fuzz: support for fork-based fuzzing.
fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where the mutation occurs). These bitmaps are created through compile-time instrumentation and they are not shared with fork()-ed processes, by default. To address this, we create a shared memory region, adjust its size and map it _over_ the counter region. Furthermore, libfuzzer doesn't generally expose the globals that specify the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by:Alexander Bulekov <alxndr@bu.edu> Reviewed-by:
Showing
- tests/qtest/fuzz/Makefile.include 5 additions, 0 deletionstests/qtest/fuzz/Makefile.include
- tests/qtest/fuzz/fork_fuzz.c 55 additions, 0 deletionstests/qtest/fuzz/fork_fuzz.c
- tests/qtest/fuzz/fork_fuzz.h 23 additions, 0 deletionstests/qtest/fuzz/fork_fuzz.h
- tests/qtest/fuzz/fork_fuzz.ld 37 additions, 0 deletionstests/qtest/fuzz/fork_fuzz.ld
Loading
Please register or sign in to comment