(2 intermediate revisions by one user not shown) |
Line 1: |
Line 1: |
− | = Fsfuzzer = | + | = fsfuzzer = |
| | | |
− | One commonly known simple tool is fsfuzzer: http://www.digitaldwarf.be/products/mangle.c, and its content is reproduced here: | + | One commonly known simple tool is [https://wayback.archive.org/web/20090809161050/http://www.digitaldwarf.be/products/mangle.c fsfuzzer] and its content is reproduced [[Filesystem_Testing_Tools/mangle.c|here]]. |
| | | |
− | <pre>
| + | Its fuller contents are [http://projects.info-pull.com/mokb/fsfuzzer-0.6.tgz packaged] on the [http://projects.info-pull.com/mokb/ MoKB site] (customization for ext4 will be needed). |
− | /* | + | |
− | trivial binary file fuzzer by Ilja van Sprundel.
| + | |
− | It's usage is very simple, it takes a filename and headersize
| + | |
− | as input. it will then change approximatly between 0 and 10% of
| + | |
− | the header with random bytes (biased towards the highest bit set)
| + | |
− |
| + | |
− | obviously you need a bash script or something as a wrapper !
| + | |
| | | |
− | so far this broke: - libmagic (used file)
| |
− | - preview (osX pdf viewer)
| |
− | - xpdf (hang, not a crash ...)
| |
− | - mach-o loading (osX 10.3.7, seems to be fixed later)
| |
− | - qnx elf loader (panics almost instantly, yikes !)
| |
− | - FreeBSD elf loading
| |
− | - openoffice
| |
− | - amp
| |
− | - osX image loading (.dmg)
| |
− | - libbfd (used objdump)
| |
− | - libtiff (used tiff2pdf)
| |
− | - xine (division by 0, took 20 minutes of fuzzing)
| |
− | - OpenBSD elf loading (3.7 on a sparc)
| |
− | - unixware 713 elf loading
| |
− | - DragonFlyBSD elf loading
| |
− | - solaris 10 elf loading
| |
− | - cistron-radiusd
| |
− | - linux ext2fs (2.4.29) image loading (division by 0)
| |
− | - linux reiserfs (2.4.29) image loading (instant panic !!!)
| |
− | - linux jfs (2.4.29) image loading (long (uninteruptable) loop, 2 oopses)
| |
− | - linux xfs (2.4.29) image loading (instant panic)
| |
− | - windows macromedia flash .swf loading (obviously the windows version of mangle needs a few tweaks to work ...)
| |
− | - Quicktime player 7.0.1 for MacOS X
| |
− | - totem
| |
− | - gnumeric
| |
− | - vlc
| |
− | - mplayer
| |
− | - python bytecode interpreter
| |
− | - realplayer 10.0.6.776 (GOLD)
| |
− | - dvips
| |
− | */
| |
− | #include <stdio.h>
| |
− | #include <sys/types.h>
| |
− | #include <sys/mman.h>
| |
− | #include <fcntl.h>
| |
− |
| |
− | #define DEFAULT_HEADER_SIZE 1024
| |
− | #define DEFAULT_NAME "test2"
| |
− |
| |
− | int getseed(void) {
| |
− | int fd = open("/dev/urandom", O_RDONLY);
| |
− | int r;
| |
− | if (fd < 0) {
| |
− | perror("open");
| |
− | exit(0);
| |
− | }
| |
− | read(fd, &r, sizeof(r));
| |
− | close(fd);
| |
− | return(r);
| |
− | }
| |
− |
| |
− | int main(int argc, char **argv) {
| |
− |
| |
− | int fd;
| |
− | char *p, *name;
| |
− | unsigned char c;
| |
− | unsigned int count, i, off, hsize;
| |
− |
| |
− | if (argc < 2) {
| |
− | hsize = DEFAULT_HEADER_SIZE;
| |
− | name = DEFAULT_NAME;
| |
− | } else if (argc < 3) {
| |
− | hsize = DEFAULT_HEADER_SIZE;
| |
− | name = argv[1];
| |
− | } else {
| |
− | hsize = atoi(argv[2]);
| |
− | name = argv[1];
| |
− | }
| |
− | fd = open(name, O_RDWR);
| |
− | if (fd < 0) {
| |
− | perror("open");
| |
− | exit(0);
| |
− | }
| |
− | p = mmap(0, hsize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
| |
− | if ((int) p == -1) {
| |
− | perror("mmap");
| |
− | close(fd);
| |
− | exit(0);
| |
− | }
| |
− | srand(getseed());
| |
− | count = (unsigned) rand() % (hsize / 10);
| |
− | for (i = 0; i < count; i++) {
| |
− | off = rand() % hsize;
| |
− | c = rand() % 256;
| |
− | /* we want the highest bit set more often, in case of signedness issues */
| |
− | if ( (rand() % 2) && c < 128) c |= 0x80;
| |
− | p[off] = c;
| |
− | }
| |
− | close(fd);
| |
− | munmap(p, hsize);
| |
− | }
| |
− | </pre>
| |
− |
| |
− | Its fuller content is packaged here (known as <b>fsfuzzer</b>, customization for ext4 will be needed):
| |
− |
| |
− | http://projects.info-pull.com/mokb/fsfuzzer-0.6-lmh.tgz
| |
| | | |
| = fsstress = | | = fsstress = |
| | | |
− | Another is <b>fsstress</b>. | + | Another is [https://github.com/linux-test-project/ltp/tree/master/testcases/kernel/fs/fsstress fsstress], which in turn comes from the [https://linux-test-project.github.io/ Linux Test Project]. See [http://www.aleph1.co.uk/lurker/message/20080516.114655.2a368241.en.html fsstress in action] |
− | | + | |
− | http://cvs.sourceforge.net/viewcvs.py/ltp/ltp/testcases/kernel/fs/fsstress/
| + | |
− | | + | |
− | The above in turn comes from a bigger project called LTP:
| + | |
− | | + | |
− | http://ltp.sourceforge.net/
| + | |
− | | + | |
− | whose full download for i386 is here:
| + | |
− | | + | |
− | ftp://fr2.rpmfind.net/linux/sourceforge/l/lt/ltp/ltp-full-2003.04.04-0.i386.rpm
| + | |
− | | + | |
− | One way to use it is described is described here:
| + | |
− | | + | |
− | http://www.aleph1.co.uk/lurker/message/20080516.114655.2a368241.en.html. | + | |