0%

AddressSanitizer

Posted on Edited on In , , ,
Symbols count in article: 2.3k Reading time ≈ 2 mins.

AddressSanitizer (aka ASan) is a memory error detector for C/C++. It finds:

  • Use after free (dangling pointer dereference)
  • Heap buffer overflow
  • Stack buffer overflow
  • Global buffer overflow
  • Use after return
  • Use after scope
  • Initialization order bugs
  • Memory leaks

使用

在编译器标志中增加一个参数 -fsanitize=address,增加 -ggdb 输出信息更丰富

int main()
{
    int a[2] = {1, 0};
    int b = a[2];
}

输出如下

$ gcc -fsanitize=address -ggdb -o test test.c
$ ./test
=================================================================
==18256==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcc339d108 at pc 0x561625653aa9 bp 0x7ffcc339d0c0 sp 0x7ffcc339d0b0
READ of size 4 at 0x7ffcc339d108 thread T0
    #0 0x561625653aa8 in main /data/test.c:4
    #1 0x7f75ff18fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #2 0x561625653899 in _start (/data/test+0x899)

Address 0x7ffcc339d108 is located in stack of thread T0 at offset 40 in frame
    #0 0x561625653989 in main /data/test.c:2

  This frame has 1 object(s):
    [32, 40) 'a' <== Memory access at offset 40 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /data/test.c:4 in main
Shadow bytes around the buggy address:
  0x10001866b9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001866b9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001866b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001866ba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001866ba10: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10001866ba20: 00[f2]f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001866ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001866ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001866ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001866ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001866ba70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18256==ABORTING

GCC

$ man gcc
    -fsanitize=address
    -fsanitize=kernel-address
    -fsanitize=thread
    -fsanitize=leak
    -fsanitize=undefined

Ref

  1. AddressSanitizer
  2. AddressSanitizerFlags
  3. AddressSanitizerCallStack
  4. AddressSanitizer使用介绍
  5. Address Sanitizer 用法