1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
|
/** @file
* IPRT - Fuzzing framework
*/
/*
* Copyright (C) 2018-2023 Oracle and/or its affiliates.
*
* This file is part of VirtualBox base platform packages, as
* available from https://www.virtualbox.org.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation, in version 3 of the
* License.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <https://www.gnu.org/licenses>.
*
* The contents of this file may alternatively be used under the terms
* of the Common Development and Distribution License Version 1.0
* (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
* in the VirtualBox distribution, in which case the provisions of the
* CDDL are applicable instead of those of the GPL.
*
* You may elect to license modified versions of this file under the
* terms and conditions of either the GPL or the CDDL or both.
*
* SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
*/
#ifndef IPRT_INCLUDED_fuzz_h
#define IPRT_INCLUDED_fuzz_h
#ifndef RT_WITHOUT_PRAGMA_ONCE
# pragma once
#endif
#include <iprt/cdefs.h>
#include <iprt/process.h>
#include <iprt/types.h>
RT_C_DECLS_BEGIN
/** @defgroup grp_rt_fuzz RTFuzz - Data fuzzing framework
* @ingroup grp_rt
* @sa grp_rt_test
* @{
*/
/** A fuzzer context handle. */
typedef struct RTFUZZCTXINT *RTFUZZCTX;
/** Pointer to a fuzzer context handle. */
typedef RTFUZZCTX *PRTFUZZCTX;
/** NIL fuzzer context handle. */
#define NIL_RTFUZZCTX ((RTFUZZCTX)~(uintptr_t)0)
/** A fuzzer input handle. */
typedef struct RTFUZZINPUTINT *RTFUZZINPUT;
/** Pointer to a fuzzer input handle. */
typedef RTFUZZINPUT *PRTFUZZINPUT;
/** NIL fuzzer input handle. */
#define NIL_RTFUZZINPUT ((RTFUZZINPUT)~(uintptr_t)0)
/** A fuzzer config handle. */
typedef struct RTFUZZCFGINT *RTFUZZCFG;
/** Pointer to a fuzzer config handle. */
typedef RTFUZZCFG *PRTFUZZCFG;
/** NIL fuzzer config handle. */
#define NIL_RTFUZZCFG ((RTFUZZCFG)~(uintptr_t)0)
/** A fuzzer target recorder handler. */
typedef struct RTFUZZTGTRECINT *RTFUZZTGTREC;
/** Pointer to a fuzzer target recorder handle. */
typedef RTFUZZTGTREC *PRTFUZZTGTREC;
/** NIL fuzzer target recorder handle. */
#define NIL_RTFUZZTGTREC ((RTFUZZTGTREC)~(uintptr_t)0)
/** A fuzzed target state handle. */
typedef struct RTFUZZTGTSTATEINT *RTFUZZTGTSTATE;
/** Pointer to a fuzzed target state handle. */
typedef RTFUZZTGTSTATE *PRTFUZZTGTSTATE;
/** NIL fuzzed target state handle. */
#define NIL_RTFUZZTGTSTATE ((RTFUZZTGTSTATE)~(uintptr_t)0)
/** Fuzzing observer handle. */
typedef struct RTFUZZOBSINT *RTFUZZOBS;
/** Pointer to a fuzzing observer handle. */
typedef RTFUZZOBS *PRTFUZZOBS;
/** NIL fuzzing observer handle. */
#define NIL_RTFUZZOBS ((RTFUZZOBS)~(uintptr_t)0)
/**
* Fuzzing context type.
*/
typedef enum RTFUZZCTXTYPE
{
/** Invalid type. */
RTFUZZCTXTYPE_INVALID = 0,
/** Original input data is a single binary large object (BLOB), from a file or similar. */
RTFUZZCTXTYPE_BLOB,
/** Original input data is from a data stream like a network connection. */
RTFUZZCTXTYPE_STREAM,
/** 32bit hack. */
RTFUZZCTXTYPE_32BIT_HACK = 0x7fffffff
} RTFUZZCTXTYPE;
/**
* Fuzzing context statistics.
*/
typedef struct RTFUZZCTXSTATS
{
/** Amount of memory currently allocated. */
size_t cbMemory;
/** Number of mutations accumulated in the corpus. */
uint64_t cMutations;
} RTFUZZCTXSTATS;
/** Pointer to fuzzing context statistics. */
typedef RTFUZZCTXSTATS *PRTFUZZCTXSTATS;
/** @name RTFUZZCTX_F_XXX - Flags for RTFuzzCtxCfgSetBehavioralFlags
* @{ */
/** Adds all generated inputs automatically to the input corpus for the owning context. */
#define RTFUZZCTX_F_BEHAVIORAL_ADD_INPUT_AUTOMATICALLY_TO_CORPUS RT_BIT_32(0)
/** All valid behavioral modification flags. */
#define RTFUZZCTX_F_BEHAVIORAL_VALID (RTFUZZCTX_F_BEHAVIORAL_ADD_INPUT_AUTOMATICALLY_TO_CORPUS)
/** @} */
/** @name RTFUZZOBS_SANITIZER_F_XXX - Flags for RTFuzzObsSetTestBinarySanitizers().
