Last active: August 29, 2015 14:26
honggfuzz Android linux PTRACE arch port
--{ Changelog
* libunwind
** A fresh upstream copy is forked and statically cross-compiled using the Android NDK
** Helper compile script handles all build env setup & config flag settings
** Small patches are applied for ARM64 & x86 builds due to Android compatibility issues
** Is used both to generate the stack trace and to extract function names from fuzzing targets
** Line number (as used in the main Linux libbfd stream) is now replaced with the offset from the func symbol
** Improved error handling in arch_unwindStack()
* libcapstone
** A fresh upstream copy is forked and statically cross-compiled using the Android NDK
** Helper compile script handles all build env setup & config flag settings
** Is used instead of libbfd to disassemble the crash instruction
* Main honggfuzz
** Renamed "linux/ptrace.*" to "linux/ptrace_utils.*" due to include conflicts with the Android NDK sysroot
** Replaced the wait3() syscall with wait4() since it's no longer present in recent Android
** Increased function name string buffer size since it was too small for mangled C++ func names
** Reduced backtrace function frames limit since the report's stack-allocated buffer could not hold that many frames.
** Introduce various Android compatibility macros for PTRACE defs, process_vm_readv and others
** Wrap register & instruction sizes under macros to better reflect actual sizes for supported CPU architectures (simplifies debugging)
** Engineer the ptrace analyze-data function to prevent debuggerd from also attaching to the fuzzing target and interfering with the analysis process.
** Improve Android build process
--{ ToDo:
* Fix libunwind x86_64 cross-compile build issues.
* Save relative PC (subtract from map load base address) in report file. An approach using link_map is probably the fastest and most reliable way.
* Link with C++ runtime to use the cxx_demangle routines (not really that important)
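The relative-PC item above is the lookup a tracer does against the target's /proc/<pid>/maps: find the mapping that covers the crashing PC, subtract the mapping start and add the mapping's file offset, so the report carries an address that stays stable across ASLR'd runs and can be fed to a symbolizer. The C block below is an added example written for this page, not honggfuzz code. SAMPLE_MAPS is a constructed maps dump (library names, bases and inodes are made up; only the PC 0xb6d66ca2 is taken from the report in the Running section), and maps_resolve_self() runs the same lookup against the calling process.

```c
/* Added example (not honggfuzz code): map an absolute PC to (mapping, relative
 * address) using /proc/<pid>/maps, the "subtract from map load base" step. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct map_entry {
    uintptr_t start, end;   /* [start, end) of the mapping */
    uintptr_t file_off;     /* file offset the mapping begins at */
    char perms[5];          /* e.g. "r-xp" */
    char path[256];         /* backing object, "[stack]" etc., or "" if anonymous */
};

/* Parse one maps line: "start-end perms offset dev inode   path". Returns 1 on success. */
static int parse_maps_line(const char *line, struct map_entry *m)
{
    unsigned long long s, e, off, inode;
    char dev[16];
    int n = 0;   /* index of the optional path, set by %n */
    memset(m, 0, sizeof *m);
    if (sscanf(line, "%llx-%llx %4s %llx %15s %llu %n",
               &s, &e, m->perms, &off, dev, &inode, &n) < 6)
        return 0;
    m->start = (uintptr_t)s;
    m->end = (uintptr_t)e;
    m->file_off = (uintptr_t)off;
    if (n > 0 && line[n] != '\0')   /* anonymous mappings carry no path */
        snprintf(m->path, sizeof m->path, "%s", line + n);
    return 1;
}

/* Find the mapping in maps_text that covers pc. On success fills *m, stores the
 * address relative to the backing object in *rel and returns 1; 0 if unmapped. */
int maps_resolve(const char *maps_text, uintptr_t pc, struct map_entry *m, uintptr_t *rel)
{
    for (const char *p = maps_text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        struct map_entry e;
        if (parse_maps_line(line, &e) && pc >= e.start && pc < e.end) {
            *m = e;
            /* Offset into the backing file. For an r-x segment mapped at file
             * offset 0 this is exactly pc minus the module's load base. */
            *rel = (pc - e.start) + e.file_off;
            return 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* Same lookup for the calling process, reading /proc/self/maps (Linux/Android). */
int maps_resolve_self(uintptr_t pc, struct map_entry *m, uintptr_t *rel)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return maps_resolve(buf, pc, m, rel);
}

/* Constructed sample: names, bases and inodes are made up for the example. */
static const char SAMPLE_MAPS[] =
    "b6700000-b6780000 r-xp 00000000 b3:19 1001   /system/lib/libc.so\n"
    "b6780000-b6784000 r--p 00080000 b3:19 1001   /system/lib/libc.so\n"
    "b6c00000-b6f00000 r-xp 00000000 b3:19 1002   /system/lib/libexample.so\n"
    "b6f00000-b6f20000 rw-p 00300000 b3:19 1002   /system/lib/libexample.so\n"
    "bed00000-bef00000 rw-p 00000000 00:00 0      [stack]\n";

int main(void)
{
    struct map_entry m;
    uintptr_t rel, pc = 0xb6d66ca2;   /* PC of frame 0 in the report on this page */
    if (maps_resolve(SAMPLE_MAPS, pc, &m, &rel))
        printf("0x%llx -> %s + 0x%llx\n", (unsigned long long)pc, m.path, (unsigned long long)rel);
    /* The same resolution for a function of this very process */
    if (maps_resolve_self((uintptr_t)maps_resolve, &m, &rel))
        printf("maps_resolve lives in %s at +0x%llx\n", m.path, (unsigned long long)rel);
    return 0;
}
```

The relative value is what a report should record next to the absolute PC: the absolute address is only meaningful for the one run that produced it, while path plus relative offset can be symbolized later against the unstripped build.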
--{ Compiling
Build the matching-architecture libcapstone & libunwind from the upstream branches. Execute the following from the root directory:
anestisb@nemesis:[honggfuzz]: third_party/android/scripts/compile-capstone.sh third_party/android/capstone arm
anestisb@nemesis:[honggfuzz]: third_party/android/scripts/compile-libunwind.sh third_party/android/libunwind arm
anestisb@nemesis:[honggfuzz]: make -B android ANDROID_APP_ABI=armeabi-v7a
--{ Running
PoC test against master Android for a reported ART runtime bug (https://code.google.com/p/android/issues/detail?id=178523)
anestisb@nemesis:[honggfuzz]: adb push libs/armeabi-v7a/honggfuzz /data/local/tmp/
anestisb@nemesis:[honggfuzz]: adb shell
root@shamu:/data/local/tmp # ./honggfuzz -f 0dd97cab0b7a4afb043fd78209493e77.dex -q -n 1 -N 1 -r 0.0 -t 8 -u -- dex2oat --dex-file=___FILE___ --oat-file=out.oat --instruction-set=arm --instruction-set-features=default --compiler-backend=Optimizing
[INFO] debugLevel: 3, inputFile '0dd97cab0b7a4afb043fd78209493e77.dex', nullifyStdio: 1, fuzzStdin: 0, saveUnique: 1, flipRate: 0.000000, externalCommand: 'NULL', tmOut: 8, mutationsMax: 1, threadsMax: 1, fileExtn 'fuzz', ignoreAddr: 0x0, memoryLimit: 0 (MiB), fuzzExe: 'dex2oat', fuzzedPid: 0
[INFO] Launched new process, pid: 20688, (1/1)
[INFO] Ok, that's interesting, saved '.honggfuzz.20685.5841132.2c4eb83f6ed28c1.fuzz' as 'SIGSEGV.PC.b6d66ca2.CODE.1.ADDR.0x2b2a80e0.INSTR.ldr.w_r5,_[ip,_r1,_lsl_#2].0dd97cab0b7a4afb043fd78209493e77.dex.fuzz'
[INFO] Finished fuzzing 1 times.
root@shamu:/data/local/tmp # cat HONGGFUZZ.REPORT.TXT
=====================================================================
TIME: 1970-03-09.14:32:13
=====================================================================
ORIG_FNAME: 0dd97cab0b7a4afb043fd78209493e77.dex
FUZZ_FNAME: .honggfuzz.20685.5841132.2c4eb83f6ed28c1.fuzz
PID: 20693
SIGNAL: SIGSEGV (11)
FAULT ADDRESS: 0x2b2a80e0
INSTRUCTION: ldr.w_r5,_[ip,_r1,_lsl_#2]
STACK:
<0xb6d66ca2> [_ZN3art13TypeInference25UpdateSRegFromLowWordTypeEiNS0_4TypeE + 0xd]
<0xb6d65f53> [_ZN3art13TypeInference15InitializeSRegsEv + 0x98a]
<0xb6d6517f> [_ZN3art13TypeInferenceC1EPNS_8MIRGraphEPNS_20ScopedArenaAllocatorE + 0x10a]
<0xb6def521> [_ZN3art8MIRGraph15InferTypesStartEv + 0x2c]
<0xb6db3ef5> [_ZN3art13QuickCompiler6CreateEPNS_14CompilerDriverE + 0x7c]
<0xb6dea319> [_ZTv0_n12_NSt3__113basic_istreamIcNS_11char_traitsIcEEED0Ev + 0x488]
<0xb6de9d1f> [_ZN3art8MIRGraph30CalculateBasicBlockInformationEPKNS_11PassManagerE + 0x92]
<0xb6dea319> [_ZTv0_n12_NSt3__113basic_istreamIcNS_11char_traitsIcEEED0Ev + 0x488]
<0xb6db32e5> [_ZNK3art13QuickCompiler7CompileEPKNS_7DexFile8CodeItemEjNS_10InvokeTypeEtjP8_jobjectRKS1_ + 0x5ec]
<0xb6e8a191> [_ZNK3art18OptimizingCompiler7CompileEPKNS_7DexFile8CodeItemEjNS_10InvokeTypeEtjP8_jobjectRKS1_ + 0xc8]
<0xb6dfadcf> [_ZN3art14CompilerDriver13CompileMethodEPNS_6ThreadEPKNS_7DexFile8CodeItemEjNS_10InvokeTypeEtjP8_jobjectRKS3_NS_24DexToDexCompilationLevelEb + 0x92]
<0xb6e06029> [_ZNSt3__112__hash_tableIPN3art6mirror6ObjectENS_4hashIS4_EENS_8equal_toIS4_EENS_9allocatorIS4_EEE8__rehashEj + 0x34f0]
<0xb6e034fb> [_ZNSt3__112__hash_tableIPN3art6mirror6ObjectENS_4hashIS4_EENS_8equal_toIS4_EENS_9allocatorIS4_EEE8__rehashEj + 0x9c2]
<0xb6b52565> [_ZN3art16ThreadPoolWorker3RunEv + 0x3c]
<0xb6b523b5> [_ZN3art16ThreadPoolWorker8CallbackEPv + 0x3c]
<0xb67aef37> [_ZL15__pthread_startPv + 0x22]
<0xb6780b2f> [__start_thread + 0xa]
=====================================================================
root@shamu:/data/local/tmp #
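The report above is what a triage step consumes once a run has produced crashes. The C block below is an added example, not part of the gist or of honggfuzz: it parses the SIGNAL, FAULT ADDRESS and STACK fields of a HONGGFUZZ.REPORT.TXT and buckets the crash by an FNV-1a hash over (symbol + offset) per frame, deliberately ignoring the absolute PCs so that the same bug from two ASLR'd runs lands in one bucket (a local scheme for illustration, not the hash honggfuzz itself uses for -u). The symbol buffer is sized for the long mangled C++ names visible in the report, the same issue the changelog's buffer-size fix addresses. REPORT_PAGE is an excerpt of the report above (the fields the parser reads plus the first four frames); REPORT_REBASED is a constructed copy of it with every address shifted by 0x1000.

```c
/* Added example (not honggfuzz code): parse a HONGGFUZZ.REPORT.TXT and bucket
 * the crash by its symbolic stack rather than by absolute addresses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 64
#define SYM_LEN 256   /* mangled C++ names in the report run well past 100 chars */

struct frame {
    uintptr_t pc;        /* absolute PC, changes with ASLR */
    char sym[SYM_LEN];   /* mangled function name */
    uintptr_t off;       /* PC offset from the function symbol */
};

struct crash_report {
    char signal[32];
    uintptr_t fault_addr;
    size_t nframes;
    struct frame frames[MAX_FRAMES];
};

/* Parse one stack line "<0xPC> [SYMBOL + 0xOFF]". Returns 1 on success. */
static int parse_frame(const char *line, struct frame *f)
{
    unsigned long long pc, off;
    if (sscanf(line, "<0x%llx> [%255[^ ] + 0x%llx]", &pc, f->sym, &off) != 3)
        return 0;
    f->pc = (uintptr_t)pc;
    f->off = (uintptr_t)off;
    return 1;
}

/* Walk the report line by line, filling *r. Returns the number of frames found. */
size_t parse_report(const char *text, struct crash_report *r)
{
    int in_stack = 0;
    memset(r, 0, sizeof *r);
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        const char *s = line;
        while (*s == ' ' || *s == '\t') s++;

        unsigned long long v;
        if (sscanf(s, "SIGNAL: %31s", r->signal) == 1) {
            in_stack = 0;                 /* "SIGNAL: SIGSEGV (11)" keeps "SIGSEGV" */
        } else if (sscanf(s, "FAULT ADDRESS: 0x%llx", &v) == 1) {
            r->fault_addr = (uintptr_t)v;
        } else if (strncmp(s, "STACK:", 6) == 0) {
            in_stack = 1;
        } else if (in_stack && *s == '<') {
            if (r->nframes < MAX_FRAMES && parse_frame(s, &r->frames[r->nframes]))
                r->nframes++;
        } else if (in_stack && *s == '=') {
            in_stack = 0;                 /* separator closes the STACK section */
        }
        if (!nl) break;
        p = nl + 1;
    }
    return r->nframes;
}

/* FNV-1a over "symbol+offset;" per frame. Absolute PCs are left out on purpose. */
uint64_t stack_hash(const struct crash_report *r)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < r->nframes; i++) {
        char buf[SYM_LEN + 32];
        int n = snprintf(buf, sizeof buf, "%s+0x%llx;", r->frames[i].sym,
                         (unsigned long long)r->frames[i].off);
        for (int j = 0; j < n; j++) {
            h ^= (unsigned char)buf[j];
            h *= 0x100000001b3ULL;
        }
    }
    return h;
}

/* Convenience: parse and hash in one step; 0 means no frames were found. */
uint64_t report_hash(const char *text)
{
    struct crash_report r;
    return parse_report(text, &r) ? stack_hash(&r) : 0;
}

/* Excerpt of the report on this page: the parsed fields plus the first four frames. */
static const char REPORT_PAGE[] =
    "SIGNAL: SIGSEGV (11)\n"
    "FAULT ADDRESS: 0x2b2a80e0\n"
    "INSTRUCTION: ldr.w_r5,_[ip,_r1,_lsl_#2]\n"
    "STACK:\n"
    "<0xb6d66ca2> [_ZN3art13TypeInference25UpdateSRegFromLowWordTypeEiNS0_4TypeE + 0xd]\n"
    "<0xb6d65f53> [_ZN3art13TypeInference15InitializeSRegsEv + 0x98a]\n"
    "<0xb6d6517f> [_ZN3art13TypeInferenceC1EPNS_8MIRGraphEPNS_20ScopedArenaAllocatorE + 0x10a]\n"
    "<0xb6def521> [_ZN3art8MIRGraph15InferTypesStartEv + 0x2c]\n"
    "=====================================================================\n";

/* Constructed: the same frames with every address shifted by 0x1000, as a second
 * run under ASLR would produce. */
static const char REPORT_REBASED[] =
    "SIGNAL: SIGSEGV (11)\n"
    "FAULT ADDRESS: 0x2b2a90e0\n"
    "STACK:\n"
    "<0xb6d67ca2> [_ZN3art13TypeInference25UpdateSRegFromLowWordTypeEiNS0_4TypeE + 0xd]\n"
    "<0xb6d66f53> [_ZN3art13TypeInference15InitializeSRegsEv + 0x98a]\n"
    "<0xb6d6617f> [_ZN3art13TypeInferenceC1EPNS_8MIRGraphEPNS_20ScopedArenaAllocatorE + 0x10a]\n"
    "<0xb6df0521> [_ZN3art8MIRGraph15InferTypesStartEv + 0x2c]\n"
    "=====================================================================\n";
```

Bucketing on symbol plus offset is what makes the unique-crash count meaningful across a long campaign: two reports whose frames differ only in absolute addresses hash identically, while a crash one instruction away in the same function gets its own bucket, which is the granularity you want when deciding which reports to hand to a developer first.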
Really awesome work! Thanks for working on this.