2\u3001\u5e38\u89c1\u5185\u5b58\u68c0\u6d4b\u5de5\u5177<\/h4>\n
\u5728AddressSanitizer\u51fa\u73b0\u4e4b\u524d\uff0c\u5e02\u9762\u4e0a\u5c31\u5df2\u7ecf\u5b58\u5728\u4e86\u8bb8\u591a\u5185\u5b58\u68c0\u6d4b\u5668\uff0c\u4f8b\u5982\uff1a<\/p>\n
- \n
- Dr.Memory\uff1a\u68c0\u6d4b\u672a\u521d\u59cb\u5316\u7684\u5185\u5b58\u8bbf\u95ee\u3001double free\u3001use after free \u7b49\u9519\u8bef<\/li>\n
- Mudflap\uff1a\u68c0\u6d4b\u6307\u9488\u7684\u89e3\u5f15\u7528\uff0c\u9759\u6001\u63d2\u6869<\/li>\n
- Insure++\uff1a\u68c0\u6d4b\u5185\u5b58\u6cc4\u6f0f<\/li>\n
- Valgrind\uff1a\u53ef\u4ee5\u68c0\u6d4b\u975e\u5e38\u591a\u7684\u5185\u5b58\u9519\u8bef<\/li>\n<\/ul>\n
\u5176\u4e2d\uff0cDr.Memory\u3001Insure++ \u548c Mudflap \u867d\u7136\u5728\u8fd0\u884c\u65f6\u9020\u6210\u7684\u989d\u5916\u635f\u8017\u6bd4\u8f83\u5c11\uff0c\u4f46\u662f\u68c0\u6d4b\u573a\u666f\u6709\u9650\uff1bValgrind \u867d\u7136\u80fd\u591f\u5728\u8bb8\u591a\u573a\u666f\u7684\u68c0\u6d4b\u51fa\u9519\u8bef\uff0c\u4f46\u662f\u5b83\u5b9e\u73b0\u4e86\u81ea\u5df1\u7684\u4e00\u5957 ISA \u5e76\u5728\u5176\u4e4b\u4e0a\u8fd0\u884c\u76ee\u6807\u7a0b\u5e8f\uff0c\u56e0\u6b64\u5b83\u4f1a\u4e25\u91cd\u62d6\u6162\u76ee\u6807\u7a0b\u5e8f\u7684\u901f\u5ea6\u3002\u800c AddressSanitizer \u5728\u8bbe\u8ba1\u65f6\u5c31\u7efc\u5408\u8003\u8651\u4e86\u68c0\u6d4b\u573a\u666f\u3001\u901f\u5ea6\u7684\u5f71\u54cd\u56e0\u7d20\uff0c\u7ed3\u5408\u4e86 Mudflap \u7684\u9759\u6001\u63d2\u6869\u3001Valgrind \u7684\u591a\u573a\u666f\u68c0\u6d4b\u80fd\u529b\uff0c\u6545\u672c\u6587\u4e3b\u8981\u8bb2\u89e3AddressSanitizer\u3002<\/p>\n
3\u3001\u4ec0\u4e48\u662fAddressSanitizer<\/h4>\n
AddressSanitizer\u5373\u5730\u5740\u6d88\u6bd2\u6280\u672f\uff0c\u7b80\u79f0ASan\uff0c\u662f\u4e00\u4e2a\u5feb\u901f\u7684\u5185\u5b58\u9519\u8bef\u68c0\u6d4b\u5de5\u5177\u3002\u5b83\u53ef\u4ee5\u7528\u6765\u68c0\u6d4b\u5185\u5b58\u95ee\u9898\uff0c\u4f8b\u5982\u7f13\u51b2\u533a\u6ea2\u51fa\u6216\u5bf9\u60ac\u7a7a\u6307\u9488\u7684\u975e\u6cd5\u8bbf\u95ee\u7b49\u3002<\/p>\n
\u68c0\u6d4b\u7c7b\u578b\uff1a<\/p>\n
- \n
- Use after free(dangling pointer dereference)\uff1a<\/strong>\u91ca\u653e\u540e\u4f7f\u7528\uff08\u5806\u4e0a\u5206\u914d\u7684\u7a7a\u95f4free\u4e4b\u540e\u88ab\u518d\u6b21\u4f7f\u7528\uff09\u3002<\/li>\n
- Heap buffer overflow\uff1a<\/strong>\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\uff08\u8bbf\u95ee\u7684\u533a\u57df\u5728\u5806\u4e0a, \u4e14\u8d85\u8fc7\u4e86\u5206\u914d\u7684\u7a7a\u95f4\uff09\u3002<\/li>\n
- Stack buffer overflow\uff1a<\/strong>\u6808\u7f13\u51b2\u533a\u6ea2\u51fa\uff08\u8bbf\u95ee\u7684\u533a\u57df\u5728\u6808\u4e0a, \u4e14\u8d85\u8fc7\u4e86\u5206\u914d\u7ed9\u5b83\u7684\u7a7a\u95f4\uff09\u3002<\/li>\n
