about summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Dockerfile1
-rw-r--r--README.md4
-rw-r--r--docs/Changelog.md10
-rw-r--r--docs/env_variables.md3
-rw-r--r--include/afl-fuzz.h2
-rw-r--r--include/envs.h1
-rw-r--r--src/afl-fuzz-init.c34
-rw-r--r--src/afl-fuzz-state.c7
-rw-r--r--src/afl-fuzz.c1
9 files changed, 46 insertions, 17 deletions
diff --git a/Dockerfile b/Dockerfile
index 8f89b9aa..9662ca7c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -50,6 +50,7 @@ RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 0
 
 ENV LLVM_CONFIG=llvm-config-12
 ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_TRY_AFFINITY=1
 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
 
 RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov /afl-cov
diff --git a/README.md b/README.md
index cedf706c..69e2d14a 100644
--- a/README.md
+++ b/README.md
@@ -679,8 +679,8 @@ If you see that an important area or a feature has not been covered so far then
 try to find an input that is able to reach that and start a new secondary in
 that fuzzing campaign with that seed as input, let it run for a few minutes,
 then terminate it. The main node will pick it up and make it available to the
-other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` if you have no
-free core.
+other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` or
+`export AFL_TRY_AFFINITY=1` if you have no free core.
 
 Note that you in nearly all cases can never reach full coverage. A lot of
 functionality is usually behind options that were not activated or fuzz e.g.
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 33d37067..bbe55e3e 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -33,10 +33,12 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
       -i dir crashes the target or results in a timeout. By default
       afl++ ignores these and uses them for splicing instead.
-    - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing after
-      no new paths have been found for n seconds
-    - when AFL_FAST_CAL is set a variable path will no be calibrated 8 times
-      instead of 40
+    - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing
+      after no new paths have been found for n seconds
+    - when AFL_FAST_CAL is set a variable path will no be calibrated
+      8 times instead of 40
+    - added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if
+      it fails
   - afl-cc:
     - We do not support llvm versions prior 6.0 anymore
     - Fix for -pie compiled binaries with default afl-clang-fast PCGUARD
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 442b0dd0..a3267523 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -312,6 +312,9 @@ checks or alter some of the more exotic semantics of the tool:
     on Linux systems. This slows things down, but lets you run more instances
     of afl-fuzz than would be prudent (if you really want to).
 
+  - Setting `AFL_TRY_AFFINITY` tries to attempts to bind to a specific CPU core
+    on Linux systems, but will not terminate if it fails.
+
   - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary
     that is compiled into the target.
 
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index e9a72fc2..4aba3bdf 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -385,7 +385,7 @@ typedef struct afl_env_vars {
       afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
       afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
       afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
-      afl_exit_on_seed_issues;
+      afl_exit_on_seed_issues, afl_try_affinity;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
       *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
diff --git a/include/envs.h b/include/envs.h
index f1314bad..e7162c0f 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -120,6 +120,7 @@ static char *afl_environment_variables[] = {
     "AFL_LLVM_INSTRUMENT_FILE",
     "AFL_LLVM_SKIP_NEVERZERO",
     "AFL_NO_AFFINITY",
+    "AFL_TRY_AFFINITY",
     "AFL_LLVM_LTO_STARTID",
     "AFL_LLVM_LTO_DONTWRITEID",
     "AFL_NO_ARITH",
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index f2d1fb9b..88b5bc02 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -113,7 +113,7 @@ void bind_to_free_cpu(afl_state_t *afl) {
   u8  lockfile[PATH_MAX] = "";
   s32 i;
 
-  if (afl->afl_env.afl_no_affinity) {
+  if (afl->afl_env.afl_no_affinity && !afl->afl_env.afl_try_affinity) {
 
     if (afl->cpu_to_bind != -1) {
 
@@ -130,10 +130,21 @@ void bind_to_free_cpu(afl_state_t *afl) {
 
     if (!bind_cpu(afl, afl->cpu_to_bind)) {
 
-      FATAL(
-          "Could not bind to requested CPU %d! Make sure you passed a valid "
-          "-b.",
-          afl->cpu_to_bind);
+      if (afl->afl_env.afl_try_affinity) {
+
+        WARNF(
+            "Could not bind to requested CPU %d! Make sure you passed a valid "
+            "-b.",
+            afl->cpu_to_bind);
+
+      } else {
+
+        FATAL(
+            "Could not bind to requested CPU %d! Make sure you passed a valid "
+            "-b.",
+            afl->cpu_to_bind);
+
+      }
 
     }
 
@@ -420,11 +431,14 @@ void bind_to_free_cpu(afl_state_t *afl) {
          "Uh-oh, looks like all %d CPU cores on your system are allocated to\n"
          "    other instances of afl-fuzz (or similar CPU-locked tasks). "
          "Starting\n"
-         "    another fuzzer on this machine is probably a bad plan, but if "
-         "you are\n"
-         "    absolutely sure, you can set AFL_NO_AFFINITY and try again.\n",
-         afl->cpu_core_count);
-    FATAL("No more free CPU cores");
+         "    another fuzzer on this machine is probably a bad plan.\n"
+         "%s",
+         afl->cpu_core_count,
+         afl->afl_env.afl_try_affinity ? ""
+                                       : "    If you are sure, you can set "
+                                         "AFL_NO_AFFINITY and try again.\n");
+
+    if (!afl->afl_env.afl_try_affinity) { FATAL("No more free CPU cores"); }
 
   }
 
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 046d17d6..0658070e 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -202,6 +202,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_no_affinity =
                 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
 
+          } else if (!strncmp(env, "AFL_TRY_AFFINITY",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_try_affinity =
+                get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
           } else if (!strncmp(env, "AFL_SKIP_CRASHES",
 
                               afl_environment_variable_len)) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 3b6ac5e2..bb970e5f 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -220,6 +220,7 @@ static void usage(u8 *argv0, int more_help) {
       "                    then they are randomly selected instead all of them being\n"
       "                    used. Defaults to 200.\n"
       "AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n"
+      "AFL_TRY_AFFINITY: try to bind to an unused core, but don't fail if unsuccessful\n"
       "AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n"
       "AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target\n"
       "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-20 04:12:06 +0000