1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
|
From 524ea7097e80b59647971b947eb927cb1ae14f2d Mon Sep 17 00:00:00 2001
From: Jari Aalto <jari.aalto@cante.net>
Date: Tue, 29 Dec 2009 13:03:36 +0200
Subject: [PATCH] fuzz.1: order options alphabetically, add absolute path note
Signed-off-by: Jari Aalto <jari.aalto@cante.net>
---
fuzz.1 | 151 ++++++++++++++++++++++++++++++++++++++++------------------------
1 files changed, 94 insertions(+), 57 deletions(-)
diff --git a/fuzz.1 b/fuzz.1
index 83e64e6..b1d2731 100644
--- a/fuzz.1
+++ b/fuzz.1
@@ -1,60 +1,50 @@
.TH FUZZ 1 "November 3, 1999"
.UC 1
+
.SH NAME
fuzz \- stress test programs
+
.SH SYNOPSIS
.B fuzz
[\-t|\-\-timeout timeinsecs] [\-p|\-\-printable] [\-n|\-\-newlines]
-[\-l|\-\-length totlen] [\-m|\-\-maxline maxlinelen]
-[\-r|\-\-runcount numruns] [\-b|\-\-bytes] [\-c|\-\-chroot]
-[\-u|\-\-user username] [\-a|\-\-args] [\-o|\-\-omitdata]
+[\-l|\-\-length totlen] [\-m|\-\-maxline maxlinelen]
+[\-r|\-\-runcount numruns] [\-b|\-\-bytes] [\-c|\-\-chroot]
+[\-u|\-\-user username] [\-a|\-\-args] [\-o|\-\-omitdata]
[\-e|\-\-execute filename] [\-x|\-\-maxargs numargs] [\-d|\-\-dontask]
-[\-y|\-\-mararglen arglen] [\-V|\-\-version] [\-i|\-\-priority] target
+[\-y|\-\-mararglen arglen] [\-V|\-\-version] [\-i|\-\-priority] target
targetarg...
+
.SH DESCRIPTION
.BR fuzz
is a program designed to find bugs in other programs. It does this by
doing a form of black box testing. It does this by running the target
-program multiple times and passing it random input. Right now this can
+program multiple times and passing it random input. Right now this can
come from one of two places, stdin and the command line
-arguments. Testing completes whenever the program either the requested
+arguments. Testing completes whenever the program either the requested
number of runs finishes successufully or the program crashes.
Any arguments following the target program are passed directly to the
-target program.
+target program.
+
+NOTE: If the program is not in PATH, it must be referred to using
+absolute path.
+
.SS OPTIONS
+
.TP
-.I "\-t, \-\-timeout TIME"
-This sets the number of seconds that the fuzz will wait for the other
-program before it assumes that the program is hung. The default value
-is 120 seconds. This is sensing of when a program is hung is not
-entirely reliable. See the
-.BR BUGS
+.I "\-a, \-\-args"
+In addition to passing random data via stdin, pass random command line
+arguments. This simply sets the number or random arguments to be
+passed to 256. See the
+.BR BUGS
section.
-.TP
-.I "\-p, \-\-printable"
-This limits both the stdin and the command line arguments to only
-printable characters. By default fuzz passes fully random
-bytes into the target program.
-.TP
-.I "\-n, \-\-newlines"
-Include random newlines in the input stream.
-.TP
-.I "\-l, \-\-length LENGTH"
-The length in bytes of the data stream to pass through stdin into the
-target program. The default length is 100K.
-.TP
-.I "\-m, \-\-maxline MAXLINELEN"
-Specify the maximum line length within the random data stream passed
-into stdin.
-.TP
-.I "\-r, \-\-runcount RUNCOUNT"
-The number of times to run the target program. The default is 10,000.
+
.TP
.I "\-b, \-\-bytes"
In addition to counting through the number of runs. Count through the
bytes being sent through stdin to the program. This option really
serves no purpose other than making something interesting to watch.