- Global buffer overflow\uff1a<\/strong>\u5168\u5c40\u7f13\u51b2\u533a\u6ea2\u51fa\uff08\u8bbf\u95ee\u7684\u533a\u57df\u662f\u5168\u5c40\u53d8\u91cf, \u4e14\u8d85\u8fc7\u4e86\u5206\u914d\u7ed9\u5b83\u7684\u7a7a\u95f4\uff09\u3002<\/li>\n
- Use after return\uff1a<\/strong>Return\u540e\u4f7f\u7528\uff08\u51fd\u6570\u5728\u6808\u4e0a\u7684\u5c40\u90e8\u53d8\u91cf\u5728\u51fd\u6570\u8fd4\u56de\u540e\u88ab\u4f7f\u7528\u9ed8\u8ba4\u4e0d\u5f00\u542f\uff09\u3002<\/li>\n
- Use after scope\uff1a<\/strong>\u5728\u4f5c\u7528\u57df\u5916\u4f7f\u7528\uff08\u5c40\u90e8\u53d8\u91cf\u79bb\u5f00\u4f5c\u7528\u57df\u4ee5\u540e\u7ee7\u7eed\u4f7f\u7528\uff09\u3002<\/li>\n
- Initialization order bugs\uff1a<\/strong>\u521d\u59cb\u5316\u987a\u5e8f\u9519\u8bef\uff08\u68c0\u67e5\u5168\u5c40\u53d8\u91cf\u6216\u9759\u6001\u53d8\u91cf\u521d\u59cb\u5316\u7684\u65f6\u5019\u6709\u6ca1\u6709\u5229\u7528\u672a\u521d\u59cb\u5316\u7684\u53d8\u91cf\uff0c\u9ed8\u8ba4\u4e0d\u5f00\u542f\uff09\u3002<\/li>\n
- Memory leaks\uff1a<\/strong>\u5185\u5b58\u6cc4\u6f0f\uff08\u672a\u91ca\u653e\u5806\u4e0a\u5206\u914d\u7684\u5185\u5b58\uff09\u3002<\/li>\n<\/ul>\n
\u636e\u8c37\u6b4c\u7684\u5de5\u7a0b\u5e08\u4ecb\u7ecd \uff0cASan \u5df2\u5728 chromium \u9879\u76ee\u4e0a\u68c0\u6d4b\u51fa\u4e86300\u591a\u4e2a\u6f5c\u5728\u7684\u672a\u77e5bug\uff0c\u800c\u4e14\u5728\u4f7f\u7528 ASan \u4f5c\u4e3a\u5185\u5b58\u9519\u8bef\u68c0\u6d4b\u5de5\u5177\u5bf9\u7a0b\u5e8f\u6027\u80fd\u635f\u8017\u4e5f\u662f\u53ca\u5176\u53ef\u89c2\u7684\u3002\u6839\u636e\u68c0\u6d4b\u7ed3\u679c\u663e\u793a\u53ef\u80fd\u5bfc\u81f4\u6027\u80fd\u964d\u4f4e2\u500d\u5de6\u53f3\uff0c\u6bd4Valgrind\uff08\u5b98\u65b9\u7ed9\u7684\u6570\u636e\u5927\u6982\u662f\u964d\u4f4e10-50\u500d\uff09\u5feb\u4e86\u4e00\u4e2a\u6570\u91cf\u7ea7\u3002\u800c\u4e14\u76f8\u6bd4\u4e8eValgrind\u53ea\u80fd\u68c0\u67e5\u5230\u5806\u5185\u5b58\u7684\u8d8a\u754c\u8bbf\u95ee\u548c\u60ac\u7a7a\u6307\u9488\u7684\u8bbf\u95ee\uff0cASan \u4e0d\u4ec5\u53ef\u4ee5\u68c0\u6d4b\u5230\u5806\u5185\u5b58\u7684\u8d8a\u754c\u548c\u60ac\u7a7a\u6307\u9488\u7684\u8bbf\u95ee\uff0c\u8fd8\u80fd\u68c0\u6d4b\u5230\u6808\u548c\u5168\u5c40\u5bf9\u8c61\u7684\u8d8a\u754c\u8bbf\u95ee\u3002\u8fd9\u4e5f\u662f ASan \u5728\u4f17\u591a\u5185\u5b58\u68c0\u6d4b\u5de5\u5177\u7684\u6bd4\u8f83\u4e0a\u51fa\u7c7b\u62d4\u8403\u7684\u91cd\u8981\u539f\u56e0\uff0c\u57fa\u672c\u4e0a\u73b0\u5728 C\/C++ \u9879\u76ee\u90fd\u4f1a\u4f7f\u7528ASan\u6765\u4fdd\u8bc1\u4ea7\u54c1\u8d28\u91cf\uff0c\u5c24\u5176\u662f\u5927\u9879\u76ee\u4e2d\u66f4\u4e3a\u9700\u8981\u3002<\/p>\n
\u4ecegcc 4.8\u5f00\u59cb\uff0cAddressSanitizer\u6210\u4e3agcc\u7684\u4e00\u90e8\u5206\uff0c\u4f46\u8fd8\u4e0d\u5b8c\u5584\u3002\u8981\u83b7\u5f97\u66f4\u597d\u7684\u4f53\u9a8c\uff0c\u5efa\u8bae\u4f7f\u75284.9\u53ca\u4ee5\u4e0a\u7248\u672c\u3002<\/p>\n
