Rizin
unix-like reverse engineering framework and cli tools
fuzz_disasm.c
Go to the documentation of this file.
1 // the following must precede stdio (woo, thanks msft)
2 #if defined(_MSC_VER) && _MSC_VER < 1900
3 #define _CRT_SECURE_NO_WARNINGS
4 #endif
5 
6 #include <stdio.h>
7 #include <stdlib.h>
8 #include <inttypes.h>
9 
10 #include <capstone/capstone.h>
11 
12 const char *cs_fuzz_arch(uint8_t arch);
13 
14 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
15 
16 struct platform {
17  cs_arch arch;
18  cs_mode mode;
19  const char *comment;
20  const char *cstoolname;
21 };
22 
23 static FILE *outfile = NULL;
24 
25 struct platform platforms[] = {
26  {
27  // item 0
28  CS_ARCH_X86,
29  CS_MODE_32,
30  "X86 32 (Intel syntax)",
31  "x32"
32  },
33  {
34  // item 1
35  CS_ARCH_X86,
36  CS_MODE_64,
37  "X86 64 (Intel syntax)",
38  "x64"
39  },
40  {
41  // item 2
42  CS_ARCH_ARM,
43  CS_MODE_ARM,
44  "ARM",
45  "arm"
46  },
47  {
48  // item 3
49  CS_ARCH_ARM,
50  CS_MODE_THUMB,
51  "THUMB",
52  "thumb"
53  },
54  {
55  // item 4
56  CS_ARCH_ARM,
57  (cs_mode)(CS_MODE_ARM + CS_MODE_V8),
58  "Arm-V8",
59  "armv8"
60  },
61  {
62  // item 5
63  CS_ARCH_ARM,
64  (cs_mode)(CS_MODE_THUMB+CS_MODE_V8),
65  "THUMB+V8",
66  "thumbv8"
67  },
68  {
69  // item 6
70  CS_ARCH_ARM,
71  (cs_mode)(CS_MODE_THUMB + CS_MODE_MCLASS),
72  "Thumb-MClass",
73  "cortexm"
74  },
75  {
76  // item 7
77  CS_ARCH_ARM64,
78  (cs_mode)0,
79  "ARM-64",
80  "arm64"
81  },
82  {
83  // item 8
84  CS_ARCH_MIPS,
85  (cs_mode)(CS_MODE_MIPS32 + CS_MODE_BIG_ENDIAN),
86  "MIPS-32 (Big-endian)",
87  "mipsbe"
88  },
89  {
90  // item 9
91  CS_ARCH_MIPS,
92  (cs_mode)(CS_MODE_MIPS32 + CS_MODE_MICRO),
93  "MIPS-32 (micro)",
94  "mipsmicro"
95  },
96  {
97  //item 10
98  CS_ARCH_MIPS,
99  CS_MODE_MIPS64,
100  "MIPS-64-EL (Little-endian)",
101  "mips64"
102  },
103  {
104  //item 11
105  CS_ARCH_MIPS,
106  CS_MODE_MIPS32,
107  "MIPS-32-EL (Little-endian)",
108  "mips"
109  },
110  {
111  //item 12
112  CS_ARCH_MIPS,
113  (cs_mode)(CS_MODE_MIPS64 + CS_MODE_BIG_ENDIAN),
114  "MIPS-64 (Big-endian)",
115  "mips64be"
116  },
117  {
118  //item 13
119  CS_ARCH_MIPS,
120  (cs_mode)(CS_MODE_MIPS32 + CS_MODE_MICRO + CS_MODE_BIG_ENDIAN),
121  "MIPS-32 | Micro (Big-endian)",
122  "mipsbemicro"
123  },
124  {
125  //item 14
126  CS_ARCH_PPC,
127  CS_MODE_BIG_ENDIAN,
128  "PPC-64",
129  "ppc64"
130  },
131  {
132  //item 15
133  CS_ARCH_SPARC,
134  CS_MODE_BIG_ENDIAN,
135  "Sparc",
136  "sparc"
137  },
138  {
139  //item 16
140  CS_ARCH_SPARC,
141  (cs_mode)(CS_MODE_BIG_ENDIAN + CS_MODE_V9),
142  "SparcV9",
143  "sparcv9"
144  },
145  {
146  //item 17
