libzzuf(3) Library Functions Manual libzzuf(3)

libzzuf - helper library for the zzuf multiple purpose fuzzer

libzzuf is a helper library automatically preloaded by zzuf when
fuzzing applications, but it can also be used alone for debugging
purposes or specific cases that cannot be covered by zzuf.

libzzuf must be preloaded using the operating system's default way of
preloading libraries. For instance, on a typical Linux installation:

LD_PRELOAD=/usr/lib/zzuf/libzzuf.so

libzzuf's initial setup is done through environment variables. After
they are read, no further information can be sent to the fuzzed
process.

All environment variables are optional.

ZZUF_DEBUG
This environment variable is set to the debugging level. 0 means
no debugging information is sent to zzuf. 1 logs important
information as well as all diverted functions. 2 logs fuzzing
status and all optional file stream information.

ZZUF_DEBUGFD
This environment variable is set to a file descriptor where
libzzuf will send debugging information. This is used to send
data to the main zzuf controlling binary.

ZZUF_SEED
This variable is set to the initial random seed. Corresponding
zzuf flag: --seed.

ZZUF_MINRATIO, ZZUF_MAXRATIO
These variables are set to the minimal and maximal fuzzing
ratios. Corresponding zzuf flag: --ratio.

ZZUF_AUTOINC
If this variable is set, the random seed is incremented each
time a new file is opened. Corresponding zzuf flag: --autoinc.

ZZUF_BYTES
This variable contains byte ranges to which fuzzing should be
restricted. Corresponding zzuf flag: --bytes.

ZZUF_LIST
This variable contains file descriptor ranges to which fuzzing
should be restricted. Corresponding zzuf flag: --list.

ZZUF_NETWORK
If this variable is set, network mode is activated.
Corresponding zzuf flag: --network.

ZZUF_PORTS
This variable contains port ranges to which fuzzing should be
restricted. Corresponding zzuf flag: --port.

ZZUF_PROTECT, ZZUF_REFUSE
These variables contain character ranges to protect or refuse.
Corresponding zzuf flags: --protect, --refuse.

ZZUF_INCLUDE, ZZUF_EXCLUDE
These variables contain regular expressions to indicate which
files should be included or excluded from the list of fuzzed
files. Corresponding zzuf flags: --include, --exclude.

ZZUF_SIGNAL
If this variable is set, the fuzzed process will be prevented
from installing signal handlers that usually cause coredumps.
Corresponding zzuf flag: --signal.

ZZUF_MEMORY
This variable contains the maximum amount of memory that the
fuzzed process is allowed to allocate. Corresponding zzuf flag:
--max-memory.

ZZUF_STDIN
If this variable is set, standard input will be fuzzed, too.
Corresponding zzuf flag: --stdin.

In order to intercept file and network operations, signal handlers and
memory allocations, libzzuf diverts and reimplements the following
functions, which can sometimes be private C library symbols, too:

Unix file descriptor handling:
open(), dup(), dup2(), lseek(), read(), readv(), pread(),
accept(), socket(), recv(), recvfrom(), recvmsg(), aio_read(),
aio_return(), close()

Standard IO streams:
fopen(), freopen(), fseek(), fseeko(), rewind(), fread(),
getc(), getchar(), fgetc(), fgets(), ungetc(), fclose()

Memory management:
mmap(), munmap(), malloc(), calloc(), valloc(), free(),
memalign(), posix_memalign()

Required on Linux:
open64(), lseek64(), mmap64(), _IO_getc(), getline(),
getdelim(), __getdelim(), getc_unlocked(), getchar_unlocked(),
fgetc_unlocked(), fgets_unlocked(), fread_unlocked(), __uflow()

Required on BSD systems:
fgetln(), __srefill(), __srget()

Required on Mac OS X:
map_fd()

Required on HP-UX:
__open64(), __lseek64(), __filbuf()

Required on OpenSolaris:
freopen64(), fseeko64(), fsetpos64()

Signal handling:
signal(), sigaction()

If an application manipulates file descriptors (reading data, seeking
around) using functions that are not in that list, libzzuf will not
fuzz its input consistently and the results should not be trusted. You
can use a tool such as ltrace(1) on Linux to know the missing
functions.

On BSD systems, such as FreeBSD or Mac OS X, __srefill() is enough to
monitor all standard IO streams functions. On other systems, such as
Linux, each function is reimplemented on a case by case basis. One
important unimplemented function is fscanf(), because of its
complexity. Missing functions will be added upon user request.
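
A static complement to the ltrace(1) check and the fscanf() caveat above, as an added example that is not part of libzzuf or this manual page: it lists the input functions a Linux binary imports that are absent from the diverted list given here. The function names zzuf_uncovered and zzuf_check_binary and the contents of INPUT_WATCHLIST are assumptions made for this example; the watchlist is a non-exhaustive selection of glibc input symbols.

```shell
#!/bin/sh
# Functions diverted by libzzuf on Linux, copied from the list in this page
# (generic groups plus "Required on Linux").
ZZUF_DIVERTED="open dup dup2 lseek read readv pread accept socket recv \
recvfrom recvmsg aio_read aio_return close fopen freopen fseek fseeko \
rewind fread getc getchar fgetc fgets ungetc fclose mmap munmap malloc \
calloc valloc free memalign posix_memalign open64 lseek64 mmap64 _IO_getc \
getline getdelim __getdelim getc_unlocked getchar_unlocked fgetc_unlocked \
fgets_unlocked fread_unlocked __uflow signal sigaction"

# Assumption: glibc symbols that read or reposition input and are worth
# flagging when not diverted. Not exhaustive; extend it for your target.
INPUT_WATCHLIST="fscanf scanf vfscanf __isoc99_fscanf __isoc99_scanf \
pread64 preadv openat fdopen fsetpos ftell ftello fgetwc fgetws recvmmsg \
dup3 accept4 __read_chk __fread_chk __fgets_chk"

# Reads symbol names on stdin (one per line or space separated) and prints
# those on the watchlist that the page's diverted list does not cover.
zzuf_uncovered() {
    tr -s ' \t' '\n' | sed 's/@.*//' | LC_ALL=C sort -u |
    while IFS= read -r sym; do
        [ -n "$sym" ] || continue
        case " $ZZUF_DIVERTED " in *" $sym "*) continue ;; esac
        case " $INPUT_WATCHLIST " in *" $sym "*) printf '%s\n' "$sym" ;; esac
    done
}

# Checks a dynamically linked binary: nm -D --undefined-only prints the
# symbols it imports, with the symbol name in the last field.
zzuf_check_binary() {
    nm -D --undefined-only "$1" | awk '{ print $NF }' | zzuf_uncovered
}

# Constructed sample import list (not taken from a real binary).
SAMPLE_IMPORTS="read fopen fgets printf __isoc99_fscanf@GLIBC_2.7 pread64"
printf '%s\n' "$SAMPLE_IMPORTS" | zzuf_uncovered
```

Any symbol it prints is a path by which the target can consume input that libzzuf, as documented here, does not fuzz; confirm with ltrace(1) that the path is actually exercised at run time.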

zzuf(1), ld.so(8)

Copyright © 2002-2015 Sam Hocevar <sam@hocevar.net>.

libzzuf and this manual page are free software. They come without any
warranty, to the extent permitted by applicable law. You can
redistribute them and/or modify them under the terms of the Do What the Fuck
You Want to Public License, Version 2, as published by the WTFPL Task
Force. See http://www.wtfpl.net/ for more details.

zzuf's webpage can be found at http://caca.zoy.org/wiki/zzuf. An
overview of the architecture and inner works is at
http://caca.zoy.org/wiki/zzuf/internals.

libzzuf 0.15 2015-01-06 libzzuf(3)