How to submit a complete bug report applicable to Android platform

Table of contents

  1. Complete Report Requirements
  2. PoC Requirements
  3. Sample complete report

There are a few pieces of information that are very helpful if included in a bug report applicable to the Android platform. They help us reproduce the bug faster and may also qualify the report for a higher reward amount.

This document lists the requirements for a complete report and PoC. We have also provided a sample report to help researchers understand what we are looking for in a complete report.

Complete Report Requirements

  • Explain the issue in detail.
    • Include source file and function (specify line of code) where the issue is.
  • Specify steps to reproduce the issue; including sample code where appropriate.
  • Build fingerprint from the device used to reproduce the issue: run adb shell getprop ro.build.fingerprint, and also adb shell cat /proc/version for kernel vulnerabilities.
  • Proof of Concept; or a malformed file; for example a media file that reproduces the issue when decoded.
    • For a media file, a high quality PoC will include precisely which changes in which parts of the file are necessary to cause the crash, including the structural information (that is, this given tag has a field malformed in this way, rather than “replaced byte 773 with 0x03”)
    • The content of the PoC must be free of intellectual property rights. For example, it cannot contain third-party company logos or other materials where third parties may assert IP rights.
    • The content of the PoC must not contain adult or other inappropriate content.
  • Crash Artifacts including stack trace (if available)
    • Full crash stack with line numbers from llvm-symbolizer, asan_symbolize.py, or ndk-stack.
    • ASAN/KASAN crash reports if run with an address sanitizer, with line numbers from llvm-symbolizer, asan_symbolize.py, or ndk-stack.

PoC Requirements

  • Buildable source for a Proof of Concept.
    • Source with all includes (not just C code pasted into a bug)
    • .mk files and Makefile
    • Detailed instructions for PoCs that must be built as part of the Android build
    • For APKs, the full project with gradle files (useful so we can just build them)
    • Instructions on how to build the PoC (if it is more than just running gradle or make; also if there are special libraries that need to be in the build path)
  • The PoC should crash as described in the report. If there are multiple crash addresses (for example in a Use After Free), please show several examples.
  • If it is an Information Disclosure, state what information gets leaked and why it is important (Is the data from another process [kernel], or does it contain user data such as pictures, videos, etc. [user]?)
  • If it requires modifications to the kernel or a system process to demonstrate the vulnerability, include detailed instructions on what changes are necessary and why.
  • Instructions on how to run the PoC (for example: put it in a specific directory, use special arguments on the command line, copy multiple files, etc.)

Sample complete report

Title: Include a title of report which in one line lists the issue, cause of issue and component affected

[sample] Crafted Binder Request Causes Heap UAF in MediaServer

Issue Description:

Briefly describe the issue including source file and function

[sample] A UAF problem was found in libOmxVdec.so. Specifically, omx_vdec::free_output_buffer() unmaps the memory with the size "drv_ctx.ptr_outputbuffer[index].mmaped_size". Unfortunately, "drv_ctx.ptr_outputbuffer[index].mmaped_size" can be controlled by a third-party APP and can be larger than the actually mmaped size. Then omx_vdec::free_output_buffer() unmaps memory regions which are being used by other modules of mediaserver, leading to a UAF problem.

Provide details such as what is the root cause of the issue, steps to reproduce the issue

[sample] Firstly, the third-party APP sends the "ENABLE_NATIVE_BUFFERS" binder request to mediaserver to enable the "m_enable_android_native_buffers" of libOmxVdec.

Secondly, the third-party APP sends the "USE_BUFFER" binder request to mediaserver for output ports. Then, mediaserver invokes omx_vdec::use_output_buffer() to get "handle" from the share memory provided by the third-party APP (line 4736) and sets "handle->size" to "drv_ctx.op_buf.buffer_size" (line 4756). Since there's no validation for the "drv_ctx.op_buf.buffer_size", we could set it to a large value.

Include function code with line numbers and add comments (if possible) to specify the line of vulnerable code:

[sample]
hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
 5128 OMX_ERRORTYPE omx_vdec::free_output_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
 5129 {
 5130     unsigned int index = 0;
 5131
 5132     if (bufferHdr == NULL || m_out_mem_ptr == NULL) {
 5133         return OMX_ErrorBadParameter;
 5134     }
 5135
 5136     index = bufferHdr - m_out_mem_ptr;
 5137     DEBUG_PRINT_LOW("Free ouput Buffer index = %d",index);
 5138
 5139     if (index < drv_ctx.op_buf.actualcount
 5140             && drv_ctx.ptr_outputbuffer) {
 5141         DEBUG_PRINT_LOW("Free ouput Buffer index = %d addr = %p", index,
 5142                 drv_ctx.ptr_outputbuffer[index].bufferaddr);
 5143
 5144         struct vdec_setbuffer_cmd setbuffers;
 5145         setbuffers.buffer_type = VDEC_BUFFER_TYPE_OUTPUT;
 5146         memcpy (&setbuffers.buffer,&drv_ctx.ptr_outputbuffer[index],
 5147                 sizeof (vdec_bufferpayload));
 5148
 5149         if (!dynamic_buf_mode) {
 5150 #ifdef ANDROID
 5151             if (m_enable_android_native_buffers) {
 5152                 if (!secure_mode) {
 5153                     if (drv_ctx.ptr_outputbuffer[index].pmem_fd > 0) {
 5154                         munmap(drv_ctx.ptr_outputbuffer[index].bufferaddr,
 5155                                 drv_ctx.ptr_outputbuffer[index].mmaped_size);  // <-- mmaped_size passed to munmap is controlled by the caller (see description)
 5156                     }
 5157                 }
 5158                 drv_ctx.ptr_outputbuffer[index].pmem_fd = -1;

Provide crash artifacts including stack trace (if available)

[sample]
01-01 07:05:29.444  6608  6608 F DEBUG   : Revision: 'rev_1.0'
01-01 07:05:29.444  6608  6608 F DEBUG   : ABI: 'arm'
01-01 07:05:29.445  6608  6608 F DEBUG   : pid: 6584, tid: 6605, name: OMXCallbackDisp  >>> /system/bin/mediaserver <<<
01-01 07:05:29.445  6608  6608 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xeae15000
01-01 07:05:29.445  6608  6608 F DEBUG   :     r0 f2a83000  r1 00000001  r2 00000000  r3 00000000
01-01 07:05:29.445  6608  6608 F DEBUG   :     r4 f2b005c8  r5 f2b005c0  r6 eae15000  r7 00000000
01-01 07:05:29.445  6608  6608 F DEBUG   :     r8 00000000  r9 00000004  sl f2a97588  fp 00000000
01-01 07:05:29.445  6608  6608 F DEBUG   :     ip f308085c  sp f0280858  lr f30676dd  pc f30676ea  cpsr 20030030
01-01 07:05:29.465  6608  6608 F DEBUG   :
01-01 07:05:29.465  6608  6608 F DEBUG   : backtrace:
01-01 07:05:29.465  6608  6608 F DEBUG   :     #00 pc 0006e6ea  /system/lib/libc.so (je_tcache_arena_dissociate+29)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #01 pc 0006f051  /system/lib/libc.so (tcache_destroy+24)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #02 pc 0006f02f  /system/lib/libc.so (je_tcache_cleanup+10)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #03 pc 0006f50d  /system/lib/libc.so (je_tsd_cleanup+28)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #04 pc 0006fd11  /system/lib/libc.so (je_tsd_cleanup_wrapper+16)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #05 pc 000473ad  /system/lib/libc.so (_Z21pthread_key_clean_allv+80)
01-01 07:05:29.466  6608  6608 F DEBUG   :     #06 pc 000470c7  /system/lib/libc.so (pthread_exit+36)
01-01 07:05:29.466  6608  6608 F DEBUG   :     #07 pc 00047005  /system/lib/libc.so (_ZL15__pthread_startPv+24)
01-01 07:05:29.466  6608  6608 F DEBUG   :     #08 pc 00019e1d  /system/lib/libc.so (__start_thread+6)
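The backtrace above is unsymbolized (library plus offset only), and the requirements ask for line numbers from llvm-symbolizer or ndk-stack. As an added example, not part of the sample report, this script pulls the frames out of logcat-prefixed tombstone lines and emits one llvm-symbolizer invocation per object; the symbols directory path and the sample lines are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: logcat-prefixed tombstone lines in the format shown above.
SAMPLE_TOMBSTONE = """\
01-01 07:05:29.465  6608  6608 F DEBUG   : backtrace:
01-01 07:05:29.465  6608  6608 F DEBUG   :     #00 pc 0006e6ea  /system/lib/libc.so (je_tcache_arena_dissociate+29)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #01 pc 0006f051  /system/lib/libc.so (tcache_destroy+24)
01-01 07:05:29.466  6608  6608 F DEBUG   :     #06 pc 000470c7  /system/lib/libc.so (pthread_exit+36)
01-01 07:05:29.466  6608  6608 F DEBUG   :     #08 pc 00019e1d  /system/lib/libc.so (__start_thread+6)
"""


class Frame(NamedTuple):
    index: int   # frame number (#00, #01, ...)
    pc: int      # pc relative to the start of the mapped object
    obj: str     # path of the library or executable on the device
    symbol: str  # raw "name+offset" text from the tombstone, "" if absent


# One tombstone frame: "#NN pc <hex> <object> (<symbol+offset>)"; the logcat prefix is ignored.
_FRAME_RE = re.compile(r"#(\d+)\s+pc\s+([0-9a-fA-F]+)\s+(\S+)(?:\s+\((.*)\))?")


def parse_frames(text: str) -> List[Frame]:
    """Return the backtrace frames found in tombstone/logcat text, in order."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = _FRAME_RE.search(line)
        if m:
            frames.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4) or ""))
    return frames


def symbolizer_commands(frames: List[Frame], symbols_dir: str) -> List[str]:
    """Group relative pcs by object and build one llvm-symbolizer command per object.

    symbols_dir is assumed to be the unstripped symbols tree of the build that
    produced the device image, so /system/lib/libc.so is resolved at
    <symbols_dir>/system/lib/libc.so. Relative pcs are passed as-is because the
    tombstone already subtracted the load address of the mapping.
    """
    by_obj: Dict[str, List[int]] = {}
    for f in frames:
        by_obj.setdefault(f.obj, []).append(f.pc)
    return [f"llvm-symbolizer --obj={symbols_dir}{obj} " + " ".join(f"0x{pc:x}" for pc in pcs)
            for obj, pcs in by_obj.items()]


if __name__ == "__main__":
    for cmd in symbolizer_commands(parse_frames(SAMPLE_TOMBSTONE), "out/target/product/generic/symbols"):
        print(cmd)
```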

ASAN output (if available)

[sample]
03-23 18:03:53.807  1700  1719 I         : =================================================================
03-23 18:03:53.807  1700  1719 I         : 
03-23 18:03:53.807  1700  1719 I         : 
03-23 18:03:53.807  1700  1719 I         : ==1700==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xe0902c38 at pc 0xe361adec bp 0xe4aff180 sp 0xe4aff178
03-23 18:03:53.807  1700  1719 I         : 
03-23 18:03:53.808  1700  1719 I         : 
03-23 18:03:53.808  1700  1719 I         : WRITE of size 1 at 0xe0902c38 thread T4 (le.hevc.decoder)
03-23 18:03:53.808  1700  1719 I         : 
03-23 18:03:53.902  1700  1719 I         :     #0 0xe361adeb in ihevcd_parse_pps /proc/self/cwd/external/libhevc/decoder/ihevcd_parse_headers.c:1782:39
03-23 18:03:53.902  1700  1719 I         : 
03-23 18:03:53.902  1700  1719 I         :     #1 0xe3611c8f in ihevcd_nal_unit /proc/self/cwd/external/libhevc/decoder/ihevcd_nal.c:443:19
03-23 18:03:53.902  1700  1719 I         : 
03-23 18:03:53.903  1700  1719 I         :     #2 0xe360de47 in ihevcd_decode /proc/self/cwd/external/libhevc/decoder/ihevcd_decode.c:604:15
03-23 18:03:53.903  1700  1719 I         : 
03-23 18:03:53.904  1700  1719 I         :     #3 0xe360c497 in ihevcd_cxa_api_function /proc/self/cwd/external/libhevc/decoder/ihevcd_api.c:3552:19
03-23 18:03:53.904  1700  1719 I         : 
03-23 18:03:53.905  1700  1719 I         :     #4 0xe35f9f09 in android::SoftHEVC::onQueueFilled(unsigned int) /proc/self/cwd/frameworks/av/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp:576:22
03-23 18:03:53.905  1700  1719 I         : 
03-23 18:03:53.906  1700  1719 I         :     #5 0xe70601e1 in android::SimpleSoftOMXComponent::onMessageReceived(android::sp<android::AMessage> const&) (/system/lib/libstagefright_omx.so+0x231e1)
03-23 18:03:53.906  1700  1719 I         : 
03-23 18:03:53.907  1700  1719 I         :     #6 0xe706121b  (/system/lib/libstagefright_omx.so+0x2421b)
03-23 18:03:53.907  1700  1719 I         : 
03-23 18:03:53.907  1700  1719 I         :     #7 0xe6fcc3d1 in android::AHandler::deliverMessage(android::sp<android::AMessage> const&) (/system/lib/libstagefright_foundation.so+0xf3d1)
03-23 18:03:53.907  1700  1719 I         : 
03-23 18:03:53.908  1700  1719 I         :     #8 0xe6fce653 in android::AMessage::deliver() (/system/lib/libstagefright_foundation.so+0x11653)
03-23 18:03:53.908  1700  1719 I         : 
03-23 18:03:53.908  1700  1719 I         :     #9 0xe6fccf3b in android::ALooper::loop() (/system/lib/libstagefright_foundation.so+0xff3b)
03-23 18:03:53.908  1700  1719 I         : 
03-23 18:03:53.909  1700  1719 I         :     #10 0xe6f473c1 in android::Thread::_threadLoop(void*) (/system/lib/libutils.so+0xe3c1)
03-23 18:03:53.909  1700  1719 I         : 
03-23 18:03:53.915  1700  1719 I         :     #11 0xe6e63023 in __pthread_start(void*) (/system/lib/libc.so+0x47023)
03-23 18:03:53.915  1700  1719 I         : 
03-23 18:03:53.915  1700  1719 I         :     #12 0xe6e35e3d in __start_thread (/system/lib/libc.so+0x19e3d)
=============================Truncated==========================

Build fingerprint from the device used to reproduce the issue

Run adb shell getprop ro.build.fingerprint (this is a user-mode vulnerability, so no kernel information is required).

CTS test

Submitted CTS tests must apply cleanly to AOSP's master branch, comply with Coding Style Guidelines, and be accepted by Android Engineering as the most appropriate.

Patch / fix

Submitted patches must apply cleanly to AOSP's master branch, comply with Coding Style Guidelines, and be accepted by Android Engineering as the most appropriate fix.