147  CS_ARCH_SYSZ,
148  (cs_mode)0,
149  "SystemZ",
150  "systemz"
151  },
152  {
153  //item 18
154  CS_ARCH_XCORE,
155  (cs_mode)0,
156  "XCore",
157  "xcore"
158  },
159  {
160  //item 19
161  CS_ARCH_MIPS,
162  (cs_mode)(CS_MODE_MIPS32R6 + CS_MODE_BIG_ENDIAN),
163  "MIPS-32R6 (Big-endian)",
164  "mipsbe32r6"
165  },
166  {
167  //item 20
168  CS_ARCH_MIPS,
169  (cs_mode)(CS_MODE_MIPS32R6 + CS_MODE_MICRO + CS_MODE_BIG_ENDIAN),
170  "MIPS-32R6 (Micro+Big-endian)",
171  "mipsbe32r6micro"
172  },
173  {
174  //item 21
175  CS_ARCH_MIPS,
176  CS_MODE_MIPS32R6,
177  "MIPS-32R6 (Little-endian)",
178  "mips32r6"
179  },
180  {
181  //item 22
182  CS_ARCH_MIPS,
183  (cs_mode)(CS_MODE_MIPS32R6 + CS_MODE_MICRO),
184  "MIPS-32R6 (Micro+Little-endian)",
185  "mips32r6micro"
186  },
187  {
188  //item 23
189  CS_ARCH_M68K,
190  (cs_mode)0,
191  "M68K",
192  "m68k"
193  },
194  {
195  //item 24
196  CS_ARCH_M680X,
197  (cs_mode)CS_MODE_M680X_6809,
198  "M680X_M6809",
199  "m6809"
200  },
201  {
202  //item 25
203  CS_ARCH_EVM,
204  (cs_mode)0,
205  "EVM",
206  "evm"
207  },
208  {
209  //item 26
210  CS_ARCH_TMS320C64X,
211  CS_MODE_BIG_ENDIAN,
212  "tms320c64x",
213  "tms320c64x"
214  },
215 };
216 
217 const char * cs_fuzz_arch(uint8_t arch) {
218  return platforms[arch % sizeof(platforms)/sizeof(platforms[0])].cstoolname;
219 }
220 
221 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
222  csh handle;
223  cs_insn *all_insn;
224  cs_detail *detail;
225  cs_err err;
226 
227  if (Size < 1) {
228  // 1 byte for arch choice
229  return 0;
230  } else if (Size > 0x1000) {
231  //limit input to 4kb
232  Size = 0x1000;
233  }
234  if (outfile == NULL) {
235  // we compute the output
236  outfile = fopen("/dev/null", "w");
237  if (outfile == NULL) {
238  return 0;
239  }
240  }
241 
242  int platforms_len = sizeof(platforms)/sizeof(platforms[0]);
243  int i = (int)Data[0] % platforms_len;
244 
245  err = cs_open(platforms[i].arch, platforms[i].mode, &handle);
246  if (err) {
247  return 0;
248  }
249  cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON);
250 
251  uint64_t address = 0x1000;
252  size_t count = cs_disasm(handle, Data+1, Size-1, address, 0, &all_insn);
253 
254  if (count) {
255  size_t j;
256  int n;
257 
258  for (j = 0; j < count; j++) {
259  cs_insn *i = &(all_insn[j]);
260  fprintf(outfile, "0x%"PRIx64":\t%s\t\t%s // insn-ID: %u, insn-mnem: %s\n",
261  i->address, i->mnemonic, i->op_str,
262  i->id, cs_insn_name(handle, i->id));
263 
264  detail = i->detail;
265 
266  if (detail->regs_read_count > 0) {
267  fprintf(outfile, "\tImplicit registers read: ");
268  for (n = 0; n < detail->regs_read_count; n++) {