4\u3001AddressSanitizer\u68c0\u6d4b\u539f\u7406<\/h4>\n
ASan\u63a5\u7ba1\u4e86\u6bcf\u6b21\u5185\u5b58\u5206\u914d\/\u91ca\u653e\uff0c\u5e76\u4e14\u6bcf\u4e00\u6b21\u5bf9\u5185\u5b58\u7684\u8bfb\/\u5199\u90fd\u52a0\u4e0a\u4e86\u4e00\u4e2a\u68c0\u67e5 (\u9700\u8981\u7f16\u8bd1\u5668\u7684\u914d\u5408)\u3002<\/p>\n
\u7b97\u6cd5\u601d\u8def<\/strong>\uff1a\u5982\u679c\u60f3\u9632\u4f4fBuffer Overflow\u6f0f\u6d1e\uff0c\u53ea\u9700\u8981\u5728\u6bcf\u5757\u5185\u5b58\u533a\u57df\u53f3\u7aef\uff08\u6216\u4e24\u7aef\uff0c\u80fd\u9632overflow\u548cunderflow\uff09\u52a0\u4e00\u5757\u533a\u57df\uff08RedZone\uff09\uff0c\u4f7fRedZone\u7684\u533a\u57df\u7684\u5f71\u5b50\u5185\u5b58\uff08Shadow Memory)\u8bbe\u7f6e\u4e3a\u4e0d\u53ef\u5199\u5373\u53ef\u3002<\/p>\n
![\"\"](\"https:\/\/yanjingang.com\/blog\/wp-content\/uploads\/2023\/03\/asan-shadow-memory-1024x610.png\")
<\/a><\/p>\n\u9632\u62a4\u7f13\u51b2\u533a\u6ea2\u51fa\u7684\u57fa\u672c\u6b65\u9aa4\uff1a<\/p>\n
- \n
- \u5728\u88ab\u4fdd\u62a4\u7684\u5168\u5c40\u53d8\u91cf\u3001\u5806\u3001\u6808\u524d\u540e\u521b\u5efa redzone\uff0c\u5e76\u5c06 redzone \u6807\u8bb0\u4e3a\u4e2d\u6bd2\u72b6\u6001\u3002<\/li>\n
- \u5c06\u7f13\u51b2\u533a\u548c redzone \u6bcf 8 \u5b57\u8282\u5bf9\u5e94 1 \u5b57\u8282\u7684\u6620\u5c04\u65b9\u5f0f\u5efa\u7acb\u5f71\u5b50\u5185\u5b58\u533a\uff08\u5f71\u5b50\u5185\u5b58\u533a\u4f7f\u7528\u51fd\u6570 MemToShadow \u83b7\u53d6\uff09\u3002<\/li>\n
- \u51fa\u73b0\u5bf9 redzone \u7684\u8bbf\u95ee\uff08\u8bfb\u5199\u6267\u884c\uff09\u884c\u4e3a\u65f6\uff0c\u7531\u4e8e redzone \u5bf9\u5e94\u7684\u5f71\u5b50\u5185\u5b58\u533a\u88ab\u6807\u8bb0\u4e3a\u4e2d\u6bd2\u72b6\u6001\u89e6\u53d1\u62a5\u9519\u3002<\/li>\n
- \u62a5\u9519\u4fe1\u606f\u5305\u542b\u53d1\u751f\u9519\u8bef\u7684\u8fdb\u7a0b\u53f7\u3001\u9519\u8bef\u7c7b\u578b\u3001\u51fa\u9519\u7684\u6e90\u6587\u4ef6\u540d\u3001\u884c\u53f7\u3001\u51fd\u6570\u8c03\u7528\u5173\u7cfb\u3001\u5f71\u5b50\u5185\u5b58\u72b6\u6001\u3002\u5176\u4e2d\u5f71\u5b50\u5185\u5b58\u72b6\u6001\u4fe1\u606f\u4e2d\u51fa\u9519\u7684\u90e8\u5206\u7528\u4e2d\u62ec\u53f7\u6807\u8bc6\u51fa\u6765\u3002<\/li>\n
- \u4e2d\u6bd2\u72b6\u6001\uff1a\u5185\u5b58\u5bf9\u5e94\u7684 shadow \u533a\u6807\u8bb0\u8be5\u5185\u5b58\u4e0d\u80fd\u8bbf\u95ee\u7684\u72b6\u6001\u3002<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/yanjingang.com\/blog\/wp-content\/uploads\/2023\/03\/asan.png\" "\\"asan\\"")
<\/p>\nASan\u4e3b\u8981\u5305\u62ec\u4e24\u90e8\u5206\uff1a\u63d2\u6869(Instrumentation)\u548c\u52a8\u6001\u8fd0\u884c\u5e93(Run-time library)\u3002<\/p>\n
- \n
