xref: /aosp_15_r20/tools/security/fuzzing/example_fuzzer/README.md (revision d9ecfb0f4d734c9ce41cde8ac4d585b094fd4222)
# example_fuzzer

This is just a simple fuzzer that will run for a few iterations
and then crash. It can be used as a smoke test to confirm that
ASan+coverage builds and libFuzzer are working correctly.

Fuzz targets (like this one) generally live adjacent to the code that they
exercise. If you wish to write a new target that exercises the library
`/external/example`, the fuzz target should generally be in
`/external/example/test/fuzzers/`.

--------------------------------------------------------------------------------

To build the fuzzer (the directory matches where this README lives), run:
```
  $ SANITIZE_TARGET=address SANITIZE_HOST=address mmma -j$(nproc) \
    tools/security/fuzzing/example_fuzzer
```
To run on device:
```
  $ adb sync data
  $ adb shell /data/fuzz/example_fuzzer
```
Run it from a directory the shell can write to (or pass `-artifact_prefix=<dir>/`),
because libFuzzer writes the crashing input to the current directory by default.
To run on host:
```
  $ $ANDROID_HOST_OUT/fuzz/example_fuzzer
```

--------------------------------------------------------------------------------

For more information, see the libFuzzer documentation at
https://llvm.org/docs/LibFuzzer.html.

The output should look like the output below. You should notice that:
- `cov:` values are increasing as new edges are reached
- NEW units are discovered and added to the corpus
- a stack-buffer-overflow is caught by AddressSanitizer
- the overflow is a WRITE, not a READ: the faulting store lands past the end
  of a 3-byte stack object (`buffer.i`), which is the more serious class of bug
- the artifact generated starts with 'Hi!'
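
As an added illustration (not the project's source, which this README does
not reproduce), the following is a hypothetical fuzz target in the same shape:
a three-byte stack buffer, a NUL-terminated copy of the input, and a deliberate
4-byte write past the buffer once the input starts with `Hi!`. The names
`example_parse`, `is_magic_input` and `overflowing_write`, the `STANDALONE`
build flag and the buffer sizes are assumptions chosen to mirror the ASan
report in this README, not taken from the page. Built with
`-fsanitize=address,fuzzer` it should produce the same pattern of output;
built with `-DSTANDALONE` it replays saved inputs such as the `crash-*`
artifact through `LLVMFuzzerTestOneInput` without libFuzzer:

```c
/*
 * Hypothetical smoke-test fuzz target in the shape of the example_fuzzer
 * this README describes. Added example, not the project's own source:
 * example_parse(), MAGIC, STANDALONE and the buffer sizes are assumptions
 * chosen to mirror the ASan report, not code taken from the page.
 *
 * libFuzzer build:   clang -g -O1 -fsanitize=address,fuzzer smoke_target.c
 * Replay a saved input (e.g. a crash-* artifact) without libFuzzer:
 *   clang -g -O1 -fsanitize=address -DSTANDALONE smoke_target.c
 *   ./a.out ./crash-<sha1>
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Magic prefix that reaches the deliberate bug. libFuzzer's CMP tracing
 * learns it from the memcmp() below, which is why the crash artifact
 * begins with it after only a few thousand executions. */
#define MAGIC "Hi!"
#define MAGIC_LEN (sizeof(MAGIC) - 1)

/* True when an input would take the crashing path. Kept separate so the
 * trigger condition can be checked without executing the overflow. */
static int is_magic_input(const uint8_t *data, size_t size) {
    return size >= MAGIC_LEN && memcmp(data, MAGIC, MAGIC_LEN) == 0;
}

/* noinline so the compiler cannot see that the write targets a dead local
 * and drop it before AddressSanitizer instruments it. */
__attribute__((noinline)) static void overflowing_write(char *p, size_t n) {
    memset(p, 0, n);   /* intercepted by ASan: frame #0 lands in libclang_rt.asan */
}

/*
 * Stand-in for the library function under test. Fuzzer inputs are not
 * NUL-terminated, so anything handed to str* APIs is first copied into a
 * bounded, explicitly terminated stack buffer. Returns -1 for empty input,
 * otherwise strlen() of the terminated copy (shorter than `size` when the
 * input is truncated or contains an embedded NUL). On the magic prefix it
 * performs a DELIBERATE 4-byte write one past the end of a 3-byte stack
 * buffer, which ASan reports as a stack-buffer-overflow WRITE of size 4.
 */
static int example_parse(const uint8_t *data, size_t size) {
    char null_terminated_string[24];
    char buffer[3];

    if (size == 0)
        return -1;

    /* Bounded copy plus explicit terminator: the safe idiom. */
    size_t n = size < sizeof(null_terminated_string) - 1
                   ? size
                   : sizeof(null_terminated_string) - 1;
    memcpy(null_terminated_string, data, n);
    null_terminated_string[n] = '\0';

    if (is_magic_input(data, size)) {
        memcpy(buffer, null_terminated_string, sizeof(buffer));
        /* BUG (intentional): stores bytes [3,7) of a 3-byte array. */
        overflowing_write(buffer + sizeof(buffer), 4);
    }
    return (int)strlen(null_terminated_string);
}

/* The libFuzzer entry point. It must return 0; other values are reserved. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)example_parse(data, size);
    return 0;
}

#ifdef STANDALONE
/* Minimal replay driver: runs every file named on the command line through
 * the target once, the way libFuzzer does when handed a file path. */
int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); return 1; }
        uint8_t buf[4096];   /* same cap as the default -max_len of 4096 */
        size_t n = fread(buf, 1, sizeof(buf), f);
        fclose(f);
        printf("Running: %s (%zu bytes)\n", argv[i], n);
        LLVMFuzzerTestOneInput(buf, n);
        printf("Done:    %s\n", argv[i]);
    }
    return 0;
}
#endif
```

The trigger check is split out from the parse routine so the condition that
reaches the bug can be confirmed on an artifact without running the overflow,
which is useful when triaging a crash on a build that has no sanitizer.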

--------------------------------------------------------------------------------

```
INFO: Seed: 1154663995
INFO: Loaded 1 modules   (10 inline 8-bit counters): 10 [0x5bde606000, 0x5bde60600a),
INFO: Loaded 1 PC tables (10 PCs): 10 [0x5bde606010,0x5bde6060b0),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2  INITED cov: 5 ft: 5 corp: 1/1b lim: 4 exec/s: 0 rss: 23Mb
#2133 NEW    cov: 8 ft: 8 corp: 2/26b lim: 25 exec/s: 0 rss: 23Mb L: 25/25 MS: 1 CrossOver-
#2162 REDUCE cov: 8 ft: 8 corp: 2/24b lim: 25 exec/s: 0 rss: 23Mb L: 23/23 MS: 4 CMP-EraseBytes-InsertRepeatedBytes-InsertByte- DE: "\x18\x00\x00\x00\x00\x00\x00\x00"-
=================================================================
==32069==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x007fe3caf8c3 at pc 0x0078919740f4 bp 0x007fe3caf890 sp 0x007fe3caf020
WRITE of size 4 at 0x007fe3caf8c3 thread T0
    #0 0x78919740f0  (/system/lib64/libclang_rt.asan-aarch64-android.so+0xb30f0)
    #1 0x5bde5e0354  (/data/fuzz/example_fuzzer+0xf354)
    #2 0x5bde5f1574  (/data/fuzz/example_fuzzer+0x20574)
    #3 0x5bde5f1118  (/data/fuzz/example_fuzzer+0x20118)
    #4 0x5bde5f2314  (/data/fuzz/example_fuzzer+0x21314)
    #5 0x5bde5f2fc0  (/data/fuzz/example_fuzzer+0x21fc0)
    #6 0x5bde5e4c10  (/data/fuzz/example_fuzzer+0x13c10)
    #7 0x5bde5e0568  (/data/fuzz/example_fuzzer+0xf568)
    #8 0x7891304254  (/apex/com.android.runtime/lib64/bionic/libc.so+0x7c254)

Address 0x007fe3caf8c3 is located in stack of thread T0 at offset 35 in frame
    #0 0x5bde5e008c  (/data/fuzz/example_fuzzer+0xf08c)

  This frame has 2 object(s):
    [32, 35) 'buffer.i' (line 23) <== Memory access at offset 35 overflows this variable
    [48, 72) 'null_terminated_string' (line 31)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/system/lib64/libclang_rt.asan-aarch64-android.so+0xb30f0)
Shadow bytes around the buggy address:
  0x001ffc795ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffc795ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffc795ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffc795ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffc795f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x001ffc795f10: 00 00 00 00 f1 f1 f1 f1[03]f2 00 00 00 f3 f3 f3
  0x001ffc795f20: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffc795f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffc795f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffc795f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x001ffc795f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==32069==ABORTING
MS: 4 CopyPart-InsertByte-PersAutoDict-CMP- DE: "\x18\x00\x00\x00\x00\x00\x00\x00"-"Hi!"-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x48,0x69,0x21,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa,
Hi!\x00\x00\x00\x00\x00\x00\x00\x0a
artifact_prefix='./'; Test unit written to ./crash-8a4daff3931e139b7dfff19e7e47dc75c29c3a5e
Base64: SGkhAAAAAAAAAAo=
```