* @{ */
/** ASAN is compiled and enabled (observer needs to configure to abort on error to catch memory errors). */
#define RTFUZZOBS_SANITIZER_F_ASAN UINT32_C(0x00000001)
/** A converage sanitizer is compiled in which can be used to produce coverage reports aiding in the
* fuzzing process. */
#define RTFUZZOBS_SANITIZER_F_SANCOV UINT32_C(0x00000002)
/** @} */
/** @name RTFUZZTGT_REC_STATE_F_XXX - Flags for RTFuzzTgtRecorderCreate().
* @{ */
/** The output from stdout is used to compare states. */
#define RTFUZZTGT_REC_STATE_F_STDOUT RT_BIT_32(0)
/** The output from stderr is used to compare states. */
#define RTFUZZTGT_REC_STATE_F_STDERR RT_BIT_32(1)
/** The process status is used to compare states. */
#define RTFUZZTGT_REC_STATE_F_PROCSTATUS RT_BIT_32(2)
/** The coverage report is used to compare states. */
#define RTFUZZTGT_REC_STATE_F_SANCOV RT_BIT_32(3)
/** Mask of all valid flags. */
#define RTFUZZTGT_REC_STATE_F_VALID UINT32_C(0x0000000f)
/** @} */
/** @name RTFUZZCFG_IMPORT_F_XXX - Flags for RTFuzzCfgImport().
* @{ */
/** Default flags. */
#define RTFUZZCFG_IMPORT_F_DEFAULT 0
/** Adds only the inputs and doesn't set any glboal configuration flags of the fuzzing context. */
#define RTFUZZCFG_IMPORT_F_ONLY_INPUT RT_BIT_32(0)
/** Mask of all valid flags. */
#define RTFUZZCFG_IMPORT_F_VALID UINT32_C(0x00000001)
/** @} */
/**
* Fuzzing context state export callback.
*
* @returns IPRT status code.
* @param hFuzzCtx Handle of the fuzzing context.
* @param pvBuf The data to write.
* @param cbWrite Number of bytes to write.
* @param pvUser Opaque user data passed in RTFuzzCtxStateExport().
*/
typedef DECLCALLBACKTYPE(int, FNRTFUZZCTXEXPORT,(RTFUZZCTX hFuzzCtx, const void *pvBuf, size_t cbWrite, void *pvUser));
/** Pointer to a fuzzing context state export callback. */
typedef FNRTFUZZCTXEXPORT *PFNRTFUZZCTXEXPORT;
/**
* Fuzzing context state import callback.
*
* @returns IPRT status code.
* @param hFuzzCtx Handle of the fuzzing context.
* @param pvBuf Where to store the read data.
* @param cbRead Number of bytes to read.
* @param pcbRead Where to store the amount of data written, optional.
* @param pvUser Opaque user data passed in RTFuzzCtxCreateFromState().
*/
typedef DECLCALLBACKTYPE(int, FNRTFUZZCTXIMPORT,(RTFUZZCTX hFuzzCtx, void *pvBuf, size_t cbRead, size_t *pcbRead, void *pvUser));
/** Pointer to a fuzzing context state export callback. */
typedef FNRTFUZZCTXIMPORT *PFNRTFUZZCTXIMPORT;
/**
* Creates a new fuzzing context.
*
* @returns IPRT status code.
* @param phFuzzCtx Where to store the handle to the fuzzing context on success.
* @param enmType Fuzzing context data type.
*/
RTDECL(int) RTFuzzCtxCreate(PRTFUZZCTX phFuzzCtx, RTFUZZCTXTYPE enmType);
/**
* Creates a new fuzzing context from the given state.
*
* @returns IPRT status code.
* @param phFuzzCtx Where to store the handle to the fuzzing context on success.
* @param pfnImport State import callback.
* @param pvUser Opaque user data to pass to the callback.
*/
RTDECL(int) RTFuzzCtxCreateFromState(PRTFUZZCTX phFuzzCtx, PFNRTFUZZCTXIMPORT pfnImport, void *pvUser);
/**
* Creates a new fuzzing context loading the state from the given memory buffer.
*
* @returns IPRT status code.
* @param phFuzzCtx Where to store the handle to the fuzzing context on success.