- \u63d2\u6869\uff1a<\/strong>\u4e3b\u8981\u662f\u9488\u5bf9\u5728llvm\u7f16\u8bd1\u5668\u7ea7\u522b\u5bf9\u8bbf\u95ee\u5185\u5b58\u7684\u64cd\u4f5c(store\uff0cload\uff0calloca\u7b49)\uff0c\u5c06\u5b83\u4eec\u8fdb\u884c\u5904\u7406\u3002\u4e3a\u4e86\u9632\u6b62buffer overflow\uff0c\u9700\u8981\u5c06\u539f\u6765\u5206\u914d\u7684\u5185\u5b58\u4e24\u8fb9\u5206\u914d\u989d\u5916\u7684\u5185\u5b58Redzone\uff0c\u5e76\u5c06\u8fd9\u4e24\u8fb9\u7684\u5185\u5b58\u52a0\u9501\uff0c\u8bbe\u4e3a\u4e0d\u80fd\u8bbf\u95ee\u72b6\u6001(\u4e2d\u6bd2\u72b6\u6001)\u3002<\/li>\n
- \u52a8\u6001\u8fd0\u884c\u5e93\uff1a<\/strong>\u4e3b\u8981\u63d0\u4f9b\u4e00\u4e9b\u8fd0\u884c\u65f6\u7684\u590d\u6742\u7684\u529f\u80fd(\u6bd4\u5982poison\/unpoison shadow memory)\u4ee5\u53ca\u5c06malloc,free\u7b49\u7cfb\u7edf\u8c03\u7528\u51fd\u6570hook\u4f4f\u3002\u5728\u4f7f\u7528\u51fd\u6570 free \u91ca\u653e\u5185\u5b58\u65f6\uff0c\u6240\u91ca\u653e\u7684\u5185\u5b58\u88ab\u9694\u79bb\u5f00\u6765\uff08\u6682\u65f6\u4e0d\u4f1a\u88ab\u5206\u914d\u51fa\u53bb\uff09\uff0c\u5e76\u88ab\u6807\u8bb0\u4e3a\u4e0eRedZone\u76f8\u540c\u7684\u4e2d\u6bd2\u72b6\u6001\uff0c\u4e2d\u6bd2\u7684\u5185\u5b58\u4e00\u65e6\u88ab\u8bbf\u95ee\uff0c\u5373\u53ef\u88ab\u68c0\u6d4b\u5230\u3002ASan \u4f7f\u7528 shadow memory \u8ddf\u8e2a\u54ea\u4e9b\u5b57\u8282\u4e3a\u6b63\u5e38\u5185\u5b58\uff0c\u54ea\u4e9b\u5b57\u8282\u4e3a\u4e2d\u6bd2\u5185\u5b58\u3002\u5b57\u8282\u53ef\u4ee5\u6807\u8bb0\u4e3a\u5b8c\u5168\u6b63\u5e38\uff08shadow memory \u503c\u4e3a 0\uff09\u3001\u5b8c\u5168\u4e2d\u6bd2\uff08shadow memory \u503c\u4e3a\u8d1f\u503c\uff09\u6216\u524d\u9762 k \u4e2a\u5b57\u8282\u672a\u4e2d\u6bd2\uff08shadow memory \u503c\u4e3a k\uff09\u3002\u5982\u679c shadow memory \u663e\u793a\u67d0\u4e2a\u5b57\u8282\u4e2d\u6bd2\uff0c\u5219 ASan \u4f1a\u4f7f\u7a0b\u5e8f\u5d29\u6e83\uff0c\u5e76\u8f93\u51fa\u6709\u7528\u7684\u8c03\u8bd5\u4fe1\u606f\uff0c\u5305\u62ec\u8c03\u7528\u5806\u6808\u3001\u5f71\u5b50\u5185\u5b58\u6620\u5c04\u3001\u5185\u5b58\u8fdd\u4f8b\u7c7b\u578b\u3001\u8bfb\u53d6\u6216\u5199\u5165\u7684\u5185\u5bb9\u3001\u5bfc\u81f4\u8fdd\u4f8b\u7684\u8ba1\u7b97\u673a\u4ee5\u53ca\u5185\u5b58\u5185\u5bb9\u3002<\/li>\n<\/ul>\n
\u63d2\u6869\u793a\u4f8b\uff1a<\/p>\n
\/\/ \u539f\u59cb\u4ee3\u7801\uff1a\r\nvoid foo() {\r\n char a[8];\r\n ...\r\n return;\r\n}\r\n\r\n\/\/ \u63d2\u6869\u540e\u7684\u68c0\u6d4b\u4ee3\u7801\uff1a\r\nvoid foo() {\r\n char redzone1[32]; \/\/ 32-byte aligned\r\n char a[8]; \/\/ 32-byte aligned\r\n char redzone2[24];\r\n char redzone3[32]; \/\/ 32-byte aligned\r\n int *shadow_base = MemToShadow(redzone1);\r\n shadow_base[0] = 0xffffffff; \/\/ poison redzone1\r\n shadow_base[1] = 0xffffff00; \/\/ poison redzone2, unpoison 'a'\r\n shadow_base[2] = 0xffffffff; \/\/ poison redzone3\r\n ...