VirtualBox

source: vbox/trunk/include/iprt/fuzz.h@ 86716

Last change on this file since 86716 was 85121, checked in by vboxsync, 4 years ago

iprt/cdefs.h: Refactored the typedef use of DECLCALLBACK as well as DECLCALLBACKMEMBER to wrap the whole expression, similar to the DECLR?CALLBACKMEMBER macros. This allows adding a throw() at the end when compiling with the VC++ compiler to indicate that the callbacks won't throw anything, so we can stop supressing the C5039 warning about passing functions that can potential throw C++ exceptions to extern C code that can't necessarily cope with such (unwind,++). Introduced a few _EX variations that allows specifying different/no calling convention too, as that's handy when dynamically resolving host APIs. Fixed numerous places missing DECLCALLBACK and such. Left two angry @todos regarding use of CreateThread. bugref:9794

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 35.7 KB
Line 
1/** @file
2 * IPRT - Fuzzing framework
3 */
4
5/*
6 * Copyright (C) 2018-2020 Oracle Corporation
7 *
8 * This file is part of VirtualBox Open Source Edition (OSE), as
9 * available from http://www.virtualbox.org. This file is free software;
10 * you can redistribute it and/or modify it under the terms of the GNU
11 * General Public License (GPL) as published by the Free Software
12 * Foundation, in version 2 as it comes in the "COPYING" file of the
13 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15 *
16 * The contents of this file may alternatively be used under the terms
17 * of the Common Development and Distribution License Version 1.0
18 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
19 * VirtualBox OSE distribution, in which case the provisions of the
20 * CDDL are applicable instead of those of the GPL.
21 *
22 * You may elect to license modified versions of this file under the
23 * terms and conditions of either the GPL or the CDDL or both.
24 */
25
26#ifndef IPRT_INCLUDED_fuzz_h
27#define IPRT_INCLUDED_fuzz_h
28#ifndef RT_WITHOUT_PRAGMA_ONCE
29# pragma once
30#endif
31
32#include <iprt/cdefs.h>
33#include <iprt/process.h>
34#include <iprt/types.h>
35
36RT_C_DECLS_BEGIN
37
38/** @defgroup grp_rt_fuzz RTFuzz - Data fuzzing framework
39 * @ingroup grp_rt
40 * @sa grp_rt_test
41 * @{
42 */
43
44/** A fuzzer context handle. */
45typedef struct RTFUZZCTXINT *RTFUZZCTX;
46/** Pointer to a fuzzer context handle. */
47typedef RTFUZZCTX *PRTFUZZCTX;
48/** NIL fuzzer context handle. */
49#define NIL_RTFUZZCTX ((RTFUZZCTX)~(uintptr_t)0)
50/** A fuzzer input handle. */
51typedef struct RTFUZZINPUTINT *RTFUZZINPUT;
52/** Pointer to a fuzzer input handle. */
53typedef RTFUZZINPUT *PRTFUZZINPUT;
54/** NIL fuzzer input handle. */
55#define NIL_RTFUZZINPUT ((RTFUZZINPUT)~(uintptr_t)0)
56
57
58/** A fuzzer config handle. */
59typedef struct RTFUZZCFGINT *RTFUZZCFG;
60/** Pointer to a fuzzer config handle. */
61typedef RTFUZZCFG *PRTFUZZCFG;
62/** NIL fuzzer config handle. */
63#define NIL_RTFUZZCFG ((RTFUZZCFG)~(uintptr_t)0)
64
65
66/** A fuzzer target recorder handler. */
67typedef struct RTFUZZTGTRECINT *RTFUZZTGTREC;
68/** Pointer to a fuzzer target recorder handle. */
69typedef RTFUZZTGTREC *PRTFUZZTGTREC;
70/** NIL fuzzer target recorder handle. */
71#define NIL_RTFUZZTGTREC ((RTFUZZTGTREC)~(uintptr_t)0)
72/** A fuzzed target state handle. */
73typedef struct RTFUZZTGTSTATEINT *RTFUZZTGTSTATE;
74/** Pointer to a fuzzed target state handle. */
75typedef RTFUZZTGTSTATE *PRTFUZZTGTSTATE;
76/** NIL fuzzed target state handle. */
77#define NIL_RTFUZZTGTSTATE ((RTFUZZTGTSTATE)~(uintptr_t)0)
78
79
80/** Fuzzing observer handle. */
81typedef struct RTFUZZOBSINT *RTFUZZOBS;
82/** Pointer to a fuzzing observer handle. */
83typedef RTFUZZOBS *PRTFUZZOBS;
84/** NIL fuzzing observer handle. */
85#define NIL_RTFUZZOBS ((RTFUZZOBS)~(uintptr_t)0)
86
87
88/**
89 * Fuzzing context type.
90 */
91typedef enum RTFUZZCTXTYPE
92{
93 /** Invalid type. */
94 RTFUZZCTXTYPE_INVALID = 0,
95 /** Original input data is a single binary large object (BLOB), from a file or similar. */
96 RTFUZZCTXTYPE_BLOB,
97 /** Original input data is from a data stream like a network connection. */
98 RTFUZZCTXTYPE_STREAM,
99 /** 32bit hack. */
100 RTFUZZCTXTYPE_32BIT_HACK = 0x7fffffff
101} RTFUZZCTXTYPE;
102
103
104/**
105 * Fuzzing context statistics.
