I'm trying to catch bugs with the help of this tutorial: https://fuzzing-project.org/tutorial2.html
When I use address sanitizer, I don't get any symbol resolution on the stack trace.
I tried what is described here: Meaningful stack traces for address sanitizer in GCC, but it doesn't work for me. My OS is Ubuntu 14.04.
Here are the steps I took:
int main() {
    int a[2] = {1, 0};
    int b = a[2];   /* intentional out-of-bounds read, the bug ASan should report */
}
apt-get install llvm-3.5
export AFL_USE_ASAN=1
export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
export ASAN_OPTIONS=symbolize=1
gcc -o test -fsanitize=address -g3 -ggdb test.c
==13382== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff92d6b0e8 at pc 0x400845 bp 0x7fff92d6b0a0 sp 0x7fff92d6b098
READ of size 4 at 0x7fff92d6b0e8 thread T0
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Failed to use and restart external symbolizer
0x400844 (/media/data/test+0x400844)
0x7fe5e7d4aec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
0x400688 (/media/data/test+0x400688)
Address 0x7fff92d6b0e8 is located at offset 40 in frame <main> of T0's stack:
This frame has 1 object(s):
[32, 40) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
0x1000725a55c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000725a55d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000725a55e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000725a55f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000725a5600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000725a5610: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f4]f4 f4
0x1000725a5620: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x1000725a5630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000725a5640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000725a5650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000725a5660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==13382== ABORTING
I don't get any symbols on the stack trace. If I run it with sudo I don't get any warnings, but I still don't get any symbol resolution.
==13392== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff911555e8 at pc 0x400845 bp 0x7fff911555a0 sp 0x7fff91155598
READ of size 4 at 0x7fff911555e8 thread T0
0x400844 (/media/data/test+0x400844)
0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
0x400688 (/media/data/test+0x400688)
Address 0x7fff911555e8 is located at offset 40 in frame of T0's stack:
This frame has 1 object(s):
[32, 40) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
Shadow bytes around the buggy address:
0x100072222a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100072222ab0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f4]f4 f4
0x100072222ac0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==13392== ABORTING
I also tried the python script asan_symbolize.py described on the Google project page, but without any result.
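Before re-running a sanitized binary it is worth confirming that the two environment variables from the steps above actually point at something usable. The following POSIX shell function is an added example, not part of the original question; it only checks that ASAN_SYMBOLIZER_PATH names an executable file and that ASAN_OPTIONS enables symbolization, and says which of the two is missing.

```shell
#!/bin/sh
# Added example: sanity-check the ASan symbolizer environment before running
# a sanitized binary. Returns 0 when the setup looks usable, 1 otherwise, and
# prints the reason to stderr.
check_asan_symbolizer() {
    if [ -z "${ASAN_SYMBOLIZER_PATH:-}" ]; then
        echo "ASAN_SYMBOLIZER_PATH is not set" >&2
        return 1
    fi
    if [ ! -x "$ASAN_SYMBOLIZER_PATH" ]; then
        echo "ASAN_SYMBOLIZER_PATH=$ASAN_SYMBOLIZER_PATH is not an executable file" >&2
        return 1
    fi
    case "${ASAN_OPTIONS:-}" in
        *symbolize=1*) ;;
        *) echo "ASAN_OPTIONS does not contain symbolize=1" >&2; return 1 ;;
    esac
    return 0
}

# Usage: export the variables as in the question, then
#   check_asan_symbolizer && ./test
```

The check runs before the sanitized program, so a typo in the symbolizer path shows up as a clear message instead of a run of "Can't read from symbolizer" warnings buried in the report.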
I updated to gcc 4.9. Now it works. Here are the steps I used to update on Ubuntu.
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
sudo apt-get update
sudo apt-get install gcc-4.9 g++-4.9
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.9 60 --slave /usr/bin/g++ g++ /usr/bin/g++-4.9
More details here: https://askubuntu.com/questions/466651/how-do-i-use-the-latest-gcc-4-9-on-ubuntu-14-04
export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
...
READ of size 4 at 0x7fff911555e8 thread T0
0x400844 (/media/data/test+0x400844)
0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
0x400688 (/media/data/test+0x400688)
Under Clang, you need to pipe the output through asan_symbolize to get symbols. I'm discussing Clang because you are apparently using the LLVM gear (llvm-symbolizer-3.5 above). So you should do something like:
./test 2>&1 | asan_symbolize
I have asan_symbolize in both /usr/bin and /usr/local/bin:
$ find /usr/ -name asan*
/usr/bin/asan_symbolize
/usr/lib/llvm-3.4/lib/clang/3.4/include/sanitizer/asan_interface.h
/usr/local/bin/asan_symbolize.py
/usr/local/lib/clang/3.5.0/include/sanitizer/asan_interface.h
I have two copies because one was installed via apt-get along with Clang (/usr/bin/asan_symbolize), and I occasionally build Clang from sources (/usr/local/bin/asan_symbolize.py).
If you don't have a copy, then I believe you can fetch it from address-sanitizer on Google Code.
Once you start using asan_symbolize, you may run into the case where asan_symbolize cannot find symbols because of path changes (for example, the program or library was copied from its build location into a target directory). For that, see Specify Symbol Path to asan_symbolize? on the Asan mailing list.
In kcc's answer, he suggests doing the following:
./test 2>&1 | sed "s/<old path>/<new path>/g" | asan_symbolize
(I think I had to do this when testing Postgres).
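Both the asan_symbolize pipeline and the sed path rewrite above work on the unsymbolized frame lines of the report, which have the shape "pc (module+offset)". The following Python script is an added example, not the asan_symbolize.py from the address-sanitizer project and not code from this answer: it parses those frames, applies a path remapping like the sed step, and then resolves each frame with binutils addr2line when that tool and the remapped module are both present. It assumes addr2line is on PATH and that the module offset ASan prints is a valid address in the module's own address space (true for the frames above, where offset and pc coincide for the non-PIE binary); the sample report lines are constructed from the question.

```python
import os
import re
import shutil
import subprocess

# Unsymbolized ASan frame, e.g. "0x400844 (/media/data/test+0x400844)".
# Newer ASan builds prefix the frame with "#N"; the prefix is optional here.
FRAME_RE = re.compile(
    r"^\s*(?:#\d+\s+)?(0x[0-9a-fA-F]+)\s+\((\S+?)\+(0x[0-9a-fA-F]+)\)\s*$"
)


def parse_frame(line):
    """Return (pc, module_path, offset) for a frame line, or None for other lines."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3), 16)


def remap_path(path, mapping):
    """Rewrite a module path prefix; this is what the sed step in the answer does.
    mapping: {old_prefix: new_prefix}; the longest matching prefix wins."""
    for old in sorted(mapping, key=len, reverse=True):
        if path.startswith(old):
            return mapping[old] + path[len(old):]
    return path


def symbolize_frame(module, offset):
    """Resolve (function, 'file:line') with addr2line, or None when addr2line
    is unavailable, the module is missing, or it has no debug info for the
    address. Assumption: offset is an address in the module's own address space."""
    if shutil.which("addr2line") is None or not os.path.isfile(module):
        return None
    proc = subprocess.run(
        ["addr2line", "-f", "-C", "-e", module, hex(offset)],
        capture_output=True, text=True, check=False,
    )
    out = proc.stdout.splitlines()
    if proc.returncode != 0 or len(out) < 2 or out[0] == "??":
        return None
    return out[0], out[1]


def symbolize_report(lines, mapping=None):
    """Rewrite frame lines of an ASan report; every other line passes through.
    Frames that cannot be resolved keep the (module+offset) form so nothing is lost."""
    mapping = mapping or {}
    result = []
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            result.append(line)
            continue
        pc, module, offset = parsed
        module = remap_path(module, mapping)
        sym = symbolize_frame(module, offset)
        if sym is None:
            result.append(f"{pc} in ?? ({module}+{offset:#x})")
        else:
            func, loc = sym
            result.append(f"{pc} in {func} {loc}")
    return result


# Constructed sample: the frames from the question, as they would appear after
# the binary has been copied from /media/data to another directory.
SAMPLE = [
    "READ of size 4 at 0x7fff911555e8 thread T0",
    "0x400844 (/media/data/test+0x400844)",
    "0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)",
    "0x400688 (/media/data/test+0x400688)",
]

if __name__ == "__main__":
    import sys
    # Usage: ./test 2>&1 | python3 this_script.py   (reads the report from stdin)
    src = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for out in symbolize_report(src, {"/media/data": "/opt/fuzz"}):
        print(out)
```

Frames whose module cannot be found after remapping are printed with "??" but keep their module+offset, so the report can still be symbolized later on a machine that has the build tree.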
I recently started using GCC's sanitizers, but I have never used asan_symbolize with GCC's. I'm not sure how well it will work for you. Naively, I would expect it to work as expected.
I compiled with gcc 4.8.2 using the following command...
I'm not sure how well the mix/match will work for you. Perhaps you should stick with GCC; or you should install Clang and use it.
Python has a crash course on Clang and its sanitizers at Dynamic Analysis with Clang. It discusses topics like getting stack traces. (I wrote the page for the Python project to help them add Clang and its sanitizers to their release engineering process).