\r\n shadow_base[0] = shadow_base[1] = shadow_base[2] = 0; \/\/ unpoison all\r\n return;\r\n}<\/code><\/pre>\n\u4ece\u4ee5\u4e0a\u793a\u4f8b\u4e2d\u53ef\u4ee5\u770b\u5230ASan\u5c06malloc\/free\u51fd\u6570\u8fdb\u884c\u4e86\u66ff\u6362\uff0c\u5728malloc\u51fd\u6570\u4e2d\u989d\u5916\u7684\u5206\u914d\u4e86Redzone\u533a\u57df\u7684\u5185\u5b58\uff0c\u5c06\u4e0eRedzone\u533a\u57df\u5bf9\u5e94\u7684\u5f71\u5b50\u5185\u5b58\u52a0\u9501\uff0c\u4e3b\u8981\u7684\u5185\u5b58\u533a\u57df\u5bf9\u5e94\u7684\u5f71\u5b50\u5185\u5b58\u4e0d\u52a0\u9501\u3002free\u51fd\u6570\u5c06\u6240\u6709\u5206\u914d\u7684\u5185\u5b58\u533a\u57df\u52a0\u9501\uff0c\u5e76\u653e\u5230\u4e86\u9694\u79bb\u533a\u57df\u7684\u961f\u5217\u4e2d(\u4fdd\u8bc1\u5728\u4e00\u5b9a\u7684\u65f6\u95f4\u5185\u4e0d\u4f1a\u518d\u88abmalloc\u51fd\u6570\u5206\u914d)\uff0c\u53ef\u68c0\u6d4bUse after free\u7c7b\u7684\u95ee\u9898\u3002<\/p>\n
<\/p>\n
\u4e8c\u3001\u4f7f\u7528<\/h1>\n
1\u3001\u7528\u6cd5<\/h4>\n
1.1\u3001\u542f\u7528AddressSanitizer<\/h6>\n
\u7528-fsanitize=address\u9009\u9879\u7f16\u8bd1\u548c\u94fe\u63a5\u4f60\u7684\u7a0b\u5e8f\uff0c\u7528-fno-omit-frame-pointer\u7f16\u8bd1\uff0c\u4ee5\u5f97\u5230\u66f4\u5bb9\u6613\u7406\u89e3stack trace\uff1a<\/p>\n
gcc -Werror-rdynamic<\/code>-<\/span>fsanitize=<\/span>address -<\/span>fno-<\/span>omit-<\/span>frame-<\/span>pointer -<\/span>g test.<\/span>cc -<\/span>o test<\/code><\/pre>\n\u6216\u5728CMakeLists.txt\u4e2d\u914d\u7f6e\uff1a<\/p>\n
set(CMAKE_CXX_FLAGS \"${CMAKE_CXX_FLAGS} -Werror -rdynamic -fsanitize=address -fno-omit-frame-pointer -g\")<\/code><\/pre>\n1.2\u3001export\u7f16\u8bd1\u9009\u9879<\/h6>\n
ASAN_OPTIONS\u662fAddress-Sanitizier\u7684\u8fd0\u884c\u9009\u9879\u73af\u5883\u53d8\u91cf\uff0c\u53ef\u4ee5\u6839\u636e\u9700\u8981\u9009\u62e9\u6027\u8bbe\u7f6e\uff1a<\/p>\n
- \n
- halt_on_error=0\uff1a\u68c0\u6d4b\u5185\u5b58\u9519\u8bef\u540e\u7ee7\u7eed\u8fd0\u884c<\/li>\n
- detect_leaks=1:\u4f7f\u80fd\u5185\u5b58\u6cc4\u9732\u68c0\u6d4b<\/li>\n
- malloc_context_size=15\uff1a\u5185\u5b58\u9519\u8bef\u53d1\u751f\u65f6\uff0c\u663e\u793a\u7684\u8c03\u7528\u6808\u5c42\u6570\u4e3a15<\/li>\n
- log_path=\/home\/xos\/asan.log:\u5185\u5b58\u68c0\u67e5\u95ee\u9898\u65e5\u5fd7\u5b58\u653e\u6587\u4ef6\u8def\u5f84<\/li>\n
- suppressions=$SUPP_FILE:\u5c4f\u853d\u6253\u5370\u67d0\u4e9b\u5185\u5b58\u9519\u8bef<\/li>\n
- detect_stack_use_after_return=1\uff1a\u68c0\u67e5\u8bbf\u95ee\u6307\u5411\u5df2\u88ab\u91ca\u653e\u7684\u6808\u7a7a\u95f4<\/li>\n
- handle_segv=1\uff1a\u5904\u7406\u6bb5\u9519\u8bef\uff1b\u4e5f\u53ef\u4ee5\u6dfb\u52a0handle_sigill=1\u5904\u7406SIGILL\u4fe1\u53f7<\/li>\n
- quarantine_size=4194304:\u5185\u5b58cache\u53ef\u7f13\u5b58free\u5185\u5b58\u5927\u5c0f4M<\/li>\n<\/ul>\n
