#!/usr/bin/env python
# Copyright (C) 2018-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
'''
This script is a convenience tool to run a standalone fuzz target against each
item in its associated fuzz corpus.
'''
from __future__ import print_function, division, absolute_import
import argparse
import os
import subprocess
import sys
import tempfile
import threading
def which(program):
'''
Implements bash "which" feature.
Find the full path to a program located in the PATH.
https://stackoverflow.com/a/377028
'''
def is_exe(fpath):
return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
fpath, _ = os.path.split(program)
if fpath:
if is_exe(program):
return program
else:
for path in os.environ["PATH"].split(os.pathsep):
exe_file = os.path.join(path, program)
if is_exe(exe_file):
return exe_file
return None
def cmd(command):
'''
Run a command in a subprocess.
https://stackoverflow.com/a/4408409
https://stackoverflow.com/a/10012262
'''
with tempfile.TemporaryFile() as tempf:
p = subprocess.Popen(command, stderr=tempf)
is_killed = {'value': False}
def timeout(p, is_killed):
is_killed['value'] = True
p.kill()
timer = threading.Timer(2, timeout, [p, is_killed])
try:
timer.start()
p.wait()
tempf.seek(0)
text = tempf.read().decode("utf-8").strip()
returncode = p.returncode
finally:
timer.cancel()
if is_killed['value']:
text = 'error: timeout, ' + text
returncode = 1
return text, returncode
def run_test(fuzzer, corpus_path):
'''
Test a standalone fuzz target with each item from the fuzz corpus.
'''
builddir = os.environ.get("builddir", ".")
fuzz_target = os.path.join(builddir, fuzzer)
print("Fuzz Target: {fuzzer}".format(fuzzer=fuzzer))
print("Corpus Path: {corpus_path}".format(corpus_path=corpus_path))
if not os.path.exists(fuzz_target):
print("Failed to find fuzz target: {binary}!".format(binary=fuzz_target))
sys.exit(1)
failures = 0
valgrind = None
if os.environ.get('VG', ''):
valgrind = which('valgrind')
for fname in os.listdir(corpus_path):
seedpath = os.path.join(corpus_path, fname)
text, returncode = cmd([fuzz_target, seedpath])
if text.strip():
print(text)
failed = False
if returncode != 0 or 'error' in text:
print('failure on %s' % fname)
failed = True
if valgrind:
text, returncode = cmd(
[valgrind, '--error-exitcode=1', fuzz_target, seedpath])
if returncode:
print(text)
print('failure on %s' % fname)
failed = True
if failed:
failures = failures + 1
if failures:
print("%i scanfile fuzzer related tests failed." % failures)
sys.exit(1)
def main():
'''
Get command line options to support this tool.
'''
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument(
'-f',
'--fuzzer',
required=True,
help="The fuzz target to test.")
parser.add_argument(
'-c',
'--corpus',
required=True,
help="Path of the fuzz corpus.")
args = parser.parse_args()
run_test(args.fuzzer, args.corpus)
if __name__ == '__main__':
main()