C/C 动态检测内存错误利器 - ASan
时间:2021-11-04 16:07:22
手机看文章
扫描二维码
随时随地手机看文章
[导读]↓推荐关注↓ASan,即AddressSanitizer,是一个适用于c/c程序的动态内存错误检测器,它由一个编译器检测模块(LLVMpass)和一个替换malloc函数的运行时库组成,在性能及检测内存错误方面都优于Valgrind,你值得拥有。一、适用平台在LLVM3.1版之后...
malloc函数的运行时库组成,在性能及检测内存错误方面都优于Valgrind,你值得拥有。
一、适用平台
在LLVM3.1版之后,ASan就是其的一个组成部分,所以所有适用LLVM的平台,且llvm版本大于3.1的,都可以适用ASan来检查c/c 内存错误。
对于gcc,则是4.8版本之后才加入ASan,但是ASan的完整功能则是要gcc版本在4.9.2以上。
二、强大功能
ASan作为编译器内置功能,支持检测各种内存错误:
-
缓冲区溢出
① 堆内存溢出
② 栈上内存溢出
③ 全局区缓存溢出
-
悬空指针(引用)
① 使用释放后的堆上内存
② 使用返回的栈上内存
③ 使用退出作用域的变量
-
非法释放
① 重复释放
② 无效释放
-
内存泄漏
-
初始化顺序导致的问题
ASan和Valgrind对比如下图:
三、如何使用
-
使用ASan时,只需gcc选项加上-fsanitize=address选项;
-
如果想要在使用asan的时候获取更好的性能,可以加上O1或者更高的编译优化选项;
-
想要在错误信息中让栈追溯信息更友好,可以加上-fno-omit-frame-pointer选项。
-
本文针对linux x86-64平台,gcc编译器环境实验。
本文实验环境:
[root@yglocal ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 8.1.1911 (Core)
Release: 8.1.1911
Codename: Core
[root@yglocal ~]# uname -r
4.18.0-147.el8.x86_64
[root@yglocal ~]# gcc --version
gcc (GCC) 8.3.1 20190507 (Red Hat 8.3.1-4)
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
在centos上使用ASan,编译会报如下错误(gcc 4.8.5):
[root@localhost test]# gcc -g -O2 -fsanitize=address -fno-omit-frame-pointer hello.c
/usr/bin/ld: cannot find /usr/lib64/libasan.so.0.0.0
collect2: error: ld returned 1 exit status
安装libasan即可:
[root@localhost test]# yum install libasan
注:ubuntu x86-64系统只需gcc版本高于4.8即可;但是在rhel/centos上使用ASan功能,除了gcc版本大于4.8之外,还需要安装libasan。
下面针对内存的几种c/c 常见内存错误,编写例子,看下ASan的检测输出情况:
1、堆缓冲区溢出
测试代码:
[root@yglocal asan_test]# vi heap_ovf_test.c
#include
#include
#include
int main()
{
char *heap_buf = (char*)malloc(32*sizeof(char));
memcpy(heap_buf 30, "overflow", 8); //在heap_buf的第30个字节开始,拷贝8个字符
free(heap_buf);
return 0;
}
编译并运行:
[root@yglocal asan_test]# gcc -fsanitize=address -fno-omit-frame-pointer -o heap_ovf_test heap_ovf_test.c
[root@yglocal asan_test]# ./heap_ovf_test
=================================================================
==40602==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at pc 0x7f3de8f91a1d bp 0x7ffd4b4ebb60 sp 0x7ffd4b4eb308
WRITE of size 8 at 0x603000000030 thread T0
#0 0x7f3de8f91a1c (/lib64/libasan.so.5 0x40a1c)
#1 0x400845 in main (/root/asan_test/heap_ovf_test 0x400845)
#2 0x7f3de8bb1872 in __libc_start_main (/lib64/libc.so.6 0x23872)
#3 0x40075d in _start (/root/asan_test/heap_ovf_test 0x40075d)
0x603000000030 is located 0 bytes to the right of 32-byte region [0x603000000010,0x603000000030)
allocated by thread T0 here:
#0 0x7f3de9040ba8 in __interceptor_malloc (/lib64/libasan.so.5 0xefba8)
#1 0x400827 in main (/root/asan_test/heap_ovf_test 0x400827)
#2 0x7f3de8bb1872 in __libc_start_main (/lib64/libc.so.6 0x23872)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.5 0x40a1c)
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==40602==ABORTING
[root@yglocal asan_test]#
可以看到asan报错:==40602==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000030 at xxxx,下面也列出了发生heap-buffer-overflow时的调用链及heap buffer在哪里申请的。
2、栈缓冲区溢出
测试代码:
[root@yglocal asan_test]# vi stack_ovf_test.c
#include
#include
int main()
{
char stack_buf[4] = {0};
strcpy(stack_buf, "1234");
return 0;
}
编译并运行:
[root@yglocal asan_test]# ./stack_ovf_test
=================================================================
