@anestisb
Last active August 29, 2015 14:26
honggfuzz Android linux PTRACE arch port
--{ Changelog
* libunwind
** A fresh upstream copy is forked and statically cross-compiled using Android NDK
** Helper compile script handles all build env setup & config flags settings
** Small patches are applied for ARM64 & x86 builds due to Android compatibility issues
** Used both to generate the stack trace and to extract function names from fuzzing targets
** The line number (as reported by the libbfd-based mainline Linux code) is replaced with the
offset from the enclosing function symbol
** Improved error handling in arch_unwindStack()
* libcapstone
** A fresh upstream copy is forked and statically cross-compiled using Android NDK
** Helper compile script handles all build env setup & config flags settings
** Used instead of libbfd to disassemble the crashing instruction
* Main honggfuzz
** Renamed "linux/ptrace.*" to "linux/ptrace_utils.*" due to include conflicts with Android
NDK sysroot
** Replaced wait3() with wait4(), since recent Android (Bionic) no longer provides wait3()
** Increased the function name string buffer size, since it was too small for mangled C++ function names
** Reduced the backtrace frame limit, since the report's stack-allocated buffer could not hold
that many frames
** Introduced various Android compatibility macros for PTRACE definitions, process_vm_readv and others
** Wrapped register & instruction sizes in macros to better reflect the actual sizes for the supported
CPU architectures (simplifies debugging)
** Reworked the ptrace crash-analysis function so that debuggerd cannot also attach to the fuzzing
target and interfere with the analysis
** Improve Android build process
--{ ToDo:
* Fix libunwind x86_64 cross-compile build issues.
* Save the relative PC (subtract the map's load base address) in the report file. An approach using link_map
is probably the fastest and most reliable way.
* Link with the C++ runtime to use the cxx_demangle routines (not really that important)
--{ Compiling
Build libcapstone & libunwind for the target architecture from the forked upstream trees (the last argument of each script selects the architecture; arm is shown). Execute the following from the honggfuzz root directory:
anestisb@nemesis:[honggfuzz]: third_party/android/scripts/compile-capstone.sh third_party/android/capstone arm
anestisb@nemesis:[honggfuzz]: third_party/android/scripts/compile-libunwind.sh third_party/android/libunwind arm
anestisb@nemesis:[honggfuzz]: make -B android ANDROID_APP_ABI=armeabi-v7a
--{ Running
PoC test against master Android for a reported ART runtime bug (https://code.google.com/p/android/issues/detail?id=178523)
anestisb@nemesis:[honggfuzz]: adb push libs/armeabi-v7a/honggfuzz /data/local/tmp/
anestisb@nemesis:[honggfuzz]: adb shell
root@shamu:/data/local/tmp # ./honggfuzz -f 0dd97cab0b7a4afb043fd78209493e77.dex -q -n 1 -N 1 -r 0.0 -t 8 -u -- dex2oat --dex-file=___FILE___ --oat-file=out.oat --instruction-set=arm --instruction-set-features=default --compiler-backend=Optimizing
[INFO] debugLevel: 3, inputFile '0dd97cab0b7a4afb043fd78209493e77.dex', nullifyStdio: 1, fuzzStdin: 0, saveUnique: 1, flipRate: 0.000000, externalCommand: 'NULL', tmOut: 8, mutationsMax: 1, threadsMax: 1, fileExtn 'fuzz', ignoreAddr: 0x0, memoryLimit: 0 (MiB), fuzzExe: 'dex2oat', fuzzedPid: 0
[INFO] Launched new process, pid: 20688, (1/1)
[INFO] Ok, that's interesting, saved '.honggfuzz.20685.5841132.2c4eb83f6ed28c1.fuzz' as 'SIGSEGV.PC.b6d66ca2.CODE.1.ADDR.0x2b2a80e0.INSTR.ldr.w_r5,_[ip,_r1,_lsl_#2].0dd97cab0b7a4afb043fd78209493e77.dex.fuzz'
[INFO] Finished fuzzing 1 times.
root@shamu:/data/local/tmp # cat HONGGFUZZ.REPORT.TXT
=====================================================================
TIME: 1970-03-09.14:32:13
=====================================================================
ORIG_FNAME: 0dd97cab0b7a4afb043fd78209493e77.dex
FUZZ_FNAME: .honggfuzz.20685.5841132.2c4eb83f6ed28c1.fuzz
PID: 20693
SIGNAL: SIGSEGV (11)
FAULT ADDRESS: 0x2b2a80e0
INSTRUCTION: ldr.w_r5,_[ip,_r1,_lsl_#2]
STACK:
<0xb6d66ca2> [_ZN3art13TypeInference25UpdateSRegFromLowWordTypeEiNS0_4TypeE + 0xd]
<0xb6d65f53> [_ZN3art13TypeInference15InitializeSRegsEv + 0x98a]
<0xb6d6517f> [_ZN3art13TypeInferenceC1EPNS_8MIRGraphEPNS_20ScopedArenaAllocatorE + 0x10a]
<0xb6def521> [_ZN3art8MIRGraph15InferTypesStartEv + 0x2c]
<0xb6db3ef5> [_ZN3art13QuickCompiler6CreateEPNS_14CompilerDriverE + 0x7c]
<0xb6dea319> [_ZTv0_n12_NSt3__113basic_istreamIcNS_11char_traitsIcEEED0Ev + 0x488]
<0xb6de9d1f> [_ZN3art8MIRGraph30CalculateBasicBlockInformationEPKNS_11PassManagerE + 0x92]
<0xb6dea319> [_ZTv0_n12_NSt3__113basic_istreamIcNS_11char_traitsIcEEED0Ev + 0x488]
<0xb6db32e5> [_ZNK3art13QuickCompiler7CompileEPKNS_7DexFile8CodeItemEjNS_10InvokeTypeEtjP8_jobjectRKS1_ + 0x5ec]
<0xb6e8a191> [_ZNK3art18OptimizingCompiler7CompileEPKNS_7DexFile8CodeItemEjNS_10InvokeTypeEtjP8_jobjectRKS1_ + 0xc8]
<0xb6dfadcf> [_ZN3art14CompilerDriver13CompileMethodEPNS_6ThreadEPKNS_7DexFile8CodeItemEjNS_10InvokeTypeEtjP8_jobjectRKS3_NS_24DexToDexCompilationLevelEb + 0x92]
<0xb6e06029> [_ZNSt3__112__hash_tableIPN3art6mirror6ObjectENS_4hashIS4_EENS_8equal_toIS4_EENS_9allocatorIS4_EEE8__rehashEj + 0x34f0]
<0xb6e034fb> [_ZNSt3__112__hash_tableIPN3art6mirror6ObjectENS_4hashIS4_EENS_8equal_toIS4_EENS_9allocatorIS4_EEE8__rehashEj + 0x9c2]
<0xb6b52565> [_ZN3art16ThreadPoolWorker3RunEv + 0x3c]
<0xb6b523b5> [_ZN3art16ThreadPoolWorker8CallbackEPv + 0x3c]
<0xb67aef37> [_ZL15__pthread_startPv + 0x22]
<0xb6780b2f> [__start_thread + 0xa]
=====================================================================
root@shamu:/data/local/tmp #
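The relative-PC item from the ToDo list, worked through against the report above. This is an added example, not code from the gist or from honggfuzz: it takes the crash file name printed in the run (the real value) and a constructed /proc/<pid>/maps excerpt (the addresses are an assumption, chosen so that the PC falls in libart.so's text segment and the fault address lands just past an anonymous heap arena; the real layout on the device is not in the report), then resolves the absolute PC to module + offset from the module's load base, which is the value that stays stable across ASLR'd runs and is therefore usable for crash dedup. CODE.1 together with SIGSEGV is si_code SEGV_MAPERR (address not mapped), which the constructed maps reflect: the fault address resolves to nothing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Crash file name exactly as honggfuzz wrote it in the run above. */
static const char *SAMPLE_NAME =
    "SIGSEGV.PC.b6d66ca2.CODE.1.ADDR.0x2b2a80e0.INSTR.ldr.w_r5,_[ip,_r1,_lsl_#2]"
    ".0dd97cab0b7a4afb043fd78209493e77.dex.fuzz";

/* CONSTRUCTED /proc/<pid>/maps excerpt (assumed layout, see lead-in). */
static const char *SAMPLE_MAPS =
    "2b200000-2b2a8000 rw-p 00000000 00:00 0          [anon:libc_malloc]\n"
    "b6d00000-b6d01000 r--p 00000000 b3:19 1234       /system/lib/libart.so\n"
    "b6d01000-b6f00000 r-xp 00001000 b3:19 1234       /system/lib/libart.so\n"
    "b6f00000-b6f10000 rw-p 00200000 b3:19 1234       /system/lib/libart.so\n";

typedef struct {
    uint64_t start, end, offset;
    char perms[5];
    char path[256];
} map_entry_t;

/* Pull PC, si_code and fault address out of the crash file name. */
static bool parse_crash_name(const char *name, uint64_t *pc, int *code, uint64_t *addr)
{
    const char *p;
    if (!(p = strstr(name, ".PC."))) return false;
    *pc = strtoull(p + 4, NULL, 16);        /* accepts both "b6d66ca2" and "0x2b2a80e0" */
    if (!(p = strstr(name, ".CODE."))) return false;
    *code = (int)strtol(p + 6, NULL, 10);   /* for SIGSEGV, 1 == SEGV_MAPERR */
    if (!(p = strstr(name, ".ADDR."))) return false;
    *addr = strtoull(p + 6, NULL, 16);
    return true;
}

/* Parse one maps line; the path column is optional (anonymous mappings). */
static bool parse_maps_line(const char *line, map_entry_t *e)
{
    unsigned long long s = 0, en = 0, off = 0;
    char perms[5] = {0}, path[256] = {0};
    int n = sscanf(line, "%llx-%llx %4s %llx %*s %*s %255s", &s, &en, perms, &off, path);
    if (n < 4 || en <= s) return false;
    e->start = s; e->end = en; e->offset = off;
    memcpy(e->perms, perms, sizeof(e->perms));
    memcpy(e->path, path, sizeof(e->path));
    return true;
}

/* Split a maps buffer into lines and parse each; returns the entry count. */
static size_t parse_maps_text(const char *text, map_entry_t *out, size_t max)
{
    size_t n = 0;
    while (*text && n < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[512];
        if (len >= sizeof(line)) len = sizeof(line) - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        if (parse_maps_line(line, &out[n])) n++;
        text = nl ? nl + 1 : text + len;
    }
    return n;
}

/* Map an absolute address to (module, address - module load base). The load
 * base is the lowest start of any mapping backed by the same file, which is
 * what keeps the value identical across ASLR'd runs. Returns false if unmapped. */
static bool resolve_pc(const map_entry_t *maps, size_t n, uint64_t pc,
                       char *module, size_t module_len, uint64_t *rel)
{
    const map_entry_t *hit = NULL;
    for (size_t i = 0; i < n; i++)
        if (pc >= maps[i].start && pc < maps[i].end) { hit = &maps[i]; break; }
    if (!hit) return false;

    uint64_t base = hit->start;
    if (hit->path[0] == '/')
        for (size_t i = 0; i < n; i++)
            if (strcmp(maps[i].path, hit->path) == 0 && maps[i].start < base)
                base = maps[i].start;

    snprintf(module, module_len, "%s", hit->path[0] ? hit->path : "[anon]");
    *rel = pc - base;
    return true;
}

int main(void)
{
    map_entry_t maps[16];
    size_t n = parse_maps_text(SAMPLE_MAPS, maps, 16);
    uint64_t pc, addr, rel = 0; int code; char mod[256];

    if (!parse_crash_name(SAMPLE_NAME, &pc, &code, &addr)) return 1;
    if (resolve_pc(maps, n, pc, mod, sizeof(mod), &rel))
        printf("PC   0x%llx -> %s+0x%llx\n", (unsigned long long)pc, mod, (unsigned long long)rel);
    if (!resolve_pc(maps, n, addr, mod, sizeof(mod), &rel))
        printf("ADDR 0x%llx is unmapped (si_code %d, consistent with SEGV_MAPERR)\n",
               (unsigned long long)addr, code);
    return 0;
}
```

Reading /proc/<pid>/maps of the fuzzed process is the technique used here; the gist's ToDo proposes walking link_map instead, which avoids the /proc read but gives the same load base for a shared object. Whichever is used, dedup keys should be built from module + relative offset, not from the absolute PC in the SIGSEGV.PC.* file name, since that value changes every run under ASLR.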
@robertswiecki
Really awesome work! Thanks for working on this.