* @param pvState Pointer to the memory containing the state.
* @param cbState Size of the state buffer.
*/
RTDECL(int) RTFuzzCtxCreateFromStateMem(PRTFUZZCTX phFuzzCtx, const void *pvState, size_t cbState);
/**
* Creates a new fuzzing context loading the state from the given file.
*
* @returns IPRT status code.
* @param phFuzzCtx Where to store the handle to the fuzzing context on success.
* @param pszFilename File to load the fuzzing context from.
*/
RTDECL(int) RTFuzzCtxCreateFromStateFile(PRTFUZZCTX phFuzzCtx, const char *pszFilename);
/**
* Retains a reference to the given fuzzing context.
*
* @returns New reference count on success.
* @param hFuzzCtx Handle of the fuzzing context.
*/
RTDECL(uint32_t) RTFuzzCtxRetain(RTFUZZCTX hFuzzCtx);
/**
* Releases a reference from the given fuzzing context, destroying it when reaching 0.
*
* @returns New reference count on success, 0 if the fuzzing context got destroyed.
* @param hFuzzCtx Handle of the fuzzing context.
*/
RTDECL(uint32_t) RTFuzzCtxRelease(RTFUZZCTX hFuzzCtx);
/**
* Queries statistics about the given fuzzing context.
*
* @returns IPRT status code.
* @param hFuzzCtx Handle of the fuzzing context.
* @param pStats Where to store the stats on success.
*/
RTDECL(int) RTFuzzCtxQueryStats(RTFUZZCTX hFuzzCtx, PRTFUZZCTXSTATS pStats);
/**
* Exports the given fuzzing context state.
*
* @returns IPRT statuse code
* @param hFuzzCtx The fuzzing context to export.
* @param pfnExport Export callback.
* @param pvUser Opaque user data to pass to the callback.
*/
RTDECL(int) RTFuzzCtxStateExport(RTFUZZCTX hFuzzCtx, PFNRTFUZZCTXEXPORT pfnExport, void *pvUser);
/**
* Exports the given fuzzing context state to memory allocating the buffer.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context to export.
* @param ppvState Where to store the pointer to the memory containing state on success.
* Free with RTMemFree().
* @param pcbState Where to store the size of the state in bytes.
*/
RTDECL(int) RTFuzzCtxStateExportToMem(RTFUZZCTX hFuzzCtx, void **ppvState, size_t *pcbState);
/**
* Exports the given fuzzing context state to the given file.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context to export.
* @param pszFilename The file to save the state to.
*/
RTDECL(int) RTFuzzCtxStateExportToFile(RTFUZZCTX hFuzzCtx, const char *pszFilename);
/**
* Adds a new seed to the input corpus of the given fuzzing context.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param pvInput The pointer to the input buffer.
* @param cbInput Size of the input buffer.
*/
RTDECL(int) RTFuzzCtxCorpusInputAdd(RTFUZZCTX hFuzzCtx, const void *pvInput, size_t cbInput);
/**
* Adds a new seed to the input corpus of the given fuzzing context - extended version.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param pvInput The pointer to the input buffer.
* @param cbInput Size of the input buffer.
* @param offMutStart Start offset at which a mutation can happen.
* @param cbMutRange Size of the range in bytes where a mutation can happen,
* use UINT64_MAX to allow mutations till the end of the input.
*/
RTDECL(int) RTFuzzCtxCorpusInputAddEx(RTFUZZCTX hFuzzCtx, const void *pvInput, size_t cbInput,
uint64_t offMutStart, uint64_t cbMutRange);
/**
* Adds a new seed to the input corpus of the given fuzzing context from the given file.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param pszFilename The filename to load the seed from.
*/
RTDECL(int) RTFuzzCtxCorpusInputAddFromFile(RTFUZZCTX hFuzzCtx, const char *pszFilename);
/**
* Adds a new seed to the input corpus of the given fuzzing context from the given file - extended version.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param pszFilename The filename to load the seed from.
* @param offMutStart Start offset at which a mutation can happen.
* @param cbMutRange Size of the range in bytes where a mutation can happen,
* use UINT64_MAX to allow mutations till the end of the input.
*/
RTDECL(int) RTFuzzCtxCorpusInputAddFromFileEx(RTFUZZCTX hFuzzCtx, const char *pszFilename,
uint64_t offMutStart, uint64_t cbMutRange);
/**
* Adds a new seed to the input corpus of the given fuzzing context from the given VFS file.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param hVfsFile The VFS file handle to load the seed from.
*/
RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsFile(RTFUZZCTX hFuzzCtx, RTVFSFILE hVfsFile);
/**
* Adds a new seed to the input corpus of the given fuzzing context from the given VFS file - extended version.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param hVfsFile The VFS file handle to load the seed from.
