Fuzzing non-Android shared libraries with Sloth #6

Open
stulle123 opened this issue Feb 3, 2023 · 0 comments
Comments

stulle123 commented Feb 3, 2023

Hi there,

I'm trying to fuzz aarch64 shared libraries of an embedded device which doesn't run Android.

To get started I tried to run the example in resources/examples/Skia/jni but libFuzzer crashes immediately.

Here's what I did:

  1. Cross-compiling the example with clang in the docker container:
root@3f226187491f:/# apt install -y lld-10 gcc-10-aarch64-linux-gnu
root@3f226187491f:/# ln -s /usr/aarch64-linux-gnu/lib/libstdc++.so.6.0.28 /usr/aarch64-linux-gnu/lib/libstdc++.so
root@3f226187491f:/examples/Skia/jni/lib# clang++ --target=aarch64-linux-gnu --sysroot=/usr/aarch64-linux-gnu/ -fuse-ld=lld-10 -shared -o libBooFuzz.so fuzz.cpp && cp libBooFuzz.so /usr/aarch64-linux-gnu/lib/
root@3f226187491f:/examples/Skia/jni# clang++ --target=aarch64-linux-gnu --sysroot=/usr/aarch64-linux-gnu/ -fuse-ld=lld-10 -lBooFuzz -o boofuzz boo.cpp
  2. Run Sloth:
root@3f226187491f:/# cp /usr/aarch64-linux-gnu/lib/ld-linux-aarch64.so.1 /lib
root@3f226187491f:/sloth/src# LD_LIBRARY_PATH=/usr/aarch64-linux-gnu/lib/ SLOTH_TARGET_LIBRARY=/usr/aarch64-linux-gnu/lib/libBooFuzz.so ./sloth /examples/Skia/jni/boofuzz
  3. Either I get a core dump by Qemu or a deadly signal by libFuzzer:
==== SLOTH ====
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 929562646
INFO: 65536 Extra Counters
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
qemu: uncaught target signal 4 (Unknown signal 0) - core dumped
==== SLOTH ====
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1216318846
INFO: 65536 Extra Counters
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
==28737== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64

Anyone ever tried Sloth with non-Android shared libraries before?

Cheers
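Added example, not part of Sloth or of the issue: a small triage helper for the two Sloth/libFuzzer runs pasted above. It splits the log into runs, records the missing `__sanitizer_*` hooks (the target library was built without a sanitizer), maps the qemu guest signal number to its Linux aarch64 name, and notes that the written artifact is named by the SHA-1 of an empty unit, so the harness died before any mutation took place. The embedded log is a constructed excerpt of the posted output.

```python
import hashlib
import re

# Constructed excerpt of the two runs pasted in the issue above
SLOTH_LOG = """\
==== SLOTH ====
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Seed: 929562646
qemu: uncaught target signal 4 (Unknown signal 0) - core dumped
==== SLOTH ====
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Seed: 1216318846
==28737== ERROR: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

# qemu reports the *guest's* signal number (Linux aarch64), not the host's
GUEST_SIGNALS = {4: "SIGILL", 6: "SIGABRT", 7: "SIGBUS", 11: "SIGSEGV"}
# libFuzzer names crash artifacts by the SHA-1 of the offending unit
EMPTY_INPUT_SHA1 = hashlib.sha1(b"").hexdigest()


def triage(log):
    """Split a Sloth log into runs and pull out the facts needed for triage."""
    runs, cur = [], None
    for line in log.splitlines():
        if line.startswith("==== SLOTH ===="):
            cur = {"seed": None, "missing_hooks": [], "outcome": "running",
                   "signal": None, "artifact": None, "empty_input": False}
            runs.append(cur)
        elif cur is None:
            continue
        elif (m := re.match(r'WARNING: Failed to find function "([^"]+)"', line)):
            cur["missing_hooks"].append(m.group(1))  # no sanitizer runtime in the target
        elif (m := re.match(r"INFO: Seed: (\d+)", line)):
            cur["seed"] = int(m.group(1))
        elif (m := re.match(r"qemu: uncaught target signal (\d+)", line)):
            cur["outcome"] = "qemu-uncaught-signal"
            cur["signal"] = GUEST_SIGNALS.get(int(m.group(1)), "signal " + m.group(1))
        elif "ERROR: libFuzzer: deadly signal" in line:
            cur["outcome"] = "libfuzzer-deadly-signal"
        elif (m := re.search(r"Test unit written to (\S+)", line)):
            cur["artifact"] = m.group(1)
            # SHA-1 of "" means the very first, empty unit crashed: a load/init problem, not an input bug
            cur["empty_input"] = m.group(1).endswith(EMPTY_INPUT_SHA1)
    return runs


if __name__ == "__main__":
    for i, run in enumerate(triage(SLOTH_LOG), 1):
        print(f"run {i}: {run}")
```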