+
.TP
.I "\-c, \-\-chroot"
Since there is no telling what a program will do when given random
@@ -64,6 +54,56 @@ that the fuzz be run as root. It will drop privlages before it runs
the test program. This option is best used in conjunction with the
\-\-user option. This often times requires that a program is
statically linked.
+
+.TP
+.I "\-d, \-\-dontask"
+In the cases where the target program is for sure part of a package and the
+packaging information will provide the needed version information then you
+can use this option to avoid being asked what the version is.
+
+.TP
+.I "\-i, \-\-priority"
+Run at a specified priority.
+
+.TP
+.I "\-l, \-\-length LENGTH"
+The length in bytes of the data stream to pass through stdin into the
+target program. The default length is 100K.
+
+.TP
+.I "\-m, \-\-maxline MAXLINELEN"
+Specify the maximum line length within the random data stream passed
+into stdin.
+
+.TP
+.I "\-n, \-\-newlines"
+Include random newlines in the input stream.
+
+.TP
+.I "\-o, \-\-omitdata"
+Some programs don't take input from stdin. They only take input from
+the command line arguments. If this is the case simply use the
+\-\-omitdata option.
+
+.TP
+.I "\-p, \-\-printable"
+This limits both the stdin and the command line arguments to only
+printable characters. By default fuzz passes fully random
+bytes into the target program.
+
+.TP
+.I "\-r, \-\-runcount RUNCOUNT"
+The number of times to run the target program. The default is 10,000.
+
+.TP
+.I "\-t, \-\-timeout TIME"
+This sets the number of seconds that the fuzz will wait for the other
+program before it assumes that the program is hung. The default value
+is 120 seconds. This is sensing of when a program is hung is not
+entirely reliable. See the
+.BR BUGS
+section.
+
.TP
.I "\-u, \-\-user USERNAME"
Since there is no telling what a program will do when given random
@@ -72,51 +112,48 @@ that it is easy to find and repair anything that may have been
scribbled across your file system. This option was designed to be used
in conjuntion with the \-\-chroot option and will only work if fuzz is
run as root.
+
.TP
-.I "\-a, \-\-args"
-In addition to passing random data via stdin, pass random command line
-arguments. This simply sets the number or random arguments to be
-passed to 256. See the
-.BR BUGS
-section.
-.TP
-.I "\-o, \-\-omitdata"
-Some programs don't take input from stdin. They only take input from
-the command line arguments. If this is the case simply use the
-\-\-omitdata option.
+.I "\-V, \-\-version"
+Print the version of fuzz and exit.
+
.TP
.I "\-x. \-\-maxargs NUMARGS"
-This is to set the maximum number of arguments that are passed to each
+This is to set the maximum number of arguments that are passed to each
invocation of the target program.
+
.TP
.I "\-y, \-\-maxarglen ARGLEN"
Sets the maximum length of an arguments passed to the target program.
-.TP
-.I "\-V, \-\-version"
-Print the version of fuzz and exit.
-.TP
-.I "\-i, \-\-priority"
-Run at a specified priority.
-.TP
-.I "\-d, \-\-dontask"
-In the cases where the target program is for sure part of a package and the
-packaging information will provide the needed version information then you
-can use this option to avoid being asked what the version is.
+
.SH EXAMPLES
+
+Check grep:
+
.RS
fuzz grep foo
.RE
+
+Run program with different user:
+
+.RS
+fuzz \-\-chroot \-\-user nobody cpio \-i
+.RE
+
+When program is not in path, use absolute patch to access it:
+
.RS
-fuzz -c -u nobody cpio -i
+fuzz ./src/myprogram
.RE
+
.SH BUGS
The random arg functions doesn't work very well right now. The
arguments passed are so random that the program usually just prints
out the usage message and then terminates. This will become much more
useful later when we are mating data sets with the intention of
maximizing code coverage.
+
.SH AUTHORS
.nf
Ben Woodard <ben@valinux.com>
.fi
-
--
1.6.5
|
