To replace the compiler, add LOCAL_CXX and LOCAL_CC pointing at afl-gcc in your Android.mk, and set AFL_CXX, AFL_CC and AFL_AS to your AOSP cross-compile toolchain. After that, run “lunch” to choose an x86 product and “mm” to build your source code.
One remaining problem is that the instrumentation shellcode produced by the official AFL is x86-only and contains SysV shm calls, so you need to write ashmem-based shellcode to replace them. Porting AFL to ARM would require rewriting AFL's whole shellcode; that is potential work for the future.
I got afl-fuzz running on Android-5.1.1-x86 successfully, and I added the parameter ‘-t 100’ to give the emulator more time to wait for signals, because the binary running on the emulator is much slower than on the host PC.
Sorry, the code is not published yet.