fuzz: do not use POSIX shm for coverage bitmap

We used shm_open with mmap to share libfuzzer's coverage bitmap with child (runner) processes. The same functionality can be achieved with MAP_SHARED | MAP_ANONYMOUS, since we do not care about naming or permissioning the shared memory object. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200622165040.15121-1-alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-11-27 13:30:52 +00:00 · 2020-06-22 12:50:40 -04:00 · 2020-06-22 12:50:40 -04:00 · dda2f556c3
commit dda2f556c3
parent 45222b9a90
1 changed files with 13 additions and 27 deletions
--- a/tests/qtest/fuzz/fork_fuzz.c
+++ b/tests/qtest/fuzz/fork_fuzz.c
@ -17,39 +17,25 @@

 void counter_shm_init(void)
 {
-    char *shm_path = g_strdup_printf("/qemu-fuzz-cntrs.%d", getpid());
-    int fd = shm_open(shm_path, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
-    g_free(shm_path);
-
-    if (fd == -1) {
-        perror("Error: ");
-        exit(1);
-    }
-    if (ftruncate(fd, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START) == -1) {
-        perror("Error: ");
-        exit(1);
-    }
-    /* Copy what's in the counter region to the shm.. */
-    void *rptr = mmap(NULL ,
-            &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
-            PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
-    memcpy(rptr,
+    /* Copy what's in the counter region to a temporary buffer.. */
+    void *copy = malloc(&__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
+    memcpy(copy,
           &__FUZZ_COUNTERS_START,
           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);

-    munmap(rptr, &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
-
-    /* And map the shm over the counter region */
-    rptr = mmap(&__FUZZ_COUNTERS_START,
-            &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
-            PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, 0);
-
-    close(fd);
-
-    if (!rptr) {
+    /* Map a shared region over the counter region */
+    if (mmap(&__FUZZ_COUNTERS_START,
+             &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
+             PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS,
+             0, 0) == MAP_FAILED) {
        perror("Error: ");
        exit(1);
    }
+
+    /* Copy the original data back to the counter-region */
+    memcpy(&__FUZZ_COUNTERS_START, copy,
+           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
+    free(copy);
 }