How to submit a complete bug report applicable to Android platform

Some types of information are very helpful to include in a bug report for the Android platform, as this information helps us reproduce the bugs faster and may also qualify the report for a higher reward amount.

This document provides the following information to help you improve your reports:

  • The requirements for a complete report
  • The requirements for a complete Proof of Concept (PoC)
  • A sample report to help you understand what we are looking for in a complete report

Complete report requirements

To ensure your report is complete:

  • Explain the issue in detail.
    • Include the source file and function (specify the line of code) where the issue occurs.
  • Specify steps to reproduce the issue, including sample code where appropriate.
  • Provide the build fingerprint from the device used to reproduce the issue: run adb shell getprop ro.build.fingerprint and, for kernel vulnerabilities, also adb shell cat /proc/version.
  • Include a proof of concept, or a malformed file; for example a media file that reproduces the issue when decoded.
    • For a media file, a high quality PoC states precisely which changes in which parts of the file are necessary to cause the crash, including structural information (for example, "this tag has a field malformed in this way", rather than "replaced byte 773 with 0x03").
    • The content of the PoC must be free of intellectual property rights. For example, it cannot contain 3rd party company logos or other materials where 3rd parties may assert IP rights.
    • The content of the PoC must not contain adult or otherwise inappropriate content.
  • Include crash artifacts, including the stack trace (if available).
    • A full crash stack, symbolized with line numbers using llvm-symbolizer, asan_symbolize.py, or ndk-stack.
    • HWASAN/ASAN/KASAN crash reports if the PoC was run under a sanitizer, likewise symbolized with line numbers using llvm-symbolizer, asan_symbolize.py, or ndk-stack.

PoC requirements

To ensure your PoC is complete:

  • Include buildable source for the proof of concept.
    • Source with all includes (not just C code pasted into a bug).
    • .mk files and Makefiles.
    • Detailed instructions for PoCs that must be built as part of the Android build.
    • For APKs: a full Android Studio project with Gradle files (so we can simply build them).
    • Instructions on how to build the PoC (if they go beyond "Run Gradle" or "Run make" or if there are some special libraries that need to be in the build path).
  • Ensure the PoC crashes as described in the report. If there are multiple crash addresses (for example, in a use-after-free), please show several examples.
  • If the issue is an information disclosure, state what information is leaked and why it matters (is the data from another process or the kernel [kernel], or does it contain user data such as pictures or videos [user]?).
  • If it requires modifications to the kernel or a system process to demonstrate the vulnerability, include detailed instructions on what changes are necessary and why.
  • Include instructions on how to run the PoC (for example: put it in a specific directory, use special arguments in the command line, copy multiple files etc.).

Sample complete report

A complete report should include the elements listed below.

Title

Include a title in your report that describes, in one line, the issue, its cause, and the affected component.

Example: Crafted Binder Request Causes Heap UAF in MediaServer

Issue Description

To put together a complete issue description:

Briefly describe the issue, including the source file and function

Example: A UAF problem was found in libOmxVdec.so. Specifically, omx_vdec::free_output_buffer() unmaps memory with the size "drv_ctx.ptr_outputbuffer[index].mmaped_size". Unfortunately, "drv_ctx.ptr_outputbuffer[index].mmaped_size" can be controlled by a third-party app and set larger than the actually mmapped size. omx_vdec::free_output_buffer() would then unmap memory regions that are still in use by other modules of mediaserver, leading to a UAF problem.

Provide details such as the root cause of the issue and the steps to reproduce it

Example:

  1. The third-party app sends the "ENABLE_NATIVE_BUFFERS" binder request to mediaserver to enable "m_enable_android_native_buffers" in libOmxVdec.
  2. The third-party app sends the "USE_BUFFER" binder request to mediaserver for the output ports.
  3. Mediaserver invokes omx_vdec::use_output_buffer() to get "handle" from the shared memory provided by the third-party app (line 4736) and sets "handle->size" to "drv_ctx.op_buf.buffer_size" (line 4756). Since there is no validation of "drv_ctx.op_buf.buffer_size", we could set it to a large value.

Include the function code with line numbers and add comments (if possible) to mark the vulnerable line of code

Example:

hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
 5128 OMX_ERRORTYPE omx_vdec::free_output_buffer(OMX_BUFFERHEADERTYPE *bufferHdr)
 5129 {
 5130     unsigned int index = 0;
 5131
 5132     if (bufferHdr == NULL || m_out_mem_ptr == NULL) {
 5133         return OMX_ErrorBadParameter;
 5134     }
 5135
 5136     index = bufferHdr - m_out_mem_ptr;
 5137     DEBUG_PRINT_LOW("Free output Buffer index = %d",index);
 5138
 5139     if (index < drv_ctx.op_buf.actualcount
 5140             && drv_ctx.ptr_outputbuffer) {
 5141         DEBUG_PRINT_LOW("Free output Buffer index = %d addr = %p", index,
 5142                 drv_ctx.ptr_outputbuffer[index].bufferaddr);
 5143
 5144         struct vdec_setbuffer_cmd setbuffers;
 5145         setbuffers.buffer_type = VDEC_BUFFER_TYPE_OUTPUT;
 5146         memcpy (&setbuffers.buffer,&drv_ctx.ptr_outputbuffer[index],
 5147                 sizeof (vdec_bufferpayload));
 5148
 5149         if (!dynamic_buf_mode) {
 5150 #ifdef ANDROID
 5151             if (m_enable_android_native_buffers) {
 5152                 if (!secure_mode) {
 5153                     if (drv_ctx.ptr_outputbuffer[index].pmem_fd > 0) {
 5154                         munmap(drv_ctx.ptr_outputbuffer[index].bufferaddr,
 5155                                 drv_ctx.ptr_outputbuffer[index].mmaped_size);  // <-- size passed to munmap is controlled by the third-party app
 5156                     }
 5157                 }
 5158                 drv_ctx.ptr_outputbuffer[index].pmem_fd = -1;

Provide crash artifacts including stack trace (if available)

Example:

01-01 07:05:29.444  6608  6608 F DEBUG   : Revision: 'rev_1.0'
01-01 07:05:29.444  6608  6608 F DEBUG   : ABI: 'arm'
01-01 07:05:29.445  6608  6608 F DEBUG   : pid: 6584, tid: 6605, name: OMXCallbackDisp  >>> /system/bin/mediaserver <<<
01-01 07:05:29.445  6608  6608 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xeae15000
01-01 07:05:29.445  6608  6608 F DEBUG   :     r0 f2a83000  r1 00000001  r2 00000000  r3 00000000
01-01 07:05:29.445  6608  6608 F DEBUG   :     r4 f2b005c8  r5 f2b005c0  r6 eae15000  r7 00000000
01-01 07:05:29.445  6608  6608 F DEBUG   :     r8 00000000  r9 00000004  sl f2a97588  fp 00000000
01-01 07:05:29.445  6608  6608 F DEBUG   :     ip f308085c  sp f0280858  lr f30676dd  pc f30676ea  cpsr 20030030
01-01 07:05:29.465  6608  6608 F DEBUG   :
01-01 07:05:29.465  6608  6608 F DEBUG   : backtrace:
01-01 07:05:29.465  6608  6608 F DEBUG   :     #00 pc 0006e6ea  /system/lib/libc.so (je_tcache_arena_dissociate+29)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #01 pc 0006f051  /system/lib/libc.so (tcache_destroy+24)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #02 pc 0006f02f  /system/lib/libc.so (je_tcache_cleanup+10)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #03 pc 0006f50d  /system/lib/libc.so (je_tsd_cleanup+28)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #04 pc 0006fd11  /system/lib/libc.so (je_tsd_cleanup_wrapper+16)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #05 pc 000473ad  /system/lib/libc.so (_Z21pthread_key_clean_allv+80)
01-01 07:05:29.466  6608  6608 F DEBUG   :     #06 pc 000470c7  /system/lib/libc.so (pthread_exit+36)
01-01 07:05:29.466  6608  6608 F DEBUG   :     #07 pc 00047005  /system/lib/libc.so (_ZL15__pthread_startPv+24)
01-01 07:05:29.466  6608  6608 F DEBUG   :     #08 pc 00019e1d  /system/lib/libc.so (__start_thread+6)

Provide ASan output (if available)

Example:

03-23 18:03:53.807  1700  1719 I         : =================================================================
03-23 18:03:53.807  1700  1719 I         :
03-23 18:03:53.807  1700  1719 I         :
03-23 18:03:53.807  1700  1719 I         : ==1700==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xe0902c38 at pc 0xe361adec bp 0xe4aff180 sp 0xe4aff178
03-23 18:03:53.807  1700  1719 I         :
03-23 18:03:53.808  1700  1719 I         :
03-23 18:03:53.808  1700  1719 I         : WRITE of size 1 at 0xe0902c38 thread T4 (le.hevc.decoder)
03-23 18:03:53.808  1700  1719 I         :
03-23 18:03:53.902  1700  1719 I         :     #0 0xe361adeb in ihevcd_parse_pps /proc/self/cwd/external/libhevc/decoder/ihevcd_parse_headers.c:1782:39
03-23 18:03:53.902  1700  1719 I         :
03-23 18:03:53.902  1700  1719 I         :     #1 0xe3611c8f in ihevcd_nal_unit /proc/self/cwd/external/libhevc/decoder/ihevcd_nal.c:443:19
03-23 18:03:53.902  1700  1719 I         :
03-23 18:03:53.903  1700  1719 I         :     #2 0xe360de47 in ihevcd_decode /proc/self/cwd/external/libhevc/decoder/ihevcd_decode.c:604:15
03-23 18:03:53.903  1700  1719 I         :
03-23 18:03:53.904  1700  1719 I         :     #3 0xe360c497 in ihevcd_cxa_api_function /proc/self/cwd/external/libhevc/decoder/ihevcd_api.c:3552:19
03-23 18:03:53.904  1700  1719 I         :
03-23 18:03:53.905  1700  1719 I         :     #4 0xe35f9f09 in android::SoftHEVC::onQueueFilled(unsigned int) /proc/self/cwd/frameworks/av/media/libstagefright/codecs/hevcdec/SoftHEVC.cpp:576:22
03-23 18:03:53.905  1700  1719 I         :
03-23 18:03:53.906  1700  1719 I         :     #5 0xe70601e1 in android::SimpleSoftOMXComponent::onMessageReceived(android::sp<android::AMessage> const&) (/system/lib/libstagefright_omx.so+0x231e1)
03-23 18:03:53.906  1700  1719 I         :
03-23 18:03:53.907  1700  1719 I         :     #6 0xe706121b  (/system/lib/libstagefright_omx.so+0x2421b)
03-23 18:03:53.907  1700  1719 I         :
03-23 18:03:53.907  1700  1719 I         :     #7 0xe6fcc3d1 in android::AHandler::deliverMessage(android::sp<android::AMessage> const&) (/system/lib/libstagefright_foundation.so+0xf3d1)
03-23 18:03:53.907  1700  1719 I         :
03-23 18:03:53.908  1700  1719 I         :     #8 0xe6fce653 in android::AMessage::deliver() (/system/lib/libstagefright_foundation.so+0x11653)
03-23 18:03:53.908  1700  1719 I         :
03-23 18:03:53.908  1700  1719 I         :     #9 0xe6fccf3b in android::ALooper::loop() (/system/lib/libstagefright_foundation.so+0xff3b)
03-23 18:03:53.908  1700  1719 I         :
03-23 18:03:53.909  1700  1719 I         :     #10 0xe6f473c1 in android::Thread::_threadLoop(void*) (/system/lib/libutils.so+0xe3c1)
03-23 18:03:53.909  1700  1719 I         :
03-23 18:03:53.915  1700  1719 I         :     #11 0xe6e63023 in __pthread_start(void*) (/system/lib/libc.so+0x47023)
03-23 18:03:53.915  1700  1719 I         :
03-23 18:03:53.915  1700  1719 I         :     #12 0xe6e35e3d in __start_thread (/system/lib/libc.so+0x19e3d)
=============================Truncated==========================

Provide the build fingerprint from the device used to reproduce the issue

Run adb shell getprop ro.build.fingerprint (this is a user-mode vulnerability, so no kernel information is required).
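The crash-artifact and build-fingerprint sections above both come down to collecting text from the device and turning it into something reviewable. The following script is an added example (not part of Google's page or of AOSP): it parses a logcat-wrapped tombstone into pid, signal, fault address and backtrace frames, emits one llvm-symbolizer command per frame (assuming the unstripped objects live in an AOSP symbols tree), and gathers the fingerprint and, for kernel reports, /proc/version through an injectable runner so it can be exercised without a device. The sample tombstone lines are taken from the report above; the symbols path and the runner are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: the logcat-wrapped tombstone lines from the sample report above.
SAMPLE_TOMBSTONE = """\
01-01 07:05:29.445  6608  6608 F DEBUG   : pid: 6584, tid: 6605, name: OMXCallbackDisp  >>> /system/bin/mediaserver <<<
01-01 07:05:29.445  6608  6608 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xeae15000
01-01 07:05:29.465  6608  6608 F DEBUG   : backtrace:
01-01 07:05:29.465  6608  6608 F DEBUG   :     #00 pc 0006e6ea  /system/lib/libc.so (je_tcache_arena_dissociate+29)
01-01 07:05:29.465  6608  6608 F DEBUG   :     #01 pc 0006f051  /system/lib/libc.so (tcache_destroy+24)
01-01 07:05:29.466  6608  6608 F DEBUG   :     #08 pc 00019e1d  /system/lib/libc.so (__start_thread+6)
"""

LOGCAT_PREFIX = re.compile(r"^\S+ \S+\s+\d+\s+\d+ F DEBUG\s*: ?")
HEADER = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
SIGNAL = re.compile(r"signal \d+ \((\w+)\), code -?\d+ \((\w+)\), fault addr (0x[0-9a-f]+)")
FRAME = re.compile(r"#(\d+) pc ([0-9a-f]+)\s+(\S+)(?: \(([^)]*)\))?")

@dataclass
class Frame:
    index: int
    pc: int                # offset inside obj, as the tombstone prints it
    obj: str
    symbol: Optional[str]  # symbol+offset from the stripped binary, if present

def parse_tombstone(text: str) -> dict:
    """Extract pid/tid, signal, fault address and backtrace frames from a logcat tombstone."""
    info = {"frames": []}
    for raw in text.splitlines():
        line = LOGCAT_PREFIX.sub("", raw).strip()
        if m := HEADER.search(line):
            info.update(pid=int(m[1]), tid=int(m[2]), thread=m[3], process=m[4])
        elif m := SIGNAL.search(line):
            info.update(signal=m[1], code=m[2], fault_addr=int(m[3], 16))
        elif m := FRAME.search(line):
            info["frames"].append(Frame(int(m[1]), int(m[2], 16), m[3], m[4]))
    return info

def symbolizer_commands(info: dict, symbols_dir: str) -> List[str]:
    """One llvm-symbolizer call per frame against the unstripped objects in symbols_dir
    (assumed: the AOSP out/target/product/<device>/symbols tree)."""
    return [f"llvm-symbolizer --obj={symbols_dir}{f.obj} 0x{f.pc:x}" for f in info["frames"]]

def device_environment(run: Callable[[List[str]], str], kernel: bool = False) -> dict:
    """`run` executes an argv and returns its stdout, so a fake runner can replace adb in tests."""
    env = {"fingerprint": run(["adb", "shell", "getprop", "ro.build.fingerprint"]).strip()}
    if kernel:  # the kernel version is only required for kernel vulnerabilities
        env["kernel"] = run(["adb", "shell", "cat", "/proc/version"]).strip()
    return env
```

With a real device attached, pass a runner such as `lambda argv: subprocess.run(argv, capture_output=True, text=True, check=True).stdout`.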

CTS test

Submitted CTS tests must apply cleanly to AOSP's master branch, comply with the Coding Style Guidelines, and be accepted by Android Engineering as the most appropriate test.

Patch / fix

Submitted patches must apply cleanly to AOSP's master branch, comply with the Coding Style Guidelines, and be accepted by Android Engineering as the most appropriate fix.

Resources

For general information on the Android reward program, see Android Security Rewards Program Rules.