106 */
107typedef struct RTFUZZCTXSTATS
108{
109 /** Amount of memory currently allocated. */
110 size_t cbMemory;
111 /** Number of mutations accumulated in the corpus. */
112 uint64_t cMutations;
113} RTFUZZCTXSTATS;
114/** Pointer to fuzzing context statistics. */
115typedef RTFUZZCTXSTATS *PRTFUZZCTXSTATS;
116
117
118/** @name RTFUZZCTX_F_XXX - Flags for RTFuzzCtxCfgSetBehavioralFlags
119 * @{ */
120/** Adds all generated inputs automatically to the input corpus for the owning context. */
121#define RTFUZZCTX_F_BEHAVIORAL_ADD_INPUT_AUTOMATICALLY_TO_CORPUS RT_BIT_32(0)
122/** All valid behavioral modification flags. */
123#define RTFUZZCTX_F_BEHAVIORAL_VALID (RTFUZZCTX_F_BEHAVIORAL_ADD_INPUT_AUTOMATICALLY_TO_CORPUS)
124/** @} */
125
126
127/** @name RTFUZZOBS_SANITIZER_F_XXX - Flags for RTFuzzObsSetTestBinarySanitizers().
128 * @{ */
129/** ASAN is compiled and enabled (observer needs to configure to abort on error to catch memory errors). */
130#define RTFUZZOBS_SANITIZER_F_ASAN UINT32_C(0x00000001)
131/** A converage sanitizer is compiled in which can be used to produce coverage reports aiding in the
132 * fuzzing process. */
133#define RTFUZZOBS_SANITIZER_F_SANCOV UINT32_C(0x00000002)
134/** @} */
135
136
137/** @name RTFUZZTGT_REC_STATE_F_XXX - Flags for RTFuzzTgtRecorderCreate().
138 * @{ */
139/** The output from stdout is used to compare states. */
140#define RTFUZZTGT_REC_STATE_F_STDOUT RT_BIT_32(0)
141/** The output from stderr is used to compare states. */
142#define RTFUZZTGT_REC_STATE_F_STDERR RT_BIT_32(1)
143/** The process status is used to compare states. */
144#define RTFUZZTGT_REC_STATE_F_PROCSTATUS RT_BIT_32(2)
145/** The coverage report is used to compare states. */
146#define RTFUZZTGT_REC_STATE_F_SANCOV RT_BIT_32(3)
147/** Mask of all valid flags. */
148#define RTFUZZTGT_REC_STATE_F_VALID UINT32_C(0x0000000f)
149/** @} */
150
151
152/** @name RTFUZZCFG_IMPORT_F_XXX - Flags for RTFuzzCfgImport().
153 * @{ */
154/** Default flags. */
155#define RTFUZZCFG_IMPORT_F_DEFAULT 0
156/** Adds only the inputs and doesn't set any glboal configuration flags of the fuzzing context. */
157#define RTFUZZCFG_IMPORT_F_ONLY_INPUT RT_BIT_32(0)
158/** Mask of all valid flags. */
159#define RTFUZZCFG_IMPORT_F_VALID UINT32_C(0x00000001)
160/** @} */
161
162
163/**
164 * Fuzzing context state export callback.
165 *
166 * @returns IPRT status code.
167 * @param hFuzzCtx Handle of the fuzzing context.
168 * @param pvBuf The data to write.
169 * @param cbWrite Number of bytes to write.
170 * @param pvUser Opaque user data passed in RTFuzzCtxStateExport().
171 */
172typedef DECLCALLBACKTYPE(int, FNRTFUZZCTXEXPORT,(RTFUZZCTX hFuzzCtx, const void *pvBuf, size_t cbWrite, void *pvUser));
173/** Pointer to a fuzzing context state export callback. */
174typedef FNRTFUZZCTXEXPORT *PFNRTFUZZCTXEXPORT;
175
176/**
177 * Fuzzing context state import callback.
178 *
179 * @returns IPRT status code.
180 * @param hFuzzCtx Handle of the fuzzing context.
181 * @param pvBuf Where to store the read data.
182 * @param cbRead Number of bytes to read.
183 * @param pcbRead Where to store the amount of data written, optional.
184 * @param pvUser Opaque user data passed in RTFuzzCtxCreateFromState().
185 */
186typedef DECLCALLBACKTYPE(int, FNRTFUZZCTXIMPORT,(RTFUZZCTX hFuzzCtx, void *pvBuf, size_t cbRead, size_t *pcbRead, void *pvUser));
187/** Pointer to a fuzzing context state export callback. */
188typedef FNRTFUZZCTXIMPORT *PFNRTFUZZCTXIMPORT;
189
190
191/**
192 * Creates a new fuzzing context.
193 *
194 * @returns IPRT status code.
195 * @param phFuzzCtx Where to store the handle to the fuzzing context on success.
196 * @param enmType Fuzzing context data type.
197 */
198RTDECL(int) RTFuzzCtxCreate(PRTFUZZCTX phFuzzCtx, RTFUZZCTXTYPE enmType);
199
200/**
201 * Creates a new fuzzing context from the given state.
202 *
203 * @returns IPRT status code.
204 * @param phFuzzCtx Where to store the handle to the fuzzing context on success.
205 * @param pfnImport State import callback.
206 * @param pvUser Opaque user data to pass to the callback.
207 */
208RTDECL(int) RTFuzzCtxCreateFromState(PRTFUZZCTX phFuzzCtx, PFNRTFUZZCTXIMPORT pfnImport, void *pvUser);
209
210/**
211 * Creates a new fuzzing context loading the state from the given memory buffer.
212 *
213 * @returns IPRT status code.
214 * @param phFuzzCtx Where to store the handle to the fuzzing context on success.
215 * @param pvState Pointer to the memory containing the state.
216 * @param cbState Size of the state buffer.
