googleprojectzero / skcodecfuzzer
Fuzzing harness for testing proprietary image codecs supported by Skia on Android
License: Apache License 2.0
Android NDK (r21b)
I've got /system/lib64, /system/bin/linker64, /apex/com.android.runtime/lib64 from a Galaxy S20 ROM (G981B).
/home/vagrant/android-ndk-r21b/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android29-clang++ -o loader loader.o common.o tokenizer.o libdislocator.o -L/home/vagrant/capstone -lcapstone -L/home/vagrant/system/lib64 -lhwui -ldl -lbacktrace -landroidicu -Wl,-rpath -Wl,/home/vagrant/system/lib64 -Wl,--dynamic-linker=/home/vagrant/system/bin/linker64
loader.o: In function `ProcessImage()':
loader.cc:(.text+0x230): undefined reference to `SkCodec::MakeFromStream(std::__1::unique_ptr<SkStream, std::__1::default_delete<SkStream> >, SkCodec::Result*, SkPngChunkReader*, SkCodec::SelectionPolicy)'
loader.o: In function `SkImageInfo::bytesPerPixel() const':
loader.cc:(.text._ZNK11SkImageInfo13bytesPerPixelEv[_ZNK11SkImageInfo13bytesPerPixelEv]+0x14): undefined reference to `SkColorInfo::bytesPerPixel() const'
/home/vagrant/capstone/libcapstone.a(AArch64BaseInfo.o): In function `A64NamedImmMapper_fromString':
AArch64BaseInfo.c:(.text+0xc0): undefined reference to `__ctype_tolower_loc'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `loop_hdlr':
M680XDisassembler.c:(.text+0x490): undefined reference to `__fprintf_chk'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `reg_bits_hdlr':
M680XDisassembler.c:(.text+0x798): undefined reference to `__fprintf_chk'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `imm_rel_hdlr':
M680XDisassembler.c:(.text+0xbf8): undefined reference to `__fprintf_chk'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `immediate_hdlr':
M680XDisassembler.c:(.text+0x22c8): undefined reference to `__fprintf_chk'
/home/vagrant/capstone/libcapstone.a(M680XDisassembler.o): In function `M680X_getInstruction':
M680XDisassembler.c:(.text+0x39c4): undefined reference to `__fprintf_chk'
clang++: error: linker command failed with exit code 1 (use -v to see invocation)
Makefile:23: recipe for target 'loader' failed
make: *** [loader] Error 1
Hi, I'm trying to reproduce the whole exploitation on:
in FindRegionMethod3
assert(len(candidates) > 0)
AssertionError
It seems that the candidates for libhwui.so is always empty. What is the reason for not being able to find candidates?
Thanks!
2022-04-12 03:56:29,396 [INFO ] Sending test MMS to check if the device is online...
2022-04-12 03:56:41,433 [INFO ] Received ack, phone is up and the setup works.
2022-04-12 03:56:41,433 [INFO ] Crashing the Messages app remotely now to get a clean state for further exploitation.
2022-04-12 03:56:43,716 [INFO ] Starting the ASLR bypass process...
2022-04-12 03:58:02,473 [INFO ] Range [6f00000000 .. 6f00000fff] is readable: True
2022-04-12 03:59:21,210 [INFO ] Range [6f00000000 .. 6f3fffffff] is readable: True
2022-04-12 03:59:21,210 [INFO ] Found address 0x6f00000000 inside CFI in 2 queries
2022-04-12 04:00:38,960 [INFO ] Range [6f00000000 .. 6f7fffffff] is readable: True
2022-04-12 04:01:57,634 [INFO ] Range [6f80000000 .. 6fbfffffff] is readable: True
2022-04-12 04:03:15,449 [INFO ] Range [6fc0000000 .. 6fdfffffff] is readable: True
2022-04-12 04:04:53,112 [INFO ] Range [6fe0000000 .. 6fefffffff] is readable: False
2022-04-12 04:06:00,705 [INFO ] Range [6fe0000000 .. 6fe7ffffff] is readable: False
2022-04-12 04:06:49,435 [INFO ] Range [6fe0000000 .. 6fe3ffffff] is readable: True
2022-04-12 04:26:12,124 [INFO ] Range [6fe4000000 .. 6fe5ffffff] is readable: True
2022-04-12 04:31:37,339 [INFO ] Range [6fe6000000 .. 6fe6ffffff] is readable: True
2022-04-12 04:32:57,045 [INFO ] Range [6fe7000000 .. 6fe77fffff] is readable: True
2022-04-12 04:34:15,726 [INFO ] Range [6fe7800000 .. 6fe7bfffff] is readable: True
2022-04-12 04:35:33,403 [INFO ] Range [6fe7c00000 .. 6fe7dfffff] is readable: True
2022-04-12 04:36:53,171 [INFO ] Range [6fe7e00000 .. 6fe7efffff] is readable: True
2022-04-12 04:38:14,960 [INFO ] Range [6fe7f00000 .. 6fe7f7ffff] is readable: True
2022-04-12 04:39:34,748 [INFO ] Range [6fe7f80000 .. 6fe7fbffff] is readable: True
2022-04-12 04:40:53,445 [INFO ] Range [6fe7fc0000 .. 6fe7fdffff] is readable: True
2022-04-12 04:42:12,143 [INFO ] Range [6fe7fe0000 .. 6fe7feffff] is readable: True
2022-04-12 04:43:29,804 [INFO ] Range [6fe7ff0000 .. 6fe7ff7fff] is readable: True
2022-04-12 04:45:07,474 [INFO ] Range [6fe7ff8000 .. 6fe7ffbfff] is readable: False
2022-04-12 04:46:02,276 [INFO ] Range [6fe7ff8000 .. 6fe7ff9fff] is readable: True
2022-04-12 04:47:22,056 [INFO ] Range [6fe7ffa000 .. 6fe7ffafff] is readable: True
2022-04-12 04:47:31,479 [INFO ] CFI region end 0x6fe7ffb000 found after 22 queries (0 cached)
2022-04-12 04:48:43,825 [INFO ] Range [6fe83fb000 .. 6fe83fbfff] is readable: True
2022-04-12 04:51:01,108 [INFO ] Range [6fe88fb000 .. 6fe88fbfff] is readable: True
2022-04-12 04:52:18,837 [INFO ] Range [6fe8dfb000 .. 6fe8dfbfff] is readable: True
2022-04-12 04:53:37,631 [INFO ] Range [6fe92fb000 .. 6fe92fbfff] is readable: True
2022-04-12 04:54:56,523 [INFO ] Range [6fe97fb000 .. 6fe97fbfff] is readable: True
2022-04-12 04:56:34,248 [INFO ] Range [6fe9cfb000 .. 6fe9cfbfff] is readable: False
2022-04-12 04:57:22,945 [INFO ] Range [6fe9bfb000 .. 6fe9bfbfff] is readable: True
2022-04-12 04:58:42,677 [INFO ] Range [6fea0fb000 .. 6fea0fbfff] is readable: True
2022-04-12 05:00:00,366 [INFO ] Range [6fea5fb000 .. 6fea5fbfff] is readable: True
2022-04-12 05:01:38,076 [INFO ] Range [6feaafb000 .. 6feaafbfff] is readable: False
2022-04-12 05:02:28,836 [INFO ] Range [6fea9fb000 .. 6fea9fbfff] is readable: True
2022-04-12 05:03:46,521 [INFO ] Range [6feaefb000 .. 6feaefbfff] is readable: True
2022-04-12 05:11:15,562 [INFO ] Range [6feb3fb000 .. 6feb3fbfff] is readable: True
2022-04-12 05:12:37,340 [INFO ] Range [6feb8fb000 .. 6feb8fbfff] is readable: True
2022-04-12 05:14:15,036 [INFO ] Range [6febdfb000 .. 6febdfbfff] is readable: False
2022-04-12 05:15:22,722 [INFO ] Range [6febcfb000 .. 6febcfbfff] is readable: False
2022-04-12 05:16:13,446 [INFO ] Range [6febbfb000 .. 6febbfbfff] is readable: True
2022-04-12 05:17:32,184 [INFO ] Range [6fec0fb000 .. 6fec0fbfff] is readable: True
2022-04-12 05:18:50,909 [INFO ] Range [6fec5fb000 .. 6fec5fbfff] is readable: True
2022-04-12 05:20:08,580 [INFO ] Range [6fecafb000 .. 6fecafbfff] is readable: True
2022-04-12 05:21:33,359 [INFO ] Range [6fecffb000 .. 6fecffbfff] is readable: True
2022-04-12 05:22:52,043 [INFO ] Range [6fed4fb000 .. 6fed4fbfff] is readable: True
2022-04-12 05:24:10,763 [INFO ] Range [6fed9fb000 .. 6fed9fbfff] is readable: True
2022-04-12 05:25:48,482 [INFO ] Range [6fedefb000 .. 6fedefbfff] is readable: False
2022-04-12 05:26:36,187 [INFO ] Range [6feddfb000 .. 6feddfbfff] is readable: True
Traceback (most recent call last):
File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 445, in <module>
main(sys.argv)
File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 442, in main
exploit.Pwn()
File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 315, in Pwn
libhwui_base = self.FindRegionMethod3(analysis_start_addr,
File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 246, in FindRegionMethod3
assert(len(candidates) > 0)
AssertionError
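The range probes in the log above are a boundary search driven by a one-bit oracle: each query asks whether a read of [lo, hi] leaves the target alive, and at one MMS round trip per answer (60 to 90 seconds between log lines) the number of queries is the cost that matters. The following is an added illustration by the editor of that search strategy, not the exploit's FindRegionMethod3 or any other code from the repository. The PageMap is a constructed in-memory address space whose layout is invented for the demo; only its first region end is borrowed from the log.

```python
PAGE = 0x1000


class PageMap:
    """Constructed stand-in for the victim's address space (not a real layout).

    `ranges` are half-open [start, end) readable mappings, already merged so no
    two are adjacent.  Every oracle call is counted because in the real attack
    each one is a full MMS round trip.
    """

    def __init__(self, ranges):
        self.ranges = sorted(ranges)
        self.queries = 0

    def readable(self, lo, hi):
        """True iff every byte in [lo, hi] (inclusive, as the log prints it) is mapped."""
        self.queries += 1
        return any(start <= lo and hi < end for start, end in self.ranges)


def find_region_end(oracle, known):
    """First unmapped page after the contiguous readable region around `known`.

    Phase 1 gallops forward with doubling steps while probes succeed; phase 2
    bisects the last [readable, failing] gap down to a single page.  Total cost
    is about 2*log2(region size in pages) queries.
    """
    good = known & ~(PAGE - 1)          # highest page proven readable
    step = PAGE
    while True:                          # gallop
        cand = good + step
        if oracle.readable(good + PAGE, cand + PAGE - 1):
            good, step = cand, step * 2
        else:
            break                        # some page in (good, cand] is unmapped
    while cand - good > PAGE:            # bisect
        mid = good + ((cand - good) // PAGE // 2) * PAGE
        if oracle.readable(good + PAGE, mid + PAGE - 1):
            good = mid
        else:
            cand = mid
    return cand


def find_region_start(oracle, known):
    """Mirror image of find_region_end: lowest page of the region around `known`."""
    good = known & ~(PAGE - 1)
    step = PAGE
    while True:
        cand = good - step
        if oracle.readable(cand, good - 1):
            good, step = cand, step * 2
        else:
            break
    while good - cand > PAGE:
        mid = good - ((good - cand) // PAGE // 2) * PAGE
        if oracle.readable(mid, good - 1):
            good = mid
        else:
            cand = mid
    return good


def find_next_readable(oracle, start, stride, limit):
    """Sample one page every `stride` bytes above `start` until one is mapped.

    A mapping smaller than `stride` can be stepped over entirely, so the stride
    must stay below the size of the library being hunted.
    """
    addr = (start + stride) & ~(PAGE - 1)
    while addr < limit:
        if oracle.readable(addr, addr + PAGE - 1):
            return addr
        addr += stride
    return None


def map_regions(oracle, known, stride, limit, max_regions=8):
    """Walk upward from a known readable address; return [(start, end), ...]."""
    start, end = find_region_start(oracle, known), find_region_end(oracle, known)
    regions = [(start, end)]
    while len(regions) < max_regions:
        hit = find_next_readable(oracle, end, stride, limit)
        if hit is None:
            break
        start, end = find_region_start(oracle, hit), find_region_end(oracle, hit)
        regions.append((start, end))
    return regions


if __name__ == "__main__":
    sample = PageMap([(0x6F00000000, 0x6FE7FFB000),   # ends where the log's CFI region ends
                      (0x6FE8000000, 0x6FE9C00000),   # invented
                      (0x6FEA000000, 0x6FEB000000)])  # invented
    for lo, hi in map_regions(sample, 0x6F00000000, 0x500000, 0x7000000000):
        print(f"[{lo:x} .. {hi - 1:x}] readable")
    print(f"{sample.queries} queries")
```

The gallop-then-bisect shape is why the log's query count stays in the tens even though the first region is several gigabytes: it spends one query per doubling and one per halving instead of one per page.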
I found the qmg file, Signal_sigsegv_4003f4fca8_6549_e9bf68c239eb55c8654336e2f9f25111.qmg from the README.md file and accessibility_light_easy_off.qmg from https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-2-effective-fuzzing-qmage.html.
Could you share the files? I'm checking them only for test purposes.
Thank you.
With ndk-r21b, Skia for Android 9 and capstone-4.0.2, I successfully got a binary named loader.
file loader
loader: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /git/SkCodecFuzzer/deps/android/system/bin/linker64, not stripped
When I execute ./run.sh, which is included, "Invalid argument" against prctl is raised in my case, while another arm64 binary works well (also, it works well after compilation without the dynamic linker option README.md mentions). Anything else I could do?
In the case of another arm64 binary:
qemu-aarch64 -strace ./f
20221 brk(NULL) = 0x0000000000569000
20221 brk(0x0000000000569fc8) = 0x0000000000569fc8
20221 uname(0x40007ffe88) = 0
20221 readlinkat(AT_FDCWD,"/proc/self/exe",0x00000040007fef80,4096) = 11
20221 brk(0x000000000058afc8) = 0x000000000058afc8
20221 brk(0x000000000058b000) = 0x000000000058b000
20221 faccessat(AT_FDCWD,"/etc/ld.so.nohwcap",F_OK,0) = -1 errno=2 (No such file or directory)
20221 fstat(1,0x00000040007ffde8) = 0
20221 write(1,0x57c030,18)Hello from ARM64!
= 18
20221 exit_group(0)
In the case of running the loader compiled without the dynamic linker on the device:
./loader
Error: missing required --input (-i) option
Usage: [LIBC_HOOKS_ENABLE=1] ./loader [OPTION]...
Required arguments:
-i, --input specify input file path for decoding
Optional arguments:
-o, --output save raw decoded RGBA image colors to specified output file
-l, --log_malloc log heap allocator activity to stderr (LIBC_HOOKS_ENABLE=1 needed)
-d, --default_malloc use the default system heap allocator
-h, --help display this help and exit
In the case of running the loader compiled with the dynamic linker extracted from the device:
./run.sh
19930 mmap(NULL,20480,PROT_NONE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001032000
19930 prctl(1398164801,0,274894888960,20480,274894482102,0) = -1 errno=22 (Invalid argument)
19930 mprotect(0x0000004001033000,12288,PROT_READ|PROT_WRITE) = 0
19930 prctl(1398164801,0,274894893056,12288,274894482168,0) = -1 errno=22 (Invalid argument)
19930 set_tid_address(274894861656,0,274894893056,12288,274894482168,0) = 19930
19930 faccessat(-100,"/dev/urandom",R_OK,0) = 0
19930 futex(0x0000004001027fc8,FUTEX_PRIVATE_FLAG|FUTEX_WAKE,2147483647,NULL,NULL,0) = 0
19930 getrandom(274893454368,40,1,0,0,0) = 40
19930 mmap(NULL,1104,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001037000
19930 prctl(1398164801,0,274894909440,1104,274894480656,0) = -1 errno=22 (Invalid argument)
19930 sched_getscheduler(0,0,8,3885048629,274894909568,274894861640) = 0
19930 mmap(NULL,20480,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001038000
19930 mprotect(0x0000004001038000,4096,PROT_NONE) = 0
19930 sigaltstack(0x4000ed3ca0,(nil)) = 0
19930 prctl(1398164801,0,274894917632,16384,274894482179,0) = -1 errno=22 (Invalid argument)
19930 prctl(1398164801,0,274894913536,4096,274894482199,0) = -1 errno=22 (Invalid argument)
19930 mprotect(0x000000400101a000,49152,PROT_READ) = 0
19930 mprotect(0x000000400102a000,4096,PROT_READ) = 0
19930 mprotect(0x000000400102a000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400102a000,4096,PROT_READ) = 0
19930 mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x000000400103d000
19930 prctl(1398164801,0,274894934016,4096,274894482791,0) = -1 errno=22 (Invalid argument)
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ|PROT_WRITE) = 0
19930 mprotect(0x000000400103d000,4096,PROT_READ) = 0
19930 mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x000000400103e000
19930 prctl(1398164801,0,274894938112,4096,274894470243,0) = -1 errno=22 (Invalid argument)
19930 mmap(NULL,24,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x000000400103f000
19930 prctl(1398164801,0,274894942208,24,274894470409,0) = -1 errno=22 (Invalid argument)
19930 mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001040000
19930 prctl(1398164801,0,274894946304,4096,274894470243,0) = -1 errno=22 (Invalid argument)
19930 mmap(NULL,24,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001041000
19930 prctl(1398164801,0,274894950400,24,274894470409,0) = -1 errno=22 (Invalid argument)
19930 mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x0000004001042000
19930 prctl(1398164801,0,274894954496,4096,274894434791,0) = -1 errno=22 (Invalid argument)
19930 mprotect(0x0000004001042000,4096,PROT_READ|PROT_WRITE) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=1, si_addr=0x000000000000014e} ---
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
./run.sh: line 19: 19930 Segmentation fault (core dumped) LD_LIBRARY_PATH=$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/aarch64-linux-android:$ANDROID_PATH/lib64 qemu-aarch64 -strace ./loader "$@"
root@babo-400B4C-400B5C-200B4C-200B5C:/git/SkCodecFuzzer/source#
I've downloaded all the dependencies:
Android NDK (r21b)
Skia (it's awkward, but the default references didn't work; I changed those references, mostly in Skia, and proceeded. All things apparently fine)
Libbacktrace OK
Capstone OK
I've got /system/lib64 and /system/bin/linker64 from a Galaxy S8 ROM (G950FXXU6DSK5).
The error:
gilmarwsr@lnx:~/Documents/fuzzer/SkCodecFuzzer/source$ make
/home/gilmarwsr/Documents/fuzzer/android-ndk-r21b/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android29-clang++ -o loader loader.o common.o tokenizer.o libdislocator.o -L/home/gilmarwsr/Documents/fuzzer/capstone -lcapstone -L/home/gilmarwsr/Documents/fuzzer/s8/lib64 -lhwui -ldl -lbacktrace -landroidicu -Wl,-rpath -Wl,/home/gilmarwsr/Documents/fuzzer/s8/lib64 -Wl,--dynamic-linker=/home/gilmarwsr/Documents/fuzzer/s8/bin/linker64
/home/gilmarwsr/Documents/fuzzer/android-ndk-r21b/toolchains/llvm/prebuilt/linux-x86_64/bin/../lib/gcc/aarch64-linux-android/4.9.x/../../../../aarch64-linux-android/bin/ld: cannot find -landroidicu
clang++: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [Makefile:23: loader] Error
Ubuntu16.04 LTS
ubuntu@~/SkCodecFuzzer/source$
make
/home/ubuntu/Android/Sdk/ndk/21.1.6352462/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android29-clang++ -c -o loader.o loader.cc -D_LIBCPP_ABI_NAMESPACE=__1 -I/home/ubuntu/SkCodecFuzzer/skia/include/core -I/home/ubuntu/SkCodecFuzzer/skia/include/codec -I/home/ubuntu/SkCodecFuzzer/skia/include/config -I/home/ubuntu/SkCodecFuzzer/skia/include/config/android -I/home/ubuntu/SkCodecFuzzer/capstone-4.0.1/include -I/home/ubuntu/SkCodecFuzzer/libbacktrace/include
In file included from loader.cc:35:
/home/ubuntu/SkCodecFuzzer/skia/include/codec/SkAndroidCodec.h:11:10: fatal error: 'include/codec/SkCodec.h' file not found
#include "include/codec/SkCodec.h"
^~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
Makefile:17: recipe for target 'loader.o' failed
make: *** [loader.o] Error 1
all deps
./
├── deps
│ └── capstone-4.0.1
├── libbacktrace
│ ├── include
│ └── testdata
├── skia
│ ├── animations
│ ├── .............
│ └── tools
├── source
├── system
│ ├── bin
│ ├── lib
│ └── lib64
└── third_party
└── libdislocator
modified Makefile
ANDROID_NDK=/home/ubuntu/Android/Sdk/ndk/21.1.6352462
SKIA_PATH=/home/ubuntu/SkCodecFuzzer/skia
CAPSTONE_PATH=/home/ubuntu/SkCodecFuzzer/capstone-4.0.1
ANDROID_PATH=/home/ubuntu/SkCodecFuzzer/system
LIBBACKTRACE_PATH=/home/ubuntu/SkCodecFuzzer/libbacktrace
....
Environment
error message
/root/SkCodecFuzzer/android-ndk-r21e/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android29-clang++ -o loader loader.o common.o tokenizer.o libdislocator.o -L/root/SkCodecFuzzer/deps/capstone-5.0-rc2 -lcapstone -L/root/SkCodecFuzzer/system/lib64 -lhwui -ldl -lbacktrace -landroidicu -lstatspull -Wl,-rpath -Wl,/root/SkCodecFuzzer/system/lib64 -Wl,--dynamic-linker=/root/SkCodecFuzzer/system/bin/linker64
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_PullAtomMetadata_obtain@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_addBoolAnnotation@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeAttributionChain@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeBool@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeString@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeFloat@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_PullAtomMetadata_release@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libmediautils.so: undefined reference to `_Unwind_Backtrace@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_release@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniThrowException@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeInt64@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEventList_addStatsEvent@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libmediadrm.so: undefined reference to `mediametrics_setUid@LIBMEDIAMETRICS_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeInt32@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniThrowNullPointerException@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_setAtomId@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_write@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_GetIP@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_PullAtomMetadata_setTimeoutMillis@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_GetRegionStart@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_setPullAtomCallback@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libselinux.so: undefined reference to `__system_properties_init@LIBC_Q'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniGetNioBufferBaseArrayOffset@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_RaiseException@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libmediadrm.so: undefined reference to `mediametrics_create@LIBMEDIAMETRICS_1'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_SetGR@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_SetIP@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_build@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniGetNioBufferBaseArray@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsManager_PullAtomMetadata_setCoolDownMillis@LIBSTATSPULL'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_obtain@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniGetFDFromFileDescriptor@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `_Unwind_Resume@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libmediandk.so: undefined reference to `JNI_GetCreatedJavaVMs@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `AStatsEvent_writeByteArray@LIBSTATSSOCKET'
/root/SkCodecFuzzer/system/lib64/libstatspull.so: undefined reference to `_Unwind_DeleteException@LIBC_R'
/root/SkCodecFuzzer/system/lib64/libhwui.so: undefined reference to `jniThrowExceptionFmt@LIBNATIVEHELPER_1'
/root/SkCodecFuzzer/system/lib64/libmediadrm.so: undefined reference to `mediametrics_setCString@LIBMEDIAMETRICS_1'
/root/SkCodecFuzzer/system/lib64/libmediadrm.so: undefined reference to `mediametrics_delete@LIBMEDIAMETRICS_1'
.................................
.................................
.................................
Not sure why the desired symbol needs a suffix @LIBXXXXX.
It has AStatsManager_PullAtomMetadata_obtain but not AStatsManager_PullAtomMetadata_obtain@LIBSTATSPULL:
root@vm:~/SkCodecFuzzer/source# grep "AStatsManager_PullAtomMetadata_obtain" -r /root/SkCodecFuzzer/system/lib64/libhwui.so
Binary file /root/SkCodecFuzzer/system/lib64/libhwui.so matches
root@vm:~/SkCodecFuzzer/source# grep "AStatsManager_PullAtomMetadata_obtain@LIBSTATSPULL" -r /root/SkCodecFuzzer/system/lib64/libhwui.so
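Both the `cannot find -landroidicu` failure in the earlier post and the `name@LIBSTATSPULL` / `name@LIBC_R` references in this one come from two dependency tables inside the device's libhwui.so: the DT_NEEDED list in `.dynamic` (which libraries must be on the link line) and `.gnu.version_r` (which symbol-version node each of those libraries must define). `grep` cannot show the `@VERSION` suffix because the suffix is never stored as a string; ld composes it from the version table. The script below is an added example by the editor, not part of SkCodecFuzzer, that reads both tables straight from the ELF and checks which DT_NEEDED libraries are absent from the `-L` directories. Run it as `python3 elfdeps.py system/lib64/libhwui.so system/lib64` (file names are assumptions); with no arguments it parses a constructed ELF stub that stands in for libhwui.so. The reading of the errors it is meant to support, which is the editor's and not stated by the project, is that LIBC_R is the libc version node bionic added in Android 11, so a libc.so from an API 29 NDK sysroot cannot satisfy it and the device's own libc.so must be the one the linker finds.

```python
import os
import struct
import sys

SHT_STRTAB, SHT_DYNAMIC, SHT_GNU_VERNEED = 3, 6, 0x6FFFFFFE
DT_NULL, DT_NEEDED = 0, 1
SHDR = "<IIQQQQIIQQ"   # Elf64_Shdr (64 bytes), little-endian


def _cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode()


def _sections(elf):
    """(sh_type, sh_offset, sh_size, sh_link) per section header.  Needs section
    headers to be present, which holds for stock Android system libraries."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    hdrs = [struct.unpack_from(SHDR, elf, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    return [(h[1], h[4], h[5], h[6]) for h in hdrs]


def elf_dependencies(elf):
    """Return (DT_NEEDED list, {library: [version nodes it must define]}).

    ld reports an import as `name@LIBSTATSPULL` when this table says the symbol
    comes from a library that must define version node LIBSTATSPULL and no such
    library was found on the link line."""
    secs = _sections(elf)
    needed, versions = [], {}
    for typ, off, size, link in secs:
        strtab = secs[link][1]                 # sh_link -> .dynstr offset
        if typ == SHT_DYNAMIC:
            for pos in range(off, off + size, 16):
                tag, val = struct.unpack_from("<qQ", elf, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_NEEDED:
                    needed.append(_cstr(elf, strtab + val))
        elif typ == SHT_GNU_VERNEED and size:
            pos = off
            while True:                        # Elf64_Verneed chain, one per library
                _, cnt, vn_file, vn_aux, vn_next = struct.unpack_from("<HHIII", elf, pos)
                lib, aux = _cstr(elf, strtab + vn_file), pos + vn_aux
                for _ in range(cnt):           # Elf64_Vernaux chain, one per version node
                    _, _, _, vna_name, vna_next = struct.unpack_from("<IHHII", elf, aux)
                    versions.setdefault(lib, []).append(_cstr(elf, strtab + vna_name))
                    aux += vna_next
                if not vn_next:
                    break
                pos += vn_next
    return needed, versions


def scan_dirs(dirs):
    """Basenames of every file in the given -L directories."""
    return {n for d in dirs if os.path.isdir(d) for n in os.listdir(d)}


def missing_libs(needed, available):
    """DT_NEEDED entries with no same-named file among `available`."""
    return [lib for lib in needed if lib not in available]


def build_sample_elf():
    """Constructed stand-in for libhwui.so (not a real file): just the three
    sections the parser reads, two DT_NEEDED libraries, three version nodes."""
    strtab = bytearray(b"\0")

    def add(name):
        strtab.extend(name.encode() + b"\0")
        return len(strtab) - len(name) - 1

    statspull, v_stats = add("libstatspull.so"), add("LIBSTATSPULL")
    libc, v_r, v_q = add("libc.so"), add("LIBC_R"), add("LIBC_Q")
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in
                       [(DT_NEEDED, statspull), (DT_NEEDED, libc), (DT_NULL, 0)])
    verneed = (struct.pack("<HHIII", 1, 1, statspull, 16, 32)
               + struct.pack("<IHHII", 0, 0, 2, v_stats, 0)
               + struct.pack("<HHIII", 1, 2, libc, 16, 0)
               + struct.pack("<IHHII", 0, 0, 3, v_r, 16)
               + struct.pack("<IHHII", 0, 0, 4, v_q, 0))
    blobs = [(SHT_STRTAB, bytes(strtab)), (SHT_DYNAMIC, dynamic), (SHT_GNU_VERNEED, verneed)]
    body, shdrs, off = b"", struct.pack(SHDR, *[0] * 10), 64
    for typ, blob in blobs:                    # section 1 is .dynstr, so sh_link = 1
        link = 0 if typ == SHT_STRTAB else 1
        shdrs += struct.pack(SHDR, 0, typ, 0, 0, off, len(blob), link, 0, 1, 0)
        body, off = body + blob, off + len(blob)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 183, 1, 0, 0, off, 0, 64, 0, 0, 64, 4, 0)
    return ehdr + body + shdrs


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    needed, versions = elf_dependencies(data)
    for lib in needed:
        print(f"{lib:<24} must define {versions.get(lib, [])}")
    if len(sys.argv) > 2:
        print("not found in -L dirs:", missing_libs(needed, scan_dirs(sys.argv[2:])))
```

Every library the script lists as missing needs either a copy in one of the `-L` directories (for a device ROM that means pulling it, and any library it in turn needs, from the same image) or an explicit `-l` entry on the link line; a version node that the found copy does not define shows up as exactly the `@VERSION` error in the post.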
I am trying to run the harness on a physical Android device with LIBC_HOOKS_ENABLE=1, but got an error from AFL's libdislocator:
[!] Running on Android, heap chunks will be automatically 8-byte aligned.
*** [AFL] bad allocator canary on realloc() ***
ASAN:SIGABRT
==15909==ERROR: AddressSanitizer: ABRT on unknown address 0x7d000003e25 (pc 0x70c1eb506c sp 0x7fe8c5c320 bp 0x7fe8c5c320 T0)
......
The harness can successfully execute in qemu or with the -d (unset LIBC_HOOKS_ENABLE) option.
Any idea about that?
Are there any details on the fuzzing process with afl-qemu?
This repo only has the harness and the exploit file.
I used the solution with #1 (comment)
However, I used capstone 4.0.1 and capstone 4.0.2 and still got these errors (below).