Re: [PULL 24/31] fuzz: support for fork-based fuzzing.
From: Alexander Bulekov
Subject: Re: [PULL 24/31] fuzz: support for fork-based fuzzing.
Date: Wed, 26 Feb 2020 21:50:25 -0500
User-agent: NeoMutt/20180716
On 200224 1135, Stefan Hajnoczi wrote:
> On Sat, Feb 22, 2020 at 05:34:29AM -0600, Eric Blake wrote:
> > On 2/22/20 2:50 AM, Stefan Hajnoczi wrote:
> > > From: Alexander Bulekov <address@hidden>
> > >
> > > fork() is a simple way to ensure that state does not leak in between
> > > fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
> > > bitmaps which contain coverage information for each fuzzing run, and
> > > these bitmaps should be copied from the child to the parent (where the
> > > mutation occurs). These bitmaps are created through compile-time
> > > instrumentation and they are not shared with fork()-ed processes, by
> > > default. To address this, we create a shared memory region, adjust its
> > > size and map it _over_ the counter region. Furthermore, libfuzzer
> > > doesn't generally expose the globals that specify the location of the
> > > counters/coverage bitmap. As a workaround, we rely on a custom linker
> > > script which forces all of the bitmaps we care about to be placed in a
> > > contiguous region, which is easy to locate and mmap over.
> > >
> > > Signed-off-by: Alexander Bulekov <address@hidden>
> > > Reviewed-by: Stefan Hajnoczi <address@hidden>
> > > Reviewed-by: Darren Kenny <address@hidden>
> > > Message-id: address@hidden
> > > Signed-off-by: Stefan Hajnoczi <address@hidden>
> > > ---
> >
> > Random drive-by observation:
> >
> > > +++ b/tests/qtest/fuzz/fork_fuzz.ld
> > > @@ -0,0 +1,37 @@
> > > +/* We adjust linker script modification to place all of the stuff that
> > > needs to
> > > + * persist across fuzzing runs into a contiguous seciton of memory.
> > > Then, it is
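Review bot: the comment header in this hunk misspells "section" as "seciton", and its opening sentence "We adjust linker script modification to place all of the stuff that needs to" reads awkwardly; consider "This linker script places all of the state that needs to persist across fuzzing runs into a contiguous section of memory". Since the reply below also notes that patchew flagged 80-column violations in this patch, re-wrap the comment lines while fixing the typo.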
> >
> > section
>
> Thanks, Eric!
>
> Alex, please send follow-up patches to fix this typo and the 80
> character line limit issues identified by patchew (see patch email reply
> to this email thread).
Thank you Eric, Stefan!
Just sent out some fixes.
> Stefan
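The commit message above describes the core problem of fork-based fuzzing: a fork()ed child writes its coverage counters into private copy-on-write pages, so the parent, where mutation happens, never sees them unless the counter region is re-mapped as shared memory beforehand. The following is an added, stand-alone illustration of that mechanism and is not QEMU's code. It replaces the linker-script-delimited counter section with a hypothetical page-aligned array `fuzz_counters`, and the sized shared memory object from the patch with an anonymous `MAP_SHARED` mapping placed over the array with `MAP_FIXED`. The function and variable names are all assumptions made for the example; the sample input "abca" is constructed.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/*
 * Stand-in for the instrumentation counters the mutation engine reads.
 * The real fuzzer locates them via a linker script; here a hypothetical
 * aligned array plays that role. 64 KiB alignment keeps MAP_FIXED legal on
 * 4 KiB, 16 KiB and 64 KiB page systems.
 */
#define REGION_SIZE (64 * 1024)
static uint8_t fuzz_counters[REGION_SIZE] __attribute__((aligned(REGION_SIZE)));

/*
 * Replace the private copy-on-write pages backing fuzz_counters with a
 * shared anonymous mapping at the same address, so writes made by a fork()ed
 * child become visible to the parent. The existing contents are saved and
 * restored because MAP_FIXED discards whatever was mapped there.
 * Returns 0 on success, -1 on failure.
 */
int counters_share_with_children(void)
{
    uint8_t *saved = malloc(REGION_SIZE);
    if (!saved) {
        return -1;
    }
    memcpy(saved, fuzz_counters, REGION_SIZE);

    void *p = mmap(fuzz_counters, REGION_SIZE, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        free(saved);
        return -1;
    }
    memcpy(fuzz_counters, saved, REGION_SIZE);
    free(saved);
    return 0;
}

/* Toy "instrumented" target: each input byte bumps one counter. */
static void target_under_test(const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        fuzz_counters[data[i]]++;
    }
}

/* Number of counters (first 256 slots) the target has touched so far. */
int count_hit_counters(void)
{
    int hits = 0;
    for (int i = 0; i < 256; i++) {
        hits += fuzz_counters[i] != 0;
    }
    return hits;
}

/* Clear coverage between iterations; in the real fuzzer this is the engine's job. */
void reset_counters(void)
{
    memset(fuzz_counters, 0, REGION_SIZE);
}

/*
 * One fork-based fuzzing iteration: the child runs the target and exits, so
 * none of its state (heap, globals, device models) leaks into the next run.
 * Returns how many counters the parent can see afterwards, or -1 on error.
 * Before counters_share_with_children() this is always 0: the child's
 * increments land on its own copy-on-write pages and vanish with it.
 */
int run_iteration_forked(const uint8_t *data, size_t len)
{
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        target_under_test(data, len);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return count_hit_counters();
}

int main(void)
{
    static const uint8_t input[] = "abca"; /* constructed sample input */
    size_t len = sizeof(input) - 1;

    printf("private pages : %d counters visible\n", run_iteration_forked(input, len));
    if (counters_share_with_children() != 0) {
        perror("mmap");
        return 1;
    }
    printf("shared mapping: %d counters visible\n", run_iteration_forked(input, len));
    reset_counters();
    return 0;
}
```

Run as-is, the first iteration reports zero visible counters even though the child executed the target, which is exactly the leak of coverage information the patch addresses; after the region is re-mapped shared, the parent sees the three distinct counters the child touched. The save-and-restore around `mmap` matters when counters have already been populated before the remap (libFuzzer's initialisation, for instance), and the failure mode to watch for in a real build is `MAP_FIXED` with an address or length that is not page-aligned, which the aligned-array assumption sidesteps here.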
- [PULL 17/31] qtest: add in-process incoming command handler, (continued)
- [PULL 17/31] qtest: add in-process incoming command handler, Stefan Hajnoczi, 2020/02/22
- [PULL 18/31] libqos: rename i2c_send and i2c_recv, Stefan Hajnoczi, 2020/02/22
- [PULL 19/31] libqos: split qos-test and libqos makefile vars, Stefan Hajnoczi, 2020/02/22
- [PULL 21/31] fuzz: add fuzzer skeleton, Stefan Hajnoczi, 2020/02/22
- [PULL 20/31] libqos: move useful qos-test funcs to qos_external, Stefan Hajnoczi, 2020/02/22
- [PULL 22/31] exec: keep ram block across fork when using qtest, Stefan Hajnoczi, 2020/02/22
- [PULL 23/31] main: keep rcu_atfork callback enabled for qtest, Stefan Hajnoczi, 2020/02/22
- [PULL 24/31] fuzz: support for fork-based fuzzing., Stefan Hajnoczi, 2020/02/22
- [PULL 25/31] fuzz: add support for qos-assisted fuzz targets, Stefan Hajnoczi, 2020/02/22
- [PULL 26/31] fuzz: add target/fuzz makefile rules, Stefan Hajnoczi, 2020/02/22
- [PULL 27/31] fuzz: add configure flag --enable-fuzzing, Stefan Hajnoczi, 2020/02/22
- [PULL 28/31] fuzz: add i440fx fuzz targets, Stefan Hajnoczi, 2020/02/22
- [PULL 29/31] fuzz: add virtio-net fuzz target, Stefan Hajnoczi, 2020/02/22
- [PULL 30/31] fuzz: add virtio-scsi fuzz target, Stefan Hajnoczi, 2020/02/22
- [PULL 31/31] fuzz: add documentation to docs/devel/, Stefan Hajnoczi, 2020/02/22
- Re: [PULL 00/31] Block patches, no-reply, 2020/02/22
- Re: [PULL 00/31] Block patches, Peter Maydell, 2020/02/24