On Fri, Nov 29, 2019 at 09:34:50PM +0000, Oleinik, Alexander wrote:
> fork() is a simple way to ensure that state does not leak in between
> fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
> bitmaps which contain coverage information for each fuzzing run, and
> these bitmaps should be copied from the child to the parent (where the
> mutation occurs). These bitmaps are created through compile-time
> instrumentation and they are not shared with fork()-ed processes, by
> default. To address this, we create a shared memory region, adjust its
> size and map it _over_ the counter region. Furthermore, libfuzzer
> doesn't generally expose the globals that specify the location of the
> counters/coverage bitmap. As a workaround, we rely on a custom linker
> script which forces all of the bitmaps we care about to be placed in a
> contiguous region, which is easy to locate and mmap over.
>
> Signed-off-by: Alexander Bulekov <[email protected]>
> ---
>  exec.c                      | 12 ++++++--
>  tests/fuzz/Makefile.include |  3 ++
>  tests/fuzz/fork_fuzz.c      | 55 +++++++++++++++++++++++++++++++++++++
>  tests/fuzz/fork_fuzz.h      | 23 ++++++++++++++++
>  tests/fuzz/fork_fuzz.ld     | 37 +++++++++++++++++++++++++
>  tests/fuzz/fuzz.c           |  2 +-
>  6 files changed, 129 insertions(+), 3 deletions(-)
>  create mode 100644 tests/fuzz/fork_fuzz.c
>  create mode 100644 tests/fuzz/fork_fuzz.h
>  create mode 100644 tests/fuzz/fork_fuzz.ld
Reviewed-by: Stefan Hajnoczi <[email protected]>
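The mechanism the quoted commit message describes, as an added stand-alone illustration rather than the QEMU patch's own fork_fuzz.c: a forked child's increments to compiler-emitted coverage counters are copy-on-write private and vanish when the child exits, so a shared mapping is placed over the counter region with MAP_FIXED and the parent then sees what the child hit. Everything here is constructed for the example: a page-aligned static array stands in for the contiguous counter region the patch's linker script produces, a byte-indexed loop stands in for instrumented target code, and a MAP_SHARED|MAP_ANONYMOUS mapping replaces the sized shared-memory region the patch creates; the function and variable names are invented for this example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Size of the stand-in counter region. Sized and aligned to a multiple of
 * any common page size so MAP_FIXED replaces exactly this array and nothing
 * adjacent to it in .bss. */
#define COUNTER_REGION 16384

/* Stand-in (constructed for this example) for the 8-bit inline counters the
 * compiler emits. In the real harness a linker script gathers those counter
 * sections into one contiguous, locatable region; here a page-aligned array
 * plays that role. */
static uint8_t coverage_counters[COUNTER_REGION]
    __attribute__((aligned(COUNTER_REGION)));

/* Hypothetical instrumented target: each input byte "hits" one counter. */
static void fuzz_target_one_input(const uint8_t *data, size_t size)
{
    for (size_t i = 0; i < size; i++) {
        coverage_counters[data[i]]++;
    }
}

/* Map a shared anonymous region over the counter array so that writes made
 * in a fork()ed child land in memory the parent also sees. MAP_ANONYMOUS
 * zero-fills the new mapping, so existing contents are saved and restored.
 * Returns 0 on success, -1 on failure. */
static int share_coverage_counters(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || COUNTER_REGION % page != 0) {
        return -1; /* region would not be page-granular on this system */
    }
    static uint8_t saved[COUNTER_REGION];
    memcpy(saved, coverage_counters, COUNTER_REGION);
    void *p = mmap(coverage_counters, COUNTER_REGION, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        return -1;
    }
    memcpy(coverage_counters, saved, COUNTER_REGION);
    return 0;
}

/* Run one input in a forked child, then count, from the parent, how many
 * counters are nonzero. Without the shared mapping the child's increments
 * die with the child and this returns 0; with it, the parent sees them. */
static int edges_seen_by_parent(const uint8_t *data, size_t size)
{
    memset(coverage_counters, 0, COUNTER_REGION);
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        fuzz_target_one_input(data, size);
        _exit(0); /* no stdio flush, so no duplicated parent output */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    int hit = 0;
    for (size_t i = 0; i < COUNTER_REGION; i++) {
        hit += coverage_counters[i] != 0;
    }
    return hit;
}

/* Constructed sample input: three distinct bytes, hence three counters. */
static const uint8_t sample_input[] = { 0x01, 0x02, 0x03 };

/* use_shared=0 reproduces the lost-coverage problem; use_shared=1 installs
 * the shared mapping first. Once installed, it stays for the process life. */
static int demo_fork_coverage(int use_shared)
{
    if (use_shared && share_coverage_counters() != 0) {
        return -1;
    }
    return edges_seen_by_parent(sample_input, sizeof(sample_input));
}

int main(void)
{
    printf("without shared mapping: %d counters visible\n", demo_fork_coverage(0));
    printf("with shared mapping:    %d counters visible\n", demo_fork_coverage(1));
    return 0;
}
```

The save-then-restore around mmap matters in a real harness too: counters already populated before the mapping is installed would otherwise be silently zeroed, and the region must be page-granular or the fixed mapping clobbers whatever the linker placed next to it.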
