Forkserver does not work on Android
@domenukk I am trying to build
LibAFL/fuzzers/binary_only/frida_executable_libpng. I am still getting `error[E0425]: cannot find function `shmat` in crate `libc``. I see that you patched it a while ago. But now there is no forkserver.c, it's now forkserver.rs. Do we need to add the wrapper to the rust version of the fork server as well? Using Mac M1.
Originally posted by @barhaterahul in #1625
@barhaterahul This might have regressed in https://github.com/AFLplusplus/LibAFL/pull/3183 - can you try if it worked before that?
CC @Evian-Zhang
We should have an android runner.
I did this in Unicorn which works pretty well: https://github.com/unicorn-engine/unicorn/blob/f8c6db950420d2498700245269d0b647697c5666/.github/workflows/build-uc2.yml#L344
I will check with older version!
I see. I will check this as soon as possible. Sorry for late response.
It seems to be pretty easy to implement the ashmem in Rust. So don't worry, I'll write a patch tomorrow.
Thanks @Evian-Zhang !! I checked with older version where both c and rust version of forkserver is there. It fails
Here is the log if it is useful
Reproduced exactly here: https://github.com/AFLplusplus/LibAFL/actions/runs/15045873173/job/42288150005?pr=3233#step:8:235
I was able to test @Evian-Zhang 's fix from here https://github.com/Evian-Zhang/LibAFL/tree/android-shmem .
and the error is not there anymore. :).
BTW,
Now, I am getting some other errors related unresolved imports.
frida_gum_sys_error seems previous CI error. Have you sync-ed main?
i'll will check tomorrow thanks!!
I can confirm, after patching the commits from Evian-Zhang (to fix the android shmem issue) to my local updated main as of today, I still have unresolved imports:
$CLANG_PATH=/Users/user/Library/Android/sdk/ndk/29.0.13113456/toolchains/llvm/prebuilt/darwin-x86_64/bin/aarch64-linux-android30-clang cargo build --release --target=aarch64-linux-android
....
....
Compiling frida-gum v0.16.10
error[E0432]: unresolved imports `frida_gum_sys::g_main_context_iteration`, `frida_gum_sys::g_main_context_pending`, `frida_gum_sys::g_main_context_push_thread_default`, `frida_gum_sys::g_main_loop_new`
--> /Users/user/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/frida-gum-0.16.10/src/script/context.rs:16:5
|
16 | g_main_context_iteration, g_main_context_pending, g_main_context_push_thread_default,
| ^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ no `g_main_context_push_thread_default` in the root
| | |
| | no `g_main_context_pending` in the root
| no `g_main_context_iteration` in the root
17 | g_main_loop_new,
| ^^^^^^^^^^^^^^^ no `g_main_loop_new` in the root
|
help: a similar name exists in the module
|
16 | _frida_g_main_context_iteration, g_main_context_pending, g_main_context_push_thread_default,
| +++++++
help: a similar name exists in the module
|
16 | g_main_context_iteration, _frida_g_main_context_pending, g_main_context_push_thread_default,
| +++++++
help: a similar name exists in the module
|
16 | g_main_context_iteration, g_main_context_pending, _frida_g_main_context_push_thread_default,
| +++++++
error[E0432]: unresolved import `frida_gum_sys::g_bytes_get_data`
--> /Users/user/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/frida-gum-0.16.10/src/script/data.rs:20:5
|
20 | use frida_gum_sys::g_bytes_get_data;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ no `g_bytes_get_data` in the root
For more information about this error, try `rustc --explain E0432`.
error: could not compile `frida-gum` (lib) due to 2 previous errors
warning: build failed, waiting for other jobs to finish...
It looks like some functions have been namespaced. Do you feel like submitting a PR to frida-rust?
I will explore if I can do it, good chance to learn rust ;)
I moved forward one step to build for android after making some changes here (https://github.com/frida/frida-rust/pull/208), I am getting a build error from libafl_frida/build.rs:23
#[cfg(not(target_vendor = "apple"))]
if target_family == "unix" {
println!("cargo:rustc-link-lib=dylib=c++");
}
#[cfg(target_vendor = "apple")]
println!("cargo:rustc-link-lib=dylib=resolv");
println!("cargo:rerun-if-changed=build.rs");
println!("cargo:rerun-if-changed=test_harness.cpp");
println!("cargo:rerun-if-changed=src/gettls.c");
// Build the test harness
// clang++ -shared -fPIC -O0 -o test_harness.so test_harness.cpp
// Check if we have clang++ installed
Error:
error: linking with `/Users/user/Library/Android/sdk/ndk/29.0.13113456/toolchains/llvm/prebuilt/darwin-x86_64/bin/aarch64-linux-android30-clang` failed: exit status: 1
|
= note: "/Users/user/Library/Android/sdk/ndk/29.0.13113456/toolchains/llvm/prebuilt/darwin-x86_64/bin/aarch64-linux-android30-clang" "/var/folders/75/fxj_sqcd54l10_nzp884qwq80000gq/T/rustcD3JXVR/symbols.o" "<1 object files omitted>" "-Wl,--as-needed" "-Wl,-Bstatic" "/var/folders/75/fxj_sqcd54l10_nzp884qwq80000gq/T/rustcD3JXVR/{liblibmimalloc_sys-52a0b2d54f4833ab.rlib,liblibafl_frida-5a992fc4db7d7f85.rlib,liblibafl_targets-2389084bb74173e3.rlib,libfrida_gum_sys-0036ef0693b89de6.rlib}.rlib" "<sysroot>/lib/rustlib/aarch64-linux-android/lib/{libcompiler_builtins-*}.rlib" "-Wl,-Bdynamic" "-ldl" "-lc++" "-lresolv" "-lc" "-ldl" "-llog" "-lunwind" "-ldl" "-lm" "-lc" "-L" "/var/folders/75/fxj_sqcd54l10_nzp884qwq80000gq/T/rustcD3JXVR/raw-dylibs" "-Wl,--eh-frame-hdr" "-Wl,-z,noexecstack" "-L" "/Users/user/Documents/work/mobile/testfuzz/frida-rust/frida-gum-sys" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/frida-gum-sys-fba14c8b4005a32d/out" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/frida-gum-sys-fba14c8b4005a32d/out" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/frida-gum-sys-fba14c8b4005a32d/out" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/frida-gum-sys-fba14c8b4005a32d/out" "-L" "$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/darwin-x86_64/sysroot/" "-L" "/Users/user/Library/Android/sdk/ndk/29.0.13113456/toolchains/llvm/prebuilt/darwin-x86_64/lib/clang/20/lib/linux/" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/libafl_frida-d7ccc261f58da2d0/out" "-L" 
"/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/libafl_targets-89114043ad58dfa2/out" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/libafl_targets-89114043ad58dfa2/out" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/libafl_targets-89114043ad58dfa2/out" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/libafl_targets-89114043ad58dfa2/out" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/libafl_targets-89114043ad58dfa2/out" "-L" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/build/libmimalloc-sys-7ee21b058054ea4b/out" "-o" "/Users/user/Documents/work/mobile/testfuzz/LibAFL/fuzzers/binary_only/frida_libpng/target/aarch64-linux-android/release/deps/frida_fuzzer-28ef44c5b1665b09" "-Wl,--gc-sections" "-pie" "-Wl,-z,relro,-z,now" "-Wl,-O1" "-nodefaultlibs" "-rdynamic"
= note: some arguments are omitted. use `--verbose` to show all linker arguments
= note: ld.lld: error: unable to find library `-lresolv`
clang: error: linker command failed with exit code 1 (use -v to see invocation)
I researched it a bit and found that there is no libresolv.so for android; in android the required symbols are resolved by bionic libc. However there is no condition to link against libc from bionic for --target aarch64-linux-android. I will check if we can add a macro for that.
I revisited this, and I was able to somehow build LibAFL for Android after last libresolv.so error.
I made 2 changes to fix this,
1. Added the following lines after line 22 of /LibAFL/crates/libafl_frida/build.rs
if target_os == "android" {
println!("cargo:rustc-link-lib=c++");
let compiler_rt_path = "$ANDROID_NDK/29.0.13113456/toolchains/llvm/prebuilt/darwin-x86_64/lib/clang/20/lib/linux/";
println!("cargo:rustc-link-search=native={}", compiler_rt_path);
println!("cargo:rustc-link-lib=static=clang_rt.builtins-aarch64-android");
}
2. Commented these lines.
#[cfg(target_vendor = "apple")] println!("cargo:rustc-link-lib=dylib=resolv");
I know this is dirty to include the NDK path and comment those lines; this is not a generic solution, but I could not solve this any other way.
And somehow, even though I was building for the Android target on Mac M1, the line `#[cfg(target_vendor = "apple")] println!("cargo:rustc-link-lib=dylib=resolv");` was still triggering and giving the same resolv error. Only after making these 2 changes was it successful.
The error I was getting was the following:
cargo ndk -t arm64-v8a build --release
Building arm64-v8a (aarch64-linux-android)
warning: [email protected]: Frida gumjs devkit not found, downloading from https://github.com/frida/frida/releases/download/17.5.1/frida-gumjs-devkit-17.5.1-android-arm64.tar.xz...
Compiling libafl_frida v0.15.4 (/LibAFL/crates/libafl_frida)
Compiling frida_fuzzer v0.15.4 (/LibAFL/fuzzers/binary_only/frida_libheif)
warning: unused import: `path::PathBuf`
--> src/fuzzer.rs:5:5
|
5 | path::PathBuf,
| ^^^^^^^^^^^^^
|
= note: `#[warn(unused_imports)]` (part of `#[warn(unused)]`) on by default
warning: unused import: `libafl::state::HasCurrentStageId`
--> src/fuzzer.rs:51:5
|
51 | use libafl::state::HasCurrentStageId;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
error: linking with `/Users/user/.cargo/bin/cargo-ndk` failed: exit status: 1
|
= note: "/Users/user/.cargo/bin/cargo-ndk" "<1 object files omitted>" "-Wl,--as-needed" "-Wl,-Bstatic" "/var/folders/75/fxj_sqcd54l10_nzp884qwq80000gq/T/rustcNrICgQ/{liblibmimalloc_sys-07916a350168cf6a,liblibafl_frida-473e4c444c042753,liblibafl_targets-d68f67e61b807322,libfrida_gum_sys-158eb484f08500ae}.rlib" "<sysroot>/lib/rustlib/aarch64-linux-android/lib/libcompiler_builtins-*.rlib" "-Wl,-Bdynamic" "-ldl" "-lresolv" "-lc++" "-lc++" "-ldl" "-llog" "-lunwind" "-ldl" "-lm" "-lc" "-L" "/var/folders/75/fxj_sqcd54l10_nzp884qwq80000gq/T/rustcNrICgQ/raw-dylibs" "-Wl,--eh-frame-hdr" "-Wl,-z,noexecstack" "-L" "/LibAFL/fuzzers/binary_only/frida_libheif/target/aarch64-linux-android/release/build/frida-gum-sys-efe5b78eca33b3d8/out" "-L" "/LibAFL/fuzzers/binary_only/frida_libheif/target/aarch64-linux-android/release/build/frida-gum-sys-efe5b78eca33b3d8/out" "-L" "/LibAFL/fuzzers/binary_only/frida_libheif/target/aarch64-linux-android/release/build/libafl_frida-e9f25f96c7edd980/out" "-L" "/LibAFL/fuzzers/binary_only/frida_libheif/target/aarch64-linux-android/release/build/libafl_targets-13061ca6cb8b182b/out" "-L" "/LibAFL/fuzzers/binary_only/frida_libheif/target/aarch64-linux-android/release/build/libmimalloc-sys-27bd9a84bb4a191a/out" "-L" "/frida-rust/frida-gum-sys" "-L" "/Users/user/Library/Android/sdk/ndk/29.0.13113456/toolchains/llvm/prebuilt/darwin-x86_64/lib/clang/20/lib/linux/" "-o" "/LibAFL/fuzzers/binary_only/frida_libheif/target/aarch64-linux-android/release/deps/frida_fuzzer-952438c681223dc6" "-Wl,--gc-sections" "-pie" "-Wl,-z,relro,-z,now" "-Wl,-O1" "-nodefaultlibs" "-L/Users/user/Library/Android/sdk/ndk/29.0.13113456/toolchains/llvm/prebuilt/darwin-x86_64/lib/clang/20/lib/linux/" "-lclang_rt.builtins-aarch64-android" "-rdynamic"
= note: some arguments are omitted. use `--verbose` to show all linker arguments
= note: ld.lld: error: unable to find library -lresolv
clang: error: linker command failed with exit code 1 (use -v to see invocation)
warning: `frida_fuzzer` (bin "frida_fuzzer") generated 2 warnings
error: could not compile `frida_fuzzer` (bin "frida_fuzzer") due to 1 previous error; 2 warnings emitted
note: If the build failed due to a missing target, you can run this command:
note:
note: rustup target install aarch64-linux-android
Also I had to modify my ~/.cargo/config.toml as follows:
[build]
target = "aarch64-linux-android"
[target.aarch64-linux-android]
# archiver and linker from the NDK toolchain (typo "aallvm-ar" and the missing opening quote on the linker path corrected)
ar = "llvm-ar"
linker = "$ANDROID_NDK/toolchains/llvm/prebuilt/darwin-x86_64/bin/aarch64-linux-android35-clang"
rustflags = [
"-C","link-arg=-L$ANDROID_NDK/toolchains/llvm/prebuilt/darwin-x86_64/lib/clang/20/lib/linux/",
"-C","link-arg=-lclang_rt.builtins-aarch64-android"
]
Any ideas how to solve this in a generic way? @domenukk @Evian-Zhang
Aah the issue is that we're mixing up what we build for and where we build on in build.rs:
#[cfg(target_vendor = "apple")] println!("cargo:rustc-link-lib=dylib=resolv");
This should really be reading the CARGO_CFG_TARGET_VENDOR env variable and then do things accordingly.
The build.rs gets compiled for the platform we compile on, so the cfg is correctly assuming apple platform, instead we need to do a runtime check what we build for with the env variables. https://doc.rust-lang.org/cargo/reference/environment-variables.html
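An added example (not LibAFL's own build.rs) of what the comment above describes: a build script that decides its link directives from the `CARGO_CFG_TARGET_*` environment variables cargo sets for the target, instead of `#[cfg]` attributes that are evaluated for the host the script is compiled on. The pure `link_directives` function is unit-testable without cross-compiling; the `compiler_rt_dir` parameter and the `ANDROID_COMPILER_RT_DIR` variable name are assumptions, and the `clang_rt.builtins-aarch64-android` library name is the one from the Android workaround earlier in this thread.

```rust
// Example build.rs (hypothetical, not LibAFL's): dispatch on the *target*.
use std::env;

/// Produce the `cargo:` link directives for the given target components.
/// `compiler_rt_dir` is an assumed, optional NDK compiler-rt directory.
fn link_directives(
    target_os: &str,
    target_vendor: &str,
    target_family: &str,
    compiler_rt_dir: Option<&str>,
) -> Vec<String> {
    let mut out = Vec::new();
    if target_vendor == "apple" {
        // macOS/iOS ship libresolv; checked first because they are "unix" too.
        out.push("cargo:rustc-link-lib=dylib=resolv".to_string());
    } else if target_os == "android" {
        // Bionic already provides the resolver symbols, so no -lresolv here;
        // libc++ is the NDK C++ runtime, and compiler-rt builtins come from the NDK.
        out.push("cargo:rustc-link-lib=dylib=c++".to_string());
        if let Some(dir) = compiler_rt_dir {
            out.push(format!("cargo:rustc-link-search=native={dir}"));
            out.push("cargo:rustc-link-lib=static=clang_rt.builtins-aarch64-android".to_string());
        }
    } else if target_family == "unix" {
        // Other unix targets (e.g. Linux): the original non-apple branch.
        out.push("cargo:rustc-link-lib=dylib=c++".to_string());
    }
    out
}

fn main() {
    // Cargo sets these for build scripts; they describe the target, not the host.
    let os = env::var("CARGO_CFG_TARGET_OS").unwrap_or_default();
    let vendor = env::var("CARGO_CFG_TARGET_VENDOR").unwrap_or_default();
    let family = env::var("CARGO_CFG_TARGET_FAMILY").unwrap_or_default();
    let rt_dir = env::var("ANDROID_COMPILER_RT_DIR").ok(); // assumed variable name
    for line in link_directives(&os, &vendor, &family, rt_dir.as_deref()) {
        println!("{line}");
    }
    println!("cargo:rerun-if-env-changed=ANDROID_COMPILER_RT_DIR");
    println!("cargo:rerun-if-changed=build.rs");
}
```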
I am now able to build successfully for the Android target on Mac M1. I have created a PR to fix this: https://github.com/AFLplusplus/LibAFL/pull/3510 @domenukk. One job failed, but that was due to no storage space on the runner (https://github.com/AFLplusplus/LibAFL/actions/runs/19407698040/job/55524798387?pr=3510).
Changes made are:
- Checking now CARGO_CFG_TARGET_VENDOR as you suggested.
- Used CARGO_CFG_TARGET_VENDOR in asan_rt.rs as well, as I was facing a similar problem there. This fixes https://github.com/AFLplusplus/LibAFL/issues/3509 also.