2 * e2fuzz.c -- Fuzz an ext4 image, for testing purposes.
4 * Copyright (C) 2014 Oracle.
7 * This file may be redistributed under the terms of the GNU Library
8 * General Public License, version 2.
11 #define _XOPEN_SOURCE 600
12 #define _FILE_OFFSET_BITS 64
13 #define _LARGEFILE64_SOURCE 1
17 #include <sys/types.h>
26 #include "ext2fs/ext2_fs.h"
27 #include "ext2fs/ext2fs.h"
/*
 * Option state shared by the whole tool.
 * NOTE(review): the option switch is not part of this listing; presumably
 * -n sets dryrun, -v sets verbose and -d clears metadata_only -- confirm.
 */
29 static int dryrun = 0;
30 static int verbose = 0;
/* Non-zero by default: only metadata blocks are candidates unless changed. */
31 static int metadata_only = 1;
/* Byte count given with -b N; 0 means "not given" (process_fs tests > 0). */
32 static unsigned long long user_corrupt_bytes = 0;
/* Percentage given with -b N%; main() rejects values outside 0..100. */
33 static double user_corrupt_pct = 0.0;
35 #if !defined HAVE_PWRITE64 && !defined HAVE_PWRITE
/*
 * Fallback positional write for builds that have neither pwrite64() nor
 * pwrite(): seek fd to offset, then write count bytes from buf.
 *
 * Unlike pwrite(), this changes the descriptor's file position and is two
 * separate calls rather than one. The value returned when lseek() fails is
 * not visible in this listing; on the success path the result of write() is
 * returned, and the caller treats anything other than the requested size as
 * an error.
 */
36 static ssize_t my_pwrite(int fd, const void *buf, size_t count, off_t offset)
38 if (lseek(fd, offset, SEEK_SET) < 0)
41 return write(fd, buf, count);
43 #endif /* !defined HAVE_PWRITE64 && !defined HAVE_PWRITE */
/*
 * Fragment of the routine that obtains a random seed from /dev/urandom; its
 * signature and the declarations of fd and r are not part of this listing.
 */
50 fd = open("/dev/urandom", O_RDONLY);
/*
 * NOTE(review): a short or failed read is only reported on stdout. What is
 * done with r afterwards is not visible here -- confirm that the failure
 * path does not go on to use r while it is still uninitialized.
 */
55 if (read(fd, &r, sizeof(r)) != sizeof(r))
56 printf("Unable to read random seed!\n");
/*
 * Members of the state that find_block_helper() receives through priv_data
 * (it casts that pointer to struct find_block *); the struct header itself
 * is not part of this listing.
 */
/* Bitmap in which candidate blocks are marked. */
63 ext2fs_block_bitmap bmap;
/* Inode whose blocks are being iterated; the helper reads its i_mode. */
64 struct ext2_inode *inode;
/* Running block count, converted to bytes by find_metadata_blocks(). */
65 blk64_t corrupt_blocks;
/*
 * Callback handed to ext2fs_block_iterate3() by find_metadata_blocks().
 *
 * Marks *blocknr in the candidate bitmap when any of these holds: the inode
 * is a directory, data blocks are being fuzzed as well (!metadata_only), or
 * blockcnt is negative.
 * NOTE(review): a negative blockcnt presumably identifies a mapping
 * (indirect/extent) block rather than file data -- confirm against the
 * libext2fs iterator documentation.
 *
 * priv_data must point to a struct find_block. The return value is not
 * visible in this listing.
 */
68 int find_block_helper(ext2_filsys fs, blk64_t *blocknr, e2_blkcnt_t blockcnt,
69 blk64_t ref_blk, int ref_offset, void *priv_data)
71 struct find_block *fb = (struct find_block *)priv_data;
73 if (S_ISDIR(fb->inode->i_mode) || !metadata_only || blockcnt < 0) {
74 ext2fs_mark_block_bitmap2(fb->bmap, *blocknr);
/*
 * Mark in bmap the blocks that hold filesystem metadata and report the size
 * of that set through *corrupt_bytes (block count times fs->blocksize).