\u4f8b\u5982\uff1a<\/p>\n
export ASAN_OPTIONS=halt_on_error=0:detect_leaks=1:malloc_context_size=15:log_path=.\/asan.log<\/code><\/pre>\n<\/p>\n
2\u3001\u573a\u666f\u6d4b\u8bd5<\/h4>\n
2.1\u3001 (heap) use after free \u91ca\u653e\u540e\u4f7f\u7528<\/h6>\n
\u4e0b\u9762\u7684\u4ee3\u7801\u4e2d\uff0c\u5206\u914darray\u6570\u7ec4\u5e76\u91ca\u653e\uff0c\u7136\u540e\u8fd4\u56de\u5b83\u7684\u4e00\u4e2a\u5143\u7d20\u3002<\/p>\n
$ vim test_mem.cc\r\n1 \/**\r\n2 * @file\ttest_mem.cc\r\n3 * @brief mem\u95ee\u9898asan\u68c0\u6d4b\u6d4b\u8bd5\r\n4 * @author\tyanjingang\r\n5 * @date\t2023-3-13\r\n6 * @note g++ test_mem.cc -std=c++11 -Wall -Werror -rdynamic -fsanitize=address -fno-omit-frame-pointer -g -o build\/test_mem\r\n7 *\/\r\n8 \r\n9 \r\n10 \/\/ \u5806\u4e0a\u5206\u914d\u7684\u7a7a\u95f4\u88abfree\u4e4b\u540e\u518d\u6b21\u4f7f\u7528\r\n11 int use_after_free(){\r\n12 int *array = new int[100];\r\n13 delete[] array;\r\n14 return array[1];\r\n15 }\r\n16 \r\n17 int main(int argc, char **argv){\r\n18 use_after_free();\r\n19 }\r\n\r\n\r\n\/\/ build\r\n$ g++ test_mem.cc -std=c++11 -Wall -Werror -rdynamic -fsanitize=address -fno-omit-frame-pointer -g -o build\/test_mem\r\n\r\n\/\/ test\r\n$ .\/build\/test_mem<\/code><\/pre>\n\u4ece\u4e0b\u56fe\u63d0\u793a\u7684\u9519\u8bef\u4fe1\u606f\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u975e\u5e38\u660e\u786e\u7684\u770b\u5230\u5185\u5b58\u5f02\u5e38\u8bbf\u95ee\u4fe1\u606f\uff1a<\/p>\n
- \n
- ERROR\uff1a<\/strong>\u5f02\u5e38\u7c7b\u578b\u4e3aheap-use-after-free\u5806\u5185\u5b58\u91ca\u653e\u540e\u88ab\u4f7f\u7528\u3002<\/li>\n
- READ\uff1a<\/strong>\u5f02\u5e38\u64cd\u4f5c\u7c7b\u578b\u4e3a\u8bfb\uff0c\u5728T0\u7ebf\u7a0b\uff0c\u4f4d\u7f6e\u5728test_mem.cc:14\u884c\u3002<\/li>\n
- freed\uff1a<\/strong>\u5185\u5b58\u91ca\u653e\u4f4d\u7f6e\u5728test_mem.cc:13\u884c\u3002<\/li>\n
- previously allocated\uff1a<\/strong>\u5185\u5b58\u5206\u914d\u4f4d\u7f6e\u5728test_mem.cc:12\u884c\u3002<\/li>\n
- fa\/fd\uff1a<\/strong>\u6700\u4e0b\u65b9\u7684\u5806\u5185\u5b58\u4e2d\uff0cfa\u8868\u793aRedzone\u9632\u62a4\u7f13\u51b2\u533a\uff0cfd\u8868\u793a\u5df2\u88abfree\u91ca\u653e\u7684\u5806\u5185\u5b58\u533a\u57df\u3002<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/yanjingang.com\/blog\/wp-content\/uploads\/2023\/03\/use-after-free-1024x737.png\")
<\/a><\/p>\n2.2\u3001 heap buffer overflow \u5806\u7f13\u5b58\u8bbf\u95ee\u6ea2\u51fa<\/h6>\n
\u5982\u4e0b\u4ee3\u7801\u4e2d\uff0c\u8bbf\u95ee\u7684\u4f4d\u7f6e\u8d85\u51fa\u5806\u4e0a\u6570\u7ec4array\u7684\u8fb9\u754c\u3002<\/p>\n
