
Commit dda2f55

a1xndrhuth
authored andcommitted
fuzz: do not use POSIX shm for coverage bitmap
We used shm_open with mmap to share libfuzzer's coverage bitmap with child (runner) processes. The same functionality can be achieved with MAP_SHARED | MAP_ANONYMOUS, since we do not care about naming or permissioning the shared memory object. Signed-off-by: Alexander Bulekov <[email protected]> Message-Id: <[email protected]> Reviewed-by: Darren Kenny <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Signed-off-by: Thomas Huth <[email protected]>
1 parent 45222b9 commit dda2f55


1 file changed

+13
-27
lines changed


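--- a/tests/qtest/fuzz/fork_fuzz.c
+++ b/tests/qtest/fuzz/fork_fuzz.c
@@ -17,39 +17,25 @@
 
 void counter_shm_init(void)
 {
-    char *shm_path = g_strdup_printf("/qemu-fuzz-cntrs.%d", getpid());
-    int fd = shm_open(shm_path, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
-    g_free(shm_path);
-
-    if (fd == -1) {
-        perror("Error: ");
-        exit(1);
-    }
-    if (ftruncate(fd, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START) == -1) {
-        perror("Error: ");
-        exit(1);
-    }
-    /* Copy what's in the counter region to the shm.. */
-    void *rptr = mmap(NULL ,
-            &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
-            PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
-    memcpy(rptr,
+    /* Copy what's in the counter region to a temporary buffer.. */
+    void *copy = malloc(&__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
+    memcpy(copy,
            &__FUZZ_COUNTERS_START,
            &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
 
-    munmap(rptr, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
-
-    /* And map the shm over the counter region */
-    rptr = mmap(&__FUZZ_COUNTERS_START,
-            &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
-            PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, 0);
-
-    close(fd);
-
-    if (!rptr) {
+    /* Map a shared region over the counter region */
+    if (mmap(&__FUZZ_COUNTERS_START,
+             &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
+             PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS,
+             0, 0) == MAP_FAILED) {
         perror("Error: ");
         exit(1);
     }
+
+    /* Copy the original data back to the counter-region */
+    memcpy(&__FUZZ_COUNTERS_START, copy,
+           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
+    free(copy);
 }
 
 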
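Review bot: The new `malloc` of the temporary buffer is never checked, so a NULL return flows straight into `memcpy(copy, ...)` and later `memcpy(&__FUZZ_COUNTERS_START, copy, ...)` as a null dereference; add `if (!copy) { perror("Error: "); exit(1); }` right after the allocation, matching the error style the function already uses for mmap. The replacement mmap passes `0` as the fd for a MAP_ANONYMOUS mapping, which Linux ignores, but mmap(2) documents that some implementations require fd to be -1 with MAP_ANONYMOUS, so `-1` is the portable value and also makes it obvious no real descriptor (stdin is fd 0) is involved. With shm_open, ftruncate and close gone from this function, the headers those calls and their O_/S_ flags needed may now be unused, but the include block is outside the hunk so that cannot be confirmed here.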