 *
 * Two passes are visible: the per-group structures (superblock/descriptor
 * copies, block bitmap, inode bitmap, inode table), then a scan over the
 * inodes for each inode's ACL block and the blocks found by the iterator.
 *
 * The remainder of the parameter list and the error branches are omitted
 * from this listing, so the return paths are not documented here.
 */
81 errcode_t find_metadata_blocks(ext2_filsys fs, ext2fs_block_bitmap bmap,
88 struct ext2_inode inode;
93 fb.corrupt_blocks = 0;
95 /* Construct bitmaps of super/descriptor blocks */
96 for (i = 0; i < fs->group_desc_count; i++) {
97 ext2fs_reserve_super_and_bgd(fs, i, bmap);
99 /* bitmaps and inode table */
100 b = ext2fs_block_bitmap_loc(fs, i);
101 ext2fs_mark_block_bitmap2(bmap, b);
104 b = ext2fs_inode_bitmap_loc(fs, i);
105 ext2fs_mark_block_bitmap2(bmap, b);
/* The inode table is a run of inode_blocks_per_group blocks starting at c. */
108 c = ext2fs_inode_table_loc(fs, i);
109 ext2fs_mark_block_bitmap_range2(bmap, c,
110 fs->inode_blocks_per_group);
111 fb.corrupt_blocks += fs->inode_blocks_per_group;
/* Second pass: walk the inodes through an inode scan. */
117 memset(&inode, 0, sizeof(inode));
118 retval = ext2fs_open_inode_scan(fs, 0, &scan);
122 retval = ext2fs_get_next_inode_full(scan, &ino, &inode, sizeof(inode));
/*
 * Inodes with no links are tested for here; the statement this guards is
 * not visible in this listing (presumably such inodes are skipped).
 */
126 if (inode.i_links_count == 0)
/* The inode's file ACL block is metadata as well. */
129 b = ext2fs_file_acl_block(fs, &inode);
131 ext2fs_mark_block_bitmap2(bmap, b);
136 * Inline data, sockets, devices, and symlinks have
137 * no blocks to iterate.
139 if ((inode.i_flags & EXT4_INLINE_DATA_FL) ||
140 S_ISLNK(inode.i_mode) || S_ISFIFO(inode.i_mode) ||
141 S_ISCHR(inode.i_mode) || S_ISBLK(inode.i_mode) ||
142 S_ISSOCK(inode.i_mode))
/*
 * Read-only iteration: the callback only records block numbers and decides
 * which of them become fuzzing candidates.
 */
145 retval = ext2fs_block_iterate3(fs, ino, BLOCK_FLAG_READ_ONLY,
146 NULL, find_block_helper, &fb);
150 retval = ext2fs_get_next_inode_full(scan, &ino, &inode,
156 ext2fs_close_inode_scan(scan);
/* Convert the block count into bytes for the caller. */
159 *corrupt_bytes = fb.corrupt_blocks * fs->blocksize;
/*
 * Return a pseudo-random value scaled into the range starting at min and
 * ending at max.
 *
 * A 64-bit value x is filled one byte at a time through px (the statement
 * that fills it is not visible in this listing) and then mapped with
 * min + (max - min) * x / 2^64.
 *
 * NOTE(review): the scaling is done in double. A double cannot represent
 * every 64-bit x, so values of x close to UINT64_MAX round up to 2^64 and
 * the result can equal max itself; callers that use the result as an
 * exclusive upper bound (an offset below the image size) should allow for
 * that. For the same reason the low bits of x do not affect the result.
 *
 * NOTE(review): max - min is unsigned, so max < min wraps around instead of
 * failing; callers are expected to pass min <= max.
 */
163 uint64_t rand_num(uint64_t min, uint64_t max)
167 uint8_t *px = (uint8_t *)&x;
169 for (i = 0; i < sizeof(x); i++)
172 return min + (uint64_t)((double)(max - min) * (x / (UINT64_MAX + 1.0)));
/*
 * Fuzz one filesystem: pick random byte offsets inside candidate blocks and
 * overwrite one byte at each.