* @param offMutStart Start offset at which a mutation can happen.
* @param cbMutRange Size of the range in bytes where a mutation can happen,
* use UINT64_MAX to allow mutations till the end of the input.
*/
RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsFileEx(RTFUZZCTX hFuzzCtx, RTVFSFILE hVfsFile,
uint64_t offMutStart, uint64_t cbMutRange);
/**
* Adds a new seed to the input corpus of the given fuzzing context from the given VFS I/O stream.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param hVfsIos The VFS I/O stream handle to load the seed from.
*/
RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsIoStrm(RTFUZZCTX hFuzzCtx, RTVFSIOSTREAM hVfsIos);
/**
* Adds a new seed to the input corpus of the given fuzzing context from the given VFS I/O stream - extended version.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param hVfsIos The VFS I/O stream handle to load the seed from.
* @param offMutStart Start offset at which a mutation can happen.
* @param cbMutRange Size of the range in bytes where a mutation can happen,
* use UINT64_MAX to allow mutations till the end of the input.
*/
RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsIoStrmEx(RTFUZZCTX hFuzzCtx, RTVFSIOSTREAM hVfsIos,
uint64_t offMutStart, uint64_t cbMutRange);
/**
* Adds new seeds to the input corpus of the given fuzzing context from the given directory.
*
* Will only process regular files, i.e. ignores directories, symbolic links, devices, fifos
* and such.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param pszDirPath The directory to load seeds from.
*/
RTDECL(int) RTFuzzCtxCorpusInputAddFromDirPath(RTFUZZCTX hFuzzCtx, const char *pszDirPath);
/**
* Restricts the maximum input size to generate by the fuzzing context.
*
* @returns IPRT status code
* @param hFuzzCtx The fuzzing context handle.
* @param cbMax Maximum input size in bytes.
*/
RTDECL(int) RTFuzzCtxCfgSetInputSeedMaximum(RTFUZZCTX hFuzzCtx, size_t cbMax);
/**
* Returns the maximum input size of the given fuzzing context.
*
* @returns Maximum input size generated in bytes.
* @param hFuzzCtx The fuzzing context handle.
*/
RTDECL(size_t) RTFuzzCtxCfgGetInputSeedMaximum(RTFUZZCTX hFuzzCtx);
/**
* Sets flags controlling the behavior of the fuzzing context.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param fFlags Flags controlling the fuzzing context, RTFUZZCTX_F_XXX.
*/
RTDECL(int) RTFuzzCtxCfgSetBehavioralFlags(RTFUZZCTX hFuzzCtx, uint32_t fFlags);
/**
* Returns the current set behavioral flags for the given fuzzing context.
*
* @returns Behavioral flags of the given fuzzing context.
* @param hFuzzCtx The fuzzing context handle.
*/
RTDECL(uint32_t) RTFuzzCfgGetBehavioralFlags(RTFUZZCTX hFuzzCtx);
/**
* Sets the temporary directory used by the fuzzing context.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param pszPathTmp The directory for the temporary state.
*/
RTDECL(int) RTFuzzCtxCfgSetTmpDirectory(RTFUZZCTX hFuzzCtx, const char *pszPathTmp);
/**
* Returns the current temporary directory.
*
* @returns Current temporary directory.
* @param hFuzzCtx The fuzzing context handle.
*/
RTDECL(const char *) RTFuzzCtxCfgGetTmpDirectory(RTFUZZCTX hFuzzCtx);
/**
* Sets the range in which a particular input can get mutated.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param offStart Start offset at which a mutation can happen.
* @param cbRange Size of the range in bytes where a mutation can happen,
* use UINT64_MAX to allow mutations till the end of the input.
*/
RTDECL(int) RTFuzzCtxCfgSetMutationRange(RTFUZZCTX hFuzzCtx, uint64_t offStart, uint64_t cbRange);
/**
* Reseeds the PRNG of the given fuzzing context.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param uSeed The new seed.
*/
RTDECL(int) RTFuzzCtxReseed(RTFUZZCTX hFuzzCtx, uint64_t uSeed);
/**
* Generates a new input from the given fuzzing context and returns it.
*
* @returns IPRT status code.
* @param hFuzzCtx The fuzzing context handle.
* @param phFuzzInput Where to store the handle to the fuzzed input on success.
*/
RTDECL(int) RTFuzzCtxInputGenerate(RTFUZZCTX hFuzzCtx, PRTFUZZINPUT phFuzzInput);
/**
* Retains a reference to the given fuzzing input handle.
*
* @returns New reference count on success.
* @param hFuzzInput The fuzzing input handle.
