Android native crash call stack analysis method

Crash logs are what we get when fuzzing and when reproducing vulnerabilities. They include information about the crashed process and thread, the register values and the call stack. Of these, the call stack is the first thing we look at and the most informative, because it does the most to help us figure out the root cause.

A crash log looks like this:

03-26 01:38:53.878 424 424 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
03-26 01:38:53.883 424 424 F DEBUG : r0 00000000 r1 b618b9b4 r2 ffffffe2 r3 00000000
03-26 01:38:53.883 424 424 F DEBUG : r4 b619e450 r5 b6f4d000 r6 00000001 r7 b618b990
03-26 01:38:53.883 424 424 F DEBUG : r8 00000022 r9 b614c800 sl 0000eb8f fp b618f320
03-26 01:38:53.883 424 424 F DEBUG : ip b6a115dc sp beaac4f8 lr b6e046d3 pc b69b367a cpsr 200f0030
03-26 01:38:53.888 424 424 F DEBUG :
03-26 01:38:53.888 424 424 F DEBUG : backtrace:
03-26 01:38:53.888 424 424 F DEBUG : #00 pc 0001767a /system/lib/libc.so (__memcpy_base+113)
03-26 01:38:53.888 424 424 F DEBUG : #01 pc 001976cf /system/lib/libstagefright.so (_ZN7android8OMXCodec16drainInputBufferEPNS0_10BufferInfoE+3242)
03-26 01:38:53.888 424 424 F DEBUG : #02 pc 0019c9ed /system/lib/libstagefright.so (_ZN7android8OMXCodec17drainInputBuffersEv+280)
03-26 01:38:53.888 424 424 F DEBUG : #03 pc 0019ff1b /system/lib/libstagefright.so (_ZN7android8OMXCodec4readEPPNS_11MediaBufferEPKNS_11MediaSource11ReadOptionsE+438)
03-26 01:38:53.888 424 424 F DEBUG : #04 pc 00008a1b /system/bin/stagefright
03-26 01:38:53.888 424 424 F DEBUG : #05 pc 00017359 /system/lib/libc.so (__libc_init+44)
03-26 01:38:53.889 424 424 F DEBUG : #06 pc 00004ca8 /system/bin/stagefright
03-26 01:38:54.017 424 424 F DEBUG :
03-26 01:38:54.017 424 424 F DEBUG : Tombstone written to: /data/tombstones/tombstone_09

We can see that something goes wrong inside libstagefright.so and finally crashes our test program. What we want is to map each frame of the call stack onto a source code line.

The Android source tree provides a simple but powerful tool for this purpose.

Go to your Android source code directory and execute the following commands:
cd /data/simon_huang/rom/android-6.0.1_r66/
source build/envsetup.sh
lunch aosp_shamu-userdebug
// exactly the same lunch target that was used when building Android

Then run:
development/scripts/stack

You then get a prompt that says:

“Reading native crash info from stdin”

Just copy and paste the whole crash log into the terminal,
and then press CTRL+D to end the input.

The call stack, now with source code line numbers, comes out like this:

Reading symbols from /data/simon_huang/rom/android-6.0.1_r66/out/target/product/shamu/symbols
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
r0 00000000 r1 b618b9b4 r2 ffffffe2 r3 00000000
r4 b619e450 r5 b6f4d000 r6 00000001 r7 b618b990
r8 00000022 r9 b614c800 sl 0000eb8f fp b618f320
ip b6a115dc sp beaac4f8 lr b6e046d3 pc b69b367a cpsr 200f0030
Using arm toolchain from: /data/simon_huang/rom/android-6.0.1_r66/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.9/bin/


Stack Trace:
RELADDR FUNCTION FILE:LINE
0001767a __memcpy_base+114 /data/simon_huang/rom/android-6.0.1_r66/bionic/libc/arch-arm/krait/bionic/memcpy_base.S:93
001976cf android::OMXCodec::drainInputBuffer(android::OMXCodec::BufferInfo*)+3242 /data/simon_huang/rom/android-6.0.1_r66/frameworks/av/media/libstagefright/OMXCodec.cpp:2861
0019c9ed android::OMXCodec::drainInputBuffers()+280 /data/simon_huang/rom/android-6.0.1_r66/frameworks/av/media/libstagefright/OMXCodec.cpp:2783
0019ff1b android::OMXCodec::read(android::MediaBuffer**, android::MediaSource::ReadOptions const*)+438 /data/simon_huang/rom/android-6.0.1_r66/frameworks/av/media/libstagefright/OMXCodec.cpp:3717
00008a1b main+13306 /data/simon_huang/rom/android-6.0.1_r66/frameworks/av/cmds/stagefright/stagefright.cpp:1116
00017359 __libc_init+44 /data/simon_huang/rom/android-6.0.1_r66/bionic/libc/bionic/libc_init_dynamic.cpp:113
00004ca8 _start+96 android-afl/llvm_mode/afl-llvm-rt.o.c:?
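As an added example (it is not from the original post nor from the AOSP stack script), here is a small Python parser for the debuggerd lines above: it pulls out the signal line and each backtrace frame, and builds the manual addr2line lookup that the stack script automates for each frame. The symbols directory and toolchain directory are passed in as parameters (the ones printed in the output above fit), and the exact addr2line flags are my approximation of what the script does internally, not copied from it.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the relevant debuggerd lines from the logcat excerpt above.
SAMPLE_LOG = """\
03-26 01:38:53.878 424 424 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
03-26 01:38:53.888 424 424 F DEBUG : backtrace:
03-26 01:38:53.888 424 424 F DEBUG : #00 pc 0001767a /system/lib/libc.so (__memcpy_base+113)
03-26 01:38:53.888 424 424 F DEBUG : #01 pc 001976cf /system/lib/libstagefright.so (_ZN7android8OMXCodec16drainInputBufferEPNS0_10BufferInfoE+3242)
03-26 01:38:53.888 424 424 F DEBUG : #04 pc 00008a1b /system/bin/stagefright
"""

SIGNAL_RE = re.compile(r"signal \d+ \((\w+)\), code \d+ \((\w+)\), fault addr (0x[0-9a-fA-F]+)")
# "#NN pc RELADDR /path (symbol+offset)"; the parenthesised part is absent for stripped binaries.
FRAME_RE = re.compile(
    r"#(?P<num>\d+) pc (?P<pc>[0-9a-fA-F]+) (?P<path>\S+)"
    r"(?: \((?P<sym>[^+)]+)(?:\+(?P<off>\d+))?\))?"
)

class Frame(NamedTuple):
    num: int
    pc: int                 # offset relative to the library's load address (RELADDR)
    path: str               # on-device path, e.g. /system/lib/libstagefright.so
    symbol: Optional[str]   # mangled name, None when debuggerd could not resolve it
    offset: Optional[int]

def parse_signal(log: str) -> Optional[dict]:
    """Signal name, si_code name and fault address from the first 'signal' line."""
    m = SIGNAL_RE.search(log)
    if not m:
        return None
    return {"signal": m.group(1), "code": m.group(2), "fault_addr": int(m.group(3), 16)}

def parse_frames(log: str) -> List[Frame]:
    """Collect every '#NN pc ...' backtrace line into a Frame, in log order."""
    frames = []
    for line in log.splitlines():
        m = FRAME_RE.search(line)
        if m:
            frames.append(Frame(int(m["num"]), int(m["pc"], 16), m["path"],
                                m["sym"], int(m["off"]) if m["off"] else None))
    return frames

def addr2line_cmd(frame: Frame, symbols_dir: str, toolchain_bin: str) -> str:
    """Manual equivalent of one lookup the stack script does: ask binutils addr2line
    (-C demangle, -f print function, -e binary) about RELADDR in the unstripped copy
    of the binary under out/target/product/<device>/symbols (assumed layout)."""
    return (f"{toolchain_bin}/arm-linux-androideabi-addr2line -C -f -e "
            f"{symbols_dir}{frame.path} 0x{frame.pc:08x}")
```

With fault addr 0x0 and frame #00 inside __memcpy_base, the immediate cause is a NULL pointer handed to memcpy; the symbolised frame #01 (OMXCodec.cpp:2861 in the output above) is where to start looking for why.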