
I am trying to find bugs with the help of this tutorial: https://fuzzing-project.org/tutorial2.html

When I use AddressSanitizer, I don't get any symbol resolution in the stack trace.

I tried what is described here: Meaningful stack traces for AddressSanitizer in GCC, but it didn't work for me. My OS is Ubuntu 14.04.

Here are the steps I took:

  1. I used a test program in C that contains a typical bug

    int main() {
        int a[2] = {1, 0};
        int b = a[2];   /* out-of-bounds read: valid indices are 0 and 1 */
    }
    
  2. I installed llvm 3.5 with apt-get

  3. I exported the following variables

    export AFL_USE_ASAN=1
    export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
    export ASAN_OPTIONS=symbolize=1
    
  4. I compiled with gcc 4.8.2 using the following command

    gcc -o test -fsanitize=address -g3 -ggdb test.c
    
  5. When I launch the test program, I get warnings in the error report. It seems AddressSanitizer cannot talk to llvm-symbolizer-3.5

    ==13382== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff92d6b0e8 at pc 0x400845 bp 0x7fff92d6b0a0 sp 0x7fff92d6b098
    READ of size 4 at 0x7fff92d6b0e8 thread T0
    ==13382== WARNING: Can't read from symbolizer at fd 3
    ==13382== WARNING: Can't read from symbolizer at fd 3
    ==13382== WARNING: Can't read from symbolizer at fd 3
    ==13382== WARNING: Can't read from symbolizer at fd 3
    ==13382== WARNING: Can't read from symbolizer at fd 3
    ==13382== WARNING: Can't read from symbolizer at fd 3
    ==13382== WARNING: Failed to use and restart external symbolizer
         0x400844 (/media/data/test+0x400844)
         0x7fe5e7d4aec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
         0x400688 (/media/data/test+0x400688)
    Address 0x7fff92d6b0e8 is located at offset 40 in frame <main> of T0's stack:
      This frame has 1 object(s):
        [32, 40) 'a'
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    Shadow bytes around the buggy address:
      0x1000725a55c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000725a55d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000725a55e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000725a55f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000725a5600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x1000725a5610: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f4]f4 f4
      0x1000725a5620: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000725a5630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000725a5640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000725a5650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1000725a5660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:     fa
      Heap righ redzone:     fb
      Freed Heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      ASan internal:         fe
    ==13382== ABORTING
    

And I don't get any symbols in the stack trace. If I run it with sudo I don't get any warnings, but I don't get any symbol resolution either.


==13392== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff911555e8 at pc 0x400845 bp 0x7fff911555a0 sp 0x7fff91155598
READ of size 4 at 0x7fff911555e8 thread T0
     0x400844 (/media/data/test+0x400844)
     0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
     0x400688 (/media/data/test+0x400688)
Address 0x7fff911555e8 is located at offset 40 in frame <main> of T0's stack:
  This frame has 1 object(s):
    [32, 40) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x100072222a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100072222ab0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f4]f4 f4
  0x100072222ac0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==13392== ABORTING

I also tried the python script asan_symbolize.py described on the Google Code project page, but without any result.

https://code.google.com/p/address-sanitizer/wiki/CallStack

2 Answers

I updated to gcc 4.9. Now it is working. Here are the steps I took to update on Ubuntu.

 sudo add-apt-repository ppa:ubuntu-toolchain-r/test
 sudo apt-get update
 sudo apt-get install gcc-4.9 g++-4.9
 sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.9 60 --slave /usr/bin/g++ g++ /usr/bin/g++-4.9

More details: https://askubuntu.com/questions/466651/how-do-i-use-the-latest-gcc-4-9-on-ubuntu-14-04

Answered 2015-04-18T18:59:17.767

export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
...
READ of size 4 at 0x7fff911555e8 thread T0
     0x400844 (/media/data/test+0x400844)
     0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
     0x400688 (/media/data/test+0x400688)

Under Clang, you need to pipe the output through asan_symbolize to get symbols. I discuss Clang because you are obviously using LLVM tooling (llvm-symbolizer-3.5 above). So you should do something like:

./test 2>&1 | asan_symbolize

I have asan_symbolize in two places, /usr/bin and /usr/local/bin:

$ find /usr/ -name asan*
/usr/bin/asan_symbolize
/usr/lib/llvm-3.4/lib/clang/3.4/include/sanitizer/asan_interface.h
/usr/local/bin/asan_symbolize.py
/usr/local/lib/clang/3.5.0/include/sanitizer/asan_interface.h

I have two copies because one was installed with Clang via apt-get (/usr/bin/asan_symbolize), and I sometimes build Clang from source (/usr/local/bin/asan_symbolize.py).

If you don't have a copy, then I believe you can get it from address-sanitizer on Google Code.


Once you start using asan_symbolize, you may run into a situation where asan_symbolize cannot find symbols because of a path change (for example, the program or library was copied from its build location to a target directory). For that, see Specifying symbol path for asan_symbolize? on the Asan mailing list.

In kcc's reply, he means something like:

./test 2>&1 | sed "s/<old path>/<new path>/g" | asan_symbolize

(I think I had to do this when testing Postgres).


I recently started using GCC's sanitizers, but I have never used asan_symbolize with GCC. I'm not sure how well it will work for you. Naively, I would expect it to work as expected.


I compiled with gcc 4.8.2 using the following command...

I'm not sure how well the mix and match will work for you. Perhaps you should stick with GCC; or you should install Clang and use it.


Python has a crash course on Clang and its sanitizers at Dynamic Analysis with Clang. It covers topics such as getting stack traces. (I wrote the page for the Python project to help them add Clang and its sanitizers to their release engineering process.)

Answered 2015-07-21T12:22:32.800
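To make concrete what the unsymbolized frames in the question contain and what the sed-based path remap in this answer achieves, here is an added Python example (not from the question, the answers, or the asan_symbolize script) that parses such frames into module-relative offsets, remaps a moved build directory, and emits equivalent offline addr2line commands. The frame lines are copied from the report in the question; the old and new path prefixes are constructed placeholders.

```python
import re
import shlex

# Unsymbolized frames exactly as quoted in the question (non-PIE binary, so pc == offset).
SAMPLE_REPORT = """\
==13392== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff911555e8 at pc 0x400845 bp 0x7fff911555a0 sp 0x7fff91155598
READ of size 4 at 0x7fff911555e8 thread T0
     0x400844 (/media/data/test+0x400844)
     0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
     0x400688 (/media/data/test+0x400688)
"""

# Shape of a frame ASan prints when it could not use its symbolizer:  <pc> (<module>+<offset>)
FRAME_RE = re.compile(r"^\s*(0x[0-9a-f]+)\s+\((\S+?)\+(0x[0-9a-f]+)\)\s*$")


def symbolizer_failed(report):
    """True when the report carries the warnings seen in the question, i.e. the
    external symbolizer could not be reached and frames are raw addresses."""
    markers = ("Can't read from symbolizer", "Failed to use and restart external symbolizer")
    return any(m in line for line in report.splitlines() for m in markers)


def parse_frames(report):
    """Return (pc, module, module_offset) per unsymbolized frame, ints for the numbers."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1), 16), m.group(2), int(m.group(3), 16)))
    return frames


def remap_path(module, old_prefix, new_prefix):
    """Same effect as the sed 's/<old path>/<new path>/' step: point at where the binary lives now."""
    if module.startswith(old_prefix):
        return new_prefix + module[len(old_prefix):]
    return module


def addr2line_commands(frames, old_prefix=None, new_prefix=None):
    """Build addr2line invocations using the module-relative offset, which is what a
    symbolizer needs (the runtime pc only matches for a non-PIE executable)."""
    cmds = []
    for _pc, module, offset in frames:
        if old_prefix is not None:
            module = remap_path(module, old_prefix, new_prefix)
        cmds.append(f"addr2line -f -e {shlex.quote(module)} {offset:#x}")
    return cmds


if __name__ == "__main__":
    # Constructed placeholder paths: the build tree was moved from /media/data to /home/user/build.
    for cmd in addr2line_commands(parse_frames(SAMPLE_REPORT), "/media/data", "/home/user/build"):
        print(cmd)
```

The printed commands can be run on the machine that still holds the binaries built with -g, which is the same information asan_symbolize or llvm-symbolizer would have needed at run time.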