Re: [PULL 24/31] fuzz: support for fork-based fuzzing.
From: Stefan Hajnoczi
Subject: Re: [PULL 24/31] fuzz: support for fork-based fuzzing.
Date: Mon, 24 Feb 2020 11:35:29 +0000
On Sat, Feb 22, 2020 at 05:34:29AM -0600, Eric Blake wrote:
> On 2/22/20 2:50 AM, Stefan Hajnoczi wrote:
> > From: Alexander Bulekov <address@hidden>
> >
> > fork() is a simple way to ensure that state does not leak in between
> > fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
> > bitmaps which contain coverage information for each fuzzing run, and
> > these bitmaps should be copied from the child to the parent (where the
> > mutation occurs). These bitmaps are created through compile-time
> > instrumentation and they are not shared with fork()-ed processes, by
> > default. To address this, we create a shared memory region, adjust its
> > size and map it _over_ the counter region. Furthermore, libfuzzer
> > doesn't generally expose the globals that specify the location of the
> > counters/coverage bitmap. As a workaround, we rely on a custom linker
> > script which forces all of the bitmaps we care about to be placed in a
> > contiguous region, which is easy to locate and mmap over.
> >
> > Signed-off-by: Alexander Bulekov <address@hidden>
> > Reviewed-by: Stefan Hajnoczi <address@hidden>
> > Reviewed-by: Darren Kenny <address@hidden>
> > Message-id: address@hidden
> > Signed-off-by: Stefan Hajnoczi <address@hidden>
> > ---
>
> Random drive-by observation:
>
> > +++ b/tests/qtest/fuzz/fork_fuzz.ld
> > @@ -0,0 +1,37 @@
> > +/* We adjust linker script modification to place all of the stuff that
> > needs to
> > + * persist across fuzzing runs into a contiguous seciton of memory. Then,
> > it is
>
> section
Thanks, Eric!
Alex, please send follow-up patches to fix this typo and the 80
character line limit issues identified by patchew (see patch email reply
to this email thread).
Stefan
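The mechanism described in the commit message above, as an added example that is not QEMU's code and not part of this thread: a page-sized counter region is replaced, in place, by a MAP_SHARED anonymous mapping before any fork(), so increments made in a forked child are visible to the parent after waitpid(). QEMU locates the compiler-emitted coverage bitmaps through its custom linker script; this example stands in for that with a constructed array that it places and aligns itself (names such as `counters`, `share_counter_region` and `run_in_child` are assumptions of the example, and the contrast global `unshared_counter` shows what happens without the shared mapping).

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Stand-in for the instrumentation's coverage counters (a constructed array,
 * not the compiler-emitted bitmaps). It is placed in its own named section
 * and aligned to a multiple of every common page size so that it occupies
 * whole pages and nothing else shares them; this is the property QEMU's
 * linker script establishes for the real counters. */
#define COUNTER_REGION_SIZE 16384
static uint8_t __attribute__((section("fuzz_counters"), aligned(COUNTER_REGION_SIZE)))
    counters[COUNTER_REGION_SIZE];

/* Ordinary global for contrast: a child's updates to it stay in the child. */
static unsigned unshared_counter;

/* Replace the pages backing `counters` with a MAP_SHARED anonymous mapping,
 * preserving their current contents. Returns 0 on success, -1 on failure.
 * Must be called in the parent before the first fork(). */
int share_counter_region(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    uintptr_t mask = ~((uintptr_t)page - 1);
    uintptr_t start = (uintptr_t)counters & mask;
    uintptr_t end = ((uintptr_t)counters + sizeof(counters) + page - 1) & mask;
    size_t len = end - start;

    /* Mapping over the region discards whatever is there, so save it first. */
    uint8_t *saved = malloc(len);
    if (!saved)
        return -1;
    memcpy(saved, (void *)start, len);

    void *p = mmap((void *)start, len, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED || p != (void *)start) {
        free(saved);
        return -1;
    }
    memcpy((void *)start, saved, len);
    free(saved);
    return 0;
}

/* One "fuzzing run": fork, let the child bump the first n counters, then
 * return how many counters the parent sees as non-zero afterwards.
 * Returns -1 if fork() or waitpid() fails. */
int run_in_child(unsigned n)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        for (unsigned i = 0; i < n && i < sizeof(counters); i++)
            counters[i]++;
        unshared_counter += n;
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    int seen = 0;
    for (size_t i = 0; i < sizeof(counters); i++)
        seen += counters[i] != 0;
    return seen;
}

/* What the parent sees of the non-shared global: always its own value. */
unsigned unshared_hits(void)
{
    return unshared_counter;
}

int main(void)
{
    printf("before sharing: parent sees %d counters hit\n", run_in_child(8));
    if (share_counter_region() != 0) {
        perror("share_counter_region");
        return 1;
    }
    printf("after sharing:  parent sees %d counters hit\n", run_in_child(8));
    printf("unshared global as seen by parent: %u\n", unshared_hits());
    return 0;
}
```

The first run reports 0 because fork() gives the child copy-on-write private pages; after the region is remapped MAP_SHARED the same run reports 8, and the counters keep accumulating across further children, which is exactly what the parent-side mutation engine needs. Note that the remap must happen once, in the parent, before forking, and that anything else living in the remapped pages becomes shared too, which is why QEMU isolates the bitmaps into their own contiguous region instead of remapping around whatever the compiler happened to place nearby.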