269  fprintf(outfile, "%s ", cs_reg_name(handle, detail->regs_read[n]));
270  }
271  }
272 
273  if (detail->regs_write_count > 0) {
274  fprintf(outfile, "\tImplicit registers modified: ");
275  for (n = 0; n < detail->regs_write_count; n++) {
276  fprintf(outfile, "%s ", cs_reg_name(handle, detail->regs_write[n]));
277  }
278  }
279 
280  if (detail->groups_count > 0) {
281  fprintf(outfile, "\tThis instruction belongs to groups: ");
282  for (n = 0; n < detail->groups_count; n++) {
283  fprintf(outfile, "%s ", cs_group_name(handle, detail->groups[n]));
284  }
285  }
286  }
287  fprintf(outfile, "0x%"PRIx64":\n", all_insn[j-1].address + all_insn[j-1].size);
288  cs_free(all_insn, count);
289  }
290 
291  cs_close(&handle);
292 
293  return 0;
294 }
i
lzma_index ** i
Definition: index.h:629
err
static bool err
Definition: armass.c:435
handle
static mcore_handle handle
Definition: asm_mcore.c:8
cs_arch
cs_arch
Architecture type.
Definition: capstone.h:74
CS_ARCH_ARM64
@ CS_ARCH_ARM64
ARM-64, also called AArch64.
Definition: capstone.h:76
CS_ARCH_SPARC
@ CS_ARCH_SPARC
Sparc architecture.
Definition: capstone.h:80
CS_ARCH_XCORE
@ CS_ARCH_XCORE
XCore architecture.
Definition: capstone.h:82
CS_ARCH_M68K
@ CS_ARCH_M68K
68K architecture
Definition: capstone.h:83
CS_ARCH_X86
@ CS_ARCH_X86
X86 architecture (including x86 & x86-64)
Definition: capstone.h:78
CS_ARCH_M680X
@ CS_ARCH_M680X
680X architecture
Definition: capstone.h:85
CS_ARCH_ARM
@ CS_ARCH_ARM
ARM architecture (including Thumb, Thumb-2)
Definition: capstone.h:75
CS_ARCH_MIPS
@ CS_ARCH_MIPS
Mips architecture.
Definition: capstone.h:77
CS_ARCH_SYSZ
@ CS_ARCH_SYSZ
SystemZ architecture.
Definition: capstone.h:81
CS_ARCH_TMS320C64X
@ CS_ARCH_TMS320C64X
TMS320C64x architecture.
Definition: capstone.h:84
CS_ARCH_EVM
@ CS_ARCH_EVM
Ethereum architecture.
Definition: capstone.h:86
CS_ARCH_PPC
@ CS_ARCH_PPC
PowerPC architecture.
Definition: capstone.h:79
cs_mode
cs_mode
Mode type.
Definition: capstone.h:102
CS_MODE_MCLASS
@ CS_MODE_MCLASS
ARM's Cortex-M series.
Definition: capstone.h:109
CS_MODE_64
@ CS_MODE_64
64-bit mode (X86, PPC)
Definition: capstone.h:107
CS_MODE_MIPS64
@ CS_MODE_MIPS64
Mips64 ISA (Mips)
Definition: capstone.h:125
CS_MODE_32
@ CS_MODE_32
32-bit mode (X86)
Definition: capstone.h:106
CS_MODE_ARM
@ CS_MODE_ARM
32-bit ARM
Definition: capstone.h:104
CS_MODE_V8
@ CS_MODE_V8
ARMv8 A32 encodings for ARM.
Definition: capstone.h:110
CS_MODE_MICRO
@ CS_MODE_MICRO
MicroMips mode (MIPS)
Definition: capstone.h:111
CS_MODE_MIPS32
@ CS_MODE_MIPS32
Mips32 ISA (Mips)
Definition: capstone.h:124
CS_MODE_MIPS32R6
@ CS_MODE_MIPS32R6
Mips32r6 ISA.
