Memory Out-of-Bounds Access

Command Function

Analyzes out-of-bounds memory accesses in an application and reports the type of out-of-bounds access together with the memory access information.

Command Format

devkit doctor memoob [-h] [-l {0,1,2,3}] [--package] [--ns] [-o <file>] workload ...

The tool collects data from the specified application. Replace "workload ..." in the command with the application path followed by the application's arguments.

Parameter Description

Table 1 Parameter description

| Parameter | Options | Description |
| --- | --- | --- |
| -h/--help | - | Displays help information. |
| -l/--log-level | 0/1/2/3 | Sets the log level. The default is 2. 0: DEBUG; 1: INFO; 2: WARNING; 3: ERROR. |
| --package | - | Specifies whether to import the data into the database and generate a compressed package in the specified output path. |
| --ns | - | Specifies whether the analysis stops when the application fails. With this parameter, the analysis continues after an application failure; without it, the analysis stops at the failure. To continue the analysis after a failure, compile the application with the -fsanitize-recover=address option. |
| -o/--output | - | Sets the file name of the generated report data. The default is the current directory. |

Usage Example

devkit doctor memoob -l 1 --package -o /home/overdemos /home/overdemos

The parameter -o /home/overdemos means that an analysis report package named overdemos.tar is generated in the /home/ directory; the final /home/overdemos in the command is the absolute path of the application to be analyzed.

The returned information is as follows:

[INFO]Collect start
Stop Collecting while memory overwriting exception caused exit. Note: You can set "-ns" to collect all overwriting exceptions.
Collection process may cost a while, please wait ...
[INFO]/home/overdemods
[INFO]Collect end
[INFO]Analysis start

Memory Overwriting Report                                   Time:20240807-113323
================================================================================

Program Name: /home/overdemos

Overwriting-1
────────────────────────────────────────────────────────────────────
PID                     3003303
File                    /home/overdemo2_bak.cpp
Function                danglingPointerExample()
Overwriting Type        (heap) use after free
Access Type             READ

Overwriting access point:

────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #0        0x4017dc          danglingPointerExample()                      /home/overdemo2_bak.cpp:24
  #1        0x401bd0          main                                          /home/overdemo2_bak.cpp:50
  #2        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #3        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #4        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

Auxiliary Information:

freed by thread T0 here:
────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #1        0x4016d8          danglingPointerExample()                      /home/overdemo2_bak.cpp:22
  #2        0x401bd0          main                                          /home/overdemo2_bak.cpp:50
  #3        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #4        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #5        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

previously allocated by thread T0 here:
────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #1        0x4016cc          danglingPointerExample()                      /home/overdemo2_bak.cpp:21
  #2        0x401bd0          main                                          /home/overdemo2_bak.cpp:50
  #3        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #4        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #5        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

More Information:

Shadow bytes around the buggy address:
    0x200ff35000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff35000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff35000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff35000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff35000e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 => 0x200ff35000f0: fa fa fa fa fa fa[fd]fa fa fa fa fa fa fa fa fa
    0x200ff3500100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3500110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3500120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3500130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3500140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable                   00
    Partially addressable         01 02 03 04 05 06 07
    Heap left redzone             fa
    Freed heap region             fd
    Stack left redzone            f1
    Stack mid redzone             f2
    Stack right redzone           f3
    Stack after return            f5
    Stack use after scope         f8
    Global redzone                f9
    Global init order             f6
    Poisoned by user              f7
    Container overflow            fc
    Array cookie                  ac
    Intra object redzone          bb
    ASan internal                 fe
    Left alloca redzone           ca
    Right alloca redzone          cb
    Shadow gap                    cc

==3003303==ABORTING

Overwriting-2
────────────────────────────────────────────────────────────────────
PID                     3003304
File                    /home/overdemo2_bak.cpp
Function                outOfBoundsWithVector()
Overwriting Type        heap buffer overflow
Access Type             WRITE

Overwriting access point:

────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #0        0x401ad8          outOfBoundsWithVector()                       /home/overdemo2_bak.cpp:31
  #1        0x401bb8          main                                          /home/overdemo2_bak.cpp:52
  #2        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #3        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #4        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

Auxiliary Information:

allocated by thread T0 here:
────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #1        0x401930          outOfBoundsWithVector()                       /usr/include/c++/10.***new_allocator.h:115
  #2        0x401bb8          main                                          /home/overdemo2_bak.cpp:52
  #3        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #4        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #5        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

More Information:

Shadow bytes around the buggy address:
    0x200ff3640110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 => 0x200ff3640160: fa fa fa fa fa fa fa fa fa fa 00 00[04]fa fa fa
    0x200ff3640170: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff36401a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff36401b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable                   00
    Partially addressable         01 02 03 04 05 06 07
    Heap left redzone             fa
    Freed heap region             fd
    Stack left redzone            f1
    Stack mid redzone             f2
    Stack right redzone           f3
    Stack after return            f5
    Stack use after scope         f8
    Global redzone                f9
    Global init order             f6
    Poisoned by user              f7
    Container overflow            fc
    Array cookie                  ac
    Intra object redzone          bb
    ASan internal                 fe
    Left alloca redzone           ca
    Right alloca redzone          cb
    Shadow gap                    cc

==3003304==ABORTING

Overwriting-3
────────────────────────────────────────────────────────────────────
PID                     3003301
File                    /home/overdemo2_bak.cpp
Function                arrayOutOfBoundsExample()
Overwriting Type        stack buffer overflow
Access Type             WRITE

Overwriting access point:

─────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #0        0x40167c          arrayOutOfBoundsExample()                     /home/overdemo2_bak.cpp:16
  #1        0x401bc8          main                                          /home/overdemo2_bak.cpp:48
  #2        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #3        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #4        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
─────────────────────────────────────────────────────────────────────
Auxiliary Information:

────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #0        0x4014d0          arrayOutOfBoundsExample()                     /home/overdemo2_bak.cpp:12
────────────────────────────────────────────────────────────────────

This frame has 1 object(s):
  [32, 52) 'arr' (line 13) <== Memory access at offset 52 overflows this variable

HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
  (longjmp and C++ exceptions *are* supported)

More Information:

Shadow bytes around the buggy address:
    0x200ffc852a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 => 0x200ffc852a90: f1 f1 f1 f1 00 00[04]f3 f3 f3 f3 f3 00 00 00 00
    0x200ffc852aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable                   00
    Partially addressable         01 02 03 04 05 06 07
    Heap left redzone             fa
    Freed heap region             fd
    Stack left redzone            f1
    Stack mid redzone             f2
    Stack right redzone           f3
    Stack after return            f5
    Stack use after scope         f8
    Global redzone                f9
    Global init order             f6
    Poisoned by user              f7
    Container overflow            fc
    Array cookie                  ac
    Intra object redzone          bb
    ASan internal                 fe
    Left alloca redzone           ca
    Right alloca redzone          cb
    Shadow gap                    cc

==3003301==ABORTING

[INFO]Analysis end
[INFO]Report start
Packaging process may cost a while, please wait ...
Export package success!
The tar report is allocated in /home/overdemos.tar.
[INFO]Report end
[INFO]Finalize start
[INFO]Finalize end

The hint text the report gives for the exception:

This frame has 1 object(s):
  [32, 52) 'arr' (line 13) <== Memory access at offset 52 overflows this variable

HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
  (longjmp and C++ exceptions *are* supported)
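
Reading a long report like the one above by hand is slow, so here is an added example (not DevKit code and not from this page's author) that parses the text report into structured findings and decodes the shadow byte marked [xx] using the legend the tool prints. SAMPLE_REPORT is a constructed excerpt of the output shown on this page with the rule lines and legend removed; the regular expressions assume the column layout shown here is stable, which is an assumption about the tool, not something the page states.

```python
"""Added example (not DevKit code): parse a memoob text report and decode its shadow bytes."""
import re
from dataclasses import dataclass, field

# Legend as printed by the tool; one shadow byte describes 8 application bytes.
SHADOW_LEGEND = {
    0x00: "addressable", 0xfa: "heap left redzone", 0xfd: "freed heap region",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
    0xf5: "stack after return", 0xf8: "stack use after scope", 0xf9: "global redzone",
    0xf6: "global init order", 0xf7: "poisoned by user", 0xfc: "container overflow",
    0xac: "array cookie", 0xbb: "intra object redzone", 0xfe: "ASan internal",
    0xca: "left alloca redzone", 0xcb: "right alloca redzone", 0xcc: "shadow gap",
}

def describe_shadow_byte(value: int) -> str:
    """0x01..0x07 mean only the first N of the 8 covered bytes are addressable."""
    if 1 <= value <= 7:
        return f"partially addressable ({value} of 8 bytes)"
    return SHADOW_LEGEND.get(value, f"unknown 0x{value:02x}")

@dataclass
class Finding:
    index: int
    pid: int = 0
    file: str = ""
    function: str = ""
    overwriting_type: str = ""
    access_type: str = ""
    access_frames: list = field(default_factory=list)  # (function, location) of the faulting access
    shadow_byte: int = -1                               # byte marked [xx] on the "=>" line
    object_note: str = ""                               # derived from the "This frame has ..." hint

HEADER_RE = re.compile(r"^Overwriting-(\d+)\s*$")
FIELD_RE = re.compile(r"^(PID|File|Function|Overwriting Type|Access Type)\s{2,}(.+?)\s*$")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+(\S+)\s+(\S+)\s*$")
SHADOW_RE = re.compile(r"^\s*=>\s*0x[0-9a-f]+:.*\[([0-9a-f]{2})\]")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '(\w+)' \(line \d+\) <== Memory access at offset (\d+)")
FIELD_ATTR = {"PID": "pid", "File": "file", "Function": "function",
              "Overwriting Type": "overwriting_type", "Access Type": "access_type"}

def parse_report(text: str) -> list[Finding]:
    """Split the report into Findings; only the 'Overwriting access point' stack is kept as frames."""
    findings, in_access = [], False
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            findings.append(Finding(index=int(m.group(1))))
            in_access = False
        elif not findings:
            continue  # collector chatter before the first finding
        elif m := FIELD_RE.match(line):
            setattr(findings[-1], FIELD_ATTR[m[1]], int(m[2]) if m[1] == "PID" else m[2])
        elif line.startswith("Overwriting access point"):
            in_access = True
        elif line.startswith("Auxiliary Information"):
            in_access = False  # alloc/free history follows: context, not the faulting access
        elif in_access and (m := FRAME_RE.match(line)):
            findings[-1].access_frames.append((m[1], m[2]))
        elif m := SHADOW_RE.match(line):
            findings[-1].shadow_byte = int(m[1], 16)
        elif m := OBJECT_RE.match(line):
            start, end, off = int(m[1]), int(m[2]), int(m[4])
            findings[-1].object_note = (f"'{m[3]}' is {end - start} bytes; access at offset {off} "
                                        f"starts {off - end} byte(s) past its end")
    return findings

def summarize(findings: list[Finding]) -> list[str]:
    """One triage line per finding: kind, faulting frame, and what the shadow byte says."""
    out = []
    for f in findings:
        func, loc = f.access_frames[0] if f.access_frames else (f.function, "?")
        line = f"#{f.index} pid={f.pid} {f.access_type} {f.overwriting_type} in {func} at {loc}"
        if f.shadow_byte >= 0:
            line += f"; target memory is {describe_shadow_byte(f.shadow_byte)}"
        out.append(line + (f"; {f.object_note}" if f.object_note else ""))
    return out

# Constructed excerpt of the report shown above (rules and legend omitted).
SAMPLE_REPORT = """\
Overwriting-1
PID                     3003303
File                    /home/overdemo2_bak.cpp
Function                danglingPointerExample()
Overwriting Type        (heap) use after free
Access Type             READ
Overwriting access point:
  #0        0x4017dc          danglingPointerExample()                      /home/overdemo2_bak.cpp:24
  #1        0x401bd0          main                                          /home/overdemo2_bak.cpp:50
Auxiliary Information:
  #1        0x4016d8          danglingPointerExample()                      /home/overdemo2_bak.cpp:22
 => 0x200ff35000f0: fa fa fa fa fa fa[fd]fa fa fa fa fa fa fa fa fa
Overwriting-3
PID                     3003301
Function                arrayOutOfBoundsExample()
Overwriting Type        stack buffer overflow
Access Type             WRITE
Overwriting access point:
  #0        0x40167c          arrayOutOfBoundsExample()                     /home/overdemo2_bak.cpp:16
  [32, 52) 'arr' (line 13) <== Memory access at offset 52 overflows this variable
 => 0x200ffc852a90: f1 f1 f1 f1 00 00[04]f3 f3 f3 f3 f3 00 00 00 00
"""

if __name__ == "__main__":
    print(*summarize(parse_report(SAMPLE_REPORT)), sep="\n")
```

The object note turns the `[32, 52) 'arr' ... offset 52` hint into a distance: arr occupies 20 bytes and the write begins 0 bytes past its end, that is, at the first byte after the array. Together with the `[04]` shadow byte (only 4 of the 8 bytes in that granule belong to arr), this identifies an off-by-one write on a 20-byte stack array, which is the kind of conclusion a triage script can attach to a ticket without anyone reading the shadow dump.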

The --package parameter packages the results into a TAR package, which can be imported into the web UI to view the information graphically. For import details, see the task import section under Task Management.