我在这个教程的帮助下尝试寻找错误:https ://fuzzing-project.org/tutorial2.html
当我使用地址清理器时,堆栈跟踪上没有任何符号解析。
我尝试了此处描述的操作:针对 GCC 中的地址清理程序的有意义的堆栈跟踪,但它对我不起作用。我的操作系统是 Ubuntu 14.04
以下是我采取的步骤:
我在 C 中使用了一个测试程序,这是一个典型的错误
int main() { int a[2] = {1, 0}; int b=a[2]; }
我安装 llvm 3.5
apt-get
我导出以下变量
export AFL_USE_ASAN=1 export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5 export ASAN_OPTIONS=symbolize=1
我使用以下命令编译 gcc 4.8.2
gcc -o test -fsanitize=address -g3 -ggdb test.c
当我启动测试程序时,我在错误报告中收到了警告。似乎 AddressSanitizer 无法连接到 llvm-symbolizer-3.5
==13382== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff92d6b0e8 at pc 0x400845 bp 0x7fff92d6b0a0 sp 0x7fff92d6b098 READ of size 4 at 0x7fff92d6b0e8 thread T0 ==13382== WARNING: Can't read from symbolizer at fd 3 ==13382== WARNING: Can't read from symbolizer at fd 3 ==13382== WARNING: Can't read from symbolizer at fd 3 ==13382== WARNING: Can't read from symbolizer at fd 3 ==13382== WARNING: Can't read from symbolizer at fd 3 ==13382== WARNING: Can't read from symbolizer at fd 3 ==13382== WARNING: Failed to use and restart external symbolizer 0x400844 (/media/data/test+0x400844) 0x7fe5e7d4aec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) 0x400688 (/media/data/test+0x400688) Address 0x7fff92d6b0e8 is located at offset 40 in frame <main> of T0's stack: This frame has 1 object(s): [32, 40) 'a' HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) Shadow bytes around the buggy address: 0x1000725a55c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000725a55d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000725a55e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000725a55f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000725a5600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x1000725a5610: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f4]f4 f4 0x1000725a5620: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x1000725a5630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000725a5640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000725a5650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000725a5660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==13382== ABORTING
而且我在堆栈跟踪上没有任何符号。如果我执行 sudo 我没有任何警告,但我也没有任何符号解析。
==13392== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff911555e8 at pc 0x400845 bp 0x7fff911555a0 sp 0x7fff91155598
READ of size 4 at 0x7fff911555e8 thread T0
0x400844 (/media/data/test+0x400844)
0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
0x400688 (/media/data/test+0x400688)
Address 0x7fff911555e8 is located at offset 40 in frame of T0's stack:
This frame has 1 object(s):
[32, 40) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
Shadow bytes around the buggy address:
0x100072222a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100072222ab0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f4]f4 f4
0x100072222ac0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==13392== ABORTING
我也尝试了谷歌页面项目中描述的python脚本asan_symbolize.py
,但没有任何结果。