 *
 * Stages visible in this listing (many lines, including the error branches
 * and the dry-run handling, are omitted from it):
 *   1. mount check, open through libext2fs, filesystem state checks;
 *   2. build corrupt_map, the bitmap of blocks that may be touched;
 *   3. open the image read-write and choose how many bytes to change;
 *   4. per byte: draw an offset until it lands in corrupt_map, then write.
 *
 * fsname is the path of the image or device. main() tests the return value
 * for non-zero.
 */
175 int process_fs(const char *fsname)
179 ext2_filsys fs = NULL;
180 ext2fs_block_bitmap corrupt_map;
181 off_t hsize, count, off, offset, corrupt_bytes;
185 /* If mounted rw, force dryrun mode */
186 ret = ext2fs_check_if_mounted(fsname, &flags);
188 fprintf(stderr, "%s: failed to determine filesystem mount "
/*
 * Safety guard: a filesystem that is mounted read-write is reported and,
 * per the message, handled as a dry run instead of being written to.
 */
193 if (!dryrun && (flags & EXT2_MF_MOUNTED) &&
194 !(flags & EXT2_MF_READONLY)) {
195 fprintf(stderr, "%s: is mounted rw, performing dry run.\n",
200 /* Ensure the fs is clean and does not have errors */
201 ret = ext2fs_open(fsname, EXT2_FLAG_64BITS, 0, 0, unix_io_manager,
204 fprintf(stderr, "%s: failed to open filesystem.\n",
209 if ((fs->super->s_state & EXT2_ERROR_FS)) {
210 fprintf(stderr, "%s: errors detected, run fsck.\n",
215 if (!dryrun && (fs->super->s_state & EXT2_VALID_FS) == 0) {
216 fprintf(stderr, "%s: unclean shutdown, performing dry run.\n",
221 /* Construct a bitmap of whatever we're corrupting */
222 if (!metadata_only) {
223 /* Load block bitmap */
224 ret = ext2fs_read_block_bitmap(fs);
226 fprintf(stderr, "%s: error while reading block bitmap\n",
/*
 * Data blocks included: the filesystem's own block bitmap is used directly,
 * so corrupt_map aliases fs->block_map and must not be freed separately.
 */
230 corrupt_map = fs->block_map;
231 corrupt_bytes = (ext2fs_blocks_count(fs->super) -
232 ext2fs_free_blocks_count(fs->super)) *
235 ret = ext2fs_allocate_block_bitmap(fs, "metadata block map",
238 fprintf(stderr, "%s: unable to create block bitmap\n",
243 /* Iterate everything... */
244 ret = find_metadata_blocks(fs, corrupt_map, &corrupt_bytes);
246 fprintf(stderr, "%s: while finding metadata\n",
252 /* Run around corrupting things */
/*
 * NOTE(review): the target is opened a second time by path. The mount and
 * clean-state checks above were made on the name and on the libext2fs
 * handle, not on this descriptor, so they only hold if nothing mounts or
 * replaces the path in between. Run the tool on image files or devices that
 * nothing else is using.
 */
253 fd = open(fsname, O_RDWR);
259 hsize = fs->blocksize * ext2fs_blocks_count(fs->super);
/*
 * Number of bytes to change: the explicit byte count, else the requested
 * percentage of the candidate bytes, else a random amount up to 1% of them.
 * NOTE(review): user_corrupt_bytes is unsigned long long and is stored in an
 * off_t without a range check -- confirm that very large values are
 * rejected or clamped.
 */
260 if (user_corrupt_bytes > 0)
261 count = user_corrupt_bytes;
262 else if (user_corrupt_pct > 0.0)
263 count = user_corrupt_pct * corrupt_bytes / 100;
265 count = rand_num(0, corrupt_bytes / 100);
266 offset = 4096; /* never corrupt superblock */
267 for (i = 0; i < count; i++) {
/*
 * Offsets are redrawn until one falls in a block that is set in corrupt_map
 * (this appears to be the tail of a do/while whose opening line is not
 * visible in this listing).