217 */
218RTDECL(int) RTFuzzCtxCreateFromStateMem(PRTFUZZCTX phFuzzCtx, const void *pvState, size_t cbState);
219
220/**
221 * Creates a new fuzzing context loading the state from the given file.
222 *
223 * @returns IPRT status code.
224 * @param phFuzzCtx Where to store the handle to the fuzzing context on success.
225 * @param pszFilename File to load the fuzzing context from.
226 */
227RTDECL(int) RTFuzzCtxCreateFromStateFile(PRTFUZZCTX phFuzzCtx, const char *pszFilename);
228
229/**
230 * Retains a reference to the given fuzzing context.
231 *
232 * @returns New reference count on success.
233 * @param hFuzzCtx Handle of the fuzzing context.
234 */
235RTDECL(uint32_t) RTFuzzCtxRetain(RTFUZZCTX hFuzzCtx);
236
237/**
238 * Releases a reference from the given fuzzing context, destroying it when reaching 0.
239 *
240 * @returns New reference count on success, 0 if the fuzzing context got destroyed.
241 * @param hFuzzCtx Handle of the fuzzing context.
242 */
243RTDECL(uint32_t) RTFuzzCtxRelease(RTFUZZCTX hFuzzCtx);
244
245/**
246 * Queries statistics about the given fuzzing context.
247 *
248 * @returns IPRT status code.
249 * @param hFuzzCtx Handle of the fuzzing context.
250 * @param pStats Where to store the stats on success.
251 */
252RTDECL(int) RTFuzzCtxQueryStats(RTFUZZCTX hFuzzCtx, PRTFUZZCTXSTATS pStats);
253
254/**
255 * Exports the given fuzzing context state.
256 *
257 * @returns IPRT statuse code
258 * @param hFuzzCtx The fuzzing context to export.
259 * @param pfnExport Export callback.
260 * @param pvUser Opaque user data to pass to the callback.
261 */
262RTDECL(int) RTFuzzCtxStateExport(RTFUZZCTX hFuzzCtx, PFNRTFUZZCTXEXPORT pfnExport, void *pvUser);
263
264/**
265 * Exports the given fuzzing context state to memory allocating the buffer.
266 *
267 * @returns IPRT status code.
268 * @param hFuzzCtx The fuzzing context to export.
269 * @param ppvState Where to store the pointer to the memory containing state on success.
270 * Free with RTMemFree().
271 * @param pcbState Where to store the size of the state in bytes.
272 */
273RTDECL(int) RTFuzzCtxStateExportToMem(RTFUZZCTX hFuzzCtx, void **ppvState, size_t *pcbState);
274
275/**
276 * Exports the given fuzzing context state to the given file.
277 *
278 * @returns IPRT status code.
279 * @param hFuzzCtx The fuzzing context to export.
280 * @param pszFilename The file to save the state to.
281 */
282RTDECL(int) RTFuzzCtxStateExportToFile(RTFUZZCTX hFuzzCtx, const char *pszFilename);
283
284/**
285 * Adds a new seed to the input corpus of the given fuzzing context.
286 *
287 * @returns IPRT status code.
288 * @param hFuzzCtx The fuzzing context handle.
289 * @param pvInput The pointer to the input buffer.
290 * @param cbInput Size of the input buffer.
291 */
292RTDECL(int) RTFuzzCtxCorpusInputAdd(RTFUZZCTX hFuzzCtx, const void *pvInput, size_t cbInput);
293
294/**
295 * Adds a new seed to the input corpus of the given fuzzing context - extended version.
296 *
297 * @returns IPRT status code.
298 * @param hFuzzCtx The fuzzing context handle.
299 * @param pvInput The pointer to the input buffer.
300 * @param cbInput Size of the input buffer.
301 * @param offMutStart Start offset at which a mutation can happen.
302 * @param cbMutRange Size of the range in bytes where a mutation can happen,
303 * use UINT64_MAX to allow mutations till the end of the input.
304 */
305RTDECL(int) RTFuzzCtxCorpusInputAddEx(RTFUZZCTX hFuzzCtx, const void *pvInput, size_t cbInput,
306 uint64_t offMutStart, uint64_t cbMutRange);
307
308/**
309 * Adds a new seed to the input corpus of the given fuzzing context from the given file.
310 *
311 * @returns IPRT status code.
312 * @param hFuzzCtx The fuzzing context handle.
313 * @param pszFilename The filename to load the seed from.
314 */
315RTDECL(int) RTFuzzCtxCorpusInputAddFromFile(RTFUZZCTX hFuzzCtx, const char *pszFilename);
316
317/**
318 * Adds a new seed to the input corpus of the given fuzzing context from the given file - extended version.
319 *
320 * @returns IPRT status code.
321 * @param hFuzzCtx The fuzzing context handle.
322 * @param pszFilename The filename to load the seed from.
323 * @param offMutStart Start offset at which a mutation can happen.
324 * @param cbMutRange Size of the range in bytes where a mutation can happen,
325 * use UINT64_MAX to allow mutations till the end of the input.
326 */
327RTDECL(int) RTFuzzCtxCorpusInputAddFromFileEx(RTFUZZCTX hFuzzCtx, const char *pszFilename,
328 uint64_t offMutStart, uint64_t cbMutRange);
329
330/**
331 * Adds a new seed to the input corpus of the given fuzzing context from the given VFS file.
332 *
333 * @returns IPRT status code.
334 * @param hFuzzCtx The fuzzing context handle.
335 * @param hVfsFile The VFS file handle to load the seed from.
