| commit | cb06fdad05f3e546a4e20f1f3c0127f9ae53de1a | |
| author | Alexander Bulekov <alxndr@bu.edu> | |
| Thu, 20 Feb 2020 04:11:11 +0000 (19 23:11 -0500) | ||
| committer | Stefan Hajnoczi <stefanha@redhat.com> | |
| Sat, 22 Feb 2020 08:26:48 +0000 (22 08:26 +0000) | ||
| tree | b5176e5d8bb8ef7004935b8ca6cbf4c77cf5cf0e | treesnapshot (tar.gz zip) |
| parent | d6919e4cb65230b0c8081eb072893d4e8a191a59 | commitdiff |
fuzz: support for fork-based fuzzing.
fork() is a simple way to ensure that state does not leak in between
fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
bitmaps which contain coverage information for each fuzzing run, and
these bitmaps should be copied from the child to the parent(where the
mutation occurs). These bitmaps are created through compile-time
instrumentation and they are not shared with fork()-ed processes, by
default. To address this, we create a shared memory region, adjust its
size and map it _over_ the counter region. Furthermore, libfuzzer
doesn't generally expose the globals that specify the location of the
counters/coverage bitmap. As a workaround, we rely on a custom linker
script which forces all of the bitmaps we care about to be placed in a
contiguous region, which is easy to locate and mmap over.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200220041118.23264-16-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
fork() is a simple way to ensure that state does not leak in between
fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
bitmaps which contain coverage information for each fuzzing run, and
these bitmaps should be copied from the child to the parent(where the
mutation occurs). These bitmaps are created through compile-time
instrumentation and they are not shared with fork()-ed processes, by
default. To address this, we create a shared memory region, adjust its
size and map it _over_ the counter region. Furthermore, libfuzzer
doesn't generally expose the globals that specify the location of the
counters/coverage bitmap. As a workaround, we rely on a custom linker
script which forces all of the bitmaps we care about to be placed in a
contiguous region, which is easy to locate and mmap over.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200220041118.23264-16-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
| tests/qtest/fuzz/Makefile.include | diffblobblamehistory | |
| tests/qtest/fuzz/fork_fuzz.c | [new file with mode: 0644] | blob |
| tests/qtest/fuzz/fork_fuzz.h | [new file with mode: 0644] | blob |
| tests/qtest/fuzz/fork_fuzz.ld | [new file with mode: 0644] | blob |