Definition: capstone.h:113
CS_MODE_BIG_ENDIAN
@ CS_MODE_BIG_ENDIAN
big-endian mode
Definition: capstone.h:123
CS_MODE_V9
@ CS_MODE_V9
SparcV9 mode (Sparc)
Definition: capstone.h:115
CS_MODE_THUMB
@ CS_MODE_THUMB
ARM's Thumb mode, including Thumb-2.
Definition: capstone.h:108
CS_MODE_M680X_6809
@ CS_MODE_M680X_6809
M680X Motorola 6809 mode.
Definition: capstone.h:132
CS_OPT_DETAIL
@ CS_OPT_DETAIL
Break down instruction structure into details.
Definition: capstone.h:171
csh
size_t csh
Definition: capstone.h:71
CS_OPT_ON
@ CS_OPT_ON
Turn ON an option (CS_OPT_DETAIL, CS_OPT_SKIPDATA).
Definition: capstone.h:183
NULL
#define NULL
Definition: cris-opc.c:27
cs_disasm
CAPSTONE_EXPORT size_t CAPSTONE_API cs_disasm(csh ud, const uint8_t *buffer, size_t size, uint64_t offset, size_t count, cs_insn **insn)
Definition: cs.c:798
cs_group_name
CAPSTONE_EXPORT const char *CAPSTONE_API cs_group_name(csh ud, unsigned int group)
Definition: cs.c:1178
cs_open
CAPSTONE_EXPORT cs_err CAPSTONE_API cs_open(cs_arch arch, cs_mode mode, csh *handle)
Definition: cs.c:453
cs_insn_name
CAPSTONE_EXPORT const char *CAPSTONE_API cs_insn_name(csh ud, unsigned int insn)
Definition: cs.c:1166
cs_free
CAPSTONE_EXPORT void CAPSTONE_API cs_free(cs_insn *insn, size_t count)
Definition: cs.c:1017
cs_reg_name
CAPSTONE_EXPORT const char *CAPSTONE_API cs_reg_name(csh ud, unsigned int reg)
Definition: cs.c:1154
cs_close
CAPSTONE_EXPORT cs_err CAPSTONE_API cs_close(csh *handle)
Definition: cs.c:501
cs_option
CAPSTONE_EXPORT cs_err CAPSTONE_API cs_option(csh ud, cs_opt_type type, size_t value)
Definition: cs.c:646
arch
cs_arch arch
Definition: cstool.c:13
count
static static sync static getppid static getegid const char static filename char static len const char char static bufsiz static mask static vfork const void static prot static getpgrp const char static swapflags static arg static fd static protocol static who struct sockaddr static addrlen static backlog struct timeval struct timezone static tz const struct iovec static count static mode const void const struct sockaddr static tolen const char static pathname void count
Definition: sflib.h:98
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
Definition: fuzz_disasm.c:221
platforms
struct platform platforms[]
Definition: fuzz_disasm.c:25
cs_fuzz_arch
const char * cs_fuzz_arch(uint8_t arch)
Definition: fuzz_disasm.c:217
outfile
static FILE * outfile
Definition: fuzz_disasm.c:23
size
voidpf void uLong size
Definition: ioapi.h:138
mode
const char int mode
Definition: ioapi.h:137
n
int n
Definition: mipsasm.c:19
benchmark.FILE
string FILE
Definition: benchmark.py:21
test_evm.detail
detail
Definition: test_evm.py:9
int
static int
Definition: sfsocketcall.h:114
uint64_t
unsigned long uint64_t
Definition: sftypes.h:28
uint8_t
unsigned char uint8_t
Definition: sftypes.h:31
platform::comment
const char * comment
Definition: fuzz_disasm.c:19
platform::cstoolname
const char * cstoolname
Definition: fuzz_disasm.c:20
PRIx64
#define PRIx64
Definition: sysdefs.h:94