radamsa's People

Contributors

androm3da, anthraxx, aoh, brarcher, cweb, darkkey, jwilk, santosomar, vah13, xificurc

radamsa's Issues

Infinity option not working: -n inf

Did the latest commit break support for "-n inf" ? Specifying an iteration still works fine, e.g. -n 100, but -n inf doesn't produce any output.

ft mutation seems to think it succeeds when it doesn't

$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
1c1
< open the pod bay doords please hal
---
> open the pod bay doords please hay doords please hal
$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
1c1
< open the pod bay doords please hal
---
> open the pod bay doords please hadoords please hal
$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
1c1
< open the pod bay doords please hal
---
> opelease hal
$ echo 'open the pod bay doords please hal' > foo; radamsa -m ft -p od < foo > bar; diff foo bar
$

not possible to use system owl-lisp instead of downloading

Hey,
I'm maintaining radamsa for a distribution and for building it would be nice to simply use the system owl-lisp and not download it from the internet.
In an earlier version I could just get rid of the 'get-owl' target, but now it's quite strictly baked in.

It would be gorgeous for distribution-based packaging if we could have an optional switch or such to build without downloading owl-lisp and assume it is already installed.

Selectable checksum algorithms and exposing the checksum in the output pattern

It would be nice if the checksum algorithm radamsa uses internally for test case deduplication was selectable.

As aoh told me on IRC, radamsa uses a custom 96-bit checksum for the uniqueness filter (i.e. deduplication). At first it used SHA256 for this purpose but it was replaced with a simpler and leaner stream algorithm due to better performance and memory usage. However, in certain workflows, one may want truly unique files so it makes sense to spend a bit more resources to calculate a better quality hash (e.g. SHA256).

Additionally, if this is implemented, it would be nice if the checksum was exposed as an output pattern specifier (e.g. %h for hash, or whatever), since it would allow files generated by radamsa to be automatically deduplicated at the filesystem level. This integrates nicely into workflows that use the same strategy to ensure test case uniqueness in a corpus.
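
The filesystem-level deduplication this request describes can be approximated outside radamsa. The shell sketch below is an added example, not part of the issue or of radamsa: it names each generated case after its SHA-256 so identical cases collapse onto one file. The `MUTATOR` variable, the function names and the corpus layout are assumptions of the sketch.

```shell
#!/bin/sh
# Added example: content-addressed storage of generated test cases.
# MUTATOR (assumption): a command that takes a sample file as its last
# argument and writes one mutated case to stdout, e.g. radamsa.
MUTATOR=${MUTATOR:-radamsa}

# sha256_of FILE: print the hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# store_unique CASE_FILE CORPUS_DIR [SUFFIX]
# Moves CASE_FILE to CORPUS_DIR/<sha256><SUFFIX>.
# Returns 0 if the case was new, 1 if it was a duplicate, 2 on error.
# The exists-then-move check assumes a single writer per corpus directory.
store_unique() {
    case_file=$1; corpus=$2; suffix=${3:-}
    mkdir -p "$corpus" || return 2
    digest=$(sha256_of "$case_file") || return 2
    [ -n "$digest" ] || return 2
    dest=$corpus/$digest$suffix
    if [ -e "$dest" ]; then
        rm -f "$case_file"      # same bytes already stored
        return 1
    fi
    mv "$case_file" "$dest" || return 2
}

# generate_unique SAMPLE CORPUS_DIR COUNT
# Runs the mutator COUNT times and prints how many new cases were stored.
generate_unique() {
    sample=$1; corpus=$2; count=$3; new=0; i=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        tmp=$(mktemp) || return 2
        # Work through a file: mutated data may contain NUL bytes.
        $MUTATOR "$sample" > "$tmp" || { rm -f "$tmp"; continue; }
        if store_unique "$tmp" "$corpus"; then
            new=$((new + 1))
        fi
    done
    printf '%s\n' "$new"
}
```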

unit tests sometimes have sporadic failures

It has been observed at least on OSX that some of the unit tests sometimes have sporadic failures. Following are some example failures as output by tests/run:

-n o tests/ts1.sh: 
sort: string comparison failed: Illegal byte sequence
sort: Set LC_ALL='C' to work around the problem.
sort: The strings compared were `\'v\217\347' and `\376"i\3317.\345\250V\333w>\346\311\203\034\316=\337~\233n\320\325\005\371\320Sp\301|\247"\036\024\221\247\016\213\222;\256=<c&\3224'.
-n  o tests/tr2.sh: 
sort: string comparison failed: Illegal byte sequence
sort: Set LC_ALL='C' to work around the problem.
sort: The strings compared were `6\030v\317\3133о\366|\263htv9\0173\340\2421\275F\a\232\360DJ\017\233\037:)\241\023\375\350.\272\r<6\201\002\330\203+\005\221#\355$\343\321F\357T\036\264g[>]\344\200Ę\265s\236\031E\302-\220ǰܺob<\210\004\32415\246\300{ˏ\030\270xrژ\335/\243_ވ8\255y\a\177\362\234!\251N\336\322\371\325p\024\f\241\353&#6\371\204\313\020V\031\311\210V\302\004\\\237\374\316\215!i\357s\231,P\373+\346\303\310tX\300\355\177\247R\347u:3bA-\2148\03114\361\271k\241\376\247/\033\271S\\|,\a#\200w\237\374\002\232!\024\316\346\371C\017\370\354˕\343\241\301\244\025\2763\000iÜP\340\021.\001\301\246\304\363\233\266\022!\030\232L\024\204\311K\030\340\3249.\310\354\a_\t\374{j.$0\021q\267\252<\021\023\260\301Z\235m\005\330H\342~\016\t\242\310\303Oڏ\210S\311\177\275\240\345AwQ g\334\370\302\336\021\207\r}`;8\326Ҵ\270.\363q6\325J,\234(\253QƼ\226V\310\301$W\231A\273\033\000\251\274ѥ\321\322\027\320\000뚦{@\277~-\205\343݅E\200\341\032\203\240\027\3338\366z\351CM6\177C\201\312(N\273\346\201d\200\032\177\371*\177\sort: string comparison failed: Illegal byte sequence
sort: Set LC_ALL='C' to work around the problem.
sort: The strings compared were `\rX\266\204(a) (b)' and `\rX\266\204'.

Some of the unit tests when they fail do not emit output to help diagnose the failure. Here is an example invoking tests/ab.sh directly:

$ rc=0
$ attempt=1
$ while [ $rc -eq 0 ]; do tests/ab.sh bin/radamsa ; rc=$?; echo $attempt; attempt=$((attempt+1)); done
1
2
3
4
5
6
7
8
9
10
11
12
$

After 12 attempts a failure was observed, but the reason for the failure is not emitted.

Likely it is the expectation that the unit test results be consistent. If the current revision in git is under development and the sporadic failure is expected or some cleanup is still underway, kindly ignore. I was unable to determine if release v0.4's unit tests encountered sporadic failures as issue #5 affects the v0.4 release.

As a comparison, release v0.3 had consistently passing unit tests.

(As a side note, at least on OSX the built-in echo command in sh does not support the -n option. This is the reason that "-n" is printed before all of the tests in tests/run . Consider reworking when echo is used in that script so that the -n option is unnecessary, if relevant).

Preseed mutations

Some mutations (e.g. fuse old) need some information about data elsewhere in order to work properly on the first run. As a result, simple and likely common usage patterns such as $ while true; do radamsa samples/* | tee testcase | timeout 10 target - || break; done will never make many useful changes.

Radamsa should preseed these mutations with one or more data blocks. This would be trivial if radamsa wasn't required to be deterministic whether the sample data comes from a file or a pipe.

Anyway, it sucks, so it should be solved.

Dialect and implementation of Scheme?

Hey!

I'm interested in possibly contributing to this (if I can wrap my head around it).
What dialect and implementation of Scheme are you using? I'm unfamiliar with some of what I see

Radamsa hang on linux and macOS

I get a hang sometimes when running radamsa as a child process on macOS and linux. I don't think I've done anything wrong here, but if so my apologies.

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/wait.h>

void radamsa(uint8_t *buf, const size_t buf_sz) {
    int child_in[2]  = { -1, -1 };
    int child_out[2] = { -1, -1 };

    pipe (child_in);
    pipe (child_out);

    pid_t child = fork ();

    if (child == 0) {
        dup2 (child_in[0], STDIN_FILENO);
        dup2 (child_out[1], STDOUT_FILENO);

        close (child_in[0]);
        close (child_in[1]);

        close (child_out[0]);
        close (child_out[1]);

        execlp ("radamsa", "radamsa", NULL);

        abort ();
    }

    close (child_in[0]);
    close (child_out[1]);

    FILE *in  = fdopen (child_in[1], "w");
    FILE *out = fdopen (child_out[0], "r");

    fwrite (buf, 1, buf_sz, in);
    fclose (in);

    int status;
    waitpid (child, &status, 0);

    fread (buf, 1, buf_sz, out);

    fclose (out);
}

int main() {
    for (;;) {
        uint8_t buf[20] = { 0 };
        memset (buf, 0x41, sizeof(buf) - 1);

        radamsa (buf, sizeof(buf) - 1);

        printf ("%s\n", buf);
    }
}

Linux backtrace:

(gdb) bt
#0  0x00007f96014f93a0 in __nanosleep_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007f9601522fd4 in usleep (useconds=<optimized out>) at ../sysdeps/unix/sysv/linux/usleep.c:32
#2  0x0000000000404361 in vm ()
#3  0x000000000049f580 in boot ()
#4  0x0000000000401009 in main ()

macOS:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
  * frame #0: 0x00007fff9f8eaf46 libsystem_kernel.dylib`__semwait_signal + 10
    frame #1: 0x00007fff9f871b72 libsystem_c.dylib`nanosleep + 199
    frame #2: 0x00007fff9f871a66 libsystem_c.dylib`usleep + 54
    frame #3: 0x0000000101bcbaf3 radamsa`vm + 2941
    frame #4: 0x0000000101bcab48 radamsa`boot + 784
    frame #5: 0x0000000101bf28f9 radamsa`main + 9
    frame #6: 0x00007fff9f7bc235 libdyld.dylib`start + 1

My reproducer pretty reliably hangs in a few seconds. Tested on 10.12.4 and linux 4.3. Happy to provide any more info if it would be useful.

something available for ARM

Hello,

Does this tool work for ARM? I didn't see ARM as a supported platform, but I just wanted to know if it works or not.

Adding original filename to output filename

Hey, I'm fuzzing something that relies on file extensions and I'm using a large number of file types to fuzz it from my test cases (i.e. samples are at ../tests/* and look like from_twitter.exe, setup.bat, malware.yaml). pick-suffix only takes the first suffix it finds for the first file and uses that as %s for every output file.

So, I tried to add an output formatter %p that will insert the whole filename that was used to generate the test case. I thought the best way to do this would be to use get meta 'source but I can't figure out how 'source is set and it is occasionally not set at all for some test cases (I assume this is when it splices files together?).

This attempt results in a large number of test cases with an unknown source file suffix (muted in my commit). Any ideas on how that could be better retrieved?

dwendt@c88a8f0

Example meta of where it fails to grab the source~

utf8-insert: 3, muta-num: 5, generator: jump, nth: 22587, path: "/cygdrive/m/22587_unk", head: "/home/qt/_test/test.sis", output: file-writer, length: 827, tail: "/home/qt/_test/test.tar.gz", pattern: many-dec

It seems to me that it occurs in cases where the file is a combination of head/tail files. I'm unsure if the best solution should combine the head/tail filenames or simply select one based on the formatter (%0p / %1p) or randomly.

question about radamsa using

Hi.
Can you please help me?
I have, for example, this HTTP request

POST / HTTP/1.1
Cache-Control: max-age=0
Host: server_ip
Content-Length: 84
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<root>abc</root>

How can I tell radamsa to start fuzzing only this part of the full request?

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<root>abc</root>
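
One way to do what this question asks, as an added example that is not part of the original post or of radamsa itself: give the mutator only the XML body as its sample, then wrap each mutated body in the fixed headers with a recomputed Content-Length. `MUTATOR`, `fuzz_body_request` and the file names are assumptions of this sketch; the headers are the ones from the request above.

```shell
#!/bin/sh
# Added example: mutate only the HTTP body and keep the headers well-formed.
# MUTATOR (assumption): a command that takes a sample file as its last
# argument and writes one mutated case to stdout, e.g. radamsa.
MUTATOR=${MUTATOR:-radamsa}

# fuzz_body_request BODY_SAMPLE HOST OUT_FILE
# Writes one complete request to OUT_FILE and prints the body length in bytes.
fuzz_body_request() {
    body_sample=$1
    host=$2
    out=$3
    tmp=$(mktemp) || return 1

    # Mutate the body alone. Keep it in a file, not a shell variable:
    # mutated data may contain NUL bytes or lack a trailing newline.
    if ! $MUTATOR "$body_sample" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Content-Length must describe the mutated body, not the original,
    # or the server's framing will hide or truncate the mutation.
    len=$(wc -c < "$tmp" | tr -d ' ')

    {
        printf 'POST / HTTP/1.1\r\n'
        printf 'Cache-Control: max-age=0\r\n'
        printf 'Host: %s\r\n' "$host"
        printf 'Content-Length: %s\r\n' "$len"
        printf 'Content-Type: application/xml;charset=UTF-8\r\n'
        printf '\r\n'
        cat "$tmp"
    } > "$out"

    rm -f "$tmp"
    printf '%s\n' "$len"
}
```

Save the two XML lines as the sample file (for instance `body.xml`) and call `fuzz_body_request body.xml server_ip request.bin` once per test case.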

add output splitter

radamsa -n inf samples/*.80 -o 127.0.0.1:80,outputs/tcp-%n,- | cat -v should work as expected.

amount of fuzzed objects differ from count parameter

I am running radamsa v0.6 like this:
echo "no" | ./radamsa --seed 1171423923758331160377055 -n 100 -v --output-template {{{%f}}},

and the result I get is:
Random seed: 1171423923758331160377055 {{{n�o }}}, - 1: 14b {{{ no }}}, - 2: 11b {{{}}}, - 3: 7b {{{n� ������o }}}, - 4: 29b {{{no� }}}, - 5: 14b {{{no��� }}}, - 6: 16b {{{no� }}}, - 7: 14b {{{שּׁnไo }}}, - 8: 16b {{{noᅟ }}}, - 9: 13b {{{nooooooooooooooooooooooooooooooooooooooo�oooooooooooooooo oooooooooooooooooooooooooooooooooooooʲ�������������������� ��������������������������������������������������������������������������������������� }}}, - 10: 218b {{{noooooooooo�oooooooooooo�ooooooooooooooooooooooooooooooooooo�oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo }}}, - 11: 272b {{{no� }}}, - 12: 14b {{{ßno }}}, - 13: 12b {{{�no n�o }}}, - 14: 20b no{ }}}, - 15: 11b {{{nXnonononoonnononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononononono }}}, - 16: 772b {{{�������������no }}}, - 17: 26b ����/�+/vvv ��vvvvvvvv����� }}}, - 18: 425b }}}, - 19: 8b {{{��o n� o�oon� }}}, - 20: 21b {{{no no }}}, - 21: 13b {{{nnnnnnnnnnnnnnnnnno }}}, - 22: 27b {{{no }}}, - 23: 10b {{{oo }}}, - 24: 10b

The return code is also non-zero. OS is RHEL 8.7.

Internal compiler error

When building radamsa from the master branch 5c67b3c9f5f00aa8304ec62be3dad2ebf2aa66e1 my gcc has an internal error. The error comes from the following line:

gcc -Wall -O2 -o bin/radamsa radamsa.c

And the error message (the only one I get) is quite generic:

gcc: internal compiler error: Killed (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.

As it seems to be a very special case of using the C language, I decided to ask you if this is a known issue or something wild and crazy that shouldn't happen. If this is unknown and hard to replicate, then maybe I'll make a bug report to gcc. My gcc --version shows this:

gcc (Ubuntu 5.4.0-6ubuntu1~16.04.1) 5.4.0 20160609

The issue persists in the v0.5 tagged commit 3f53d530499e66e663803d857f2ba4729408e440.

Inconsistent output with the --seek option

It appears that radamsa gives incorrect output when used with the seek option as compared to without that option. I generated the below output with the latest version of radamsa on GitHub on an up-to-date Ubuntu 16.04.3:

$ printf "\x00\x00\x00\x00\x00\x00\x00\x00" | ./radamsa -s 3333 -n inf -o :8888 -v
Random seed: 3333
 - :8888/1 <- 127.0.0.1: 25b
 - :8888/2 <- 127.0.0.1: 11b
 - :8888/3 <- 127.0.0.1: 12b
 - :8888/4 <- 127.0.0.1: 9b
 - :8888/5 <- 127.0.0.1: 12b
 - :8888/6 <- 127.0.0.1: 36b
 - :8888/7 <- 127.0.0.1: 12b
 - :8888/8 <- 127.0.0.1: 15b
 - :8888/9 <- 127.0.0.1: 11b
 - :8888/10 <- 127.0.0.1: 23b
 - :8888/11 <- 127.0.0.1: 13b
 - :8888/12 <- 127.0.0.1: 7b
 - :8888/13 <- 127.0.0.1: 8b
 - :8888/14 <- 127.0.0.1: 10b
 - :8888/15 <- 127.0.0.1: 16b
 - :8888/16 <- 127.0.0.1: 8b
 - :8888/17 <- 127.0.0.1: 11b
 - :8888/18 <- 127.0.0.1: 13b
 - :8888/19 <- 127.0.0.1: 8b
 - :8888/20 <- 127.0.0.1: 5b
 - :8888/21 <- 127.0.0.1: 10b
 - :8888/22 <- 127.0.0.1: 9b
 - :8888/23 <- 127.0.0.1: 7b
 - :8888/24 <- 127.0.0.1: 6b
 - :8888/25 <- 127.0.0.1: 14b
 - :8888/26 <- 127.0.0.1: 8b
 - :8888/27 <- 127.0.0.1: 8b
 - :8888/28 <- 127.0.0.1: 5b
 - :8888/29 <- 127.0.0.1: 8b
 - :8888/30 <- 127.0.0.1: 7b
 - :8888/31 <- 127.0.0.1: 8b
 - :8888/32 <- 127.0.0.1: 9b
 - :8888/33 <- 127.0.0.1: 4b
 - :8888/34 <- 127.0.0.1: 45b

From another terminal:

$ for i in $(seq 1 34); do echo $i; nc 127.0.0.1 8888 | xxd; done 
1
00000000: 0000 f3a0 80ad f3a0 80f7 644c f3a0 8180  ..........dL....
00000010: b7f3 a081 b700 0000 00                   .........
2
00000000: 0000 e19a 8000 0000 0000 00              ...........
3
00000000: 0000 f3a0 81a6 0000 0000 0000            ............
4
00000000: 00f3 a081 0000 00c0 80                   .........
5
00000000: 0000 00f3 a081 a500 0000 0000            ............
6
00000000: 0000 0000 0081 8800 0000 0000 0000 0000  ................
00000010: 0000 00e4 0000 0031 9533 0084 3195 db95  .......1.3..1...
00000020: e2f4 a0db                                ....
7
00000000: 0000 0000 0000 00f3 a081 ae00            ............
8
00000000: 0000 00ed baad 005b 0000 f3a0 81a0 00    .......[.......
9
00000000: 0000 0000 00e3 85a4 0000 00              ...........
10
00000000: 816b f3a0 e1a0 8e81 93ac acac acf4 acf4  .k..............
00000010: e200 f400 0000 00                        .......
11
00000000: 0000 f3a0 8193 e280 ac00 0000 00         .............
12
00000000: 0000 0000 0000 00                        .......
13
00000000: 0000 0000 0000 0000                      ........
14
00000000: 0000 0000 0000 c300 0000                 ..........
15
00000000: 0000 0000 0000 00c0 8000 0000 8181 8181  ................
16
00000000: 0000 0000 0000 0010                      ........
17
00000000: 0000 0000 0400 0000 0400 00              ...........
18
00000000: 008a 0000 0000 0000 0000 0000 00         .............
19
00000000: 0000 0000 0000 0001                      ........
20
00000000: 0000 0000 00                             .....
21
00000000: 0000 0000 00c5 00c5 0000                 ..........
22
00000000: 0000 007e 0000 0000 00                   ...~.....
23
00000000: 0400 0000 0000 00                        .......
24
00000000: 0000 0000 0000                           ......
25
00000000: 0000 0000 0000 0000 0000 0000 0000       ..............
26
00000000: 00c0 8000 0000 8000                      ........
27
00000000: 0000 0000 0000 8000                      ........
28
00000000: 0100 0100 00                             .....
29
00000000: 0000 0000 0000 2000                      ...... .
30
00000000: 0020 0000 0000 00                        . .....
31
00000000: 0000 0000 0004 0000                      ........
32
00000000: 1400 0000 0000 0004 00                   .........
33
00000000: 38f6 2000                                8. .
34
00000000: 0073 0700 0000 00a0 f3a0 81e3 a0f3 80ba  .s..............
00000010: 0000 0010 a0f3 a080 f3a4 25f2 80ba 0002  ..........%.....
00000020: 0000 a0f3 a080 f3a0 f380 ba00 00         .............

Then trying to duplicate the last output, I do the following:

$ printf "\x00\x00\x00\x00\x00\x00\x00\x00" | ./radamsa -s 3333 -n inf -o :8888 -v -S 34
Random seed: 3333
 - :8888/34 <- 127.0.0.1: 8b

and from another terminal:

$ nc 127.0.0.1 8888 | xxd
00000000: 0000 0000 0004 0000                      ........

As can be seen, radamsa returns the 31st output rather than the 34th as expected. Further, comparing the output of

$ printf "\x00\x00\x00\x00\x00\x00\x00\x00" | ./radamsa -s 3333 -n inf -o :8888 -v
# Then from another terminal
$ for i in $(seq 1 34); do echo $i; nc 127.0.0.1 8888 | xxd; done

and

$ for i in $(seq 1 34); do printf "\x00\x00\x00\x00\x00\x00\x00\x00" | ./radamsa -s 3333 -n 1 -o :8888 -v -S $i; done
# Then from another terminal
$ for i in $(seq 1 34); do echo $i; nc 127.0.0.1 8888 | xxd; sleep 1; done # sleep needed to make sure radamsa is up

It appears that test case 16 is the first one to differ.

Please make radamsa great again (building on Windows)

As the title says. The last version I was able to build was 0.4a in late 2013.

When I try to build Radamsa now, it complains about:
#include <netinet/in.h>
^
compilation terminated.

I've tried using different owl versions, commenting some owl code and generating radamsa.c, etc, but I cannot get it to work.
If you point me in the right direction I will try to make it work.

Radamsa has helped me greatly finding bugs in Windows (see PR #30) and I'm sure I'm not the only one!

combining inputs?

mkdir bla; echo a > bla/a; echo b > bla/b; for i in $(seq 100); do echo; radamsa -r bla | xxd; done

While I get the wonderfully mangled output, I never get a combined output of a and b - is this possible, or is the initial overhead of deducing structures and such just too heavy when handling multiple inputs?

flexible output generators

output generators should return a function instead of a fd, so that outputs which do not correspond to a fd can be implemented easily (currently udp and muxer, possibly later library output continuation)

Request to remove owl-lisp cloning during radamsa build

In the release of Radamsa 0.3, available here:

https://ouspg.googlecode.com/files/radamsa-0.3.tar.gz

the compilation step consisted of compiling the included radamsa.c file. This allowed one to download a release and compile without downloading anything else.

I noticed that in Radamsa 0.4 the makefile will now clone the owl-lisp git repo, build it, then use owl-lisp to generate radamsa.c before compiling it. This can lead to build issues, as owl-lisp may not be accessible at the time or the version of owl-lisp downloaded over git may not be a version compatible with Radamsa 0.4.

As a concrete example, I found myself unable to build Radamsa 0.4 because the latest revision of owl-lisp built but was unable to generate radamsa.c :

$ cd radamsa-0.4/
$ make
make get-owl
make[1]: Entering directory `/home/brarcher/tmp/radamsa-0.4'
# fetching and building owl to build radamsa
# this may take a few minutes on first build
git clone https://github.com/aoh/owl-lisp.git
Cloning into 'owl-lisp'...
remote: Counting objects: 4485, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 4485 (delta 0), reused 0 (delta 0), pack-reused 4481
Receiving objects: 100% (4485/4485), 6.36 MiB | 0 bytes/s, done.
Resolving deltas: 100% (3076/3076), done.
Checking connectivity... done.
cd owl-lisp && git pull 
Already up-to-date.
cd owl-lisp && make
make[2]: Entering directory `/home/brarcher/tmp/radamsa-0.4/owl-lisp'
...
make[2]: Leaving directory `/home/brarcher/tmp/radamsa-0.4/owl-lisp'
make[1]: Leaving directory `/home/brarcher/tmp/radamsa-0.4'
owl-lisp/bin/ol -O2 -o radamsa.c rad/main.scm
Cannot compile rad/main.scm because  
  Library (rad main) failed: 
    Failed to load (rad output) because 
      Library (rad output) failed: 
        Definition of tcp-client failed because 
          What is 'sleeper-id'? 
make: *** [radamsa.c] Error 2

Kindly consider one of the following alternatives:

  1. For releases of Radamsa, package the generated radamsa.c file and avoid the owl-lisp dependency.
  2. Package an appropriate version of owl-lisp in the Radamsa package
     • also consider a way to only compile owl-lisp instead of also running its unit tests
  3. Search for owl-lisp on the system with a configure script or a CMake script and link against it

Thank you for your consideration.

cc: internal compiler error: Killed (program cc1)

When compiling, make throws following error:

radamsa.c: In function ‘vm’:
radamsa.c:4904:0: note: -Wmisleading-indentation is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers

cc: internal compiler error: Killed (program cc1)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-6/README.Bugs> for instructions.
Makefile:20: recipe for target 'bin/radamsa' failed
make: *** [bin/radamsa] Error 4

Any idea?

tcp_client on Mac OS X not sending data

I have radamsa running on Ubuntu 14.04 and Mac 10.11.4, trying to send data to a remote IP address.

echo "AAA" | radamsa -o 10.1.1.2:80 -n 1

In tcpdump I can see my Mac completes a SYN, SYN/ACK, ACK, but stops there, not sending a PSH with the payload. On Ubuntu the payload is sent as expected.

a unknown bug in network fuzzing time

Hi.
When I use radamsa for fuzzing a network protocol I get an issue.

When I launch radamsa with these parameters

radamsa need_fuzz_protocol.bin -s 3 -n 1000000 -o server_ip:server_port -vv

it generates only 4 cases:
[image]
With another seed:
[image]

But if I generate test cases in a folder, radamsa successfully generates all 100000 cases.

Request for new 0.5 release

Greetings,

My name is Niranjan, packager of radamsa in Fedora. I would like to know if you could create a new release tag 0.5, since there have been a lot of changes since the last release, 0.4.

I would like to update the radamsa package in fedora to the latest changes.

Consider adding a NEWS file to the repo

It may be important to inform users of Radamsa of relevant changes between released versions. This may include the addition of addition patterns, new features, bug fixes, etc. Typically this is accomplished using a NEWS file in the repository or release tarball.

It is not obvious between revisions 0.3 and 0.4 what changed, and why one should be interested in updating. The inclusion of a NEWS file will help inform users of such changes.

The GNU Coding Standard gives recommendations for the content of a NEWS file. This is available here:
NEWS-File.

Kindly consider adding and maintaining a NEWS file at relevant milestones of the Radamsa project.

make failure: Cannot compile rad/main.scm because cannot open file

[michel@twppc64:~/work]
$git clone https://github.com/aoh/radamsa.git
$cd radamsa/
$make
...
cd owl-lisp-0.1.10 && make bin/vm
make[2]: Entering directory '/mnt/disk2/michel/work/radamsa/owl-lisp-0.1.10'
# make a vm without a bundled heap
echo "unsigned char *heap = 0;" > c/vm.c
cat c/ovm.c >> c/vm.c
cc -Wall -O2 -o bin/vm c/vm.c
c/vm.c: In function 'boot':
c/vm.c:1016:4: warning: call to function 'vm' without a real prototype [-Wunprototyped-calls]
    return vm(entry, oargs);
    ^
c/vm.c:148:6: note: 'vm' was declared here
 word vm();
      ^
make[2]: Leaving directory '/mnt/disk2/michel/work/radamsa/owl-lisp-0.1.10'
make[1]: Leaving directory '/mnt/disk2/michel/work/radamsa'
owl-lisp-0.1.10/bin/vm owl-lisp-0.1.10/fasl/init.fasl -O2 -o radamsa.c rad/main.scm
Cannot compile rad/main.scm because  cannot open file 
Makefile:36: recipe for target 'radamsa.c' failed
make: *** [radamsa.c] Error 2
