aoh / radamsa
a general-purpose fuzzer
[michel@twppc64:~/work]
$ git clone https://github.com/aoh/radamsa.git
$ cd radamsa/
$ make
...
cd owl-lisp-0.1.10 && make bin/vm
make[2]: Entering directory '/mnt/disk2/michel/work/radamsa/owl-lisp-0.1.10'
# make a vm without a bundled heap
echo "unsigned char *heap = 0;" > c/vm.c
cat c/ovm.c >> c/vm.c
cc -Wall -O2 -o bin/vm c/vm.c
c/vm.c: In function 'boot':
c/vm.c:1016:4: warning: call to function 'vm' without a real prototype [-Wunprototyped-calls]
return vm(entry, oargs);
^
c/vm.c:148:6: note: 'vm' was declared here
word vm();
^
make[2]: Leaving directory '/mnt/disk2/michel/work/radamsa/owl-lisp-0.1.10'
make[1]: Leaving directory '/mnt/disk2/michel/work/radamsa'
owl-lisp-0.1.10/bin/vm owl-lisp-0.1.10/fasl/init.fasl -O2 -o radamsa.c rad/main.scm
Cannot compile rad/main.scm because cannot open file
Makefile:36: recipe for target 'radamsa.c' failed
make: *** [radamsa.c] Error 2
It has been observed at least on OSX that some of the unit tests sometimes have sporadic failures. Following are some example failures as output by tests/run:
-n o tests/ts1.sh:
sort: string comparison failed: Illegal byte sequence
sort: Set LC_ALL='C' to work around the problem.
sort: The strings compared were `\'v\217\347' and `\376"i\3317.\345\250V\333w>\346\311\203\034\316=\337~\233n\320\325\005\371\320Sp\301|\247"\036\024\221\247\016\213\222;\256=<c&\3224'.
-n o tests/tr2.sh:
sort: string comparison failed: Illegal byte sequence
sort: Set LC_ALL='C' to work around the problem.
sort: The strings compared were (two long binary strings, omitted here).
sort: string comparison failed: Illegal byte sequence
sort: Set LC_ALL='C' to work around the problem.
sort: The strings compared were `\rX\266\204(a) (b)' and `\rX\266\204'.
Some of the unit tests when they fail do not emit output to help diagnose the failure. Here is an example invoking tests/ab.sh directly:
$ rc=0
$ attempt=1
$ while [ $rc -eq 0 ]; do tests/ab.sh bin/radamsa ; rc=$?; echo $attempt; attempt=$((attempt+1)); done
1
2
3
4
5
6
7
8
9
10
11
12
$
After 12 attempts a failure was observed, but the reason for the failure is not emitted.
Likely it is the expectation that the unit test results be consistent. If the current revision in git is under development and the sporadic failure is expected or some cleanup is still underway, kindly ignore. I was unable to determine if release v0.4's unit tests encountered sporadic failures as issue #5 affects the v0.4 release.
As a comparison, release v0.3 had consistently passing unit tests.
(As a side note, at least on OSX the built-in echo command in sh does not support the -n option. This is the reason that "-n" is printed before all of the tests in tests/run. Consider reworking how echo is used in that script so that the -n option is unnecessary, if relevant.)
$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
1c1
< open the pod bay doords please hal
---
> open the pod bay doords please hay doords please hal
$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
1c1
< open the pod bay doords please hal
---
> open the pod bay doords please hadoords please hal
$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
1c1
< open the pod bay doords please hal
---
> opelease hal
$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
$
Can you make it so we can replay a specific test from the metadata log? Or, so we can start fuzzing at a certain iteration given a seed value?
Hi.
While fuzzing, I from time to time get this error:
bug: not removing alarm on io error, if there
What do you think causes it, and how can I fix it?
Thanks for adding the ability to start from a specific iteration. Can you add the iteration number to the -v output as well?
Hey!
I'm interested in possibly contributing to this (if I can wrap my head around it)
What dialect and implementation of Scheme are you using? I'm unfamiliar with some of what I see
output generators should return a function instead of a fd, so that outputs which do not correspond to a fd can be implemented easily (currently udp and muxer, possibly later library output continuation)
Did the latest commit break support for "-n inf" ? Specifying an iteration still works fine, e.g. -n 100, but -n inf doesn't produce any output.
Hi!
I would like to embed radamsa in a few different places as a library instead of having to call a binary on the command line from my own fuzzers. Is there a (recommended) way of doing so?
Thanks in advance!
When compiling, make throws the following error:
radamsa.c: In function ‘vm’:
radamsa.c:4904:0: note: -Wmisleading-indentation is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers
cc: internal compiler error: Killed (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-6/README.Bugs> for instructions.
Makefile:20: recipe for target 'bin/radamsa' failed
make: *** [bin/radamsa] Error 4
Any idea?
Hey, I'm fuzzing something that relies on file extensions and I'm using a large number of file types to fuzz it from my test cases (i.e. samples are at ../tests/* and look like from_twitter.exe, setup.bat, malware.yaml). pick-suffix only takes the first suffix it finds for the first file and uses that as %s for every output file.
So, I tried to add an output formatter %p that will insert the whole filename that was used to generate the test case. I thought the best way to do this would be to use get meta 'source but I can't figure out how 'source is set and it is occasionally not set at all for some test cases (I assume this is when it splices files together?).
This attempt results in a large number of test cases with an unknown source file suffix (muted in my commit). Any ideas on how that could be better retrieved?
Example meta of where it fails to grab the source:
utf8-insert: 3, muta-num: 5, generator: jump, nth: 22587, path: "/cygdrive/m/22587_unk", head: "/home/qt/_test/test.sis", output: file-writer, length: 827, tail: "/home/qt/_test/test.tar.gz", pattern: many-dec
It seems to me that it occurs in cases where the file is a combination of head/tail files. I'm unsure if the best solution should combine the head/tail filenames or simply select one based on the formatter (%0p / %1p) or randomly.
mkdir bla; echo a > bla/a; echo b > bla/b; for i in $(seq 100); do echo ; radamsa -r bla | xxd ; done
While I get the wonderfully mangled output, I never get a combined output of a and b - is this possible, or is the initial overhead of deducing structures and such just too heavy when handling multiple inputs?
When building radamsa from the master branch 5c67b3c9f5f00aa8304ec62be3dad2ebf2aa66e1 my gcc has an internal error. The error comes from the following line:
gcc -Wall -O2 -o bin/radamsa radamsa.c
And the error message (the only one I get) is quite generic:
gcc: internal compiler error: Killed (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
As it seems to be a very special case of using the C language, I decided to ask you if this is a known issue or something wild and crazy that shouldn't happen. If this is unknown and hard to replicate, then maybe I'll make a bug report to gcc. My gcc --version shows this:
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.1) 5.4.0 20160609
The issue persists in the v0.5 tagged commit 3f53d530499e66e663803d857f2ba4729408e440.
It would be nice if the checksum algorithm radamsa uses internally for test case deduplication was selectable.
As aoh told me on IRC, radamsa uses a custom 96-bit checksum for the uniqueness filter (i.e. deduplication). At first it used SHA256 for this purpose but it was replaced with a simpler and leaner stream algorithm due to better performance and memory usage. However, in certain workflows, one may want truly unique files so it makes sense to spend a bit more resources to calculate a better quality hash (e.g. SHA256).
Additionally, if this is implemented, it would be nice if the checksum was exposed as an output pattern specifier (e.g. %h for hash, or whatever), since it would allow files generated by radamsa to be automatically deduplicated at the filesystem level. This integrates nicely into workflows that use the same strategy to ensure test case uniqueness in a corpus.
I get a hang sometimes when running radamsa as a child process on macOS and linux. I don't think I've done anything wrong here, but if so my apologies.
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Pipe buf through a radamsa child process and read the result back into buf. */
void radamsa(uint8_t *buf, const size_t buf_sz) {
    int child_in[2] = { -1, -1 };
    int child_out[2] = { -1, -1 };
    pipe(child_in);
    pipe(child_out);
    pid_t child = fork();
    if (child == 0) {
        /* child: wire the pipes to stdin/stdout and exec radamsa */
        dup2(child_in[0], STDIN_FILENO);
        dup2(child_out[1], STDOUT_FILENO);
        close(child_in[0]);
        close(child_in[1]);
        close(child_out[0]);
        close(child_out[1]);
        execlp("radamsa", "radamsa", NULL);
        abort();
    }
    /* parent: write the whole input, wait for the child to exit, then read */
    close(child_in[0]);
    close(child_out[1]);
    FILE *in = fdopen(child_in[1], "w");
    FILE *out = fdopen(child_out[0], "r");
    fwrite(buf, 1, buf_sz, in);
    fclose(in);
    int status;
    waitpid(child, &status, 0);
    fread(buf, 1, buf_sz, out);
    fclose(out);
}

int main() {
    for (;;) {
        uint8_t buf[20] = { 0 };
        memset(buf, 0x41, sizeof(buf) - 1);
        radamsa(buf, sizeof(buf) - 1);
        printf("%s\n", buf);
    }
}
Linux backtrace:
(gdb) bt
#0 0x00007f96014f93a0 in __nanosleep_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007f9601522fd4 in usleep (useconds=<optimized out>) at ../sysdeps/unix/sysv/linux/usleep.c:32
#2 0x0000000000404361 in vm ()
#3 0x000000000049f580 in boot ()
#4 0x0000000000401009 in main ()
macOS:
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
* frame #0: 0x00007fff9f8eaf46 libsystem_kernel.dylib`__semwait_signal + 10
frame #1: 0x00007fff9f871b72 libsystem_c.dylib`nanosleep + 199
frame #2: 0x00007fff9f871a66 libsystem_c.dylib`usleep + 54
frame #3: 0x0000000101bcbaf3 radamsa`vm + 2941
frame #4: 0x0000000101bcab48 radamsa`boot + 784
frame #5: 0x0000000101bf28f9 radamsa`main + 9
frame #6: 0x00007fff9f7bc235 libdyld.dylib`start + 1
My reproducer pretty reliably hangs in a few seconds. Tested on 10.12.4 and linux 4.3. Happy to provide any more info if it would be useful.
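As an added example (not from the original post and not radamsa's own code), here is the driver pattern that avoids the deadlock the reproducer above can run into: it calls waitpid() before draining the child's stdout, so as soon as one output is larger than the pipe buffer the child blocks on write while the parent blocks on waitpid, which is consistent with the usleep frames in both backtraces. The helper below interleaves writing and reading with poll() and reaps the child only after EOF; cat stands in for the radamsa binary so the round trip is checkable offline.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv as a child, feed it `in` on stdin and collect all of its stdout in a
 * malloc'd buffer (*out, *out_sz). Writes and reads are interleaved with poll()
 * and waitpid() runs only after stdout hit EOF, so neither pipe can fill up
 * while the other side is blocked. Returns the wait status, or -1 on failure. */
static int run_filter(char *const argv[], const uint8_t *in, size_t in_sz,
                      uint8_t **out, size_t *out_sz) {
    int to_child[2], from_child[2];
    signal(SIGPIPE, SIG_IGN);        /* a child that exits early must not kill us */
    if (pipe(to_child) < 0 || pipe(from_child) < 0) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {                /* child: wire up the pipes and exec */
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        close(to_child[0]);  close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(to_child[0]);
    close(from_child[1]);
    int wfd = to_child[1], rfd = from_child[0];
    fcntl(wfd, F_SETFL, fcntl(wfd, F_GETFL) | O_NONBLOCK);
    fcntl(rfd, F_SETFL, fcntl(rfd, F_GETFL) | O_NONBLOCK);
    size_t written = 0, len = 0, cap = 4096;
    uint8_t *buf = malloc(cap);
    if (!buf) return -1;

    for (int reading = 1; reading;) {
        struct pollfd pfd[2];
        int n = 0, ri = 0;           /* ri: index of the stdout entry in pfd */
        if (wfd >= 0) { pfd[n].fd = wfd; pfd[n].events = POLLOUT; n++; ri = 1; }
        pfd[n].fd = rfd; pfd[n].events = POLLIN; n++;
        if (poll(pfd, n, -1) < 0) { if (errno == EINTR) continue; break; }
        if (wfd >= 0 && (pfd[0].revents & (POLLOUT | POLLERR | POLLHUP))) {
            ssize_t w = write(wfd, in + written, in_sz - written);
            if (w > 0) written += (size_t)w;
            /* all input delivered, or the child stopped reading: send EOF */
            if (written == in_sz || (w < 0 && errno != EAGAIN && errno != EINTR)) {
                close(wfd); wfd = -1;
            }
        }
        if (pfd[ri].revents & (POLLIN | POLLHUP | POLLERR)) {
            if (len == cap) {        /* grow the output buffer */
                uint8_t *g = realloc(buf, cap * 2);
                if (!g) { free(buf); return -1; }
                buf = g; cap *= 2;
            }
            ssize_t r = read(rfd, buf + len, cap - len);
            if (r > 0) len += (size_t)r;
            else if (r == 0 || (errno != EAGAIN && errno != EINTR)) reading = 0;
        }
    }
    if (wfd >= 0) close(wfd);
    close(rfd);
    int status = -1;
    waitpid(child, &status, 0);      /* reap only after stdout is drained */
    *out = buf; *out_sz = len;
    return status;
}

/* Round-trips a payload through cat (a constructed stand-in for the radamsa
 * binary, chosen because its output is predictable) and checks it comes back
 * intact. A 1 MiB payload is far larger than any pipe buffer, which is exactly
 * the situation in which the reproducer above deadlocks. */
static int cat_roundtrip_ok(size_t payload_sz) {
    uint8_t *in = malloc(payload_sz);
    if (!in) return 0;
    for (size_t i = 0; i < payload_sz; i++) in[i] = (uint8_t)('A' + i % 26);
    char *argv[] = { "cat", NULL };
    uint8_t *out = NULL; size_t out_sz = 0;
    int status = run_filter(argv, in, payload_sz, &out, &out_sz);
    int ok = status != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0
             && out_sz == payload_sz && memcmp(in, out, payload_sz) == 0;
    free(in); free(out);
    return ok;
}

int main(void) {
    puts(cat_roundtrip_ok(1u << 20) ? "1 MiB round trip ok" : "round trip FAILED");
    return 0;
}
```

Swapping "cat" for "radamsa" in argv gives a driver that never stalls on large mutations; the child's exit status still has to be checked, since a killed or crashed fuzzer also produces EOF.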
Hi.
Can you please help me.
I have, for example, this HTTP request
POST / HTTP/1.1
Cache-Control: max-age=0
Host: server_ip
Content-Length: 84
Content-Type: application/xml;charset=UTF-8
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<root>abc</root>
How can I tell radamsa to fuzz only this part of the full request?
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<root>abc</root>
radamsa -n inf samples/*.80 -o 127.0.0.1:80,outputs/tcp-%n,- | cat -v should work as expected.
Greetings,
My name is Niranjan, packager of radamsa in Fedora. I would like to know if you could create a new release tag 0.5, since there have been a lot of changes since the last release 0.4.
I would like to update the radamsa package in fedora to the latest changes.
In the release of Radamsa 0.3, available here:
https://ouspg.googlecode.com/files/radamsa-0.3.tar.gz
the compilation step consisted of compiling the included radamsa.c file. This allowed one to download a release and compile without downloading anything else.
I noticed that in Radamsa 0.4 the makefile now will clone the owl-lisp git repo, build it, then use owl-lisp to generate radamsa.c before compiling it. This can lead to build issues, as owl-lisp may not be accessible at the time or the version of owl-lisp downloaded over git may not be a version compatible with Radamsa 0.4.
As a concrete example, I found myself unable to build Radamsa 0.4 because the latest revision of owl-lisp built but was unable to generate radamsa.c :
$ cd radamsa-0.4/
$ make
make get-owl
make[1]: Entering directory `/home/brarcher/tmp/radamsa-0.4'
# fetching and building owl to build radamsa
# this may take a few minutes on first build
git clone https://github.com/aoh/owl-lisp.git
Cloning into 'owl-lisp'...
remote: Counting objects: 4485, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 4485 (delta 0), reused 0 (delta 0), pack-reused 4481
Receiving objects: 100% (4485/4485), 6.36 MiB | 0 bytes/s, done.
Resolving deltas: 100% (3076/3076), done.
Checking connectivity... done.
cd owl-lisp && git pull
Already up-to-date.
cd owl-lisp && make
make[2]: Entering directory `/home/brarcher/tmp/radamsa-0.4/owl-lisp'
...
make[2]: Leaving directory `/home/brarcher/tmp/radamsa-0.4/owl-lisp'
make[1]: Leaving directory `/home/brarcher/tmp/radamsa-0.4'
owl-lisp/bin/ol -O2 -o radamsa.c rad/main.scm
Cannot compile rad/main.scm because
Library (rad main) failed:
Failed to load (rad output) because
Library (rad output) failed:
Definition of tcp-client failed because
What is 'sleeper-id'?
make: *** [radamsa.c] Error 2
Kindly consider one of the following alternatives:
Thank you for your consideration.
As the title says. The last version I was able to build was 0.4a in late 2013.
When I try to build Radamsa now, it complains about:
#include <netinet/in.h>
^
compilation terminated.
I've tried using different owl versions, commenting some owl code and generating radamsa.c, etc, but I cannot get it to work.
If you point me in the right direction I will try to make it work.
Radamsa has helped me greatly finding bugs in Windows (see PR #30) and I'm sure I'm not the only one!
It may be important to inform users of Radamsa of relevant changes between released versions. This may include the addition of new patterns, new features, bug fixes, etc. Typically this is accomplished using a NEWS file in the repository or release tarball.
It is not obvious between revisions 0.3 and 0.4 what changed, and why one should be interested in updating. The inclusion of a NEWS file will help inform users of such changes.
The GNU Coding Standard gives recommendations for the content of a NEWS file. This is available here:
NEWS-File.
Kindly consider adding and maintaining a NEWS file at relevant milestones of the Radamsa project.
Hello,
Does this tool work for ARM? I didn't see ARM listed as a supported platform, but I just wanted to know if it works or not.
I am running radamsa v0.6 like this:
echo "no" | ./radamsa --seed 1171423923758331160377055 -n 100 -v --output-template {{{%f}}},
and the result I get is:
Random seed: 1171423923758331160377055 {{{n�o }}}, - 1: 14b {{{ no }}}, - 2: 11b {{{}}}, - 3: 7b {{{n� ������o }}}, - 4: 29b {{{no� }}}, - 5: 14b {{{no��� }}}, - 6: 16b {{{no� }}}, - 7: 14b {{{שּׁnไo }}}, - 8: 16b {{{noᅟ }}}, - 9: 13b {{{nooooooooooooooooooooooooooooooooooooooo�oooooooooooooooo oooooooooooooooooooooooooooooooooooooʲ�������������������� ��������������������������������������������������������������������������������������� }}}, - 10: 218b {{{noooooooooo�oooooooooooo�ooooooooooooooooooooooooooooooooooo�oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo }}}, - 11: 272b {{{no� }}}, - 12: 14b {{{ßno }}}, - 13: 12b {{{�no n�o }}}, - 14: 20b no{ }}}, - 15: 11b {{{nXnonononoonnononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononono }}}, - 16: 772b {{{�������������no }}}, - 17: 26b ����/�+/vvv ��vvvvvvvv����� }}}, - 18: 425b }}}, - 19: 8b {{{��o n� o�oon� }}}, - 20: 21b {{{no no }}}, - 21: 13b {{{nnnnnnnnnnnnnnnnnno }}}, - 22: 27b {{{no }}}, - 23: 10b {{{oo }}}, - 24: 10b
The return code is also non-zero. OS is RHEL 8.7.
It appears that radamsa gives incorrect output when used with the seek option as compared to without that option. I generated the below output with the latest version of radamsa on Github on an up-to-date Ubuntu 16.04.3:
$ printf "\x00\x00\x00\x00\x00\x00\x00\x00" | ./radamsa -s 3333 -n inf -o :8888 -v
Random seed: 3333
- :8888/1 <- 127.0.0.1: 25b
- :8888/2 <- 127.0.0.1: 11b
- :8888/3 <- 127.0.0.1: 12b
- :8888/4 <- 127.0.0.1: 9b
- :8888/5 <- 127.0.0.1: 12b
- :8888/6 <- 127.0.0.1: 36b
- :8888/7 <- 127.0.0.1: 12b
- :8888/8 <- 127.0.0.1: 15b
- :8888/9 <- 127.0.0.1: 11b
- :8888/10 <- 127.0.0.1: 23b
- :8888/11 <- 127.0.0.1: 13b
- :8888/12 <- 127.0.0.1: 7b
- :8888/13 <- 127.0.0.1: 8b
- :8888/14 <- 127.0.0.1: 10b
- :8888/15 <- 127.0.0.1: 16b
- :8888/16 <- 127.0.0.1: 8b
- :8888/17 <- 127.0.0.1: 11b
- :8888/18 <- 127.0.0.1: 13b
- :8888/19 <- 127.0.0.1: 8b
- :8888/20 <- 127.0.0.1: 5b
- :8888/21 <- 127.0.0.1: 10b
- :8888/22 <- 127.0.0.1: 9b
- :8888/23 <- 127.0.0.1: 7b
- :8888/24 <- 127.0.0.1: 6b
- :8888/25 <- 127.0.0.1: 14b
- :8888/26 <- 127.0.0.1: 8b
- :8888/27 <- 127.0.0.1: 8b
- :8888/28 <- 127.0.0.1: 5b
- :8888/29 <- 127.0.0.1: 8b
- :8888/30 <- 127.0.0.1: 7b
- :8888/31 <- 127.0.0.1: 8b
- :8888/32 <- 127.0.0.1: 9b
- :8888/33 <- 127.0.0.1: 4b
- :8888/34 <- 127.0.0.1: 45b
From another terminal:
$ for i in $(seq 1 34); do echo $i; nc 127.0.0.1 8888 | xxd; done
1
00000000: 0000 f3a0 80ad f3a0 80f7 644c f3a0 8180 ..........dL....
00000010: b7f3 a081 b700 0000 00 .........
2
00000000: 0000 e19a 8000 0000 0000 00 ...........
3
00000000: 0000 f3a0 81a6 0000 0000 0000 ............
4
00000000: 00f3 a081 0000 00c0 80 .........
5
00000000: 0000 00f3 a081 a500 0000 0000 ............
6
00000000: 0000 0000 0081 8800 0000 0000 0000 0000 ................
00000010: 0000 00e4 0000 0031 9533 0084 3195 db95 .......1.3..1...
00000020: e2f4 a0db ....
7
00000000: 0000 0000 0000 00f3 a081 ae00 ............
8
00000000: 0000 00ed baad 005b 0000 f3a0 81a0 00 .......[.......
9
00000000: 0000 0000 00e3 85a4 0000 00 ...........
10
00000000: 816b f3a0 e1a0 8e81 93ac acac acf4 acf4 .k..............
00000010: e200 f400 0000 00 .......
11
00000000: 0000 f3a0 8193 e280 ac00 0000 00 .............
12
00000000: 0000 0000 0000 00 .......
13
00000000: 0000 0000 0000 0000 ........
14
00000000: 0000 0000 0000 c300 0000 ..........
15
00000000: 0000 0000 0000 00c0 8000 0000 8181 8181 ................
16
00000000: 0000 0000 0000 0010 ........
17
00000000: 0000 0000 0400 0000 0400 00 ...........
18
00000000: 008a 0000 0000 0000 0000 0000 00 .............
19
00000000: 0000 0000 0000 0001 ........
20
00000000: 0000 0000 00 .....
21
00000000: 0000 0000 00c5 00c5 0000 ..........
22
00000000: 0000 007e 0000 0000 00 ...~.....
23
00000000: 0400 0000 0000 00 .......
24
00000000: 0000 0000 0000 ......
25
00000000: 0000 0000 0000 0000 0000 0000 0000 ..............
26
00000000: 00c0 8000 0000 8000 ........
27
00000000: 0000 0000 0000 8000 ........
28
00000000: 0100 0100 00 .....
29
00000000: 0000 0000 0000 2000 ...... .
30
00000000: 0020 0000 0000 00 . .....
31
00000000: 0000 0000 0004 0000 ........
32
00000000: 1400 0000 0000 0004 00 .........
33
00000000: 38f6 2000 8. .
34
00000000: 0073 0700 0000 00a0 f3a0 81e3 a0f3 80ba .s..............
00000010: 0000 0010 a0f3 a080 f3a4 25f2 80ba 0002 ..........%.....
00000020: 0000 a0f3 a080 f3a0 f380 ba00 00 .............
Then trying to duplicate the last output, I do the following:
$ printf "\x00\x00\x00\x00\x00\x00\x00\x00" | ./radamsa -s 3333 -n inf -o :8888 -v -S 34
Random seed: 3333
- :8888/34 <- 127.0.0.1: 8b
and from another terminal:
$ nc 127.0.0.1 8888 | xxd
00000000: 0000 0000 0004 0000 ........
As can be seen, radamsa returns the 31st output rather than the 34th as expected. Further, comparing the output of
$ printf "\x00\x00\x00\x00\x00\x00\x00\x00" | ./radamsa -s 3333 -n inf -o :8888 -v
# Then from another terminal
$ for i in $(seq 1 34); do echo $i; nc 127.0.0.1 8888 | xxd; done
and
$ for i in $(seq 1 34); do printf "\x00\x00\x00\x00\x00\x00\x00\x00" | ./radamsa -s 3333 -n 1 -o :8888 -v -S $i; done
# Then from another terminal
$ for i in $(seq 1 34); do echo $i; nc 127.0.0.1 8888 | xxd; sleep 1; done # sleep needed to make sure radamsa is up
It appears that test case 16 is the first one to differ.
Some mutations (e.g. fuse old) need some information about data elsewhere in order to work properly on the first run. As a result, simple and likely common usage patterns such as $ while true; do radamsa samples/* | tee testcase | timeout 10 target - || break; done
will never make many useful changes.
Radamsa should preseed these mutations with one or more data blocks. This would be trivial if radamsa wasn't required to be deterministic whether the sample data comes from a file or a pipe.
Anyway, it sucks, so it should be solved.
there may be spurious reads after eof in sample file streaming
Hey,
I'm maintaining radamsa for a distribution and for building it would be nice to simply use the system owl-lisp and not download it from the internet.
In an earlier version I could just get rid of the 'get-owl' target, but now it's quite strictly baked inside.
It would be gorgeous for distribution-based packaging if we could have an optional switch or such to build without downloading owl-lisp and assume it being already installed.
I have radamsa running on Ubuntu 14.04 and Mac 10.11.4, trying to send data to a remote IP address.
echo "AAA" | radamsa -o 10.1.1.2:80 -n 1
In tcpdump I can see my Mac completes a SYN, SYN/ACK, ACK, but stops there, not sending a PSH with the payload. On Ubuntu the payload is sent as expected.
Hi.
When I use radamsa for fuzzing a network protocol I get an issue.
When I launch radamsa with these parameters
radamsa need_fuzz_protocol.bin -s 3 -n 1000000 -o server_ip:server_port -vv
it generates only 4 cases
another seed
But if I generate the test cases into a folder, radamsa successfully generates all 100000 cases.