336 */
337RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsFile(RTFUZZCTX hFuzzCtx, RTVFSFILE hVfsFile);
338
339/**
340 * Adds a new seed to the input corpus of the given fuzzing context from the given VFS file - extended version.
341 *
342 * @returns IPRT status code.
343 * @param hFuzzCtx The fuzzing context handle.
344 * @param hVfsFile The VFS file handle to load the seed from.
345 * @param offMutStart Start offset at which a mutation can happen.
346 * @param cbMutRange Size of the range in bytes where a mutation can happen,
347 * use UINT64_MAX to allow mutations till the end of the input.
348 */
349RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsFileEx(RTFUZZCTX hFuzzCtx, RTVFSFILE hVfsFile,
350 uint64_t offMutStart, uint64_t cbMutRange);
351
352/**
353 * Adds a new seed to the input corpus of the given fuzzing context from the given VFS I/O stream.
354 *
355 * @returns IPRT status code.
356 * @param hFuzzCtx The fuzzing context handle.
357 * @param hVfsIos The VFS I/O stream handle to load the seed from.
358 */
359RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsIoStrm(RTFUZZCTX hFuzzCtx, RTVFSIOSTREAM hVfsIos);
360
361/**
362 * Adds a new seed to the input corpus of the given fuzzing context from the given VFS I/O stream - extended version.
363 *
364 * @returns IPRT status code.
365 * @param hFuzzCtx The fuzzing context handle.
366 * @param hVfsIos The VFS I/O stream handle to load the seed from.
367 * @param offMutStart Start offset at which a mutation can happen.
368 * @param cbMutRange Size of the range in bytes where a mutation can happen,
369 * use UINT64_MAX to allow mutations till the end of the input.
370 */
371RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsIoStrmEx(RTFUZZCTX hFuzzCtx, RTVFSIOSTREAM hVfsIos,
372 uint64_t offMutStart, uint64_t cbMutRange);
373
374/**
375 * Adds new seeds to the input corpus of the given fuzzing context from the given directory.
376 *
377 * Will only process regular files, i.e. ignores directories, symbolic links, devices, fifos
378 * and such.
379 *
380 * @returns IPRT status code.
381 * @param hFuzzCtx The fuzzing context handle.
382 * @param pszDirPath The directory to load seeds from.
383 */
384RTDECL(int) RTFuzzCtxCorpusInputAddFromDirPath(RTFUZZCTX hFuzzCtx, const char *pszDirPath);
385
386/**
387 * Restricts the maximum input size to generate by the fuzzing context.
388 *
389 * @returns IPRT status code
390 * @param hFuzzCtx The fuzzing context handle.
391 * @param cbMax Maximum input size in bytes.
392 */
393RTDECL(int) RTFuzzCtxCfgSetInputSeedMaximum(RTFUZZCTX hFuzzCtx, size_t cbMax);
394
395/**
396 * Returns the maximum input size of the given fuzzing context.
397 *
398 * @returns Maximum input size generated in bytes.
399 * @param hFuzzCtx The fuzzing context handle.
400 */
401RTDECL(size_t) RTFuzzCtxCfgGetInputSeedMaximum(RTFUZZCTX hFuzzCtx);
402
403/**
404 * Sets flags controlling the behavior of the fuzzing context.
405 *
406 * @returns IPRT status code.
407 * @param hFuzzCtx The fuzzing context handle.
408 * @param fFlags Flags controlling the fuzzing context, RTFUZZCTX_F_XXX.
409 */
410RTDECL(int) RTFuzzCtxCfgSetBehavioralFlags(RTFUZZCTX hFuzzCtx, uint32_t fFlags);
411
412/**
413 * Returns the current set behavioral flags for the given fuzzing context.
414 *
415 * @returns Behavioral flags of the given fuzzing context.
416 * @param hFuzzCtx The fuzzing context handle.
417 */
418RTDECL(uint32_t) RTFuzzCfgGetBehavioralFlags(RTFUZZCTX hFuzzCtx);
419
420/**
421 * Sets the temporary directory used by the fuzzing context.
422 *
423 * @returns IPRT status code.
424 * @param hFuzzCtx The fuzzing context handle.
425 * @param pszPathTmp The directory for the temporary state.
426 */
427RTDECL(int) RTFuzzCtxCfgSetTmpDirectory(RTFUZZCTX hFuzzCtx, const char *pszPathTmp);
428
429/**
430 * Returns the current temporary directory.
431 *
432 * @returns Current temporary directory.
433 * @param hFuzzCtx The fuzzing context handle.
434 */
435RTDECL(const char *) RTFuzzCtxCfgGetTmpDirectory(RTFUZZCTX hFuzzCtx);
436
437/**
438 * Sets the range in which a particular input can get mutated.
439 *
440 * @returns IPRT status code.
441 * @param hFuzzCtx The fuzzing context handle.
442 * @param offStart Start offset at which a mutation can happen.
443 * @param cbRange Size of the range in bytes where a mutation can happen,
444 * use UINT64_MAX to allow mutations till the end of the input.
445 */
446RTDECL(int) RTFuzzCtxCfgSetMutationRange(RTFUZZCTX hFuzzCtx, uint64_t offStart, uint64_t cbRange);
447
448/**
449 * Reseeds the PRNG of the given fuzzing context.
450 *
451 * @returns IPRT status code.
452 * @param hFuzzCtx The fuzzing context handle.
453 * @param uSeed The new seed.
454 */
455RTDECL(int) RTFuzzCtxReseed(RTFUZZCTX hFuzzCtx, uint64_t uSeed);
456
457/**
458 * Generates a new input from the given fuzzing context and returns it.
