• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# example_fuzzer
2
3This is just a simple fuzzer that will run for a few iterations
4and then crash. It can be used as a smoke test to confirm that
5ASAN+coverage builds and libFuzzer are working correctly.
6
7Fuzz targets (like this one) generally live adjacent to the code that they
8exercise. If you wish to write a new target that exercises the library
9`/external/example`, the fuzz target should generally be in
10`/external/example/test/fuzzers/`.
11
12--------------------------------------------------------------------------------
13
14To build the fuzzer, run:
15```
16  $ SANITIZE_TARGET=address SANITIZE_HOST=address mmma -j$(nproc) \
17    tools/security/example_fuzzer
18```
19To run on device:
20```
21  $ adb sync data
22  $ adb shell /data/fuzz/example_fuzzer
23```
24To run on host:
25```
26  $ $ANDROID_HOST_OUT/fuzz/example_fuzzer
27```
28
29--------------------------------------------------------------------------------
30
31For more information, see the libFuzzer documentation at
32https://llvm.org/docs/LibFuzzer.html.
33
34The output should look like the output below. You should notice that:
35- cov: values are increasing
36- NEW units are discovered
37- a stack-buffer-overflow is caught by AddressSanitizer
38- the overflow is a WRITE
39- the artifact generated starts with 'Hi!'
40
41--------------------------------------------------------------------------------
42
43```
44INFO: Seed: 1154663995
45INFO: Loaded 1 modules   (10 inline 8-bit counters): 10 [0x5bde606000, 0x5bde60600a),
46INFO: Loaded 1 PC tables (10 PCs): 10 [0x5bde606010,0x5bde6060b0),
47INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
48INFO: A corpus is not provided, starting from an empty corpus
49#2  INITED cov: 5 ft: 5 corp: 1/1b lim: 4 exec/s: 0 rss: 23Mb
50#2133 NEW    cov: 8 ft: 8 corp: 2/26b lim: 25 exec/s: 0 rss: 23Mb L: 25/25 MS: 1 CrossOver-
51#2162 REDUCE cov: 8 ft: 8 corp: 2/24b lim: 25 exec/s: 0 rss: 23Mb L: 23/23 MS: 4 CMP-EraseBytes-InsertRepeatedBytes-InsertByte- DE: "\x18\x00\x00\x00\x00\x00\x00\x00"-
52=================================================================
53==32069==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x007fe3caf8c3 at pc 0x0078919740f4 bp 0x007fe3caf890 sp 0x007fe3caf020
54WRITE of size 4 at 0x007fe3caf8c3 thread T0
55    #0 0x78919740f0  (/system/lib64/libclang_rt.asan-aarch64-android.so+0xb30f0)
56    #1 0x5bde5e0354  (/data/fuzz/example_fuzzer+0xf354)
57    #2 0x5bde5f1574  (/data/fuzz/example_fuzzer+0x20574)
58    #3 0x5bde5f1118  (/data/fuzz/example_fuzzer+0x20118)
59    #4 0x5bde5f2314  (/data/fuzz/example_fuzzer+0x21314)
60    #5 0x5bde5f2fc0  (/data/fuzz/example_fuzzer+0x21fc0)
61    #6 0x5bde5e4c10  (/data/fuzz/example_fuzzer+0x13c10)
62    #7 0x5bde5e0568  (/data/fuzz/example_fuzzer+0xf568)
63    #8 0x7891304254  (/apex/com.android.runtime/lib64/bionic/libc.so+0x7c254)
64
65Address 0x007fe3caf8c3 is located in stack of thread T0 at offset 35 in frame
66    #0 0x5bde5e008c  (/data/fuzz/example_fuzzer+0xf08c)
67
68  This frame has 2 object(s):
69    [32, 35) 'buffer.i' (line 23) <== Memory access at offset 35 overflows this variable
70    [48, 72) 'null_terminated_string' (line 31)
71HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
72      (longjmp and C++ exceptions *are* supported)
73SUMMARY: AddressSanitizer: stack-buffer-overflow (/system/lib64/libclang_rt.asan-aarch64-android.so+0xb30f0)
74Shadow bytes around the buggy address:
75  0x001ffc795ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
76  0x001ffc795ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
77  0x001ffc795ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
78  0x001ffc795ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
79  0x001ffc795f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
80=>0x001ffc795f10: 00 00 00 00 f1 f1 f1 f1[03]f2 00 00 00 f3 f3 f3
81  0x001ffc795f20: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
82  0x001ffc795f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
83  0x001ffc795f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
84  0x001ffc795f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
85  0x001ffc795f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
86Shadow byte legend (one shadow byte represents 8 application bytes):
87  Addressable:           00
88  Partially addressable: 01 02 03 04 05 06 07
89  Heap left redzone:       fa
90  Freed heap region:       fd
91  Stack left redzone:      f1
92  Stack mid redzone:       f2
93  Stack right redzone:     f3
94  Stack after return:      f5
95  Stack use after scope:   f8
96  Global redzone:          f9
97  Global init order:       f6
98  Poisoned by user:        f7
99  Container overflow:      fc
100  Array cookie:            ac
101  Intra object redzone:    bb
102  ASan internal:           fe
103  Left alloca redzone:     ca
104  Right alloca redzone:    cb
105  Shadow gap:              cc
106==32069==ABORTING
107MS: 4 CopyPart-InsertByte-PersAutoDict-CMP- DE: "\x18\x00\x00\x00\x00\x00\x00\x00"-"Hi!"-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
1080x48,0x69,0x21,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa,
109Hi!\x00\x00\x00\x00\x00\x00\x00\x0a
110artifact_prefix='./'; Test unit written to ./crash-8a4daff3931e139b7dfff19e7e47dc75c29c3a5e
111Base64: SGkhAAAAAAAAAAo=
112```
113