arch_prepareParentAfterFork():213 Couldn't attach to pid=17670


chen chen

Jun 2, 2020, 10:44:09 AM
to honggfuzz
I put fuzzhello.c in AOSP and compiled it, but I got the error below when running it on Android. Can anyone help me?

honggfuzz -f in/ -P -- /data/fuzz/arm64/fuzzhello/fuzzhello


cmdline:'/data/fuzz/arm64/fuzzhello/fuzzhello', bin:'/data/fuzz/arm64/fuzzhello/fuzzhello' inputDir:'in/', fuzzStdin:false, mutationsPerRun:6, externalCommand:'', timeout:10, mutationsMax:0, threadsMax:4




------------------------[  0 days 00 hrs 00 mins 00 secs ]----------------------
 Iterations : 4
 Mode [2/3] : Switching to the Feedback Driven Mode
     Target : /data/fuzz/arm64/fuzzhello/fuzzhello
    Threads : 4, CPUs: 8, CPU%: 0% [0%/CPU]
      Speed : 0/sec [avg: 0]
    Crashes : 0 [unique: 0, blacklist: 0, verified: 0]
   Timeouts : 0 [10 sec]
Corpus Size : 0, max: 8192 bytes, init: 1 files
 Cov Update : 0 days 00 hrs 00 mins 00 secs ago
   Coverage : edge: 0 pc: 0 cmp: 0
---------------------------------- [ LOGS ] ------------------/ honggfuzz 1.9 /-


[2020-06-02T22:35:45+0800][W][17664] arch_archInit():321 Unknown libc implementation. Using clone() instead of fork()
Entering phase 1/3: Dry Run
Launched new fuzzing thread, no. #0
Launched new fuzzing thread, no. #1
Entering phase 2/3: Switching to Dynamic Main (Feedback Driven Mode)
Launched new fuzzing thread, no. #2
==17670==WARNING: HWASan is ignoring requested __hwasan_handle_longjmp: stack top: 0xb900005657df38d0; target 0x007e57a4f740; distance: 0x47000027ffc5be70 (370840195268)
False positive error reports may follow

Launched new fuzzing thread, no. #3
[2020-06-02T22:35:45+0800][W][17665] arch_traceWaitForPidStop():1301 PID 17670 not in a stopped state - status:11
[2020-06-02T22:35:45+0800][W][17665] arch_attachToNewPid():183 arch_traceAttach(pid=17670) failed
[2020-06-02T22:35:45+0800][F][17665] arch_prepareParentAfterFork():213 Couldn't attach to pid=17670

fuzzhello.c
// Copyright 2016 Google Inc. All Rights Reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <string.h>
#include <inttypes.h>

// Persistent-mode entry point provided by libhfuzz: each call hands back
// the next mutated input (buf/len) from honggfuzz. The declaration needs
// an explicit return type; implicit int is rejected by current clang.
extern void HF_ITER(uint8_t** buf, size_t* len);

// Toy target: four nested byte checks leading to abort(), so a
// coverage-guided fuzzer can discover "foo!" one byte at a time.
void test(char* buf) {
    if (buf[0] == 'f') {
        printf("one\n");
        if (buf[1] == 'o') {
            printf("two\n");
            if (buf[2] == 'o') {
                printf("three\n");
                if (buf[3] == '!') {
                    printf("four\n");
                    abort();
                }
            }
        }
    }
}

int main(void) {
    for (;;) {
        size_t len;
        uint8_t* buf;

        HF_ITER(&buf, &len);
        // libhfuzz supplies uint8_t*; cast rather than rely on -Wno-int-conversion.
        test((char*)buf);
    }
    return 0;
}




chen chen

Jun 2, 2020, 10:48:29 AM
to honggfuzz
[ro.build.fingerprint]: [Android/aosp_flame/flame:S/AOSP.MASTER/eng.xxxx.20200528.212025:userdebug/test-keys

Robert Święcki

Jun 2, 2020, 11:30:36 AM
to chen chen, honggfuzz
It seems to crash just after fork and before execve(). Can you try without HWASAN (I assume there's some compilation option disabling that, like -fno-sanitize=hardware or somesuch)? I never played with fuzzing under Android, so it's just a guess. Once it works, you might try various sanitization options, like asan or hwsan.

--
You received this message because you are subscribed to the Google Groups "honggfuzz" group.
To unsubscribe from this group and stop receiving emails from it, send an email to honggfuzz+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/honggfuzz/4dae0af0-3038-44eb-a46e-5af950b25903%40googlegroups.com.


--
Robert Święcki

chen chen

Jun 3, 2020, 4:46:17 AM
to honggfuzz
Thanks, it works after I compiled honggfuzz without hwaddress.
But it can't find any bugs. The coverage always shows "edge: 0 pc: 0". What's the reason?
My fuzzhello Android.bp is:
cc_fuzz {
  name: "fuzzhello",
  srcs: [
    "fuzzhello.c",
  ],
  cflags: [
    "-Wno-error",
    "-Wno-int-conversion",
  ],
  shared_libs: ["honggfuzz_libhfuzz"],
}


The honggfuzz output:

flame:/data/fuzz/arm64/fuzzhello # honggfuzz -f in/ -W out -s -- ./fuzzhello
cmdline:'./fuzzhello', bin:'./fuzzhello' inputDir:'in/', fuzzStdin:true, mutationsPerRun:6, externalCommand:'', timeout:10, mutationsMax:0, threadsMax:4



------------------------[  0 days 00 hrs 06 mins 58 secs ]----------------------
  Iterations : 149976 [149.98k]
  Mode [3/3] : Feedback Driven Mode
      Target : ./fuzzhello
     Threads : 4, CPUs: 8, CPU%: 564% [70%/CPU]
       Speed : 285/sec [avg: 358]
     Crashes : 0 [unique: 0, blacklist: 0, verified: 0]
    Timeouts : 0 [10 sec]
 Corpus Size : 820, max: 8192 bytes, init: 920 files
  Cov Update : 0 days 00 hrs 06 mins 22 secs ago
    Coverage : edge: 0 pc: 0 cmp: 3280
---------------------------------- [ LOGS ] ------------------/ honggfuzz 1.9 /-
Size:2 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/4, Tot:0/0/0/0/0/3248
Size:4 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/4, Tot:0/0/0/0/0/3252
Size:4 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/4, Tot:0/0/0/0/0/3256
Size:7 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/4, Tot:0/0/0/0/0/3260
Size:2 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/4, Tot:0/0/0/0/0/3264
Size:4 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/4, Tot:0/0/0/0/0/3268
Size:5 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/4, Tot:0/0/0/0/0/3272
Size:3 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/4, Tot:0/0/0/0/0/3276
Size:3 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/4, Tot:0/0/0/0/0/3280


Thanks

Robert Święcki

Jun 3, 2020, 10:23:36 AM
to chen chen, honggfuzz
The coverage feedback is added by 

-fsanitize-coverage=trace-pc-guard

Please try to add this flag to copts/ldopts.

Though I didn't previously fuzz Android apps; it was others who implemented it for Android, so maybe there are better ways to do that.



--
Robert Święcki

Robert Święcki

Jun 3, 2020, 10:25:28 AM
to chen chen, honggfuzz
Well, the full set of flags can be found here:


So, essentially:

-fno-sanitize=fuzzer -fno-sanitize=fuzzer-no-link -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div,indirect-calls

You can skip

-fno-sanitize=fuzzer -fno-sanitize=fuzzer-no-link

if they're not recognized by the compiler, as these were added only in some newer clang/llvm versions.
--
Robert Święcki
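A corrected Android.bp for the fuzzhello module that combines the two fixes discussed in this thread (the HWASan attach failure and the missing coverage instrumentation), shown as an added example rather than a file from the original posts or the honggfuzz project. The flag list is the one given above; the `sanitize` block and its `hwaddress` key are an assumption about Soong's cc module properties.

```bp
// Android.bp for the fuzzhello target, with honggfuzz coverage feedback.
// The module as originally posted had no -fsanitize-coverage flags, so the
// binary carried no instrumentation and honggfuzz reported "edge: 0 pc: 0".
cc_fuzz {
    name: "fuzzhello",
    srcs: ["fuzzhello.c"],

    // Assumption: Soong's per-module sanitize block. HWASan is turned off
    // because the first post shows it breaking honggfuzz's ptrace attach
    // right after fork() (arch_traceAttach failed).
    sanitize: {
        hwaddress: false,
    },

    cflags: [
        "-Wno-error",
        "-Wno-int-conversion",
        // Instrumentation consumed by libhfuzz: edge/pc counters, cmp and
        // div operands, indirect-call targets.
        "-fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div,indirect-calls",
        // Drop these two if the toolchain's clang does not recognize them.
        "-fno-sanitize=fuzzer",
        "-fno-sanitize=fuzzer-no-link",
    ],

    shared_libs: ["honggfuzz_libhfuzz"],
}
```

After rebuilding, rerun `honggfuzz -f in/ -s -- ./fuzzhello`; the Coverage line should show non-zero edge and pc counts once the instrumentation is present, and the per-input log lines should report non-zero edge/ip values instead of only cmp.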