googleprojectzero / skcodecfuzzer Goto Github PK

Android NDK (r21b)

I've get /system/lib64 , /system/bin/linker64 ,/apex/com.android.runtime/lib64 from a Galaxy S20 ROM (G981B).

/home/vagrant/android-ndk-r21b/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android29-clang++ -o loader loader.o common.o tokenizer.o libdislocator.o -L/home/vagrant/capstone -lcapstone -L/home/vagrant/system/lib64 -lhwui -ldl -lbacktrace -landroidicu -Wl,-rpath -Wl,/home/vagrant/system/lib64 -Wl,--dynamic-linker=/home/vagrant/system/bin/linker64
loader.o: In function `ProcessImage()':
loader.cc:(.text+0x230): undefined reference to `SkCodec::MakeFromStream(std::__1::unique_ptr<SkStream, std::__1::default_delete<SkStream> >, SkCodec::Result*, SkPngChunkReader*, SkCodec::SelectionPolicy)'
loader.o: In function `SkImageInfo::bytesPerPixel() const':
loader.cc:(.text._ZNK11SkImageInfo13bytesPerPixelEv[_ZNK11SkImageInfo13bytesPerPixelEv]+0x14): undefined reference to `SkColorInfo::bytesPerPixel() const'
/home/vagrant/capstone/libcapstone.a(AArch64BaseInfo.o): In function `A64NamedImmMapper_fromString':
AArch64BaseInfo.c:(.text+0xc0): undefined reference to `__ctype_tolower_loc'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `loop_hdlr':
M680XDisassembler.c:(.text+0x490): undefined reference to `__fprintf_chk'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `reg_bits_hdlr':
M680XDisassembler.c:(.text+0x798): undefined reference to `__fprintf_chk'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `imm_rel_hdlr':
M680XDisassembler.c:(.text+0xbf8): undefined reference to `__fprintf_chk'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `immediate_hdlr':
M680XDisassembler.c:(.text+0x22c8): undefined reference to `__fprintf_chk'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `M680X_getInstruction':
M680XDisassembler.c:(.text+0x39c4): undefined reference to `__fprintf_chk'
clang++: error: linker command failed with exit code 1 (use -v to see invocation)
Makefile:23: recipe for target 'loader' failed
make: *** [loader] Error 1```

Hi, I try to reproduce the whole exploitation on :

1. Samsung Note 9 (Android 9, security patch January 1, 2019 )
2. SAMSUNG Galaxy A30s (Android 10, security patch 1 March 2020 )
3. However, Both models always have the following error:

in FindRegionMethod3
assert(len(candidates) > 0)
AssertionError

It seems that the candidates for libhwui.so is always empty. What is the reason for not being able to find candidates?
Thanks!