*/
RTDECL(uint32_t) RTFuzzInputRetain(RTFUZZINPUT hFuzzInput);
/**
* Releases a reference from the given fuzzing input handle, destroying it when reaching 0.
*
* @returns New reference count on success, 0 if the fuzzing input got destroyed.
* @param hFuzzInput The fuzzing input handle.
*/
RTDECL(uint32_t) RTFuzzInputRelease(RTFUZZINPUT hFuzzInput);
/**
* Queries the data pointer and size of the given fuzzed input blob.
*
* @returns IPRT status code
* @param hFuzzInput The fuzzing input handle.
* @param ppv Where to store the pointer to the input data on success.
* @param pcb Where to store the size of the input data on success.
*/
RTDECL(int) RTFuzzInputQueryBlobData(RTFUZZINPUT hFuzzInput, void **ppv, size_t *pcb);
/**
* Processes the given data stream for a streamed fuzzing context.
*
* @returns IPRT status code.
* @param hFuzzInput The fuzzing input handle.
* @param pvBuf The data buffer.
* @param cbBuf Size of the buffer.
*/
RTDECL(int) RTFuzzInputMutateStreamData(RTFUZZINPUT hFuzzInput, void *pvBuf, size_t cbBuf);
/**
* Queries the string of the MD5 digest for the given fuzzed input.
*
* @returns IPRT status code.
* @retval VERR_BUFFER_OVERFLOW if the size of the string buffer is not sufficient.
* @param hFuzzInput The fuzzing input handle.
* @param pszDigest Where to store the digest string and a closing terminator.
* @param cchDigest Size of the string buffer in characters (including the zero terminator).
*/
RTDECL(int) RTFuzzInputQueryDigestString(RTFUZZINPUT hFuzzInput, char *pszDigest, size_t cchDigest);
/**
* Writes the given fuzzing input to the given file.
*
* @returns IPRT status code.
* @param hFuzzInput The fuzzing input handle.
* @param pszFilename The filename to store the input to.
*/
RTDECL(int) RTFuzzInputWriteToFile(RTFUZZINPUT hFuzzInput, const char *pszFilename);
/**
* Adds the given fuzzed input to the input corpus of the owning context.
*
* @returns IPRT status code.
* @retval VERR_ALREADY_EXISTS if the input exists already.
* @param hFuzzInput The fuzzing input handle.
*/
RTDECL(int) RTFuzzInputAddToCtxCorpus(RTFUZZINPUT hFuzzInput);
/**
* Removes the given fuzzed input from the input corpus of the owning context.
*
* @returns IPRT status code.
* @retval VERR_NOT_FOUND if the input is not part of the corpus.
* @param hFuzzInput The fuzzing input handle.
*/
RTDECL(int) RTFuzzInputRemoveFromCtxCorpus(RTFUZZINPUT hFuzzInput);
/**
* Creates a fuzzing config from the given VFS file handle.
*
* @returns IPRT status code.
* @param phFuzzCfg Where to store the handle to the fuzzing config on success.
* @param hVfsFile The VFS file to use (retained).
* @param pErrInfo Where to store extended error info. Optional.
*/
RTDECL(int) RTFuzzCfgCreateFromVfsFile(PRTFUZZCFG phFuzzCfg, RTVFSFILE hVfsFile, PRTERRINFO pErrInfo);
/**
* Creates a fuzzing config from the given file path.
*
* @returns IPRT status code.
* @param phFuzzCfg Where to store the handle to the fuzzing config on success.
* @param pszFilename Filename to load the config from.
* @param pErrInfo Where to store extended error info. Optional.
*/
RTDECL(int) RTFuzzCfgCreateFromFile(PRTFUZZCFG phFuzzCfg, const char *pszFilename, PRTERRINFO pErrInfo);
/**
* Retains a reference to the given fuzzing config.
*
* @returns New reference count on success.
* @param hFuzzCfg Handle of the fuzzing config.
*/
RTDECL(uint32_t) RTFuzzCfgRetain(RTFUZZCFG hFuzzCfg);
/**
* Releases a reference from the given fuzzing config, destroying it when reaching 0.
*
* @returns New reference count on success, 0 if the fuzzing config got destroyed.
* @param hFuzzCfg Handle of the fuzzing config.
*/
RTDECL(uint32_t) RTFuzzCfgRelease(RTFUZZCFG hFuzzCfg);
/**
* Imports the given fuzzing config into a previously created fuzzing context.
*
* @returns IPRT status code.
* @param hFuzzCfg Handle of the fuzzing config.
* @param hFuzzCtx Handle of the fuzzing context.
* @param fFlags Flags controlling what to import exactly, combination of RTFUZZCFG_IMPORT_F_XXX.