17 \/\/ \u5806\u7f13\u51b2\u533a\u6ea2\u51fa\r\n18 int heap_buffer_overflow(){\r\n19 int* array = new int[100];\r\n20 int res = array[100];\r\n21 delete [] array;\r\n22 return res;\r\n23 }\r\n...\r\n28 heap_buffer_overflow();<\/code><\/pre>\n\u4e0b\u56fe\u63d0\u793a\u7684\u9519\u8bef\u4fe1\u606f\u6307\u51fa\uff1a<\/p>\n
- \n
- ERROR\uff1a<\/strong>\u5f02\u5e38\u7c7b\u578b\u4e3aheap-buffer-overflow\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u3002<\/li>\n
- READ\uff1a<\/strong>\u5f02\u5e38\u64cd\u4f5c\u7c7b\u578b\u4e3a\u8bfb\uff0c\u5728T0\u7ebf\u7a0b\uff0c\u4f4d\u7f6e\u5728test_mem.cc:20\u884c\u3002<\/li>\n
- allocated\uff1a<\/strong>\u5185\u5b58\u5206\u914d\u4f4d\u7f6e\u5728test_mem.cc:19\u884c\u3002<\/li>\n
- fa\uff1a<\/strong>\u6700\u4e0b\u65b9\u7684\u5806\u5185\u5b58\u4e2d\uff0cfa\u8868\u793aRedzone\u9632\u62a4\u7f13\u51b2\u6bd2\u533a\uff0c\u88ab\u5f02\u5e38\u8bbf\u95ee\u3002<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/yanjingang.com\/blog\/wp-content\/uploads\/2023\/03\/heap-buffer-overflow-1024x598.png\")
<\/a><\/p>\n2.3\u3001 stack buffer overflow \u6808\u7f13\u5b58\u8bbf\u95ee\u6ea2\u51fa<\/h6>\n
\u5982\u4e0b\u4ee3\u7801\u4e2d\uff0c\u8bbf\u95ee\u7684\u4f4d\u7f6e\u8d85\u51fa\u6808\u4e0a\u6570\u7ec4array\u7684\u8fb9\u754c\u3002<\/p>\n
24 \/\/ \u6808\u7f13\u51b2\u533a\u6ea2\u51fa\r\n25 int stack_buffer_overflow(){\r\n26 int array[100];\r\n27 return array[100];\r\n28 }\r\n...\r\n35 stack_buffer_overflow();<\/code><\/pre>\n\u4e0b\u56fe\u63d0\u793a\u7684\u9519\u8bef\u4fe1\u606f\u6307\u51fa\uff1a<\/p>\n
- \n
- ERROR\uff1a<\/strong>\u5f02\u5e38\u7c7b\u578b\u4e3astack-buffer-overflow\u6808\u7f13\u51b2\u533a\u6ea2\u51fa\u3002<\/li>\n
- READ\uff1a<\/strong>\u5f02\u5e38\u64cd\u4f5c\u7c7b\u578b\u4e3a\u8bfb\uff0c\u5728T0\u7ebf\u7a0b\uff0c\u4f4d\u7f6e\u5728test_mem.cc:27\u884c\u3002<\/li>\n
- Address\uff1a<\/strong>\u6808\u5757\u5728\u7ebf\u7a0bT0\u7684\u6808\u4e0a448\u504f\u79fb\u4f4d\u7f6e\u4e0a\uff0cMemory access at offset 448 overflows this variable\u3002<\/li>\n
- f1\/f3\uff1a<\/strong>f1\u4e3aStack Left Redzone\u9632\u62a4\u7f13\u51b2\u6bd2\u533a\uff0cf3\u4e3aStack Right Redzone\u9632\u62a4\u7f13\u51b2\u6bd2\u533a\uff0c\u8fd9\u91cc\u88ab\u5f02\u5e38\u8bbf\u95ee\u3002<\/li>\n<\/ul>\n
- READ\uff1a<\/strong>\u5f02\u5e38\u64cd\u4f5c\u7c7b\u578b\u4e3a\u8bfb\uff0c\u5728T0\u7ebf\u7a0b\uff0c\u4f4d\u7f6e\u5728test_mem.cc:27\u884c\u3002<\/li>\n
- READ\uff1a<\/strong>\u5f02\u5e38\u64cd\u4f5c\u7c7b\u578b\u4e3a\u8bfb\uff0c\u5728T0\u7ebf\u7a0b\uff0c\u4f4d\u7f6e\u5728test_mem.cc:20\u884c\u3002<\/li>\n
- READ\uff1a<\/strong>\u5f02\u5e38\u64cd\u4f5c\u7c7b\u578b\u4e3a\u8bfb\uff0c\u5728T0\u7ebf\u7a0b\uff0c\u4f4d\u7f6e\u5728test_mem.cc:14\u884c\u3002<\/li>\n
- ERROR\uff1a<\/strong>\u5f02\u5e38\u7c7b\u578b\u4e3aheap-use-after-free\u5806\u5185\u5b58\u91ca\u653e\u540e\u88ab\u4f7f\u7528\u3002<\/li>\n