2022-04-12 03:56:29,396 [INFO ] Sending test MMS to check if the device is online...
2022-04-12 03:56:41,433 [INFO ] Received ack, phone is up and the setup works.
2022-04-12 03:56:41,433 [INFO ] Crashing the Messages app remotely now to get a clean state for further exploitation.
2022-04-12 03:56:43,716 [INFO ] Starting the ASLR bypass process...
2022-04-12 03:58:02,473 [INFO ] Range [6f00000000 .. 6f00000fff] is readable: True
2022-04-12 03:59:21,210 [INFO ] Range [6f00000000 .. 6f3fffffff] is readable: True
2022-04-12 03:59:21,210 [INFO ] Found address 0x6f00000000 inside CFI in 2 queries
2022-04-12 04:00:38,960 [INFO ] Range [6f00000000 .. 6f7fffffff] is readable: True
2022-04-12 04:01:57,634 [INFO ] Range [6f80000000 .. 6fbfffffff] is readable: True
2022-04-12 04:03:15,449 [INFO ] Range [6fc0000000 .. 6fdfffffff] is readable: True
2022-04-12 04:04:53,112 [INFO ] Range [6fe0000000 .. 6fefffffff] is readable: False
2022-04-12 04:06:00,705 [INFO ] Range [6fe0000000 .. 6fe7ffffff] is readable: False
2022-04-12 04:06:49,435 [INFO ] Range [6fe0000000 .. 6fe3ffffff] is readable: True
2022-04-12 04:26:12,124 [INFO ] Range [6fe4000000 .. 6fe5ffffff] is readable: True
2022-04-12 04:31:37,339 [INFO ] Range [6fe6000000 .. 6fe6ffffff] is readable: True
2022-04-12 04:32:57,045 [INFO ] Range [6fe7000000 .. 6fe77fffff] is readable: True
2022-04-12 04:34:15,726 [INFO ] Range [6fe7800000 .. 6fe7bfffff] is readable: True
2022-04-12 04:35:33,403 [INFO ] Range [6fe7c00000 .. 6fe7dfffff] is readable: True
2022-04-12 04:36:53,171 [INFO ] Range [6fe7e00000 .. 6fe7efffff] is readable: True
2022-04-12 04:38:14,960 [INFO ] Range [6fe7f00000 .. 6fe7f7ffff] is readable: True
2022-04-12 04:39:34,748 [INFO ] Range [6fe7f80000 .. 6fe7fbffff] is readable: True
2022-04-12 04:40:53,445 [INFO ] Range [6fe7fc0000 .. 6fe7fdffff] is readable: True
2022-04-12 04:42:12,143 [INFO ] Range [6fe7fe0000 .. 6fe7feffff] is readable: True
2022-04-12 04:43:29,804 [INFO ] Range [6fe7ff0000 .. 6fe7ff7fff] is readable: True
2022-04-12 04:45:07,474 [INFO ] Range [6fe7ff8000 .. 6fe7ffbfff] is readable: False
2022-04-12 04:46:02,276 [INFO ] Range [6fe7ff8000 .. 6fe7ff9fff] is readable: True
2022-04-12 04:47:22,056 [INFO ] Range [6fe7ffa000 .. 6fe7ffafff] is readable: True
2022-04-12 04:47:31,479 [INFO ] CFI region end 0x6fe7ffb000 found after 22 queries (0 cached)
2022-04-12 04:48:43,825 [INFO ] Range [6fe83fb000 .. 6fe83fbfff] is readable: True
2022-04-12 04:51:01,108 [INFO ] Range [6fe88fb000 .. 6fe88fbfff] is readable: True
2022-04-12 04:52:18,837 [INFO ] Range [6fe8dfb000 .. 6fe8dfbfff] is readable: True
2022-04-12 04:53:37,631 [INFO ] Range [6fe92fb000 .. 6fe92fbfff] is readable: True
2022-04-12 04:54:56,523 [INFO ] Range [6fe97fb000 .. 6fe97fbfff] is readable: True
2022-04-12 04:56:34,248 [INFO ] Range [6fe9cfb000 .. 6fe9cfbfff] is readable: False
2022-04-12 04:57:22,945 [INFO ] Range [6fe9bfb000 .. 6fe9bfbfff] is readable: True
2022-04-12 04:58:42,677 [INFO ] Range [6fea0fb000 .. 6fea0fbfff] is readable: True
2022-04-12 05:00:00,366 [INFO ] Range [6fea5fb000 .. 6fea5fbfff] is readable: True
2022-04-12 05:01:38,076 [INFO ] Range [6feaafb000 .. 6feaafbfff] is readable: False
2022-04-12 05:02:28,836 [INFO ] Range [6fea9fb000 .. 6fea9fbfff] is readable: True
2022-04-12 05:03:46,521 [INFO ] Range [6feaefb000 .. 6feaefbfff] is readable: True
2022-04-12 05:11:15,562 [INFO ] Range [6feb3fb000 .. 6feb3fbfff] is readable: True
2022-04-12 05:12:37,340 [INFO ] Range [6feb8fb000 .. 6feb8fbfff] is readable: True
2022-04-12 05:14:15,036 [INFO ] Range [6febdfb000 .. 6febdfbfff] is readable: False
2022-04-12 05:15:22,722 [INFO ] Range [6febcfb000 .. 6febcfbfff] is readable: False
2022-04-12 05:16:13,446 [INFO ] Range [6febbfb000 .. 6febbfbfff] is readable: True
2022-04-12 05:17:32,184 [INFO ] Range [6fec0fb000 .. 6fec0fbfff] is readable: True
2022-04-12 05:18:50,909 [INFO ] Range [6fec5fb000 .. 6fec5fbfff] is readable: True
2022-04-12 05:20:08,580 [INFO ] Range [6fecafb000 .. 6fecafbfff] is readable: True
2022-04-12 05:21:33,359 [INFO ] Range [6fecffb000 .. 6fecffbfff] is readable: True
2022-04-12 05:22:52,043 [INFO ] Range [6fed4fb000 .. 6fed4fbfff] is readable: True
2022-04-12 05:24:10,763 [INFO ] Range [6fed9fb000 .. 6fed9fbfff] is readable: True
2022-04-12 05:25:48,482 [INFO ] Range [6fedefb000 .. 6fedefbfff] is readable: False
2022-04-12 05:26:36,187 [INFO ] Range [6feddfb000 .. 6feddfbfff] is readable: True
Traceback (most recent call last):
File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 445, in
main(sys.argv)
File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 442, in main
exploit.Pwn()
File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 315, in Pwn
libhwui_base = self.FindRegionMethod3(analysis_start_addr,
File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 246, in FindRegionMethod3
assert(len(candidates) > 0)
AssertionError

