ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

add AFL_TRY_AFFINITY

Browse Source
This commit is contained in:
vanhauser-thc
2021-05-25 10:45:24 +02:00
parent 8e75adfee5
commit 87b16c4460
9 changed files with 46 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Dockerfile
View File

@ -50,6 +50,7 @@ RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 0
ENV LLVM_CONFIG=llvm-config-12
ENV AFL_SKIP_CPUFREQ=1
ENV AFL_TRY_AFFINITY=1
ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov /afl-cov

4
README.md
View File

@ -679,8 +679,8 @@ If you see that an important area or a feature has not been covered so far then
try to find an input that is able to reach that and start a new secondary in
that fuzzing campaign with that seed as input, let it run for a few minutes,
then terminate it. The main node will pick it up and make it available to the
other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` if you have no
free core.
other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` or
`export AFL_TRY_AFFINITY=1` if you have no free core.
Note that you in nearly all cases can never reach full coverage. A lot of
functionality is usually behind options that were not activated or fuzz e.g.

10
docs/Changelog.md
View File

@ -33,10 +33,12 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
-i dir crashes the target or results in a timeout. By default
afl++ ignores these and uses them for splicing instead.
- added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing after
no new paths have been found for n seconds
- when AFL_FAST_CAL is set a variable path will no be calibrated 8 times
instead of 40
- added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing
after no new paths have been found for n seconds
- when AFL_FAST_CAL is set a variable path will no be calibrated
8 times instead of 40
- added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if
it fails
- afl-cc:
- We do not support llvm versions prior 6.0 anymore
- Fix for -pie compiled binaries with default afl-clang-fast PCGUARD

3
docs/env_variables.md
View File

@ -312,6 +312,9 @@ checks or alter some of the more exotic semantics of the tool:
on Linux systems. This slows things down, but lets you run more instances
of afl-fuzz than would be prudent (if you really want to).
- Setting `AFL_TRY_AFFINITY` tries to attempts to bind to a specific CPU core
on Linux systems, but will not terminate if it fails.
- Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary
that is compiled into the target.

2
include/afl-fuzz.h
View File

@ -385,7 +385,7 @@ typedef struct afl_env_vars {
afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
afl_exit_on_seed_issues;
afl_exit_on_seed_issues, afl_try_affinity;
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,

1
include/envs.h
View File

@ -120,6 +120,7 @@ static char *afl_environment_variables[] = {
"AFL_LLVM_INSTRUMENT_FILE",
"AFL_LLVM_SKIP_NEVERZERO",
"AFL_NO_AFFINITY",
"AFL_TRY_AFFINITY",
"AFL_LLVM_LTO_STARTID",
"AFL_LLVM_LTO_DONTWRITEID",
"AFL_NO_ARITH",

34
src/afl-fuzz-init.c
View File

@ -113,7 +113,7 @@ void bind_to_free_cpu(afl_state_t *afl) {
u8 lockfile[PATH_MAX] = "";
s32 i;
if (afl->afl_env.afl_no_affinity) {
if (afl->afl_env.afl_no_affinity && !afl->afl_env.afl_try_affinity) {
if (afl->cpu_to_bind != -1) {
@ -130,10 +130,21 @@ void bind_to_free_cpu(afl_state_t *afl) {
if (!bind_cpu(afl, afl->cpu_to_bind)) {
FATAL(
"Could not bind to requested CPU %d! Make sure you passed a valid "
"-b.",
afl->cpu_to_bind);
if (afl->afl_env.afl_try_affinity) {
WARNF(
"Could not bind to requested CPU %d! Make sure you passed a valid "
"-b.",
afl->cpu_to_bind);
} else {
FATAL(
"Could not bind to requested CPU %d! Make sure you passed a valid "
"-b.",
afl->cpu_to_bind);
}
}
@ -420,11 +431,14 @@ void bind_to_free_cpu(afl_state_t *afl) {
"Uh-oh, looks like all %d CPU cores on your system are allocated to\n"
" other instances of afl-fuzz (or similar CPU-locked tasks). "
"Starting\n"
" another fuzzer on this machine is probably a bad plan, but if "
"you are\n"
" absolutely sure, you can set AFL_NO_AFFINITY and try again.\n",
afl->cpu_core_count);
FATAL("No more free CPU cores");
" another fuzzer on this machine is probably a bad plan.\n"
"%s",
afl->cpu_core_count,
afl->afl_env.afl_try_affinity ? ""
: " If you are sure, you can set "
"AFL_NO_AFFINITY and try again.\n");
if (!afl->afl_env.afl_try_affinity) { FATAL("No more free CPU cores"); }
}

7
src/afl-fuzz-state.c
View File

@ -202,6 +202,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_no_affinity =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
} else if (!strncmp(env, "AFL_TRY_AFFINITY",
afl_environment_variable_len)) {
afl->afl_env.afl_try_affinity =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
} else if (!strncmp(env, "AFL_SKIP_CRASHES",
afl_environment_variable_len)) {

1
src/afl-fuzz.c
View File

@ -220,6 +220,7 @@ static void usage(u8 *argv0, int more_help) {
" then they are randomly selected instead all of them being\n"
" used. Defaults to 200.\n"
"AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n"
"AFL_TRY_AFFINITY: try to bind to an unused core, but don't fail if unsuccessful\n"
"AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n"
"AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target\n"
"AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"