459 *
460 * @returns IPRT status code.
461 * @param hFuzzCtx The fuzzing context handle.
462 * @param phFuzzInput Where to store the handle to the fuzzed input on success.
463 */
464RTDECL(int) RTFuzzCtxInputGenerate(RTFUZZCTX hFuzzCtx, PRTFUZZINPUT phFuzzInput);
465
466
467/**
468 * Retains a reference to the given fuzzing input handle.
469 *
470 * @returns New reference count on success.
471 * @param hFuzzInput The fuzzing input handle.
472 */
473RTDECL(uint32_t) RTFuzzInputRetain(RTFUZZINPUT hFuzzInput);
474
475/**
476 * Releases a reference from the given fuzzing input handle, destroying it when reaching 0.
477 *
478 * @returns New reference count on success, 0 if the fuzzing input got destroyed.
479 * @param hFuzzInput The fuzzing input handle.
480 */
481RTDECL(uint32_t) RTFuzzInputRelease(RTFUZZINPUT hFuzzInput);
482
483/**
484 * Queries the data pointer and size of the given fuzzed input blob.
485 *
486 * @returns IPRT status code
487 * @param hFuzzInput The fuzzing input handle.
488 * @param ppv Where to store the pointer to the input data on success.
489 * @param pcb Where to store the size of the input data on success.
490 */
491RTDECL(int) RTFuzzInputQueryBlobData(RTFUZZINPUT hFuzzInput, void **ppv, size_t *pcb);
492
493/**
494 * Processes the given data stream for a streamed fuzzing context.
495 *
496 * @returns IPRT status code.
497 * @param hFuzzInput The fuzzing input handle.
498 * @param pvBuf The data buffer.
499 * @param cbBuf Size of the buffer.
500 */
501RTDECL(int) RTFuzzInputMutateStreamData(RTFUZZINPUT hFuzzInput, void *pvBuf, size_t cbBuf);
502
503/**
504 * Queries the string of the MD5 digest for the given fuzzed input.
505 *
506 * @returns IPRT status code.
507 * @retval VERR_BUFFER_OVERFLOW if the size of the string buffer is not sufficient.
508 * @param hFuzzInput The fuzzing input handle.
509 * @param pszDigest Where to store the digest string and a closing terminator.
510 * @param cchDigest Size of the string buffer in characters (including the zero terminator).
511 */
512RTDECL(int) RTFuzzInputQueryDigestString(RTFUZZINPUT hFuzzInput, char *pszDigest, size_t cchDigest);
513
514/**
515 * Writes the given fuzzing input to the given file.
516 *
517 * @returns IPRT status code.
518 * @param hFuzzInput The fuzzing input handle.
519 * @param pszFilename The filename to store the input to.
520 */
521RTDECL(int) RTFuzzInputWriteToFile(RTFUZZINPUT hFuzzInput, const char *pszFilename);
522
523/**
524 * Adds the given fuzzed input to the input corpus of the owning context.
525 *
526 * @returns IPRT status code.
527 * @retval VERR_ALREADY_EXISTS if the input exists already.
528 * @param hFuzzInput The fuzzing input handle.
529 */
530RTDECL(int) RTFuzzInputAddToCtxCorpus(RTFUZZINPUT hFuzzInput);
531
532/**
533 * Removes the given fuzzed input from the input corpus of the owning context.
534 *
535 * @returns IPRT status code.
536 * @retval VERR_NOT_FOUND if the input is not part of the corpus.
537 * @param hFuzzInput The fuzzing input handle.
538 */
539RTDECL(int) RTFuzzInputRemoveFromCtxCorpus(RTFUZZINPUT hFuzzInput);
540
541
542/**
543 * Creates a fuzzing config from the given VFS file handle.
544 *
545 * @returns IPRT status code.
546 * @param phFuzzCfg Where to store the handle to the fuzzing config on success.
547 * @param hVfsFile The VFS file to use (retained).
548 * @param pErrInfo Where to store extended error info. Optional.
549 */
550RTDECL(int) RTFuzzCfgCreateFromVfsFile(PRTFUZZCFG phFuzzCfg, RTVFSFILE hVfsFile, PRTERRINFO pErrInfo);
551
552/**
553 * Creates a fuzzing config from the given file path.
554 *
555 * @returns IPRT status code.
556 * @param phFuzzCfg Where to store the handle to the fuzzing config on success.
557 * @param pszFilename Filename to load the config from.
558 * @param pErrInfo Where to store extended error info. Optional.
559 */
560RTDECL(int) RTFuzzCfgCreateFromFile(PRTFUZZCFG phFuzzCfg, const char *pszFilename, PRTERRINFO pErrInfo);
561
562/**
563 * Retains a reference to the given fuzzing config.
564 *
565 * @returns New reference count on success.
566 * @param hFuzzCfg Handle of the fuzzing config.
567 */
568RTDECL(uint32_t) RTFuzzCfgRetain(RTFUZZCFG hFuzzCfg);
569
570/**
571 * Releases a reference from the given fuzzing config, destroying it when reaching 0.
572 *
573 * @returns New reference count on success, 0 if the fuzzing config got destroyed.
574 * @param hFuzzCfg Handle of the fuzzing config.
575 */
576RTDECL(uint32_t) RTFuzzCfgRelease(RTFUZZCFG hFuzzCfg);
577
578/**
579 * Imports the given fuzzing config into a previously created fuzzing context.
580 *
581 * @returns IPRT status code.
582 * @param hFuzzCfg Handle of the fuzzing config.
583 * @param hFuzzCtx Handle of the fuzzing context.