I found the qmg file, Signal_sigsegv_4003f4fca8_6549_e9bf68c239eb55c8654336e2f9f25111.qmg from the README.md file and accessibility_light_easy_off.qmg from https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-2-effective-fuzzing-qmage.html.
Could you share the files? I'm checking them only for test purposes.

Thank you.

With ndk-r21b, skia for android 9 and capstone-4.0.2, i got successfully a binary named loader.

file loader
loader: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /git/SkCodecFuzzer/deps/android/system/bin/linker64, not stripped

When i execute ./run.sh which is included, "Invalid argument" against prctl is raised in my case, while another arm64 binary is working well (Also, It is working well after compilation without dynamic linker option README.md mentions) . Anything else i could do?

In case of Another arm64 binary:
qemu-aarch64 -strace ./f
20221 brk(NULL) = 0x0000000000569000
20221 brk(0x0000000000569fc8) = 0x0000000000569fc8
20221 uname(0x40007ffe88) = 0
20221 readlinkat(AT_FDCWD,"/proc/self/exe",0x00000040007fef80,4096) = 11
20221 brk(0x000000000058afc8) = 0x000000000058afc8
20221 brk(0x000000000058b000) = 0x000000000058b000
20221 faccessat(AT_FDCWD,"/etc/ld.so.nohwcap",F_OK,0) = -1 errno=2 (No such file or directory)
20221 fstat(1,0x00000040007ffde8) = 0
20221 write(1,0x57c030,18)Hello from ARM64!
= 18
20221 exit_group(0)

In case of running the loader compiled without the dynamic linker on device:
./loader
Error: missing required --input (-i) option

Usage: [LIBC_HOOKS_ENABLE=1] ./loader [OPTION]...

Required arguments:
-i, --input specify input file path for decoding

Optional arguments:
-o, --output save raw decoded RGBA image colors to specified output file
-l, --log_malloc log heap allocator activity to stderr (LIBC_HOOKS_ENABLE=1 needed)
-d, --default_malloc use the default system heap allocator
-h, --help display this help and exit