*/
RTDECL(int) RTFuzzCfgImport(RTFUZZCFG hFuzzCfg, RTFUZZCTX hFuzzCtx, uint32_t fFlags);
/**
* Queries the custom config for the controller of the fuzzing process.
*
* @returns IPRT status code.
* @param hFuzzCfg Handle of the fuzzing config.
* @param phVfsFile Where to store the handle of the VFS file containing the custom config.
*/
RTDECL(int) RTFuzzCfgQueryCustomCfg(RTFUZZCFG hFuzzCfg, PRTVFSFILE phVfsFile);
/**
* Creates a new fuzzed target recorder.
*
* @returns IPRT status code.
* @param phFuzzTgtRec Where to store the handle to the fuzzed target recorder on success.
* @param fRecFlags What to take into account when checking for equal states.
* Combination of RTFUZZTGT_REC_STATE_F_*
*/
RTDECL(int) RTFuzzTgtRecorderCreate(PRTFUZZTGTREC phFuzzTgtRec, uint32_t fRecFlags);
/**
* Retains a reference to the given fuzzed target recorder handle.
*
* @returns New reference count on success.
* @param hFuzzTgtRec The fuzzed target recorder handle.
*/
RTDECL(uint32_t) RTFuzzTgtRecorderRetain(RTFUZZTGTREC hFuzzTgtRec);
/**
* Releases a reference from the given fuzzed target recorder handle, destroying it when reaching 0.
*
* @returns New reference count on success, 0 if the fuzzed target recorder got destroyed.
* @param hFuzzTgtRec The fuzzed target recorder handle.
*/
RTDECL(uint32_t) RTFuzzTgtRecorderRelease(RTFUZZTGTREC hFuzzTgtRec);
/**
* Creates a new empty fuzzed target state.
*
* @returns IPRT status code.
* @param hFuzzTgtRec The fuzzed target recorder handle.
* @param phFuzzTgtState Where to store the handle to the fuzzed target state on success.
*/
RTDECL(int) RTFuzzTgtRecorderCreateNewState(RTFUZZTGTREC hFuzzTgtRec, PRTFUZZTGTSTATE phFuzzTgtState);
/**
* Retains a reference to the given fuzzed target state handle.
*
* @returns New reference count on success.
* @param hFuzzTgtState The fuzzed target state handle.
*/
RTDECL(uint32_t) RTFuzzTgtStateRetain(RTFUZZTGTSTATE hFuzzTgtState);
/**
* Releases a reference from the given fuzzed target state handle, destroying it when reaching 0.
*
* @returns New reference count on success, 0 if the fuzzed target recorder got destroyed.
* @param hFuzzTgtState The fuzzed target state handle.
*/
RTDECL(uint32_t) RTFuzzTgtStateRelease(RTFUZZTGTSTATE hFuzzTgtState);
/**
* Resets the given fuzzed target state to an empty state (keeping allocated memory).
*
* @returns IPRT status code.
* @param hFuzzTgtState The fuzzed target state handle.
*
* @note Useful when the state is not added to the recorded set to avoid allocating memory.
*/
RTDECL(int) RTFuzzTgtStateReset(RTFUZZTGTSTATE hFuzzTgtState);
/**
* Finalizes the given fuzzed target state, making it readonly.
*
* @returns IPRT status code.
* @param hFuzzTgtState The fuzzed target state handle.
*/
RTDECL(int) RTFuzzTgtStateFinalize(RTFUZZTGTSTATE hFuzzTgtState);
/**
* Adds the given state to the set for the owning target recorder.
*
* @returns IPRT status code.
* @retval VERR_ALREADY_EXISTS if the state is already existing in the recorder set.
* @param hFuzzTgtState The fuzzed target state handle.
*
* @note This also finalizes the target state if not already done.
*/
RTDECL(int) RTFuzzTgtStateAddToRecorder(RTFUZZTGTSTATE hFuzzTgtState);
/**
* Appends the given stdout output to the given target state.
*
* @returns IPRT status code.
* @param hFuzzTgtState The fuzzed target state handle.
* @param pvStdOut Pointer to the stdout data buffer.
* @param cbStdOut Size of the stdout data buffer in bytes.
*/
RTDECL(int) RTFuzzTgtStateAppendStdoutFromBuf(RTFUZZTGTSTATE hFuzzTgtState, const void *pvStdOut, size_t cbStdOut);
/**
* Appends the given stderr output to the given target state.
*
* @returns IPRT status code.
* @param hFuzzTgtState The fuzzed target state handle.
* @param pvStdErr Pointer to the stderr data buffer.
* @param cbStdErr Size of the stderr data buffer in bytes.