584 * @param fFlags Flags controlling what to import exactly, combination of RTFUZZCFG_IMPORT_F_XXX.
585 */
586RTDECL(int) RTFuzzCfgImport(RTFUZZCFG hFuzzCfg, RTFUZZCTX hFuzzCtx, uint32_t fFlags);
587
588/**
589 * Queries the custom config for the controller of the fuzzing process.
590 *
591 * @returns IPRT status code.
592 * @param hFuzzCfg Handle of the fuzzing config.
593 * @param phVfsFile Where to store the handle of the VFS file containing the custom config.
594 */
595RTDECL(int) RTFuzzCfgQueryCustomCfg(RTFUZZCFG hFuzzCfg, PRTVFSFILE phVfsFile);
596
597
598/**
599 * Creates a new fuzzed target recorder.
600 *
601 * @returns IPRT status code.
602 * @param phFuzzTgtRec Where to store the handle to the fuzzed target recorder on success.
603 * @param fRecFlags What to take into account when checking for equal states.
604 * Combination of RTFUZZTGT_REC_STATE_F_*
605 */
606RTDECL(int) RTFuzzTgtRecorderCreate(PRTFUZZTGTREC phFuzzTgtRec, uint32_t fRecFlags);
607
608/**
609 * Retains a reference to the given fuzzed target recorder handle.
610 *
611 * @returns New reference count on success.
612 * @param hFuzzTgtRec The fuzzed target recorder handle.
613 */
614RTDECL(uint32_t) RTFuzzTgtRecorderRetain(RTFUZZTGTREC hFuzzTgtRec);
615
616/**
617 * Releases a reference from the given fuzzed target recorder handle, destroying it when reaching 0.
618 *
619 * @returns New reference count on success, 0 if the fuzzed target recorder got destroyed.
620 * @param hFuzzTgtRec The fuzzed target recorder handle.
621 */
622RTDECL(uint32_t) RTFuzzTgtRecorderRelease(RTFUZZTGTREC hFuzzTgtRec);
623
624/**
625 * Creates a new empty fuzzed target state.
626 *
627 * @returns IPRT status code.
628 * @param hFuzzTgtRec The fuzzed target recorder handle.
629 * @param phFuzzTgtState Where to store the handle to the fuzzed target state on success.
630 */
631RTDECL(int) RTFuzzTgtRecorderCreateNewState(RTFUZZTGTREC hFuzzTgtRec, PRTFUZZTGTSTATE phFuzzTgtState);
632
633/**
634 * Retains a reference to the given fuzzed target state handle.
635 *
636 * @returns New reference count on success.
637 * @param hFuzzTgtState The fuzzed target state handle.
638 */
639RTDECL(uint32_t) RTFuzzTgtStateRetain(RTFUZZTGTSTATE hFuzzTgtState);
640
641/**
642 * Releases a reference from the given fuzzed target state handle, destroying it when reaching 0.
643 *
644 * @returns New reference count on success, 0 if the fuzzed target recorder got destroyed.
645 * @param hFuzzTgtState The fuzzed target state handle.
646 */
647RTDECL(uint32_t) RTFuzzTgtStateRelease(RTFUZZTGTSTATE hFuzzTgtState);
648
649/**
650 * Resets the given fuzzed target state to an empty state (keeping allocated memory).
651 *
652 * @returns IPRT status code.
653 * @param hFuzzTgtState The fuzzed target state handle.
654 *
655 * @note Useful when the state is not added to the recorded set to avoid allocating memory.
656 */
657RTDECL(int) RTFuzzTgtStateReset(RTFUZZTGTSTATE hFuzzTgtState);
658
659/**
660 * Finalizes the given fuzzed target state, making it readonly.
661 *
662 * @returns IPRT status code.
663 * @param hFuzzTgtState The fuzzed target state handle.
664 */
665RTDECL(int) RTFuzzTgtStateFinalize(RTFUZZTGTSTATE hFuzzTgtState);
666
667/**
668 * Adds the given state to the set for the owning target recorder.
669 *
670 * @returns IPRT status code.
671 * @retval VERR_ALREADY_EXISTS if the state is already existing in the recorder set.
672 * @param hFuzzTgtState The fuzzed target state handle.
673 *
674 * @note This also finalizes the target state if not already done.
675 */
676RTDECL(int) RTFuzzTgtStateAddToRecorder(RTFUZZTGTSTATE hFuzzTgtState);
677
678/**
679 * Appends the given stdout output to the given target state.
680 *
681 * @returns IPRT status code.
682 * @param hFuzzTgtState The fuzzed target state handle.
683 * @param pvStdOut Pointer to the stdout data buffer.
684 * @param cbStdOut Size of the stdout data buffer in bytes.
685 */
686RTDECL(int) RTFuzzTgtStateAppendStdoutFromBuf(RTFUZZTGTSTATE hFuzzTgtState, const void *pvStdOut, size_t cbStdOut);
687
688/**
689 * Appends the given stderr output to the given target state.
690 *
691 * @returns IPRT status code.
692 * @param hFuzzTgtState The fuzzed target state handle.
693 * @param pvStdErr Pointer to the stderr data buffer.
694 * @param cbStdErr Size of the stderr data buffer in bytes.
695 */
696RTDECL(int) RTFuzzTgtStateAppendStderrFromBuf(RTFUZZTGTSTATE hFuzzTgtState, const void *pvStdErr, size_t cbStdErr);
697
698/**
699 * Appends the given stdout output to the given target state, reading from the given pipe.
700 *
701 * @returns IPRT status code.
702 * @param hFuzzTgtState The fuzzed target state handle.
703 * @param hPipe The stdout pipe to read the data from.