In case of running the loader compiled with the dynamic linker extracted from device:
./run.sh
19930 mmap(NULL,20480,PROT_NONE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001032000
19930 prctl(1398164801,0,274894888960,20480,274894482102,0) = -1 errno=22 (Invalid argument)
19930 mprotect(0x0000004001033000,12288,PROT_READ|PROT_WRITE) = 0
19930 prctl(1398164801,0,274894893056,12288,274894482168,0) = -1 errno=22 (Invalid argument)
19930 set_tid_address(274894861656,0,274894893056,12288,274894482168,0) = 19930
19930 faccessat(-100,"/dev/urandom",R_OK,0) = 0
19930 futex(0x0000004001027fc8,FUTEX_PRIVATE_FLAG|FUTEX_WAKE,2147483647,NULL,NULL,0) = 0
19930 getrandom(274893454368,40,1,0,0,0) = 40
19930 mmap(NULL,1104,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001037000
19930 prctl(1398164801,0,274894909440,1104,274894480656,0) = -1 errno=22 (Invalid argument)
19930 sched_getscheduler(0,0,8,3885048629,274894909568,274894861640) = 0
19930 mmap(NULL,20480,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001038000
19930 mprotect(0x0000004001038000,4096,PROT_NONE) = 0
19930 sigaltstack(0x4000ed3ca0,(nil)) = 0
19930 prctl(1398164801,0,274894917632,16384,274894482179,0) = -1 errno=22 (Invalid argument)
19930 prctl(1398164801,0,274894913536,4096,274894482199,0) = -1 errno=22 (Invalid argument)
19930 mprotect(0x000000400101a000,49152,PROT_READ) = 0
19930 mprotect(0x000000400102a000,4096,PROT_READ) = 0
19930 mprotect(0x000000400102a000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400102a000,4096,PROT_READ) = 0
19930 mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x000000400103d000
19930 prctl(1398164801,0,274894934016,4096,274894482791,0) = -1 errno=22 (Invalid argument)
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x000000400103e000
19930 prctl(1398164801,0,274894938112,4096,274894470243,0) = -1 errno=22 (Invalid argument)
19930 mmap(NULL,24,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x000000400103f000
19930 prctl(1398164801,0,274894942208,24,274894470409,0) = -1 errno=22 (Invalid argument)
19930 mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001040000
19930 prctl(1398164801,0,274894946304,4096,274894470243,0) = -1 errno=22 (Invalid argument)
19930 mmap(NULL,24,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001041000
19930 prctl(1398164801,0,274894950400,24,274894470409,0) = -1 errno=22 (Invalid argument)
19930 mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001042000
19930 prctl(1398164801,0,274894954496,4096,274894434791,0) = -1 errno=22 (Invalid argument)
19930 mprotect(0x0000004001042000,4096,PROT_READ|PROT_WRITE) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=1, si_addr=0x000000000000014e} ---
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
./run.sh: line 19: 19930 Segmentation fault (core dumped) LD_LIBRARY_PATH=$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/aarch64-linux-android:$ANDROID_PATH/lib64 qemu-aarch64 -strace ./loader "$@"
root@babo-400B4C-400B5C-200B4C-200B5C:/git/SkCodecFuzzer/source#

I've downloaded all the dependencies:
Android NDK (r21b)
Skia (its awkward but the default references didn't work, I've changed those references, most In Skia, and proceed.. all things apparently fine)
Libbacktrace OK
Capstone OK

I've get /system/lib64 and /system/bin/linker64 from a Galaxy S8 ROM (G950FXXU6DSK5).

The error:

gilmarwsr@lnx:~/Documents/fuzzer/SkCodecFuzzer/source$ make
/home/gilmarwsr/Documents/fuzzer/android-ndk-r21b/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android29-clang++ -o loader loader.o common.o tokenizer.o libdislocator.o -L/home/gilmarwsr/Documents/fuzzer/capstone -lcapstone -L/home/gilmarwsr/Documents/fuzzer/s8/lib64 -lhwui -ldl -lbacktrace -landroidicu -Wl,-rpath -Wl,/home/gilmarwsr/Documents/fuzzer/s8/lib64 -Wl,--dynamic-linker=/home/gilmarwsr/Documents/fuzzer/s8/bin/linker64
/home/gilmarwsr/Documents/fuzzer/android-ndk-r21b/toolchains/llvm/prebuilt/linux-x86_64/bin/../lib/gcc/aarch64-linux-android/4.9.x/../../../../aarch64-linux-android/bin/ld: cannot find -landroidicu
clang++: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [Makefile:23: loader] Error

Ubuntu16.04 LTS

ubuntu@~/SkCodecFuzzer/source$
make
/home/ubuntu/Android/Sdk/ndk/21.1.6352462/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android29-clang++ -c -o loader.o loader.cc -D_LIBCPP_ABI_NAMESPACE=__1 -I/home/ubuntu/SkCodecFuzzer/skia/include/core -I/home/ubuntu/SkCodecFuzzer/skia/include/codec -I/home/ubuntu/SkCodecFuzzer/skia/include/config -I/home/ubuntu/SkCodecFuzzer/skia/include/config/android -I/home/ubuntu/SkCodecFuzzer/capstone-4.0.1/include -I/home/ubuntu/SkCodecFuzzer/libbacktrace/include
In file included from loader.cc:35:
/home/ubuntu/SkCodecFuzzer/skia/include/codec/SkAndroidCodec.h:11:10: fatal error: 'include/codec/SkCodec.h' file not found
#include "include/codec/SkCodec.h"
         ^~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
Makefile:17: recipe for target 'loader.o' failed
make: *** [loader.o] Error 1

all deps

./
├── deps
│   └── capstone-4.0.1
├── libbacktrace
│   ├── include
│   └── testdata
├── skia
│   ├── animations
│   ├── .............
│   └── tools
├── source
├── system
│   ├── bin
│   ├── lib
│   └── lib64
└── third_party
    └── libdislocator

modified Makefile

ANDROID_NDK=/home/ubuntu/Android/Sdk/ndk/21.1.6352462
SKIA_PATH=/home/ubuntu/SkCodecFuzzer/skia
CAPSTONE_PATH=/home/ubuntu/SkCodecFuzzer/capstone-4.0.1
ANDROID_PATH=/home/ubuntu/SkCodecFuzzer/system
LIBBACKTRACE_PATH=/home/ubuntu/SkCodecFuzzer/libbacktrace
....

