Commit dda2f556 authored by Alexander Bulekov's avatar Alexander Bulekov Committed by Thomas Huth
Browse files

fuzz: do not use POSIX shm for coverage bitmap 



We used shm_open with mmap to share libfuzzer's coverage bitmap with
child (runner) processes. The same functionality can be achieved with
MAP_SHARED | MAP_ANONYMOUS, since we do not care about naming or
permissioning the shared memory object.

Signed-off-by: default avatarAlexander Bulekov <alxndr@bu.edu>
Message-Id: <20200622165040.15121-1-alxndr@bu.edu>
Reviewed-by: default avatarDarren Kenny <darren.kenny@oracle.com>
Reviewed-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: default avatarThomas Huth <thuth@redhat.com>
parent 45222b9a

tests/qtest/fuzz/fork_fuzz.c

+13 −27
Original line number Diff line number Diff line
@@ -17,39 +17,25 @@ 


void counter_shm_init(void)

{

    char *shm_path = g_strdup_printf("/qemu-fuzz-cntrs.%d", getpid());

    int fd = shm_open(shm_path, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);

    g_free(shm_path);



    if (fd == -1) {

        perror("Error: ");

        exit(1);

    }

    if (ftruncate(fd, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START) == -1) {

        perror("Error: ");

        exit(1);

    }

    /* Copy what's in the counter region to the shm.. */

    void *rptr = mmap(NULL ,

            &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,

            PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

    memcpy(rptr,

    /* Copy what's in the counter region to a temporary buffer.. */

    void *copy = malloc(&__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);

    memcpy(copy,

           &__FUZZ_COUNTERS_START,

           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);



    munmap(rptr, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);



    /* And map the shm over the counter region */

    rptr = mmap(&__FUZZ_COUNTERS_START,

    /* Map a shared region over the counter region */

    if (mmap(&__FUZZ_COUNTERS_START,

             &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,

            PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, 0);



    close(fd);



    if (!rptr) {

             PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS,

             0, 0) == MAP_FAILED) {

        perror("Error: ");

        exit(1);

    }



    /* Copy the original data back to the counter-region */

    memcpy(&__FUZZ_COUNTERS_START, copy,

           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);

    free(copy);

}