704 */
705RTDECL(int) RTFuzzTgtStateAppendStdoutFromPipe(RTFUZZTGTSTATE hFuzzTgtState, RTPIPE hPipe);
706
707/**
708 * Appends the given stderr output to the given target state, reading from the given pipe.
709 *
710 * @returns IPRT status code.
711 * @param hFuzzTgtState The fuzzed target state handle.
712 * @param hPipe The stdout pipe to read the data from.
713 */
714RTDECL(int) RTFuzzTgtStateAppendStderrFromPipe(RTFUZZTGTSTATE hFuzzTgtState, RTPIPE hPipe);
715
716/**
717 * Adds the SanCov coverage information from the given file to the given target state.
718 *
719 * @returns IPRT status code.
720 * @param hFuzzTgtState The fuzzed target state handle.
721 * @param pszFilename Filename of the coverage report.
722 */
723RTDECL(int) RTFuzzTgtStateAddSanCovReportFromFile(RTFUZZTGTSTATE hFuzzTgtState, const char *pszFilename);
724
725/**
726 * Adds the given process status to the target state.
727 *
728 * @returns IPRT status code.
729 * @param hFuzzTgtState The fuzzed target state handle.
730 * @param pProcSts The process status to add.
731 */
732RTDECL(int) RTFuzzTgtStateAddProcSts(RTFUZZTGTSTATE hFuzzTgtState, PCRTPROCSTATUS pProcSts);
733
734/**
735 * Dumps the given target state to the given directory.
736 *
737 * @returns IPRT status code.
738 * @param hFuzzTgtState The fuzzed target state handle.
739 * @param pszDirPath The directory to dump to.
740 */
741RTDECL(int) RTFuzzTgtStateDumpToDir(RTFUZZTGTSTATE hFuzzTgtState, const char *pszDirPath);
742
743
744/**
745 * Fuzzed binary input channel.
746 */
747typedef enum RTFUZZOBSINPUTCHAN
748{
749 /** Invalid. */
750 RTFUZZOBSINPUTCHAN_INVALID = 0,
751 /** File input. */
752 RTFUZZOBSINPUTCHAN_FILE,
753 /** Input over stdin. */
754 RTFUZZOBSINPUTCHAN_STDIN,
755 /** The binary is a fuzzing aware client using the
756 * specified protocol over stdin/stdout. */
757 RTFUZZOBSINPUTCHAN_FUZZING_AWARE_CLIENT,
758 /** TCP server. */
759 RTFUZZOBSINPUTCHAN_TCP_SERVER,
760 /** TCP client. */
761 RTFUZZOBSINPUTCHAN_TCP_CLIENT,
762 /** UDP server. */
763 RTFUZZOBSINPUTCHAN_UDP_SERVER,
764 /** UDP client. */
765 RTFUZZOBSINPUTCHAN_UDP_CLIENT,
766 /** 32bit hack. */
767 RTFUZZOBSINPUTCHAN_32BIT_HACK = 0x7fffffff
768} RTFUZZOBSINPUTCHAN;
769
770/**
771 * Fuzzing observer statistics.
772 */
773typedef struct RTFUZZOBSSTATS
774{
775 /** Number of fuzzed inputs per second. */
776 uint32_t cFuzzedInputsPerSec;
777 /** Number of overall fuzzed inputs. */
778 uint32_t cFuzzedInputs;
779 /** Number of observed hangs. */
780 uint32_t cFuzzedInputsHang;
781 /** Number of observed crashes. */
782 uint32_t cFuzzedInputsCrash;
783} RTFUZZOBSSTATS;
784/** Pointer to a fuzzing observer statistics record. */
785typedef RTFUZZOBSSTATS *PRTFUZZOBSSTATS;
786
787/**
788 * Creates a new fuzzing observer.
789 *
790 * @returns IPRT status code.
791 * @param phFuzzObs Where to store the fuzzing observer handle on success.
792 * @param enmType Fuzzing context data type.
793 * @param fTgtRecFlags Flags to pass to the target state recorder, see RTFuzzTgtRecorderCreate().
794 */
795RTDECL(int) RTFuzzObsCreate(PRTFUZZOBS phFuzzObs, RTFUZZCTXTYPE enmType, uint32_t fTgtRecFlags);
796
797/**
798 * Destroys a previously created fuzzing observer.
799 *
800 * @returns IPRT status code.
801 * @param hFuzzObs The fuzzing observer handle.
802 */
803RTDECL(int) RTFuzzObsDestroy(RTFUZZOBS hFuzzObs);
804
805/**
806 * Queries the internal fuzzing context of the given observer.
807 *
808 * @returns IPRT status code.
809 * @param hFuzzObs The fuzzing observer handle.
810 * @param phFuzzCtx Where to store the handle to the fuzzing context on success.
811 *
812 * @note The fuzzing context handle should be released with RTFuzzCtxRelease() when not used anymore.
813 */
814RTDECL(int) RTFuzzObsQueryCtx(RTFUZZOBS hFuzzObs, PRTFUZZCTX phFuzzCtx);
815
816/**
817 * Queries the current statistics for the given fuzzing observer.
818 *
819 * @returns IPRT status code.
820 * @param hFuzzObs The fuzzing observer handle.
821 * @param pStats Where to store the statistics to.
822 */
823RTDECL(int) RTFuzzObsQueryStats(RTFUZZOBS hFuzzObs, PRTFUZZOBSSTATS pStats);
824
825/**
826 * Sets the temp directory for the given fuzzing observer.
827 *
828 * @returns IPRT status code.
