C ++中的AddressSanitizer黑名单不起作用 [英] AddressSanitizer blacklist in c++ not working
问题描述
我正在尝试让地址清理器黑名单在C ++项目中工作,但其未按预期工作。我在他们的网站上尝试了该示例,如果我使用 clang
进行编译,则可以正常工作。
构建%cat prevent.txt
fun:bad_foo
build%cat foo.c
#include< stdlib.h>
void bad_foo(){
int * a =(int *)malloc(40);
a [10] = 1;
}
int main(){bad_foo(); }
build%clang -fsanitize = address -fsanitize-blacklist = suppress.txt foo.c; ./a.out
退出代码:0
但我使用 clang ++
,它被忽略。
build%cp foo.c foo.cpp
build%clang ++ -fsanitize =地址-fsanitize-blacklist = suppress.txt foo.cpp; ./a.out
========================================== =======================
== 9943 ==错误:AddressSanitizer:地址0x6040000003f8在pc 0x00010ff93ee8 bp 0x7ffedfc6c340上的堆缓冲区溢出sp 0x7ffedfc6c338
在0x6040000003f8线程T0
上写大小为4的dSYM:[/Users/.../build/./a.out.dSYM/Contents/Resources/DWARF/a.out]可以不匹配符号所有者0x7fe1b060edc0
#0 0x10ff93ee7 in bad_foo()(a.out:x86_64 + 0x100000ee7)
#1 0x10ff93f08 main(a.out:x86_64 + 0x100000f08)
#2 0x7fff7940508在开始时(libdyld.dylib:x86_64 + 0x1708c)
0x6040000003f8位于40字节区域右边的0字节[0x6040000003d0,0x6040000003f8)
在这里由线程T0分配:
#0 0x10fff2173在wrap_malloc中(libclang_rt.asan_osx_dynamic.dylib:x86_64h + 0x5c173)
#1 0x10ff93e93在bad_foo()中(a.out:x86_64 + 0x100000e93)
#2 0x10ff93f08在main( :x86_64 + 0x100000f08)
#3 0x7fff7940508c开始(libdyld.dylib:x86_64 + 0x1708c)
摘要:AddressSanitizer:bad_foo()中的堆缓冲区溢出(a.out:x86_64 + 0x100000ee7)
越野车地址周围的影子字节:
0x1c0800000020: fa fa 00 00 00 00 00 fa fa 00 00 00 00 00 05
0x1c0800000030:fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 05
0x1c0800000040:fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 07
0x1c0800000050:fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x1c0800000060:fa fa 00 00 00 00 00 fa fa 00 00 00 00 00 fa
=> 0x1c0800000070:fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 00 [fa]
0x1c0800000080:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0800000090:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c08000000a0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa $ fa $ b 0x1c08000000b0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa $ fa
0x1c08000000c0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa $ fa
影子字节图例(一个影子字节代表8个应用程序离子字节):
可寻址:00
部分可寻址:01 02 03 04 05 06 07
左左红色区堆:fa
释放堆区域:fd
左左堆区:f1
堆栈中间redzone:f2
堆栈右redzone:f3
返回后的堆栈:f5
范围后的堆栈使用:f8
全局redzone:f9
全局初始化顺序:f6
用户中毒:f7
容器溢出:fc
数组cookie:ac
对象内部区域:bb
ASan内部:fe
左alloca区域:ca
右alloca区域:cb
阴影间隙:cc
== 9943 ==中止
[1] 9943中止./a.out
退出代码:134
我正在使用releases.llvm.org中的clang-7
build%clang --version
clang版本7.0.0(tags / RELEASE_700 / final)
目标: x86_64-apple-darwin18.2.0
线程模式l:posix
InstalledDir:/Users/.../clang+llvm-7.0.0-x86_64-apple-darwin/bin
C ++不支持吗?