*/
RTDECL(int) RTFuzzTgtStateAppendStderrFromBuf(RTFUZZTGTSTATE hFuzzTgtState, const void *pvStdErr, size_t cbStdErr);
/**
* Appends the given stdout output to the given target state, reading from the given pipe.
*
* @returns IPRT status code.
* @param hFuzzTgtState The fuzzed target state handle.
* @param hPipe The stdout pipe to read the data from.
*/
RTDECL(int) RTFuzzTgtStateAppendStdoutFromPipe(RTFUZZTGTSTATE hFuzzTgtState, RTPIPE hPipe);
/**
* Appends the given stderr output to the given target state, reading from the given pipe.
*
* @returns IPRT status code.
* @param hFuzzTgtState The fuzzed target state handle.
* @param hPipe The stdout pipe to read the data from.
*/
RTDECL(int) RTFuzzTgtStateAppendStderrFromPipe(RTFUZZTGTSTATE hFuzzTgtState, RTPIPE hPipe);
/**
* Adds the SanCov coverage information from the given file to the given target state.
*
* @returns IPRT status code.
* @param hFuzzTgtState The fuzzed target state handle.
* @param pszFilename Filename of the coverage report.
*/
RTDECL(int) RTFuzzTgtStateAddSanCovReportFromFile(RTFUZZTGTSTATE hFuzzTgtState, const char *pszFilename);
/**
* Adds the given process status to the target state.
*
* @returns IPRT status code.
* @param hFuzzTgtState The fuzzed target state handle.
* @param pProcSts The process status to add.
*/
RTDECL(int) RTFuzzTgtStateAddProcSts(RTFUZZTGTSTATE hFuzzTgtState, PCRTPROCSTATUS pProcSts);
/**
* Dumps the given target state to the given directory.
*
* @returns IPRT status code.
* @param hFuzzTgtState The fuzzed target state handle.
* @param pszDirPath The directory to dump to.
*/
RTDECL(int) RTFuzzTgtStateDumpToDir(RTFUZZTGTSTATE hFuzzTgtState, const char *pszDirPath);
/**
* Fuzzed binary input channel.
*/
typedef enum RTFUZZOBSINPUTCHAN
{
/** Invalid. */
RTFUZZOBSINPUTCHAN_INVALID = 0,
/** File input. */
RTFUZZOBSINPUTCHAN_FILE,
/** Input over stdin. */
RTFUZZOBSINPUTCHAN_STDIN,
/** The binary is a fuzzing aware client using the
* specified protocol over stdin/stdout. */
RTFUZZOBSINPUTCHAN_FUZZING_AWARE_CLIENT,
/** TCP server. */
RTFUZZOBSINPUTCHAN_TCP_SERVER,
/** TCP client. */
RTFUZZOBSINPUTCHAN_TCP_CLIENT,
/** UDP server. */
RTFUZZOBSINPUTCHAN_UDP_SERVER,
/** UDP client. */
RTFUZZOBSINPUTCHAN_UDP_CLIENT,
/** 32bit hack. */
RTFUZZOBSINPUTCHAN_32BIT_HACK = 0x7fffffff
} RTFUZZOBSINPUTCHAN;
/**
* Fuzzing observer statistics.
*/
typedef struct RTFUZZOBSSTATS
{
/** Number of fuzzed inputs per second. */
uint32_t cFuzzedInputsPerSec;
/** Number of overall fuzzed inputs. */
uint32_t cFuzzedInputs;
/** Number of observed hangs. */
uint32_t cFuzzedInputsHang;
/** Number of observed crashes. */
uint32_t cFuzzedInputsCrash;
} RTFUZZOBSSTATS;
/** Pointer to a fuzzing observer statistics record. */
typedef RTFUZZOBSSTATS *PRTFUZZOBSSTATS;
/**
* Creates a new fuzzing observer.
*
* @returns IPRT status code.
* @param phFuzzObs Where to store the fuzzing observer handle on success.
* @param enmType Fuzzing context data type.
* @param fTgtRecFlags Flags to pass to the target state recorder, see RTFuzzTgtRecorderCreate().
*/
RTDECL(int) RTFuzzObsCreate(PRTFUZZOBS phFuzzObs, RTFUZZCTXTYPE enmType, uint32_t fTgtRecFlags);
/**
* Destroys a previously created fuzzing observer.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
*/
RTDECL(int) RTFuzzObsDestroy(RTFUZZOBS hFuzzObs);
/**
* Queries the internal fuzzing context of the given observer.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param phFuzzCtx Where to store the handle to the fuzzing context on success.
*
* @note The fuzzing context handle should be released with RTFuzzCtxRelease() when not used anymore.