829 * @param hFuzzObs The fuzzing observer handle.
830 * @param pszTmp The temp directory path.
831 */
832RTDECL(int) RTFuzzObsSetTmpDirectory(RTFUZZOBS hFuzzObs, const char *pszTmp);
833
834/**
835 * Sets the directory to store results to.
836 *
837 * @returns IPRT status code.
838 * @param hFuzzObs The fuzzing observer handle.
839 * @param pszResults The path to store the results.
840 */
841RTDECL(int) RTFuzzObsSetResultDirectory(RTFUZZOBS hFuzzObs, const char *pszResults);
842
843/**
844 * Sets the binary to run for each fuzzed input.
845 *
846 * @returns IPRT status code.
847 * @param hFuzzObs The fuzzing observer handle.
848 * @param pszBinary The binary path.
849 * @param enmInputChan The input channel to use.
850 */
851RTDECL(int) RTFuzzObsSetTestBinary(RTFUZZOBS hFuzzObs, const char *pszBinary, RTFUZZOBSINPUTCHAN enmInputChan);
852
853/**
854 * Sets additional arguments to run the binary with.
855 *
856 * @returns IPRT status code.
857 * @param hFuzzObs The fuzzing observer handle.
858 * @param papszArgs Pointer to the array of arguments.
859 * @param cArgs Number of arguments.
860 */
861RTDECL(int) RTFuzzObsSetTestBinaryArgs(RTFUZZOBS hFuzzObs, const char * const *papszArgs, unsigned cArgs);
862
863/**
864 * Sets an environment block to run the binary in.
865 *
866 * @returns IPRT status code.
867 * @param hFuzzObs The fuzzing observer handle.
868 * @param hEnv The environment block to set for the test binary.
869 * Use RTENV_DEFAULT for the default process environment or
870 * NULL for an empty environment.
871 *
872 * @note Upon successful return of this function the observer has taken ownership over the
873 * environment block and can alter it in unexpected ways. It also destroys the environment
874 * block when the observer gets destroyed. So don't touch the environment block after
875 * calling this function.
876 */
877RTDECL(int) RTFuzzObsSetTestBinaryEnv(RTFUZZOBS hFuzzObs, RTENV hEnv);
878
879/**
880 * Makes the observer aware of any configured sanitizers for the test binary.
881 *
882 * @returns IPRT status code.
883 * @param hFuzzObs The fuzzing observer handle.
884 * @param fSanitizers Bitmask of compiled and enabled sanitiziers in the
885 * target binary.
886 */
887RTDECL(int) RTFuzzObsSetTestBinarySanitizers(RTFUZZOBS hFuzzObs, uint32_t fSanitizers);
888
889/**
890 * Sets maximum timeout until a process is considered hung and killed.
891 *
892 * @returns IPRT status code.
893 * @param hFuzzObs The fuzzing observer handle.
894 * @param msTimeoutMax The maximum number of milliseconds to wait until the process
895 * is considered hung.
896 */
897RTDECL(int) RTFuzzObsSetTestBinaryTimeout(RTFUZZOBS hFuzzObs, RTMSINTERVAL msTimeoutMax);
898
899/**
900 * Starts fuzzing the set binary.
901 *
902 * @returns IPRT status code.
903 * @param hFuzzObs The fuzzing observer handle.
904 * @param cProcs Number of processes to run simulteanously,
905 * 0 will create as many processes as there are CPUs available.
906 */
907RTDECL(int) RTFuzzObsExecStart(RTFUZZOBS hFuzzObs, uint32_t cProcs);
908
909/**
910 * Stops the fuzzing process.
911 *
912 * @returns IPRT status code.
913 * @param hFuzzObs The fuzzing observer handle.
914 */
915RTDECL(int) RTFuzzObsExecStop(RTFUZZOBS hFuzzObs);
916
917
918/**
919 * A fuzzing master program.
920 *
921 * @returns Program exit code.
922 *
923 * @param cArgs The number of arguments.
924 * @param papszArgs The argument vector. (Note that this may be
925 * reordered, so the memory must be writable.)
926 */
927RTR3DECL(RTEXITCODE) RTFuzzCmdMaster(unsigned cArgs, char **papszArgs);
928
929
930/**
931 * Client input consumption callback.
932 *
933 * @returns IPRT status code.
934 * @retval VINF_SUCCESS the fuzzed code accepted the input.
935 * @retval VERR_* the client rejected the input while parsing it.
936 * @param pvBuf The buffer containing the input data.
937 * @param cbBuf Size of the buffer in bytes.
938 * @param pvUser Opaque user data.
939 */
940typedef DECLCALLBACKTYPE(int, FNFUZZCLIENTCONSUME,(const void *pvBuf, size_t cbBuf, void *pvUser));
941/** Pointer to a client consumption callback. */
942typedef FNFUZZCLIENTCONSUME *PFNFUZZCLIENTCONSUME;
943
944/**
945 * A fuzzing client program for more efficient fuzzing.
946 *
947 * @returns Program exit code.
948 *
949 * @param cArgs The number of arguments.
950 * @param papszArgs The argument vector. (Note that this may be
951 * reordered, so the memory must be writable.)
952 * @param pfnConsume Input data consumption callback.
953 * @param pvUser Opaque user data to pass to the callback.
954 */
955RTR3DECL(RTEXITCODE) RTFuzzCmdFuzzingClient(unsigned cArgs, char **papszArgs, PFNFUZZCLIENTCONSUME pfnConsume, void *pvUser);
956/** @} */
957
958RT_C_DECLS_END
959
960#endif /* !IPRT_INCLUDED_fuzz_h */
961
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette