
android fuzzing with no luck


Dominik Kwiatkowski

Dec 7, 2020, 2:16:03 PM
to libfuzzer
I tried fuzzing on Android according to the instructions at https://source.android.com/devices/tech/debug/libfuzzer
Unfortunately, after running the file, the fuzzer only processes iteration after iteration, and nothing happens ... without any effect:

$ ./fuzz_me_fuzzer 
INFO: Seed: 3547023876
INFO: Loaded 2 modules   (17709 inline 8-bit counters): 17702 [0x7fc322ca33f0, 0x7fc322ca7916), 7 [0x55ea99033908, 0x55ea9903390f), 
INFO: Loaded 2 PC tables (17709 PCs): 17702 [0x7fc322ca7918,0x7fc322cecb78), 7 [0x55ea99033910,0x55ea99033980), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 1 ft: 1 corp: 1/1b exec/s: 0 rss: 28Mb
#524288 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 174762 rss: 405Mb
#1048576 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 209715 rss: 592Mb
#2097152 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 190650 rss: 592Mb
#4194304 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 182361 rss: 592Mb
#8388608 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 178481 rss: 592Mb
#16777216 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 178481 rss: 592Mb
#33554432 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 178481 rss: 592Mb
#67108864 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 177536 rss: 592Mb
^C==108679== libFuzzer: run interrupted; exiting

However, after simply compiling the same code in clang under Linux, everything works great:

$ ./a.out 
INFO: Seed: 4200740109
INFO: Loaded 1 modules   (7 inline 8-bit counters): 7 [0x7a6e80, 0x7a6e87), 
INFO: Loaded 1 PC tables (7 PCs): 7 [0x56f7c0,0x56f830), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 27Mb
#7 NEW    cov: 4 ft: 5 corp: 2/5b lim: 4 exec/s: 0 rss: 27Mb L: 4/4 MS: 5 InsertByte-ShuffleBytes-EraseBytes-CopyPart-CrossOver-
#27 REDUCE cov: 4 ft: 5 corp: 2/4b lim: 4 exec/s: 0 rss: 27Mb L: 3/3 MS: 5 CMP-ChangeByte-EraseBytes-ChangeBit-CopyPart- DE: "\xff\xff\xff\xff"-
#1655 REDUCE cov: 5 ft: 6 corp: 3/8b lim: 17 exec/s: 0 rss: 27Mb L: 4/4 MS: 3 InsertByte-PersAutoDict-CMP- DE: "\xff\xff\xff\xff"-"F\x00"-
#1694 REDUCE cov: 5 ft: 6 corp: 3/7b lim: 17 exec/s: 0 rss: 27Mb L: 3/3 MS: 4 ChangeByte-InsertByte-EraseBytes-EraseBytes-
#5396 REDUCE cov: 6 ft: 7 corp: 4/10b lim: 53 exec/s: 0 rss: 27Mb L: 3/3 MS: 2 EraseBytes-InsertByte-
#9008 NEW    cov: 7 ft: 8 corp: 5/14b lim: 86 exec/s: 0 rss: 28Mb L: 4/4 MS: 2 InsertByte-ChangeByte-
=================================================================
==108724==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000033453 at pc 0x000000551313 bp 0x7ffdb0c47400 sp 0x7ffdb0c473f8
READ of size 1 at 0x602000033453 thread T0
    #0 0x551312 in FuzzMe(unsigned char const*, unsigned long) /home/destrudo/Desktop/fuzzing/fuzzing/tutorial/libFuzzer/fuzz_me.cc:9:7
    #1 0x5513b4 in LLVMFuzzerTestOneInput /home/destrudo/Desktop/fuzzing/fuzzing/tutorial/libFuzzer/fuzz_me.cc:13:3
    #2 0x459411 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:553:15
    #3 0x458c55 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:469:3
    #4 0x45aef7 in fuzzer::Fuzzer::MutateAndTestOne() /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:695:19
    #5 0x45bc15 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:831:5
    #6 0x4499d8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:825:6
    #7 0x472e42 in main /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #8 0x7f570ea64bf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41db69 in _start (/home/destrudo/Desktop/fuzzing/a.out+0x41db69)

0x602000033453 is located 0 bytes to the right of 3-byte region [0x602000033450,0x602000033453)
allocated by thread T0 here:
    #0 0x51f08d in malloc /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x432247 in operator new(unsigned long) (/home/destrudo/Desktop/fuzzing/a.out+0x432247)
    #2 0x458c55 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:469:3
    #3 0x45aef7 in fuzzer::Fuzzer::MutateAndTestOne() /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:695:19
    #4 0x45bc15 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:831:5
    #5 0x4499d8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:825:6
    #6 0x472e42 in main /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #7 0x7f570ea64bf6 in __libc_start_main /build/glibc-S7xCS9/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/destrudo/Desktop/fuzzing/fuzzing/tutorial/libFuzzer/fuzz_me.cc:9:7 in FuzzMe(unsigned char const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c047fffe630: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fffe640: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffe650: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffe660: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fffe670: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fffe680: fa fa fd fd fa fa fd fd fa fa[03]fa fa fa fa fa
  0x0c047fffe690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffe6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffe6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffe6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffe6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==108724==ABORTING
MS: 1 EraseBytes-; base unit: b12a5fb022bfa156688cbf4bd378a79199838125
0x46,0x55,0x5a,
FUZ
artifact_prefix='./'; Test unit written to ./crash-0eb8e4ed029b774d80f2b66408203801cb982a60
Base64: RlVa

I will be grateful for any help and suggestions.

Regards,
Dominik

mit...@google.com

Dec 9, 2020, 7:33:01 PM
to libfuzzer
Hi Dominik,

Looks like something has gone wrong with your sancov instrumentation somewhere.

To help me diagnose, could you please provide me the following info?
  1. A copy of the shell commands issued to build the fuzz and run the fuzz target.
  2. What is the result of `SANITIZE_TARGET=address make example_fuzzer && $ANDROID_HOST_OUT/fuzz/x86_64/example_fuzzer/example_fuzzer`?
  3. What's the result of `cd prebuilts/clang/host/linux-x86 && git log -n1`?
Thanks,
Mitch.

Dominik Kwiatkowski

Dec 10, 2020, 11:48:03 AM
to libfuzzer
Ok, so let's go:
1) Shell commands that lead me to the failure? Here they are:
repo init -u https://android.googlesource.com/platform/manifest -b android-11.0.0_r17
repo sync -j8
wget <google-device-here>.tar.gz
tar xvf <google-device-here>.tar.gz
./extract-google_devices-walleye.sh
wget <qualcom-device-here>.tar.gz
tar xvf <qualcom-device-here>.tar.gz
./extract-qcom-walleye.sh
. build/envsetup.sh
lunch aosp_walleye-eng

SANITIZE_TARGET=hwaddress m fuzz_me_fuzzer 
adb root
adb sync data
adb shell /data/fuzz/arm64/fuzz_me_fuzzer/fuzz_me_fuzzer 

2) `SANITIZE_TARGET=address make example_fuzzer && $ANDROID_HOST_OUT/fuzz/x86_64/example_fuzzer/example_fuzzer` command result? Of course:
06:24:18 ************************************************************
06:24:18 You are building on a machine with 15.6GB of RAM
06:24:18 
06:24:18 The minimum required amount of free memory is around 16GB,
06:24:18 and even with that, some configurations may not work.
06:24:18 
06:24:18 If you run into segfaults or other errors, try reducing your
06:24:18 -j value.
06:24:18 ************************************************************
============================================
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=11
TARGET_PRODUCT=aosp_walleye
TARGET_BUILD_VARIANT=eng
TARGET_BUILD_TYPE=release
TARGET_ARCH=arm64
TARGET_ARCH_VARIANT=armv8-a
TARGET_CPU_VARIANT=cortex-a73
TARGET_2ND_ARCH=arm
TARGET_2ND_ARCH_VARIANT=armv8-a
TARGET_2ND_CPU_VARIANT=cortex-a73
HOST_ARCH=x86_64
HOST_2ND_ARCH=x86
HOST_OS=linux
HOST_OS_EXTRA=Linux-5.4.0-56-generic-x86_64-Ubuntu-18.04.5-LTS
HOST_CROSS_OS=windows
HOST_CROSS_ARCH=x86
HOST_CROSS_2ND_ARCH=x86_64
HOST_BUILD_TYPE=release
BUILD_ID=RP1A.201105.002
OUT_DIR=out
PRODUCT_SOONG_NAMESPACES=device/google/muskie device/google/wahoo vendor/google/camera hardware/google/camera hardware/google/pixel hardware/qcom/msm8998 vendor/qcom/walleye/proprietary
============================================
out/soong/make_vars-aosp_walleye.mk was modified, regenerating...
out/soong/Android-aosp_walleye.mk was modified, regenerating...
[ 53% 116/217] including hardware/qcom/camera/Android.mk ...
hardware/qcom/camera/msm8998/QCamera2/Android.mk: warning: camera.msm8998: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/camera/msm8998/QCamera2/stack/mm-camera-interface/Android.mk: warning: libmmcamera_interface: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
[ 54% 118/217] including hardware/qcom/display/Android.mk ...
hardware/qcom/display/msm8998/include/Android.mk:9: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/libqservice/../common.mk: warning: libqservice: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/display/msm8998/libqdutils/../common.mk: warning: libqdutils: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/display/msm8998/libqdutils/../common.mk: warning: libqdMetaData: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/display/msm8998/sdm/libs/utils/Android.mk:33: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/sdm/libs/core/Android.mk:75: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/sdm/libs/core/Android.mk:88: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/libcopybit/Android.mk:23: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/gpu_tonemapper/Android.mk:9: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/libdrmutils/Android.mk: warning: libdrmutils: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/display/msm8998/libgralloc1/../common.mk: warning: gralloc.msm8998: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
[ 54% 119/217] including hardware/qcom/gps/Android.mk ...
hardware/qcom/gps/msm8998/core/Android.mk: warning: libloc_core: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/gps/msm8998/location/Android.mk: warning: liblocation_api: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/gps/msm8998/utils/Android.mk: warning: libgps.utils: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/gps/msm8998/utils/platform_lib_abstractions/loc_pla/src/Android.mk: warning: libloc_pla: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/gps/msm8998/utils/platform_lib_abstractions/loc_stub/src/Android.mk: warning: libloc_stub: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
[ 55% 121/217] including hardware/qcom/media/Android.mk ...
hardware/qcom/media/msm8998/mm-core/Android.mk: warning: libOmxCore: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/media/msm8998/libstagefrighthw/Android.mk: warning: libstagefrighthw: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
hardware/qcom/media/msm8998/mm-video-v4l2/vidc/venc/Android.mk:60: warning: "venc: PQ compiled out"
[ 56% 123/218] including hardware/qcom/msm8998/json-c/Android.mk ...
hardware/qcom/msm8998/json-c/Android.mk: warning: libjson: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers 
[ 56% 124/219] including hardware/qcom/msm8998/thermal-engine/Android.mk ...
hardware/qcom/msm8998/thermal-engine/Android.mk:25: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
[ 56% 125/220] including hardware/qcom/msm8998/time-services/Android.mk ...
hardware/qcom/msm8998/time-services/Android.mk:14: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
[100% 220/220] writing build rules ...
build/make/core/Makefile:49: warning: overriding commands for target `out/target/product/walleye/vendor/etc/IPACM_cfg.xml'
build/make/core/base_rules.mk:492: warning: ignoring old commands for target `out/target/product/walleye/vendor/etc/IPACM_cfg.xml'
build/make/core/Makefile:49: warning: overriding commands for target `out/target/product/walleye/vendor/etc/gps.conf'
build/make/core/base_rules.mk:492: warning: ignoring old commands for target `out/target/product/walleye/vendor/etc/gps.conf'
out/target/product/walleye/obj/CONFIG/kati_packaging/dist.mk was modified, regenerating...
[100% 378/378] Install: out/target/product/walleye/data/fuzz/arm64/example_fuzzer/example_fuzzer

#### build completed successfully (09:49 (mm:ss)) ####

bash: out/fuzz/x86_64/example_fuzzer/example_fuzzer: No such file or directory
3) `cd prebuilts/clang/host/linux-x86 && git log -n1`? There you have it:
commit 252aba16f513a857bc923172f67b0e55e23de35f (grafted, HEAD, tag: android-11.0.0_r17, tag: m/android-11.0.0_r17)
Author: android-build-team Robot <android-buil...@google.com>
Date:   Fri Jun 12 01:04:50 2020 +0000

    Snap for 6582636 from 431c74471920f3f9b0517692fb69515c023bde41 to rvc-release
    
    Change-Id: Iae87ffa204c2f308992ae73b21eafe76331fceb8

Thank you for any advice.

Stay safe,
Dominik

mit...@google.com

Dec 10, 2020, 2:57:50 PM
to libfuzzer
> bash: out/fuzz/x86_64/example_fuzzer/example_fuzzer: No such file or directory

This is extremely strange. Can you please try re-lunching (`source $ANDROID_BUILD_TOP/build/envsetup.sh && lunch aosp_walleye-userdebug`), and then pass me the result of `SANITIZE_TARGET=hwaddress SANITIZE_HOST=address make example_fuzzer && echo $ANDROID_BUILD_TOP $ANDROID_HOST_OUT && ls -l $ANDROID_HOST_OUT/fuzz/** && $ANDROID_HOST_OUT/fuzz/x86_64/example_fuzzer/example_fuzzer`

Part of the problem is definitely SANITIZE_TARGET=address rather than SANITIZE_HOST=address. The former asks ASan to be used for the binaries for your Android device, the latter asks for host executables to be built with ASan. Easy mistake to make, even I did just above :).

The thing that concerns me still is the repeated no-growth pulses (`#524288 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 174762 rss: 405Mb`). Let's sort out the build problems first though, and we'll see if that fixes up the issue :). If you could also attach the binary produced (in $ANDROID_HOST_OUT/fuzz/x86_64/example_fuzzer/example_fuzzer), that would be great.
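As an added illustration of the diagnostic Mitch describes above (this is not code from the thread, from libFuzzer or from the Android build system): a small Python triage helper that parses libFuzzer status lines and flags a run whose coverage never grows past INITED, which is the symptom of instrumentation not feeding the fuzzer. The sample logs are the status lines quoted earlier in this thread; the 1,000,000-execution threshold before calling a run "stalled" is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One libFuzzer status line, e.g.
#   #524288 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 174762 rss: 405Mb
STATUS_RE = re.compile(
    r"^#(?P<execs>\d+)\s+(?P<event>INITED|NEW|REDUCE|pulse|DONE)\s+"
    r"cov:\s*(?P<cov>\d+)\s+ft:\s*(?P<ft>\d+)\s+corp:\s*(?P<corp>\d+)/"
)
# Startup banner, e.g. "INFO: Loaded 2 modules   (17709 inline 8-bit counters): ..."
COUNTERS_RE = re.compile(
    r"^INFO: Loaded \d+ modules?\s+\((?P<n>\d+) inline 8-bit counters\)"
)


@dataclass
class Status:
    execs: int  # total executions so far (the "#N" prefix)
    event: str  # INITED / NEW / REDUCE / pulse / DONE
    cov: int    # coverage edges hit so far
    ft: int     # features hit so far
    corp: int   # corpus unit count


def parse_status_lines(log: str) -> List[Status]:
    """Extract every libFuzzer status line from a run log, in order."""
    out: List[Status] = []
    for line in log.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            out.append(Status(int(m["execs"]), m["event"], int(m["cov"]),
                              int(m["ft"]), int(m["corp"])))
    return out


def counters_loaded(log: str) -> Optional[int]:
    """Number of inline 8-bit counters libFuzzer reported at startup, if any."""
    for line in log.splitlines():
        m = COUNTERS_RE.match(line.strip())
        if m:
            return int(m["n"])
    return None


def diagnose(log: str, min_execs: int = 1_000_000) -> str:
    """Classify a run.

    'healthy'   - coverage grew past the INITED baseline at least once.
    'stalled'   - coverage never grew although >= min_execs inputs ran:
                  the target is executing but no edge counters move, so
                  the instrumentation is not reaching libFuzzer.
    'too-short' - no growth yet, but the run ended before min_execs.
    """
    statuses = parse_status_lines(log)
    if not statuses:
        return "no-status-lines"
    baseline = statuses[0].cov
    if any(s.cov > baseline for s in statuses[1:]):
        return "healthy"
    return "stalled" if statuses[-1].execs >= min_execs else "too-short"


# Sample logs: status lines quoted in this thread (Android build vs. host clang).
ANDROID_LOG = """\
INFO: Seed: 3547023876
INFO: Loaded 2 modules   (17709 inline 8-bit counters): 17702 [0x7fc322ca33f0, 0x7fc322ca7916), 7 [0x55ea99033908, 0x55ea9903390f),
#2 INITED cov: 1 ft: 1 corp: 1/1b exec/s: 0 rss: 28Mb
#524288 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 174762 rss: 405Mb
#1048576 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 209715 rss: 592Mb
#2097152 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 190650 rss: 592Mb
"""

HOST_LOG = """\
INFO: Loaded 1 modules   (7 inline 8-bit counters): 7 [0x7a6e80, 0x7a6e87),
#2 INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 27Mb
#7 NEW    cov: 4 ft: 5 corp: 2/5b lim: 4 exec/s: 0 rss: 27Mb L: 4/4 MS: 5 InsertByte-ShuffleBytes-EraseBytes-CopyPart-CrossOver-
#1655 REDUCE cov: 5 ft: 6 corp: 3/8b lim: 17 exec/s: 0 rss: 27Mb L: 4/4 MS: 3 InsertByte-PersAutoDict-CMP- DE: "\\xff\\xff\\xff\\xff"-"F\\x00"-
#9008 NEW    cov: 7 ft: 8 corp: 5/14b lim: 86 exec/s: 0 rss: 28Mb L: 4/4 MS: 2 InsertByte-ChangeByte-
"""

if __name__ == "__main__":
    for name, log in (("android", ANDROID_LOG), ("host", HOST_LOG)):
        print(f"{name}: counters={counters_loaded(log)} verdict={diagnose(log)}")
```

Run against a real log with `diagnose(open("fuzz.log").read())`; a "stalled" verdict with thousands of counters loaded, as in the Android run, is the pattern worth checking the build flags for before fuzzing longer.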

Dominik Kwiatkowski

Dec 14, 2020, 8:48:18 AM
to libfuzzer
Thank you for your help. I really, really appreciate that! So I re-ran the build environment with:
source $ANDROID_BUILD_TOP/build/envsetup.sh && lunch aosp_walleye-userdebug
and then:
SANITIZE_TARGET=hwaddress SANITIZE_HOST=address make example_fuzzer && echo $ANDROID_BUILD_TOP $ANDROID_HOST_OUT && ls -l $ANDROID_HOST_OUT/fuzz/** && $ANDROID_HOST_OUT/fuzz/x86_64/example_fuzzer/example_fuzzer
And here are the results:

18:26:15 ************************************************************
18:26:15 You are building on a machine with 15.6GB of RAM
18:26:15
18:26:15 The minimum required amount of free memory is around 16GB,
18:26:15 and even with that, some configurations may not work.
18:26:15
18:26:15 If you run into segfaults or other errors, try reducing your
18:26:15 -j value.
18:26:15 ************************************************************

============================================
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=11
TARGET_PRODUCT=aosp_walleye
TARGET_BUILD_VARIANT=eng
TARGET_BUILD_TYPE=release
TARGET_ARCH=arm64
TARGET_ARCH_VARIANT=armv8-a
TARGET_CPU_VARIANT=cortex-a73
TARGET_2ND_ARCH=arm
TARGET_2ND_ARCH_VARIANT=armv8-a
TARGET_2ND_CPU_VARIANT=cortex-a73
HOST_ARCH=x86_64
HOST_2ND_ARCH=x86
HOST_OS=linux
HOST_OS_EXTRA=Linux-5.4.0-56-generic-x86_64-Ubuntu-18.04.5-LTS
HOST_CROSS_OS=windows
HOST_CROSS_ARCH=x86
HOST_CROSS_2ND_ARCH=x86_64
HOST_BUILD_TYPE=release
BUILD_ID=RP1A.201105.002
OUT_DIR=out
PRODUCT_SOONG_NAMESPACES=device/google/muskie device/google/wahoo vendor/google/camera hardware/google/camera hardware/google/pixel hardware/qcom/msm8998
============================================
out/soong/make_vars-aosp_walleye.mk was modified, regenerating...
out/soong/Android-aosp_walleye.mk was modified, regenerating...
[ 99% 24159/24259] including hardware/qcom/camera/Android.mk ...

hardware/qcom/camera/msm8998/QCamera2/Android.mk: warning: camera.msm8998: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/camera/msm8998/QCamera2/stack/mm-camera-interface/Android.mk: warning: libmmcamera_interface: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
[ 99% 24161/24259] including hardware/qcom/display/Android.mk ...

hardware/qcom/display/msm8998/include/Android.mk:9: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/libqservice/../common.mk: warning: libqservice: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/display/msm8998/libqdutils/../common.mk: warning: libqdutils: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/display/msm8998/libqdutils/../common.mk: warning: libqdMetaData: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/display/msm8998/sdm/libs/utils/Android.mk:33: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/sdm/libs/core/Android.mk:75: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/sdm/libs/core/Android.mk:88: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/libcopybit/Android.mk:23: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/gpu_tonemapper/Android.mk:9: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
hardware/qcom/display/msm8998/libdrmutils/Android.mk: warning: libdrmutils: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/display/msm8998/libgralloc1/../common.mk: warning: gralloc.msm8998: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
[ 99% 24162/24259] including hardware/qcom/gps/Android.mk ...

hardware/qcom/gps/msm8998/core/Android.mk: warning: libloc_core: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/gps/msm8998/location/Android.mk: warning: liblocation_api: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/gps/msm8998/utils/Android.mk: warning: libgps.utils: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/gps/msm8998/utils/platform_lib_abstractions/loc_pla/src/Android.mk: warning: libloc_pla: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/gps/msm8998/utils/platform_lib_abstractions/loc_stub/src/Android.mk: warning: libloc_stub: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
[ 99% 24164/24259] including hardware/qcom/media/Android.mk ...

hardware/qcom/media/msm8998/mm-core/Android.mk: warning: libOmxCore: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/media/msm8998/libstagefrighthw/Android.mk: warning: libstagefrighthw: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
hardware/qcom/media/msm8998/mm-video-v4l2/vidc/venc/Android.mk:60: warning: "venc: PQ compiled out"
[ 99% 24166/24260] including hardware/qcom/msm8998/json-c/Android.mk ...

hardware/qcom/msm8998/json-c/Android.mk: warning: libjson: LOCAL_COPY_HEADERS is deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers
[ 99% 24167/24261] including hardware/qcom/msm8998/thermal-engine/Android.mk ...

hardware/qcom/msm8998/thermal-engine/Android.mk:25: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
[ 99% 24168/24262] including hardware/qcom/msm8998/time-services/Android.mk ...

hardware/qcom/msm8998/time-services/Android.mk:14: warning: BUILD_COPY_HEADERS has been deprecated. See https://android.googlesource.com/platform/build/+/master/Changes.md#copy_headers.
[100% 24262/24262] writing build rules ...

build/make/core/Makefile:49: warning: overriding commands for target `out/target/product/walleye/vendor/etc/IPACM_cfg.xml'
build/make/core/base_rules.mk:492: warning: ignoring old commands for target `out/target/product/walleye/vendor/etc/IPACM_cfg.xml'
build/make/core/Makefile:49: warning: overriding commands for target `out/target/product/walleye/vendor/etc/gps.conf'
build/make/core/base_rules.mk:492: warning: ignoring old commands for target `out/target/product/walleye/vendor/etc/gps.conf'
out/target/product/walleye/obj/CONFIG/kati_packaging/dist.mk was modified, regenerating...
ninja: no work to do.

After launching the out file from host:

INFO: Seed: 2688533161
INFO: Loaded 2 modules   (17709 inline 8-bit counters): 17702 [0x7f997ef5a3f0, 0x7f997ef5e916), 7 [0x55c6c661c908, 0x55c6c661c90f),
INFO: Loaded 2 PC tables (17709 PCs): 17702 [0x7f997ef5e918,0x7f997efa3b78), 7 [0x55c6c661c910,0x55c6c661c980),

INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 1 ft: 1 corp: 1/1b exec/s: 0 rss: 28Mb
#524288 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 174762 rss: 405Mb
#1048576 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 174762 rss: 589Mb
#2097152 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 190650 rss: 589Mb
#4194304 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 182361 rss: 589Mb
#8388608 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 178481 rss: 589Mb

#16777216 pulse  cov: 1 ft: 1 corp: 1/1b lim: 4096 exec/s: 176602 rss: 589Mb

Regards
Stay safe!
Dominik



Dominik Kwiatkowski

Dec 14, 2020, 4:21:14 PM
to libfuzzer
I'm wondering if the problem is in the location of my source file (fuzz_me_fuzzer.cpp). I placed the build instructions in the out/soong/ folder and then added the build instruction to the out/soong/Android.bp file:
cc_fuzz {
    name: "fuzz_me_fuzzer",
    srcs: [
        "fuzz_me_fuzzer.cpp",
    ],
    // If the fuzzer has a dependent library, uncomment the following section and
    // include it.
    // static_libs: [
    //   "libfoo", // Dependent library
    // ],
    //
    // The advanced features below allow you to package your corpus and
    // dictionary files during building. You can find more information about
    // these features at:
    //  - Corpus: https://llvm.org/docs/LibFuzzer.html#corpus
    //  - Dictionaries: https://llvm.org/docs/LibFuzzer.html#dictionaries
    // These features are not required for fuzzing, but are highly recommended
    // to gain extra coverage.
    // To include a corpus folder, uncomment the following line.
    // corpus: ["corpus/*"],
    // To include a dictionary, uncomment the following line.
    // dictionary: "fuzz_me_fuzzer.dict",
}


In the official Android/libFuzzer instructions (https://source.android.com/devices/tech/debug/libfuzzer) there is no information about where I have to place the source file and build instructions. One other thing: when I build fuzz_me_fuzzer.cpp manually with clang++
$ clang++ -g -fsanitize=address,fuzzer fuzz_me_fuzzer.cpp -o fuzz_me_fuzzer
the output is an executable file:
$ file fuzz_me_fuzzer
fuzz_me_fuzzer: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
but the output of soong build is the LSB shared object:
$ file out/host/linux-x86/fuzz/x86_64/fuzz_me_fuzzer/fuzz_me_fuzzer
out/host/linux-x86/fuzz/x86_64/fuzz_me_fuzzer/fuzz_me_fuzzer: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, with debug_info, not stripped

I don't know if this is important, but I'm including it for informational purposes.

mit...@google.com

Dec 21, 2020, 2:10:23 PM
to libfuzzer
Hi Dominik,

Sorry for any delays here. 

> executable vs. LSB shared object

This is fine - it's just that Android builds with PIC (`-fPIC -pie`) by default.

> out/soong/Android.bp

This is definitely the wrong place to put your fuzz target build files/etc. If you're looking for a good staging directory, you can always use `tools/security/fuzzing/` (which is where example_fuzzer lives).

To help me diagnose further, can you provide me the `git log -n1` inside of `build/soong`?

Dominik Kwiatkowski

Dec 21, 2020, 7:22:26 PM
to libfuzzer
Here is the `git log -n1` output inside the build/soong folder:
destrudo@ubuntu:~/android-11.0.0_r17/build/soong$ git log -n1
commit 02d76b9cd64d752d7a8cdd74afaad55db0d67040 (HEAD, tag: android-vts-11.0_r2, tag: android-vts-11.0_r1, tag: android-security-11.0.0_r1, tag: android-platform-11.0.0_r2, tag: android-platform-11.0.0_r1, tag: android-cts-11.0_r2, tag: android-cts-11.0_r1, tag: android-11.0.0_r5, tag: android-11.0.0_r4, tag: android-11.0.0_r3, tag: android-11.0.0_r25, tag: android-11.0.0_r2, tag: android-11.0.0_r17, tag: android-11.0.0_r1, tag: m/android-11.0.0_r17, aosp/android11-tests-release, aosp/android11-security-release, aosp/android11-s1-release, aosp/android11-release)
Merge: 0ce5d89d5 d771592f8
Author: android-build-team Robot <android-buil...@google.com>
Date:   Wed Jul 22 22:12:44 2020 +0000

    Merge cherrypicks of [12212499, 12213565, 12213741, 12213742, 12213743, 12213702, 12213319, 12213491, 12213118, 12213065, 12213602, 12213603] into rvc-release
   
    Change-Id: I131b23ebe4f88331ec4992fcc27ece8a0a064851

Mitch Phillips

Dec 21, 2020, 7:35:10 PM
to Dominik Kwiatkowski, libfuzzer
Looks like you have a pretty old checkout. Would you mind running `repo sync -j8 -q` in your full Android checkout folder (note, you might have to stash/revert any changed files in your source tree) in order to bring it up to date and try again?
