I am working on x64 support for chizpurfle so that it can run on (more efficient) emulators. I know that chizpurfle is meant to fuzz vendor services, which you typically don't have on emulators, but the fuzzer can also target regular AOSP services and I would like to use it for that purpose.
What I have done already:
replace chizpurfle/lib/{frida-core, frida-gum} with x64 equivalents
change abiFilters in the gradle build file to x86_64
use a frida-server version that supports x64
Unfortunately, the frida stalker components seem to kill the systemserver:
06-07 12:01:04.781 28020 28020 D AndroidRuntime: Calling main entry italiaken.fantasticbeasts.chizpurfle.Main
06-07 12:01:04.783 28020 28020 I Chizpurfle: Welcome, I am a Chizpurfle!
06-07 12:01:04.784 28020 28020 D Chizpurfle: 4194304, 402653184, 3841248
06-07 12:01:04.786 28020 28020 I Chizpurfle: Chizpurfle evolutionary fuzzer started
06-07 12:01:04.938 25901 25901 I system_server: type=1400 audit(0.0:592): avc: denied { open } for path="/data/local/tmp/libstalker-server.so" dev="dm-0" ino=61455 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-07 12:01:04.938 25901 25901 I system_server: type=1400 audit(0.0:593): avc: denied { execute } for path="/data/local/tmp/libstalker-server.so" dev="dm-0" ino=61455 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-07 12:01:04.962 25901 28043 I NativeStalkerServer: enter
06-07 12:01:04.958 28044 28044 I system_server: type=1400 audit(0.0:594): avc: denied { execute } for name="sh" dev="vda" ino=520 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
06-07 12:01:04.967 25901 28043 D NativeStalkerServer: ulimit unlimited
06-07 12:01:04.967 25901 28043 D NativeStalkerServer: socket open (200)
06-07 12:01:04.967 25901 28043 I NativeStalkerServer: binding to local socket: stalker_socket
06-07 12:01:04.967 25901 28043 I NativeStalkerServer: listening from the local socket
06-07 12:01:04.958 28044 28044 I system_server: type=1400 audit(0.0:595): avc: denied { read open } for path="/system/bin/sh" dev="vda" ino=520 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
06-07 12:01:04.958 28044 28044 I system_server: type=1400 audit(0.0:596): avc: denied { execute_no_trans } for path="/system/bin/sh" dev="vda" ino=520 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
06-07 12:01:04.958 28044 28044 I sh : type=1400 audit(0.0:597): avc: denied { getattr } for path="/system/bin/sh" dev="vda" ino=520 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
06-07 12:01:04.984 25901 28043 I NativeStalkerServer: excluding libstalker-server.so /data/local/tmp/libstalker-server.so 0x7033adb7c000 0x7033adffd000
06-07 12:01:04.988 25901 28043 I NativeStalkerServer: excluding libc.so /system/lib64/libc.so 0x7033cb134000 0x7033cb227000
06-07 12:01:04.988 25901 28043 I NativeStalkerServer: excluding libc++.so /system/lib64/libc++.so 0x7033cb9b7000 0x7033cbab4000
06-07 12:01:04.989 25901 28043 I NativeStalkerServer: excluding libutils.so /system/lib64/libutils.so 0x7033ce66f000 0x7033ce693000
06-07 12:01:04.999 25901 28043 D NativeStalkerServer: receiving...
06-07 12:01:04.999 25901 28043 D NativeStalkerServer: received 87 bytes: {"m":0,"white":[],"black":["binder","signal","finalize","reference","heaptask","pool"]}
06-07 12:01:05.003 25901 25907 W art : Receiving file descriptor from ADB failed (socket 25): Function not implemented
06-07 12:01:05.003 25901 25908 F art : art/runtime/base/mutex.cc:853] futex wait failed for a thread wait condition variable: Function not implemented
06-07 12:01:05.004 25901 25909 F art : art/runtime/base/mutex.cc:853] futex wait failed for a thread wait condition variable: Function not implemented
06-07 12:01:05.015 25901 25910 F art : art/runtime/base/mutex.cc:853] futex wait failed for a thread wait condition variable: Function not implemented
06-07 12:01:05.028 25901 25921 E IPCThreadState: getAndExecuteCommand(fd=8) returned unexpected error -38, aborting
06-07 12:01:05.028 25901 25911 F art : art/runtime/base/mutex.cc:853] futex wait failed for Task processor condition: Function not implemented
--------- beginning of crash
06-07 12:01:05.028 25901 25921 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 25921 (Binder:25901_1)
06-07 12:01:05.028 1301 1301 W : debuggerd: handling request: pid=25901 uid=1000 gid=1000 tid=25921
06-07 12:01:05.029 25901 25922 E IPCThreadState: getAndExecuteCommand(fd=8) returned unexpected error -38, aborting
06-07 12:01:05.029 25901 25922 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 25922 (Binder:25901_2)
06-07 12:01:05.029 25901 25922 I libc : Another thread contacted debuggerd first; not contacting debuggerd.
06-07 12:01:05.032 25901 25956 E : ***** ERROR! android_os_fileobserver_observe() got a short event!
06-07 12:01:05.028 28054 28054 I debuggerd64: type=1400 audit(0.0:598): avc: denied { read } for name="libstalker-server.so" dev="dm-0" ino=61455 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-07 12:01:05.028 28054 28054 I debuggerd64: type=1400 audit(0.0:599): avc: denied { open } for path="/data/local/tmp/libstalker-server.so" dev="dm-0" ino=61455 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-07 12:01:05.028 28054 28054 I debuggerd64: type=1400 audit(0.0:600): avc: denied { getattr } for path="/data/local/tmp/libstalker-server.so" dev="dm-0" ino=61455 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-07 12:01:05.090 28054 28054 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
06-07 12:01:05.090 28054 28054 F DEBUG : Build fingerprint: 'Android/sdk_google_phone_x86_64/generic_x86_64:7.1.1/NYC/5464897:userdebug/test-keys'
06-07 12:01:05.090 28054 28054 F DEBUG : Revision: '0'
06-07 12:01:05.090 28054 28054 F DEBUG : ABI: 'x86_64'
06-07 12:01:05.092 28054 28054 F DEBUG : pid: 25901, tid: 25921, name: Binder:25901_1 >>> system_server <<<
06-07 12:01:05.092 28054 28054 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
06-07 12:01:05.093 28054 28054 F DEBUG : Abort message: 'art/runtime/base/mutex.cc:853] futex wait failed for a thread wait condition variable: Function not implemented'
06-07 12:01:05.094 28054 28054 F DEBUG : rax 0000000000000000 rbx 00007033c3dbd4f8 rcx ffffffffffffffff rdx 0000000000000006
06-07 12:01:05.094 28054 28054 F DEBUG : rsi 0000000000006541 rdi 000000000000652d
06-07 12:01:05.094 28054 28054 F DEBUG : r8 0000000000000000 r9 00007033cf42e090 r10 0000000000000008 r11 0000000000000206
06-07 12:01:05.094 28054 28054 F DEBUG : r12 0000000000006541 r13 0000000000000006 r14 00007033c383b0c8 r15 0000000000000001
06-07 12:01:05.094 28054 28054 F DEBUG : cs 0000000000000033 ss 000000000000002b
06-07 12:01:05.094 28054 28054 F DEBUG : rip 00007033cb1c1be7 rbp 0000000000000026 rsp 00007033c3dbd238 eflags 0000000000000206
06-07 12:01:05.096 28054 28054 F DEBUG :
06-07 12:01:05.096 28054 28054 F DEBUG : backtrace:
06-07 12:01:05.096 28054 28054 F DEBUG : #00 pc 000000000008dbe7 /system/lib64/libc.so (tgkill+7)
06-07 12:01:05.096 28054 28054 F DEBUG : #01 pc 000000000008a681 /system/lib64/libc.so (pthread_kill+65)
06-07 12:01:05.096 28054 28054 F DEBUG : #02 pc 00000000000302c1 /system/lib64/libc.so (raise+17)
06-07 12:01:05.096 28054 28054 F DEBUG : #03 pc 00000000000287fd /system/lib64/libc.so (abort+77)
06-07 12:01:05.096 28054 28054 F DEBUG : #04 pc 000000000005fdf1 /system/lib64/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+193)
06-07 12:01:05.096 28054 28054 F DEBUG : #05 pc 0000000000080b67 /system/lib64/libbinder.so (_ZN7android10PoolThread10threadLoopEv+23)
06-07 12:01:05.096 28054 28054 F DEBUG : #06 pc 0000000000012c99 /system/lib64/libutils.so (_ZN7android6Thread11_threadLoopEPv+313)
06-07 12:01:05.096 28054 28054 F DEBUG : #07 pc 00000000000ab0d3 /system/lib64/libandroid_runtime.so (_ZN7android14AndroidRuntime15javaThreadShellEPv+99)
06-07 12:01:05.096 28054 28054 F DEBUG : #08 pc 00000000000897f1 /system/lib64/libc.so (_ZL15__pthread_startPv+177)
06-07 12:01:05.096 28054 28054 F DEBUG : #09 pc 0000000000029a6b /system/lib64/libc.so (__start_thread+11)
06-07 12:01:05.096 28054 28054 F DEBUG : #10 pc 000000000001cae5 /system/lib64/libc.so (__bionic_clone+53)
06-07 12:01:08.643 1301 1301 W : debuggerd: resuming target 25901
06-07 12:01:08.715 1411 1411 E : eof
06-07 12:01:08.715 1411 1411 E : failed to read size
06-07 12:01:08.715 1411 1411 I : closing connection
Since I don't have much experience with frida, I could not make any sense of this yet. The adb file descriptor error seems to be the reason or at least a symptom, and I am curious if anyone by chance ever saw a similar error? Maybe something stalker specific that only turns into a problem when running in an x64 emulator? Any help is appreciated.
I will try the sepolicy trick but here is the thing: all my tests were conducted on at least a userdebug build with SELinux set to permissive. I don't know too much about SELinux in detail, but while working with ARTist, I see those logs all over the place if I, e.g., do some nasty things from the dex2oat compiler binary (executing shell commands and the like). However, as long as SELinux is set to permissive, all of these commands always go through. Whole toolchains of mine depend on the fact that SELinux is not blocking these things when set to permissive =/
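An added triage helper (not part of this issue or of the chizpurfle project) for logcat output like the excerpt above: it separates SELinux avc denials that carry permissive=1 (audited but not enforced, which is the point made in the comment above) from the "Function not implemented" / error -38 failures that precede the SIGABRT. The four sample lines are copied from the log in this issue; the regexes and function names are assumptions of this example.

```python
import re
# Constructed sample input: four lines copied from the logcat excerpt in this issue.
SAMPLE_LOG = """\
06-07 12:01:04.938 25901 25901 I system_server: type=1400 audit(0.0:592): avc: denied { open } for path="/data/local/tmp/libstalker-server.so" dev="dm-0" ino=61455 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
06-07 12:01:05.003 25901 25908 F art : art/runtime/base/mutex.cc:853] futex wait failed for a thread wait condition variable: Function not implemented
06-07 12:01:05.028 25901 25921 E IPCThreadState: getAndExecuteCommand(fd=8) returned unexpected error -38, aborting
06-07 12:01:05.028 25901 25921 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 25921 (Binder:25901_1)
"""

# Linux/Android errno 38 is ENOSYS; the libbinder line reports -38, i.e. -ENOSYS.
LINUX_ENOSYS = 38
AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)
ERRNO_RE = re.compile(r'unexpected error -(?P<errno>\d+)')
FATAL_RE = re.compile(r'Fatal signal (?P<signo>\d+) \((?P<name>SIG[A-Z]+)\)')

def parse_avc(line):
    """Fields of an SELinux avc denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        # permissive=1: the denial was audited (logged) but NOT enforced
        "enforced": m.group("permissive") != "1",
    }

def triage(log_text):
    """Count audit-only vs. enforced denials, ENOSYS failures and fatal signals."""
    summary = {"avc_audit_only": 0, "avc_enforced": 0, "enosys": 0, "fatal": []}
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            summary["avc_enforced" if avc["enforced"] else "avc_audit_only"] += 1
            continue
        m = ERRNO_RE.search(line)
        if (m and int(m.group("errno")) == LINUX_ENOSYS) or "Function not implemented" in line:
            summary["enosys"] += 1
            continue
        m = FATAL_RE.search(line)
        if m:
            summary["fatal"].append(m.group("name"))
    summary["selinux_is_cause"] = summary["avc_enforced"] > 0
    return summary
```

Run `triage(SAMPLE_LOG)` on the full log above: every denial is permissive=1, so the verdict points at the ENOSYS failures rather than at SELinux.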