diff mbox series

[RFC,v2,14/17] fuzz: Add forking support to the fuzzer

Message ID 20190805071038.32146-15-alxndr@bu.edu (mailing list archive)
State New, archived
Headers show
Series [RFC,v2,01/17] fuzz: Move initialization from main to qemu_init | expand

Commit Message

Alexander Bulekov Aug. 5, 2019, 7:11 a.m. UTC 
Forking is a simple way of ensuring that state doesn't leak between
runs. This patch depends on a modification to libfuzzer:
https://reviews.llvm.org/D65672

Signed-off-by: Alexander Oleinik <alxndr@bu.edu>
---
 tests/fuzz/fuzzer_hooks.c | 62 +++++++++++++++++++++++++++++++++++++++
 tests/fuzz/fuzzer_hooks.h | 21 +++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 tests/fuzz/fuzzer_hooks.c
 create mode 100644 tests/fuzz/fuzzer_hooks.h

Comments

Stefan Hajnoczi Aug. 9, 2019, 9:46 a.m. UTC | #1 
On Mon, Aug 05, 2019 at 07:11:15AM +0000, Oleinik, Alexander wrote:
> +void *counter_shm;
> +size_t feature_shm_len;
> +uintptr_t feature_shm;
> +size_t offset;
> +
> +typedef struct CoverageRegion {
> +    uint8_t *start;
> +    size_t length;
> +    bool store; /* Set this if it needs to be copied to the forked process */
> +} CoverageRegion;
> +
> +CoverageRegion regions[10];
> +int region_index;
> +

The global variable names in this file are likely to cause naming
collisions.  Do they need to be global?  If yes, please prefix with
"fuzz_".
diff mbox series

Patch

diff --git a/tests/fuzz/fuzzer_hooks.c b/tests/fuzz/fuzzer_hooks.c
new file mode 100644
index 0000000000..87c94ef65f
--- /dev/null
+++ b/tests/fuzz/fuzzer_hooks.c
@@ -0,0 +1,62 @@ 
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+#include "qemu-common.h"
+#include "fuzzer_hooks.h"
+
+#include <dlfcn.h>
+#include <elf.h>
+
+
+
+void *counter_shm;
+size_t feature_shm_len;
+uintptr_t feature_shm;
+size_t offset;
+
+typedef struct CoverageRegion {
+    uint8_t *start;
+    size_t length;
+    bool store; /* Set this if it needs to be copied to the forked process */
+} CoverageRegion;
+
+CoverageRegion regions[10];
+int region_index;
+
+
+void counter_shm_init(void)
+{
+    LLVMFuzzerIterateFeatureRegions(&measure_shm_size);
+    feature_shm = (uintptr_t)mmap(NULL, feature_shm_len,
+            PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+}
+
+void counter_shm_store(void)
+{
+    offset = 0;
+    LLVMFuzzerIterateFeatureRegions(&feature_store);
+}
+
+void counter_shm_load(void)
+{
+    offset = 0;
+    LLVMFuzzerIterateFeatureRegions(&feature_load);
+}
+
+void feature_load(void *start, size_t len)
+{
+    memcpy(start, (void *)(feature_shm + offset), len);
+    offset += len;
+}
+
+void feature_store(void *start, size_t len)
+{
+    memcpy((void *)(feature_shm + offset), start, len);
+    offset += len;
+}
+
+void measure_shm_size(void *start, size_t len)
+{
+    feature_shm_len += len;
+}
+
diff --git a/tests/fuzz/fuzzer_hooks.h b/tests/fuzz/fuzzer_hooks.h
new file mode 100644
index 0000000000..2f411193dd
--- /dev/null
+++ b/tests/fuzz/fuzzer_hooks.h
@@ -0,0 +1,21 @@ 
+#ifndef FUZZER_HOOKS_H
+#define FUZZER_HOOKS_H
+
+
+/* NOTE: Pending https://reviews.llvm.org/D65672
+ * Alternatively, a similar functionality can be added fairly straightforwardly
+ * with AFL deferred fork mode, albeit requiring a different fuzzer and compiler
+ * https://github.com/mirrorer/afl/blob/master/llvm_mode/README.llvm#L82
+ */
+extern void LLVMFuzzerIterateFeatureRegions(void (*CB)(void *, size_t));
+
+void measure_shm_size(void *start, size_t len);
+
+void counter_shm_init(void);
+void counter_shm_store(void);
+void counter_shm_load(void);
+void feature_load(void *start, size_t len);
+void feature_store(void *start, size_t len);
+
+#endif
+