在C ++中函数名称将被修改,并且看起来黑名单要求我们使用被修改的名称,例如:
乐趣:_Z7bad_foov
然后它将对我有用。我们可以从示例,我认为您正在使用中看到,他们有一个使用也是错误的名称,但他们没有解释:
#关闭特定功能的检查(使用错误的名称):
fun:MyFooBar
fun:_Z8MyFooBarv
您可以使用< a href = https://en.wikipedia.org/wiki/Nm_(Unix) rel = nofollow noreferrer> nm 来查找错误的名称,例如当我这样做时为您的例子:
nm a.out
我看到这样的东西:
0000000100000e80 T __Z7bad_foov
...
不确定为什么我们会获得额外的 _
,但是我们这样做了。 / p>
I'm trying to get address sanitizer blacklist working in a C++ project but its not working as expected. I tried the example on their website, if I compile with clang
, it works fine.
build % cat suppress.txt
fun:bad_foo
build % cat foo.c
#include <stdlib.h>
void bad_foo() {
int *a = (int*)malloc(40);
a[10] = 1;
}
int main() { bad_foo(); }
build % clang -fsanitize=address -fsanitize-blacklist=suppress.txt foo.c ; ./a.out
Exit code: 0
But as soon as I use clang++
, its ignored.
build % cp foo.c foo.cpp
build % clang++ -fsanitize=address -fsanitize-blacklist=suppress.txt foo.cpp ; ./a.out
=================================================================
==9943==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000003f8 at pc 0x00010ff93ee8 bp 0x7ffedfc6c340 sp 0x7ffedfc6c338
WRITE of size 4 at 0x6040000003f8 thread T0
Provided dSYM: [/Users/.../build/./a.out.dSYM/Contents/Resources/DWARF/a.out] does not match symbol owner 0x7fe1b060edc0
#0 0x10ff93ee7 in bad_foo() (a.out:x86_64+0x100000ee7)
#1 0x10ff93f08 in main (a.out:x86_64+0x100000f08)
#2 0x7fff7940508c in start (libdyld.dylib:x86_64+0x1708c)
0x6040000003f8 is located 0 bytes to the right of 40-byte region [0x6040000003d0,0x6040000003f8)
allocated by thread T0 here:
#0 0x10fff2173 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c173)
#1 0x10ff93e93 in bad_foo() (a.out:x86_64+0x100000e93)
#2 0x10ff93f08 in main (a.out:x86_64+0x100000f08)
#3 0x7fff7940508c in start (libdyld.dylib:x86_64+0x1708c)
SUMMARY: AddressSanitizer: heap-buffer-overflow (a.out:x86_64+0x100000ee7) in bad_foo()
Shadow bytes around the buggy address:
0x1c0800000020: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 05
0x1c0800000030: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 05
0x1c0800000040: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 07
0x1c0800000050: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x1c0800000060: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
=>0x1c0800000070: fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 00[fa]
0x1c0800000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0800000090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c08000000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c08000000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c08000000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==9943==ABORTING
[1] 9943 abort ./a.out
Exit code: 134
I'm using clang-7 from releases.llvm.org
build % clang --version
clang version 7.0.0 (tags/RELEASE_700/final)
Target: x86_64-apple-darwin18.2.0
Thread model: posix
InstalledDir: /Users/.../clang+llvm-7.0.0-x86_64-apple-darwin/bin
Is this not supported under C++?
In C++ function names will be mangled and it looks like the blacklist requires us to use mangled names, for example:
fun:_Z7bad_foov
then it will works for me. We can see form the example I think you are using they have an example of using a mangled name as well but they don't explain it:
# Turn off checks for a particular functions (use mangled names):
fun:MyFooBar
fun:_Z8MyFooBarv
You can use a utility like nm to find the mangled name, for example for your exmaple when I do:
nm a.out
I see something like this:
0000000100000e80 T __Z7bad_foov
...
Not sure why we obtain an extra _
but we do.
这篇关于C ++中的AddressSanitizer黑名单不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!