Running ASAN on Android O

art...@samsung.com

Oct 10, 2017, 8:59:18 AM
to address-sanitizer
Hello,

I'm trying to run an ASAN application on Android O and the application crashes with the following stack trace:

10-10 14:10:34.490 15270 15270 F DEBUG   :     #00 pc 000000000006af38  /system/lib64/libc.so (tgkill+8)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #01 pc 000000000001e050  /system/lib64/libc.so (abort+88)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #02 pc 000000000008ce88  /system/lib64/libclang_rt.asan-aarch64-android.so (_ZN11__sanitizer5AbortEv+60)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #03 pc 0000000000092d40  /system/lib64/libclang_rt.asan-aarch64-android.so (_ZN11__sanitizer3DieEv+152)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #04 pc 000000000007e26c  /system/lib64/libclang_rt.asan-aarch64-android.so (_ZN6__asanL15AsanCheckFailedEPKciS1_yy+284)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #05 pc 0000000000092dc4  /system/lib64/libclang_rt.asan-aarch64-android.so (_ZN11__sanitizer11CheckFailedEPKciS1_yy+116)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #06 pc 000000000006e06c  /system/lib64/libclang_rt.asan-aarch64-android.so (_ZL28InitializeCommonInterceptorsv+15476)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #07 pc 0000000000069c70  /system/lib64/libclang_rt.asan-aarch64-android.so (_ZN6__asan26InitializeAsanInterceptorsEv+36)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #08 pc 000000000007d8cc  /system/lib64/libclang_rt.asan-aarch64-android.so (_ZN6__asanL16AsanInitInternalEv+348)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #09 pc 00000000000e0f3c  /system/lib64/asan/libart.so (asan.module_ctor+4)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #10 pc 000000000001f4b8  /system/bin/linker64 (__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_+276)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #11 pc 000000000001f6e8  /system/bin/linker64 (__dl__ZN6soinfo17call_constructorsEv+396)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #12 pc 000000000000c0cc  /system/bin/linker64 (__dl__Z9do_dlopenPKciPK17android_dlextinfoPKv+1460)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #13 pc 0000000000008f84  /system/bin/linker64 (__dl__Z8__dlopenPKciPKv+68)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #14 pc 00000000000010cc  /system/lib64/libdl.so (dlopen+12)
10-10 14:10:34.491 15270 15270 F DEBUG   :     #15 pc 0000000000004d68  /system/lib64/libnativehelper.so (_ZN13JniInvocation4InitEPKc+136)
10-10 14:10:34.491 15270 15270 F DEBUG   :     #16 pc 00000000000fbc08  /system/lib64/libandroid_runtime.so (_ZN7android14AndroidRuntime5startEPKcRKNS_6VectorINS_7String8EEEb+360)
10-10 14:10:34.491 15270 15270 F DEBUG   :     #17 pc 00000000000025c0  /system/bin/asan/app_process64 (main+1624)
10-10 14:10:34.491 15270 15270 F DEBUG   :     #18 pc 000000000001bab0  /system/lib64/libc.so (__libc_init+88)
10-10 14:10:34.491 15270 15270 F DEBUG   :     #19 pc 0000000000001ec8  /system/bin/asan/app_process64 (do_arm64_start+80)


I know that CHECK(REAL(memcpy)) in the function InitializeAsanInterceptors fails because REAL(memcpy) returns 0.
As I understand it, this macro expands to __interception::real_memcpy. I see that this variable is in the bss segment of the libclang_rt.asan-aarch64-android.so library,
and I can't find who assigns the address of the original memcpy function to it.

Could you point me to the right code or explain how it should work?
Maybe this is an already known issue and a patch already exists?


Thank you

art...@samsung.com

Oct 10, 2017, 10:16:16 AM
to address-sanitizer
I found that GetRealFunctionAddress returns 0 for all intercepted libc functions.
Probably the problem is in bionic.

art...@samsung.com

Oct 10, 2017, 11:07:10 AM
to address-sanitizer
Who should load libclang_rt.asan-aarch64-android.so? A sanitized executable or a sanitized library?

I have two binaries compiled with asan: /system/bin/asan/app_process64 and /system/lib64/asan/libart.so.
In my case libclang_rt.asan-aarch64-android.so is loaded by libart.so. And there is no libc.so in the soinfo_list after libart.so.
Maybe app_process64 should load libclang_rt.asan-aarch64-android.so?

Francis Ricci

Oct 10, 2017, 11:33:07 AM
to address-sanitizer
You should use LD_PRELOAD to load the ASan dso, or interception (and
memory mapping) won't be set up properly.

art...@samsung.com

Oct 10, 2017, 11:44:10 AM
to address-sanitizer
I'm sorry, I forgot to add LOCAL_SANITIZE := address to Android.mk for app_process.
So the binary /system/bin/asan/app_process64 was not sanitized.

Now all works fine.
Thank you
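
An added triage sketch (not part of the original thread, and not code from the ASan project): it parses tombstone frames in the format posted above and reports which module's asan.module_ctor triggered the failed runtime initialization, and whether that happened under dlopen, as it did here when libart.so initialized ASan because app_process64 was not sanitized. The names parse_frames and diagnose are hypothetical; the sample frames are excerpted from the trace in the first post.

```python
import re

# Frames excerpted from the tombstone in the first post of this thread.
SAMPLE = """\
10-10 14:10:34.490 15270 15270 F DEBUG   :     #05 pc 0000000000092dc4  /system/lib64/libclang_rt.asan-aarch64-android.so (_ZN11__sanitizer11CheckFailedEPKciS1_yy+116)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #06 pc 000000000006e06c  /system/lib64/libclang_rt.asan-aarch64-android.so (_ZL28InitializeCommonInterceptorsv+15476)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #09 pc 00000000000e0f3c  /system/lib64/asan/libart.so (asan.module_ctor+4)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #12 pc 000000000000c0cc  /system/bin/linker64 (__dl__Z9do_dlopenPKciPK17android_dlextinfoPKv+1460)
10-10 14:10:34.490 15270 15270 F DEBUG   :     #14 pc 00000000000010cc  /system/lib64/libdl.so (dlopen+12)
10-10 14:10:34.491 15270 15270 F DEBUG   :     #17 pc 00000000000025c0  /system/bin/asan/app_process64 (main+1624)
"""

# Tombstone frame: "#NN pc <hex address> <module path> (<symbol>+<offset>)"
FRAME = re.compile(
    r"#(?P<idx>\d+)\s+pc\s+(?P<pc>[0-9a-f]+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<symbol>[^+)]+)(?:\+(?P<off>\d+))?\))?"
)

def parse_frames(text):
    """Extract backtrace frames from logcat 'F DEBUG' lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME.search(line)
        if m:
            frames.append({"idx": int(m["idx"]), "pc": int(m["pc"], 16),
                           "module": m["module"], "symbol": m["symbol"] or ""})
    return frames

def diagnose(frames):
    """Return (module, via_dlopen) for a failed ASan runtime init, else None."""
    check = next((f for f in frames
                  if "CheckFailed" in f["symbol"] and "asan" in f["module"]), None)
    ctor = next((f for f in frames if f["symbol"] == "asan.module_ctor"), None)
    # The CHECK must have fired inside (at a lower frame index than) the constructor.
    if check is None or ctor is None or ctor["idx"] < check["idx"]:
        return None
    # Outer frames (higher index) show what caused the constructor to run.
    via_dlopen = any("dlopen" in f["symbol"] for f in frames if f["idx"] > ctor["idx"])
    return ctor["module"], via_dlopen

if __name__ == "__main__":
    result = diagnose(parse_frames(SAMPLE))
    if result:
        module, via_dlopen = result
        print(f"ASan init CHECK failed in module_ctor of {module}; under dlopen: {via_dlopen}")
        print("Verify the main executable is sanitized or the runtime is preloaded.")
```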

ANUPAM ANURAG

Feb 9, 2023, 2:22:13 PM
to address-sanitizer

Hi All,

Could you please guide me on how to implement ASAN on Android AOSP (any Android version) and get reports like the ones you got above in your compilation?

If I can implement it in the packages/apps folder, that would also be fine. Anywhere in the AOSP folder is fine, if I can implement it and get a sanitization report.

Thanks and regards,
Anupam Anurag.