- \u52a8\u6001\u8fd0\u884c\u5e93\uff1a<\/strong>\u4e3b\u8981\u63d0\u4f9b\u4e00\u4e9b\u8fd0\u884c\u65f6\u7684\u590d\u6742\u7684\u529f\u80fd(\u6bd4\u5982poison\/unpoison shadow memory)\u4ee5\u53ca\u5c06malloc,free\u7b49\u7cfb\u7edf\u8c03\u7528\u51fd\u6570hook\u4f4f\u3002\u5728\u4f7f\u7528\u51fd\u6570 free \u91ca\u653e\u5185\u5b58\u65f6\uff0c\u6240\u91ca\u653e\u7684\u5185\u5b58\u88ab\u9694\u79bb\u5f00\u6765\uff08\u6682\u65f6\u4e0d\u4f1a\u88ab\u5206\u914d\u51fa\u53bb\uff09\uff0c\u5e76\u88ab\u6807\u8bb0\u4e3a\u4e0eRedZone\u76f8\u540c\u7684\u4e2d\u6bd2\u72b6\u6001\uff0c\u4e2d\u6bd2\u7684\u5185\u5b58\u4e00\u65e6\u88ab\u8bbf\u95ee\uff0c\u5373\u53ef\u88ab\u68c0\u6d4b\u5230\u3002ASan \u4f7f\u7528 shadow memory \u8ddf\u8e2a\u54ea\u4e9b\u5b57\u8282\u4e3a\u6b63\u5e38\u5185\u5b58\uff0c\u54ea\u4e9b\u5b57\u8282\u4e3a\u4e2d\u6bd2\u5185\u5b58\u3002\u5b57\u8282\u53ef\u4ee5\u6807\u8bb0\u4e3a\u5b8c\u5168\u6b63\u5e38\uff08shadow memory \u503c\u4e3a 0\uff09\u3001\u5b8c\u5168\u4e2d\u6bd2\uff08shadow memory \u503c\u4e3a\u8d1f\u503c\uff09\u6216\u524d\u9762 k \u4e2a\u5b57\u8282\u672a\u4e2d\u6bd2\uff08shadow memory \u503c\u4e3a k\uff09\u3002\u5982\u679c shadow memory \u663e\u793a\u67d0\u4e2a\u5b57\u8282\u4e2d\u6bd2\uff0c\u5219 ASan \u4f1a\u4f7f\u7a0b\u5e8f\u5d29\u6e83\uff0c\u5e76\u8f93\u51fa\u6709\u7528\u7684\u8c03\u8bd5\u4fe1\u606f\uff0c\u5305\u62ec\u8c03\u7528\u5806\u6808\u3001\u5f71\u5b50\u5185\u5b58\u6620\u5c04\u3001\u5185\u5b58\u8fdd\u4f8b\u7c7b\u578b\u3001\u8bfb\u53d6\u6216\u5199\u5165\u7684\u5185\u5bb9\u3001\u5bfc\u81f4\u8fdd\u4f8b\u7684\u8ba1\u7b97\u673a\u4ee5\u53ca\u5185\u5b58\u5185\u5bb9\u3002<\/li>\n<\/ul>\n
- \u63d2\u6869\uff1a<\/strong>\u4e3b\u8981\u662f\u9488\u5bf9\u5728llvm\u7f16\u8bd1\u5668\u7ea7\u522b\u5bf9\u8bbf\u95ee\u5185\u5b58\u7684\u64cd\u4f5c(store\uff0cload\uff0calloca\u7b49)\uff0c\u5c06\u5b83\u4eec\u8fdb\u884c\u5904\u7406\u3002\u4e3a\u4e86\u9632\u6b62buffer overflow\uff0c\u9700\u8981\u5c06\u539f\u6765\u5206\u914d\u7684\u5185\u5b58\u4e24\u8fb9\u5206\u914d\u989d\u5916\u7684\u5185\u5b58Redzone\uff0c\u5e76\u5c06\u8fd9\u4e24\u8fb9\u7684\u5185\u5b58\u52a0\u9501\uff0c\u8bbe\u4e3a\u4e0d\u80fd\u8bbf\u95ee\u72b6\u6001(\u4e2d\u6bd2\u72b6\u6001)\u3002<\/li>\n
- Heap buffer overflow\uff1a<\/strong>\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\uff08\u8bbf\u95ee\u7684\u533a\u57df\u5728\u5806\u4e0a, \u4e14\u8d85\u8fc7\u4e86\u5206\u914d\u7684\u7a7a\u95f4\uff09\u3002<\/li>\n
- Use after free(dangling pointer dereference)\uff1a<\/strong>\u91ca\u653e\u540e\u4f7f\u7528\uff08\u5806\u4e0a\u5206\u914d\u7684\u7a7a\u95f4free\u4e4b\u540e\u88ab\u518d\u6b21\u4f7f\u7528\uff09\u3002<\/li>\n
![\"\"](\"https:\/\/yanjingang.com\/blog\/wp-content\/uploads\/2023\/03\/asan-shadow-memory.png\")
<\/a><\/p>\n