*/
RTDECL(int) RTFuzzObsQueryCtx(RTFUZZOBS hFuzzObs, PRTFUZZCTX phFuzzCtx);
/**
* Queries the current statistics for the given fuzzing observer.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param pStats Where to store the statistics to.
*/
RTDECL(int) RTFuzzObsQueryStats(RTFUZZOBS hFuzzObs, PRTFUZZOBSSTATS pStats);
/**
* Sets the temp directory for the given fuzzing observer.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param pszTmp The temp directory path.
*/
RTDECL(int) RTFuzzObsSetTmpDirectory(RTFUZZOBS hFuzzObs, const char *pszTmp);
/**
* Sets the directory to store results to.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param pszResults The path to store the results.
*/
RTDECL(int) RTFuzzObsSetResultDirectory(RTFUZZOBS hFuzzObs, const char *pszResults);
/**
* Sets the binary to run for each fuzzed input.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param pszBinary The binary path.
* @param enmInputChan The input channel to use.
*/
RTDECL(int) RTFuzzObsSetTestBinary(RTFUZZOBS hFuzzObs, const char *pszBinary, RTFUZZOBSINPUTCHAN enmInputChan);
/**
* Sets additional arguments to run the binary with.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param papszArgs Pointer to the array of arguments.
* @param cArgs Number of arguments.
*/
RTDECL(int) RTFuzzObsSetTestBinaryArgs(RTFUZZOBS hFuzzObs, const char * const *papszArgs, unsigned cArgs);
/**
* Sets an environment block to run the binary in.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param hEnv The environment block to set for the test binary.
* Use RTENV_DEFAULT for the default process environment or
* NULL for an empty environment.
*
* @note Upon successful return of this function the observer has taken ownership over the
* environment block and can alter it in unexpected ways. It also destroys the environment
* block when the observer gets destroyed. So don't touch the environment block after
* calling this function.
*/
RTDECL(int) RTFuzzObsSetTestBinaryEnv(RTFUZZOBS hFuzzObs, RTENV hEnv);
/**
* Makes the observer aware of any configured sanitizers for the test binary.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param fSanitizers Bitmask of compiled and enabled sanitiziers in the
* target binary.
*/
RTDECL(int) RTFuzzObsSetTestBinarySanitizers(RTFUZZOBS hFuzzObs, uint32_t fSanitizers);
/**
* Sets maximum timeout until a process is considered hung and killed.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param msTimeoutMax The maximum number of milliseconds to wait until the process
* is considered hung.
*/
RTDECL(int) RTFuzzObsSetTestBinaryTimeout(RTFUZZOBS hFuzzObs, RTMSINTERVAL msTimeoutMax);
/**
* Starts fuzzing the set binary.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
* @param cProcs Number of processes to run simulteanously,
* 0 will create as many processes as there are CPUs available.
*/
RTDECL(int) RTFuzzObsExecStart(RTFUZZOBS hFuzzObs, uint32_t cProcs);
/**
* Stops the fuzzing process.
*
* @returns IPRT status code.
* @param hFuzzObs The fuzzing observer handle.
*/
RTDECL(int) RTFuzzObsExecStop(RTFUZZOBS hFuzzObs);
/**
* A fuzzing master program.
*
* @returns Program exit code.
*
* @param cArgs The number of arguments.
* @param papszArgs The argument vector. (Note that this may be
* reordered, so the memory must be writable.)
*/
RTR3DECL(RTEXITCODE) RTFuzzCmdMaster(unsigned cArgs, char **papszArgs);
/**
* Client input consumption callback.
*
* @returns IPRT status code.
* @retval VINF_SUCCESS the fuzzed code accepted the input.
* @retval VERR_* the client rejected the input while parsing it.
* @param pvBuf The buffer containing the input data.
* @param cbBuf Size of the buffer in bytes.
* @param pvUser Opaque user data.
*/
typedef DECLCALLBACKTYPE(int, FNFUZZCLIENTCONSUME,(const void *pvBuf, size_t cbBuf, void *pvUser));
/** Pointer to a client consumption callback. */
typedef FNFUZZCLIENTCONSUME *PFNFUZZCLIENTCONSUME;
/**
* A fuzzing client program for more efficient fuzzing.
*
* @returns Program exit code.
*
* @param cArgs The number of arguments.
* @param papszArgs The argument vector. (Note that this may be
* reordered, so the memory must be writable.)
* @param pfnConsume Input data consumption callback.
* @param pvUser Opaque user data to pass to the callback.
*/
RTR3DECL(RTEXITCODE) RTFuzzCmdFuzzingClient(unsigned cArgs, char **papszArgs, PFNFUZZCLIENTCONSUME pfnConsume, void *pvUser);
/** @} */
RT_C_DECLS_END
#endif /* !IPRT_INCLUDED_fuzz_h */
|