==38634==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcf3d8b8d4 at pc 0x7f8714bbaa1d bp 0x7ffcf3d8b8a0 sp 0x7ffcf3d8b048
WRITE of size 5 at 0x7ffcf3d8b8d4 thread T0
#0 0x7f8714bbaa1c (/lib64/libasan.so.5 0x40a1c)
#1 0x400949 in main (/root/asan_test/stack_ovf_test 0x400949)
#2 0x7f87147da872 in __libc_start_main (/lib64/libc.so.6 0x23872)
#3 0x4007cd in _start (/root/asan_test/stack_ovf_test 0x4007cd)
Address 0x7ffcf3d8b8d4 is located in stack of thread T0 at offset 36 in frame
#0 0x400895 in main (/root/asan_test/stack_ovf_test 0x400895)
This frame has 1 object(s):
[32, 36) 'stack_buf' <== Memory access at offset 36 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib64/libasan.so.5 0x40a1c)
Shadow bytes around the buggy address:
0x10001e7a96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001e7a96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001e7a96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001e7a96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001e7a9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001e7a9710: 00 00 00 00 00 00 f1 f1 f1 f1[04]f2 f2 f2 f3 f3
0x10001e7a9720: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001e7a9730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001e7a9740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001e7a9750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001e7a9760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
......
可以看到asan报错:==38634==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcf3d8b8d4 at xxx,发生stack buffer overflow时函数的调用链信息。
3、使用悬空指针
测试代码:
[root@yglocal asan_test]# vi dangling_pointer_test.c
#include
#include
#include
int main()
{
char *p = (char*)malloc(32*sizeof(char));
free(p);
int a = p[1];
return 0;
}
编译并运行:
[root@yglocal asan_test]# gcc -fsanitize=address -fno-omit-frame-pointer -o dangling_pointer_test dangling_pointer_test.c
[root@yglocal asan_test]# ./dangling_pointer_test
===================================================================83532==ERROR:
AddressSanitizer: heap-use-after-free on address 0x603000000011 at pc 0x0000004007c4 bp 0x7ffd7f562760 sp 0x7ffd7f562750
READ of size 1 at 0x603000000011 thread T0
#0 0x4007c3 in main (/root/asan_test/dangling_pointer_test 0x4007c3)
#1 0x7f56196cd872 in __libc_start_main (/lib64/libc.so.6 0x23872)
#2 0x4006ad in _start (/root/asan_test/dangling_pointer_test 0x4006ad)
0x603000000011 is located 1 bytes inside of 32-byte region [0x603000000010,0x603000000030)
freed by thread T0 here:
#0 0x7f5619b5c7e0 in __interceptor_free (/lib64/libasan.so.5 0xef7e0)
#1 0x400787 in main (/root/asan_test/dangling_pointer_test 0x400787)
#2 0x7f56196cd872 in __libc_start_main (/lib64/libc.so.6 0x23872)
previously allocated by thread T0 here:
#0 0x7f5619b5cba8 in __interceptor_malloc (/lib64/libasan.so.5 0xefba8)
#1 0x400777 in main (/root/asan_test/dangling_pointer_test 0x400777)
#2 0x7f56196cd872 in __libc_start_main (/lib64/libc.so.6 0x23872)
SUMMARY: AddressSanitizer: heap-use-after-free (/root/asan_test/dangling_pointer_test 0x4007c3) in main
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa
0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
......
4、使用栈上返回的变量
[root@yglocal asan_test]# vi use-after-return.c
#include
#include
#include
int *ptr;
void get_pointer()
{
int local[10];
ptr = 
下载文档