I need to know how to do it step by step and what this software is and how to connect the phone.

[

Environment

• android-ndk-r21e
• capstone-4.0.2
• skia 11-release

error message

/root/SkCodecFuzzer/android-ndk-r21e/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android29-clang++ -o loader loader.o common.o tokenizer.o libdislocator.o -L/root/SkCodecFuzzer/deps/capstone-5.0-rc2 -lcapstone -L/root/SkCodecFuzzer/system/lib64 -lhwui -ldl -lbacktrace -landroidicu -lstatspull -Wl,-rpath -Wl,/root/SkCodecFuzzer/system/lib64 -Wl,--dynamic-linker=/root/SkCodecFuzzer/system/bin/linker64
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_PullAtomMetadata_obtain@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_addBoolAnnotation@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeAttributionChain@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeBool@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeString@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeFloat@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_PullAtomMetadata_release@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libmediautils.so: undefined reference to `_Unwind_Backtrace@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_release@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniThrowException@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeInt64@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEventList_addStatsEvent@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libmediadrm.so: undefined reference to `mediametrics_setUid@LIBMEDIAMETRICS_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeInt32@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniThrowNullPointerException@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_setAtomId@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_write@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_GetIP@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_PullAtomMetadata_setTimeoutMillis@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_GetRegionStart@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_setPullAtomCallback@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libselinux.so: undefined reference to `__system_properties_init@LIBC_Q'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniGetNioBufferBaseArrayOffset@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_RaiseException@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libmediadrm.so: undefined reference to `mediametrics_create@LIBMEDIAMETRICS_1'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_SetGR@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_SetIP@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_build@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniGetNioBufferBaseArray@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_PullAtomMetadata_setCoolDownMillis@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_obtain@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniGetFDFromFileDescriptor@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `_Unwind_Resume@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libmediandk.so: undefined reference to `JNI_GetCreatedJavaVMs@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeByteArray@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_DeleteException@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniThrowExceptionFmt@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libmediadrm.so: undefined reference to `mediametrics_setCString@LIBMEDIAMETRICS_1'
/root/SkCodecFuzzer/system/lib64/libmediadrm.so: undefined reference to `mediametrics_delete@LIBMEDIAMETRICS_1'
.................................
.................................
.................................

Not sure why the desired symbol needs a suffix @LIBXXXXX

has AStatsManager_PullAtomMetadata_obtain but not AStatsManager_PullAtomMetadata_obtain@LIBSTATSPULL

root@vm:~/SkCodecFuzzer/source# grep "AStatsManager_PullAtomMetadata_obtain" -r /root/SkCodecFuzzer/system/lib64/libhwui.so
Binary file /root/SkCodecFuzzer/system/lib64/libhwui.so matches
root@vm:~/SkCodecFuzzer/source# grep "AStatsManager_PullAtomMetadata_obtain@LIBSTATSPULL" -r /root/SkCodecFuzzer/system/lib64/libhwui.so

I am trying to run the harness on a physical Android device with LIBC_HOOKS_ENABLE=1, but got an error of AFL libdisallocator:

[!] Running on Android, heap chunks will be automatically 8-byte aligned.
*** [AFL] bad allocator canary on realloc() ***
ASAN:SIGABRT
==15909==ERROR: AddressSanitizer: ABRT on unknown address 0x7d000003e25 (pc 0x70c1eb506c sp 0x7fe8c5c320 bp 0x7fe8c5c320 T0)
......

The harness can successfully execute in qemu or with the -d (unset LIBC_HOOKS_ENABLE) option.
Any idea about that?

what is this error

Does any fuzz details and process with the afl-qemu?
This repo only have the harness and exploit file.

I used the solution with #1 (comment)

However, I used capstone 4.0.1 and capstone 4.0.2 still got these error (below).