AddressSanitizer blacklist in C++ not working


Problem description


I'm trying to get the address sanitizer blacklist working in a C++ project but it's not working as expected. I tried the example on their website; if I compile with clang, it works fine.

build % cat suppress.txt
fun:bad_foo

build % cat foo.c
#include <stdlib.h>
void bad_foo() {
  int *a = (int*)malloc(40);  // 40 bytes: room for 10 ints
  a[10] = 1;                  // index 10 is one past the end (the bug ASan reports)
}
int main() { bad_foo(); }

build % clang -fsanitize=address -fsanitize-blacklist=suppress.txt foo.c ; ./a.out
Exit code: 0

But as soon as I use clang++, it's ignored.

build % cp foo.c foo.cpp
build % clang++ -fsanitize=address -fsanitize-blacklist=suppress.txt foo.cpp ; ./a.out
=================================================================
==9943==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000003f8 at pc 0x00010ff93ee8 bp 0x7ffedfc6c340 sp 0x7ffedfc6c338
WRITE of size 4 at 0x6040000003f8 thread T0
Provided dSYM: [/Users/.../build/./a.out.dSYM/Contents/Resources/DWARF/a.out] does not match symbol owner 0x7fe1b060edc0
    #0 0x10ff93ee7 in bad_foo() (a.out:x86_64+0x100000ee7)
    #1 0x10ff93f08 in main (a.out:x86_64+0x100000f08)
    #2 0x7fff7940508c in start (libdyld.dylib:x86_64+0x1708c)

0x6040000003f8 is located 0 bytes to the right of 40-byte region [0x6040000003d0,0x6040000003f8)
allocated by thread T0 here:
    #0 0x10fff2173 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c173)
    #1 0x10ff93e93 in bad_foo() (a.out:x86_64+0x100000e93)
    #2 0x10ff93f08 in main (a.out:x86_64+0x100000f08)
    #3 0x7fff7940508c in start (libdyld.dylib:x86_64+0x1708c)

SUMMARY: AddressSanitizer: heap-buffer-overflow (a.out:x86_64+0x100000ee7) in bad_foo()
Shadow bytes around the buggy address:
  0x1c0800000020: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 05
  0x1c0800000030: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 05
  0x1c0800000040: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 07
  0x1c0800000050: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x1c0800000060: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
=>0x1c0800000070: fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 00[fa]
  0x1c0800000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0800000090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c08000000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c08000000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c08000000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==9943==ABORTING
[1]    9943 abort      ./a.out
Exit code: 134

I'm using clang-7 from releases.llvm.org

build % clang --version
clang version 7.0.0 (tags/RELEASE_700/final)
Target: x86_64-apple-darwin18.2.0
Thread model: posix
InstalledDir: /Users/.../clang+llvm-7.0.0-x86_64-apple-darwin/bin

Is this not supported under C++?

Solution

In C++, function names will be mangled, and it looks like the blacklist requires us to use the mangled names, for example:

fun:_Z7bad_foov

then it works for me. We can see from the example I think you are using that they have an example of using a mangled name as well, but they don't explain it:

# Turn off checks for a particular functions (use mangled names):
fun:MyFooBar
fun:_Z8MyFooBarv

You can use a utility like nm to find the mangled name; for example, for your example, when I do:

nm a.out

I see something like this:

0000000100000e80 T __Z7bad_foov
...

Not sure why we obtain an extra _ but we do.
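The extra underscore is the Mach-O symbol prefix: on macOS the assembler prepends "_" to every global symbol, so nm shows "__Z7bad_foov", while the blacklist is matched against the name the compiler itself emits, the Itanium-mangled "_Z7bad_foov" (ELF nm output on Linux shows that name directly). The script below is an added example, not code from the question or the answer above: it turns nm output into "fun:" entries, dropping exactly that one Mach-O underscore, then rebuilds the poster's foo.cpp with the generated blacklist and checks that the instrumented binary exits 0. The helper names nm_to_blacklist and round_trip are mine, and the round trip assumes clang++ with the ASan runtime and nm are on PATH (it prints a message and skips the build otherwise). Newer clang (13 and later) spells the option -fsanitize-ignorelist=, but still accepts -fsanitize-blacklist= as an alias.

```shell
#!/bin/sh
# Added example (not from the original question or answer): derive the fun:
# entries for -fsanitize-blacklist from nm output, then rebuild foo.cpp with
# them. Assumes clang++ with the ASan runtime and nm are on PATH for the
# round trip; nm_to_blacklist itself only needs awk.

# Convert "nm" output on stdin into blacklist lines for C++ functions whose
# mangled name contains $1. The blacklist is matched against the name the
# compiler emits (the Itanium-mangled "_Z7bad_foov"). Mach-O prefixes every
# global symbol with "_", so nm on macOS prints "__Z7bad_foov"; that single
# extra underscore is stripped. ELF nm output ("_Z7bad_foov") passes through.
nm_to_blacklist() {
    awk -v want="$1" '
        # nm prints "<addr> <type> <name>" for defined symbols; keep code
        # symbols only (T/t = text, W/w = weak, e.g. inline functions).
        NF == 3 && $2 ~ /^[TtWw]$/ {
            sym = $3
            sub(/^__Z/, "_Z", sym)
            if (sym ~ /^_Z/ && index(sym, want) > 0) print "fun:" sym
        }'
}

# Round trip on the poster's program: build unsuppressed, harvest the mangled
# name with nm, write suppress.txt, rebuild with the blacklist and run it.
# Missing toolchain pieces produce a message rather than a failure, so the
# helper above can still be exercised on its own.
round_trip() {
    work=$(mktemp -d) || return 1
    cat > "$work/foo.cpp" <<'EOF'
#include <stdlib.h>
void bad_foo() {
  int *a = (int*)malloc(40);   // room for 10 ints
  a[10] = 1;                   // index 10 is one past the end
}
int main() { bad_foo(); }
EOF
    if ! clang++ -fsanitize=address -o "$work/a.out" "$work/foo.cpp" 2>/dev/null; then
        echo "clang++ with the ASan runtime not available; skipping build"
        rm -rf "$work"
        return 0
    fi
    nm "$work/a.out" | nm_to_blacklist bad_foo > "$work/suppress.txt"
    echo "suppress.txt:"
    cat "$work/suppress.txt"          # fun:_Z7bad_foov on both macOS and Linux
    if ! clang++ -fsanitize=address -fsanitize-blacklist="$work/suppress.txt" \
            -o "$work/a.out" "$work/foo.cpp"; then
        echo "rebuild with blacklist failed"
        rm -rf "$work"
        return 0
    fi
    if "$work/a.out" 2>/dev/null; then
        echo "blacklist honoured: a.out exited 0"
    else
        echo "blacklist ignored: a.out exited $?"
    fi
    rm -rf "$work"
}

round_trip
```

To check the conversion without a compiler, feed nm_to_blacklist a constructed nm line such as "0000000100000e80 T __Z7bad_foov" (the Mach-O form from the answer) or "0000000000001149 T _Z7bad_foov" (the ELF form); both yield "fun:_Z7bad_foov", while a plain C symbol like "_main" is not a mangled name and produces nothing, so C functions keep their unmangled "fun:name" entries as in the C build.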
