definition documented here (fuzz_diff.c, line 180) is a differential fuzz target: it disassembles the same bytes with LLVM and with Capstone, compares the two textual results, and calls abort() on any mismatch or on a Capstone decode failure.

Definition at line 180 of file fuzz_diff.c.

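int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
	/*
	 * Differential fuzz target: Data[0] selects an entry of the global
	 * platforms[] table (arch + mode); the remaining bytes are disassembled
	 * once with LLVM (via LLVMFuzzerReturnOneInput) and once with Capstone,
	 * and the two text renderings must match exactly.  Any mismatch, or a
	 * Capstone decode failure where LLVM succeeded, is reported and the
	 * process is aborted so the fuzzer records a crash.
	 *
	 * Returns 0 in every non-aborting case (libFuzzer convention).
	 */
	csh handle;
	cs_insn *insn;
	cs_err err;
	/* cs_disasm_iter() advances *code and *size through these aliases,
	 * so they must point at the (adjusted) Data/Size locals, not copies. */
	const uint8_t **Datap = &Data;
	size_t *Sizep = &Size;
	uint64_t address = 0x1000;
	/* Both buffers are 80 bytes; LLVMFuzzerReturnOneInput() takes no
	 * length argument, so it must honour that size on its own — TODO confirm. */
	char LLVMAssemblyText[80];
	char CapstoneAssemblyText[80];

	if (Size < 1) {
		// 1 byte for arch choice
		return 0;
	} else if (Size > 0x1000) {
		//limit input to 4kb
		Size = 0x1000;
	}
	if (outfile == NULL) {
		// first call: discard LLVM's own output and initialise it once
		outfile = fopen("/dev/null", "w");
		if (outfile == NULL) {
			return 0;
		}
		LLVMFuzzerInit();
	}

	/* Data[0] is attacker-controlled; bound it against the table before indexing. */
	if (Data[0] >= sizeof(platforms)/sizeof(platforms[0])) {
		return 0;
	}

	/* 1 means LLVM could not disassemble the input; nothing to compare. */
	if (LLVMFuzzerReturnOneInput(Data, Size, LLVMAssemblyText) == 1) {
		return 0;
	}

	err = cs_open(platforms[Data[0]].arch, platforms[Data[0]].mode, &handle);
	if (err) {
		return 0;
	}

	insn = cs_malloc(handle);
	assert(insn);
	if (insn == NULL) {
		/* assert() is compiled out under NDEBUG; do not dereference NULL. */
		cs_close(&handle);
		return 0;
	}
	/* Skip the platform byte; Datap/Sizep see the adjusted values. */
	Data++;
	Size--;
	if (cs_disasm_iter(handle, Datap, Sizep, &address, insn)) {
		snprintf(CapstoneAssemblyText, sizeof CapstoneAssemblyText, "\t%s\t%s", insn->mnemonic, insn->op_str);
		if (strcmp(CapstoneAssemblyText, LLVMAssemblyText) != 0) {
			printf("capstone %s != llvm %s", CapstoneAssemblyText, LLVMAssemblyText);
			/* abort() does not flush stdio; without this the diagnostic is lost
			 * when stdout is a pipe or file (the usual case under a fuzzer). */
			fflush(stdout);
			abort();
		}
	} else {
		printf("capstone failed with llvm %s", LLVMAssemblyText);
		fflush(stdout);
		abort();
	}
	cs_free(insn, 1);
	cs_close(&handle);

	return 0;
}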

References arch, assert(), cs_close(), cs_disasm_iter(), cs_free(), cs_malloc(), cs_open(), err, handle, LLVMFuzzerInit(), LLVMFuzzerReturnOneInput(), NULL, outfile, platforms, printf(), and snprintf.

Referenced by main().

◆ main()

int main ( int  argc,
char **  argv 
)

Definition at line 11 of file drivermc.c.

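int main(int argc, char **argv)
{
	/*
	 * Replays text test vectors through LLVMFuzzerTestOneInput().
	 *
	 * Each file named on the command line starts with a header line of the
	 * form "# <arch>, <mode>..." that is mapped to the platform index stored
	 * in Data[0]; every following line is a comma-separated list of "0x%02x"
	 * bytes that is parsed into Data[1..] and handed to the fuzz target.
	 *
	 * Returns 0 on success, 1 on a malformed file or missing arguments,
	 * 2 when a file cannot be opened.
	 */
	static const struct {
		const char *arch;
		const char *mode;
		uint8_t id;
	} modes[] = {
		{ "CS_ARCH_X86", "CS_MODE_32", 0 },
		{ "CS_ARCH_X86", "CS_MODE_64", 1 },
		{ "CS_ARCH_ARM", "CS_MODE_ARM", 2 },
		{ "CS_ARCH_ARM", "CS_MODE_THUMB", 3 },
		{ "CS_ARCH_ARM", "CS_MODE_ARM+CS_MODE_V8", 4 },
		{ "CS_ARCH_ARM", "CS_MODE_THUMB+CS_MODE_V8", 5 },
		{ "CS_ARCH_ARM", "CS_MODE_THUMB+CS_MODE_MCLASS", 6 },
		{ "CS_ARCH_ARM64", "0", 7 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS32+CS_MODE_BIG_ENDIAN", 8 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS32+CS_MODE_MICRO", 9 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS64", 10 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS32", 11 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS64+CS_MODE_BIG_ENDIAN", 12 },
		/* both spellings of the same flag set map to platform 13 */
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS32+CS_MODE_MICRO+CS_MODE_BIG_ENDIAN", 13 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS32+CS_MODE_BIG_ENDIAN+CS_MODE_MICRO", 13 },
		{ "CS_ARCH_PPC", "CS_MODE_BIG_ENDIAN", 14 },
		{ "CS_ARCH_SPARC", "CS_MODE_BIG_ENDIAN", 15 },
		{ "CS_ARCH_SPARC", "CS_MODE_BIG_ENDIAN + CS_MODE_V9", 16 },
		{ "CS_ARCH_SYSZ", "0", 17 },
		{ "CS_ARCH_XCORE", "0", 18 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS32R6+CS_MODE_BIG_ENDIAN", 19 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS32R6+CS_MODE_MICRO+CS_MODE_BIG_ENDIAN", 20 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS32R6", 21 },
		{ "CS_ARCH_MIPS", "CS_MODE_MIPS32R6+CS_MODE_MICRO", 22 },
		{ "CS_ARCH_M68K", "0", 23 },
		{ "CS_ARCH_M680X", "CS_MODE_M680X_6809", 24 },
		{ "CS_ARCH_EVM", "0", 25 },
	};
	const size_t nmodes = sizeof modes / sizeof modes[0];
	FILE *fp;
	uint8_t Data[MAX_INSTR_SIZE];
	char line[MAX_LINE_SIZE];
	size_t Size;
	/* arch/mode are filled by an unbounded %[^,] conversion; that is only
	 * safe because fgets() limits `line` to MAX_LINE_SIZE, the same size. */
	char arch[MAX_LINE_SIZE];
	char mode[MAX_LINE_SIZE];
	unsigned int value;
	int i;

	if (argc < 2) {
		return 1;
	}
	for (i = 1; i < argc; i++) {
		size_t m;

		fp = fopen(argv[i], "rb");
		if (fp == NULL) {
			return 2;
		}
		printf("Trying %s\n", argv[i]);
		if (fgets(line, MAX_LINE_SIZE, fp) == NULL) {
			fclose(fp); /* previously leaked on this path */
			break;
		}
		if (line[0] != '#') {
			printf("No mode\n");
			//fail instead of continue
			fclose(fp);
			return 1;
		}
		if (sscanf(line, "# %[^,], %[^,]", arch, mode) != 2) {
			printf("Wrong mode %s\n", line);
			fclose(fp);
			return 1;
		}
		/* Map the header's arch/mode pair to the platform index in Data[0]. */
		for (m = 0; m < nmodes; m++) {
			if (strcmp(arch, modes[m].arch) == 0 && strcmp(mode, modes[m].mode) == 0) {
				break;
			}
		}
		if (m == nmodes) {
			printf("Unknown mode\n");
			//fail instead of continue
			fclose(fp);
			return 1;
		}
		Data[0] = modes[m].id;

		while (fgets(line, MAX_LINE_SIZE, fp) != NULL) {
			Size = 1;
			// we start line at offset 0 and Data buffer at offset 1
			// since Data[0] is option : arch + mode; each byte occupies
			// five characters of the line ("0x%02x" plus separator)
			while (sscanf(line + (Size - 1) * 5, "0x%02x", &value) == 1) {
				/* Data has MAX_INSTR_SIZE slots; do not rely on the line
				 * length alone to keep the write in bounds. */
				if (Size >= MAX_INSTR_SIZE) {
					printf("Instruction overflow\n");
					fclose(fp);
					return 1;
				}
				Data[Size] = (uint8_t)value;
				Size++;
				/* Bound-check before indexing the separator character. */
				if (MAX_LINE_SIZE < (Size - 1) * 5) {
					printf("Line overflow\n");
					fclose(fp);
					return 1;
				}
				if (line[(Size - 1) * 5 - 1] != ',') {
					//end of pattern
					break;
				}
			}
			//launch fuzzer
			LLVMFuzzerTestOneInput(Data, Size);
		}
		fclose(fp);
	}
	return 0;
}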

References arch, argv, benchmark::FILE, i, setup::line, LLVMFuzzerTestOneInput(), MAX_INSTR_SIZE, MAX_LINE_SIZE, NULL, printf(), and value.