
Fuzzing non-Android shared libraries with Sloth #6

@stulle123


Hi there,

I'm trying to fuzz aarch64 shared libraries of an embedded device which doesn't run Android.

To get started I tried to run the example in resources/examples/Skia/jni but libFuzzer crashes immediately.

Here's what I did:

1. Cross-compiling the example with clang in the docker container:

```shell
root@3f226187491f:/# apt install -y lld-10 gcc-10-aarch64-linux-gnu
root@3f226187491f:/# ln -s /usr/aarch64-linux-gnu/lib/libstdc++.so.6.0.28 /usr/aarch64-linux-gnu/lib/libstdc++.so
root@3f226187491f:/examples/Skia/jni/lib# clang++ --target=aarch64-linux-gnu --sysroot=/usr/aarch64-linux-gnu/ -fuse-ld=lld-10 -shared -o libBooFuzz.so fuzz.cpp && cp libBooFuzz.so /usr/aarch64-linux-gnu/lib/
root@3f226187491f:/examples/Skia/jni# clang++ --target=aarch64-linux-gnu --sysroot=/usr/aarch64-linux-gnu/ -fuse-ld=lld-10 -lBooFuzz -o boofuzz boo.cpp
```

2. Run Sloth:

```shell
root@3f226187491f:/# cp /usr/aarch64-linux-gnu/lib/ld-linux-aarch64.so.1 /lib
root@3f226187491f:/sloth/src# LD_LIBRARY_PATH=/usr/aarch64-linux-gnu/lib/ SLOTH_TARGET_LIBRARY=/usr/aarch64-linux-gnu/lib/libBooFuzz.so ./sloth /examples/Skia/jni/boofuzz
```

3. Either I get a core dump by Qemu or a deadly signal by libFuzzer:

```
==== SLOTH ====
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 929562646
INFO: 65536 Extra Counters
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
qemu: uncaught target signal 4 (Unknown signal 0) - core dumped
```

```
==== SLOTH ====
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1216318846
INFO: 65536 Extra Counters
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
==28737== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000

artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64
```

Anyone ever tried Sloth with non-Android shared libraries before?

Cheers
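A pre-flight check for the cross-compiled target, added here as an illustration and not part of Sloth or of the issue above: it parses the `.dynsym` of an ELF64 shared object and reports whether it is AArch64, whether it defines libFuzzer's entry point `LLVMFuzzerTestOneInput`, and which of the three `__sanitizer_*` functions named in Sloth's warnings are absent. It is assumed, not confirmed by the issue, that those three are optional hooks Sloth resolves at runtime; `build_sample_elf` is a constructed minimal fixture for offline use, not a loadable library.

```python
import struct

EM_AARCH64, SHT_DYNSYM, SHT_STRTAB = 183, 11, 3  # e_machine for AArch64; section types
# The three functions Sloth reported it could not find (assumed to be optional hooks).
SANITIZER_HOOKS = ("__sanitizer_acquire_crash_state", "__sanitizer_print_stack_trace",
                   "__sanitizer_set_death_callback")
SHDR = "<IIQQQQIIQQ"  # ELF64 Shdr: name, type, flags, addr, offset, size, link, info, align, entsize

def defined_dynamic_symbols(data):
    """Return (e_machine, names defined in .dynsym) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_machine = struct.unpack_from("<H", data, 18)[0]
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    names = set()
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM or sh[9] == 0:
            continue
        strtab = data[shdrs[sh[6]][4]:shdrs[sh[6]][4] + shdrs[sh[6]][5]]  # linked string table
        for off in range(sh[4], sh[4] + sh[5], sh[9]):
            st_name, _info, _other, st_shndx = struct.unpack_from("<IBBH", data, off)
            if st_shndx != 0:  # SHN_UNDEF entries are imports, not definitions
                names.add(strtab[st_name:strtab.index(b"\0", st_name)].decode())
    return e_machine, names

def preflight(data):
    """Checks worth running before handing a cross-compiled .so to Sloth."""
    e_machine, names = defined_dynamic_symbols(data)
    return {"aarch64": e_machine == EM_AARCH64,
            "has_entrypoint": "LLVMFuzzerTestOneInput" in names,
            "missing_sanitizer_hooks": [h for h in SANITIZER_HOOKS if h not in names]}

def build_sample_elf(defined, e_machine=EM_AARCH64):
    """Constructed fixture: header + .dynstr + .dynsym defining `defined`; not loadable."""
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in defined)
    syms, name_off = b"\0" * 24, 1
    for s in defined:
        syms += struct.pack("<IBBHQQ", name_off, 0x12, 0, 1, 0, 0)  # GLOBAL FUNC, defined
        name_off += len(s) + 1
    str_off, sym_off = 64, 64 + len(strtab)
    shoff = sym_off + len(syms)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, e_machine, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    shdrs = struct.pack(SHDR, *([0] * 10))
    shdrs += struct.pack(SHDR, 0, SHT_STRTAB, 0, 0, str_off, len(strtab), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR, 0, SHT_DYNSYM, 0, 0, sym_off, len(syms), 1, 1, 8, 24)
    return ehdr + strtab + syms + shdrs
```

Run `preflight(open("libBooFuzz.so", "rb").read())` on the real library; a non-AArch64 machine type or a missing entry point is worth fixing before looking at the QEMU signal.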
