ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

add -b option to afl-fuzz

Browse Source
This commit is contained in:
van Hauser
2020-07-30 19:00:41 +02:00
parent c661587128
commit 320f26d26f
5 changed files with 37 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/Changelog.md
View File

@ -15,6 +15,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- afl-fuzz:
- added -F option to allow -M main fuzzers to sync to foreign fuzzers,
e.g. honggfuzz or libfuzzer
- added -b option to bind to a specific CPU
- eliminated CPU affinity race condition for -S/-M runs
- expanded havoc mode added, on no cycle finds add extra splicing and
MOpt into the mix

3
include/afl-fuzz.h
View File

@ -545,7 +545,8 @@ typedef struct afl_state {
u64 total_bitmap_size, /* Total bit count for all bitmaps */
total_bitmap_entries; /* Number of bitmaps counted */
s32 cpu_core_count; /* CPU core count */
s32 cpu_core_count, /* CPU core count */
cpu_to_bind; /* bind to specific CPU */
#ifdef HAVE_AFFINITY
s32 cpu_aff; /* Selected CPU core */

22
src/afl-fuzz-init.c
View File

@ -53,6 +53,13 @@ void bind_to_free_cpu(afl_state_t *afl) {
u8 cpu_used[4096] = {0}, lockfile[PATH_MAX] = "";
u32 i;
if (afl->cpu_to_bind != -1) {
i = afl->cpu_to_bind;
goto set_cpu;
}
if (afl->sync_id) {
s32 lockfd, first = 1;
@ -295,20 +302,23 @@ void bind_to_free_cpu(afl_state_t *afl) {
try:
if (afl->cpu_to_bind != -1)
FATAL("bind to CPU #%d failed!", afl->cpu_to_bind);
#if !defined(__ANDROID__)
for (i = cpu_start; i < afl->cpu_core_count; i++) {
for (i = cpu_start; i < afl->cpu_core_count; i++) {
if (!cpu_used[i]) { break; }
if (!cpu_used[i]) { break; }
}
}
if (i == afl->cpu_core_count) {
#else
for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--)
if (!cpu_used[i]) break;
for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--)
if (!cpu_used[i]) break;
if (i == -1) {
#endif
@ -327,6 +337,8 @@ void bind_to_free_cpu(afl_state_t *afl) {
OKF("Found a free CPU core, try binding to #%u.", i);
set_cpu:
afl->cpu_aff = i;
#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__)

1
src/afl-fuzz-state.c
View File

@ -94,6 +94,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
afl->havoc_div = 1; /* Cycle count divisor for havoc */
afl->stage_name = "init"; /* Name of the current fuzz stage */
afl->splicing_with = -1; /* Splicing with which test case? */
afl->cpu_to_bind = -1;
#ifdef HAVE_AFFINITY
afl->cpu_aff = -1; /* Selected CPU core */

19
src/afl-fuzz.c
View File

@ -143,6 +143,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
//" -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap
//" "file\n"
" -C - crash exploration mode (the peruvian rabbit thing)\n"
" -b cpu_id - bind the fuzzing process to the specified CPU core "
"(0-...)\n"
" -e ext - file extension for the fuzz test input file (if "
"needed)\n\n",
argv0, EXEC_TIMEOUT, MEM_LIMIT, FOREIGN_SYNCS_MAX);
@ -271,9 +273,9 @@ int main(int argc, char **argv_orig, char **envp) {
afl->shmem_testcase_mode = 1; // we always try to perform shmem fuzzing
while ((opt = getopt(argc, argv,
"+c:i:I:o:f:F:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) >
0) {
while ((opt = getopt(
argc, argv,
"+b:c:i:I:o:f:F:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > 0) {
switch (opt) {
@ -281,6 +283,17 @@ int main(int argc, char **argv_orig, char **envp) {
afl->infoexec = optarg;
break;
case 'b': { /* bind CPU core */
if (afl->cpu_to_bind != -1) FATAL("Multiple -b options not supported");
if (sscanf(optarg, "%u", &afl->cpu_to_bind) < 0 || optarg[0] == '-')
FATAL("Bad syntax used for -b");
break;
}
case 'c': {
afl->shm.cmplog_mode = 1;