 * NOTE(review): if no block at or after offset is set in the map, the retry
 * never terminates; rand_num(offset, hsize) also relies on hsize being
 * larger than offset.
 */
269 off = rand_num(offset, hsize);
270 while (!ext2fs_test_block_bitmap2(corrupt_map,
271 off / fs->blocksize));
273 if ((rand() % 2) && c < 128)
/*
 * NOTE(review): off is an off_t (64-bit here, see _FILE_OFFSET_BITS) but is
 * printed with %zu, which expects size_t. The two differ in signedness and,
 * on 32-bit targets, in width; cast the arguments to the type the format
 * names, or use a format that matches the 64-bit value.
 */
276 printf("Corrupting byte %zu in block %zu to 0x%x\n",
277 off % fs->blocksize, off / fs->blocksize, c);
/*
 * Three write variants follow, presumably selected by the HAVE_PWRITE64 /
 * HAVE_PWRITE preprocessor tests (the directives are not visible in this
 * listing). Each writes sizeof(c) bytes at off and treats any other result
 * as a failure.
 */
281 if (pwrite64(fd, &c, sizeof(c), off) != sizeof(c)) {
286 if (pwrite(fd, &c, sizeof(c), off) != sizeof(c)) {
291 if (my_pwrite(fd, &c, sizeof(c), off) != sizeof(c)) {
300 ret = ext2fs_close_free(&fs);
302 fprintf(stderr, "%s: error while closing filesystem\n",
/*
 * Cleanup: corrupt_map is freed only when it is a private allocation, not
 * when it aliases fs->block_map (the !metadata_only case).
 * NOTE(review): this comparison reads fs->block_map; the labels leading
 * here are not visible -- confirm fs is still valid on every path that
 * reaches it.
 */
310 if (corrupt_map != fs->block_map)
311 ext2fs_free_block_bitmap(corrupt_map);
313 ext2fs_close_free(&fs);
/*
 * Print the usage summary to stdout. progname is shown as the command name.
 * The -b value may be a plain byte count or a percentage written with a
 * trailing '%' (see the parsing in main()).
 */
317 void print_help(const char *progname)
319 printf("Usage: %s OPTIONS device\n", progname);
320 printf("-b: Corrupt this many bytes.\n");
321 printf("-d: Fuzz data blocks too.\n");
322 printf("-n: Dry run only.\n");
323 printf("-v: Verbose output.\n");
/*
 * Parse the command-line options, then call process_fs() on every remaining
 * argument. The case labels of the option switch and the exit paths are
 * omitted from this listing.
 */
327 int main(int argc, char *argv[])
331 while ((c = getopt(argc, argv, "b:dnv")) != -1) {
/*
 * -b accepts "N%" (a percentage of the candidate bytes) or a plain number
 * (a byte count).
 * NOTE(review): with an empty argument (-b "") strlen(optarg) is 0, so
 * strlen(optarg) - 1 wraps around and the index reads outside the string;
 * check that optarg is non-empty before looking at its last character.
 */
334 if (optarg[strlen(optarg) - 1] == '%') {
/*
 * NOTE(review): strtod() and strtoull() are called with a NULL end pointer,
 * so text that is not a number parses as 0 and is accepted silently, which
 * then falls back to the random byte count in process_fs(). Passing an end
 * pointer and checking errno would let bad input be rejected.
 */
335 user_corrupt_pct = strtod(optarg, NULL);
336 if (user_corrupt_pct > 100 ||
337 user_corrupt_pct < 0) {
338 fprintf(stderr, "%s: Invalid percentage.\n",
343 user_corrupt_bytes = strtoull(optarg, NULL, 0);
/* Every non-option argument is treated as a filesystem to process. */
363 for (c = optind; c < argc; c++)
364 if (process_fs(argv[c]))