
Memory Overwriting

Command Function

Analyzes memory overwriting defects (out-of-bounds reads/writes and use-after-free) in an application and reports, for each defect, the overwriting type, the access type (READ or WRITE), the faulting source location and the allocation, free and access call stacks.

Syntax

devkit doctor memoob [-h] [-l {0,1,2,3}] [--package] [--ns] [-o <file>] workload ...

In the preceding command, workload... indicates the application whose information is collected. Replace it with the actual application path.

Parameter Description

Table 1 Parameter description

  Parameter        Option    Description
  ---------------  --------  -------------------------------------------------------------
  -h/--help        -         Obtains help information.
  -l/--log-level   0/1/2/3   Log level. Default: 2.
                               0: DEBUG
                               1: INFO
                               2: WARNING
                               3: ERROR
  --package        -         Imports the collected data into the database and generates a
                             compressed report package (.tar) at the output path given by
                             -o. The package can be imported into the WebUI.
  --ns             -         "No stop": keeps analyzing after the application hits its
                             first memory error so that all errors are collected. Without
                             --ns (the default) the analysis stops at the first error. For
                             the application to survive the first error and reach the
                             later ones, compile it with -fsanitize-recover=address.
  -o/--output      -         Report file name, given without an extension; the package is
                             written as <name>.tar. By default the report is generated in
                             the current directory.

Example

devkit doctor memoob -l 1 --package -o /home/overdemos /home/overdemos

Note that /home/overdemos appears twice with different meanings. The -o /home/overdemos argument is the report name, so the analysis report package is written as /home/overdemos.tar (a file named overdemos.tar in the /home/ directory). The trailing /home/overdemos is the workload: the absolute path of the application to be analyzed.

Command output:

[INFO]Collect start
Stop Collecting while memory overwriting exception caused exit. Note: You can set "-ns" to collect all overwriting exceptions.
Collection process may cost a while, please wait ...
[INFO]/home/overdemos
[INFO]Collect end
[INFO]Analysis start

Memory Overwriting Report                                   Time:20240807-113323
================================================================================

Program Name: /home/overdemos

Overwriting-1
────────────────────────────────────────────────────────────────────
PID                     3003303
File                    /home/overdemo2_bak.cpp
Function                danglingPointerExample()
Overwriting Type        (heap) use after free
Access Type             READ

Overwriting access point:

────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #0        0x4017dc          danglingPointerExample()                      /home/overdemo2_bak.cpp:24
  #1        0x401bd0          main                                          /home/overdemo2_bak.cpp:50
  #2        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #3        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #4        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

Auxiliary Information:

freed by thread T0 here:
────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #1        0x4016d8          danglingPointerExample()                      /home/overdemo2_bak.cpp:22
  #2        0x401bd0          main                                          /home/overdemo2_bak.cpp:50
  #3        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #4        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #5        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

previously allocated by thread T0 here:
────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #1        0x4016cc          danglingPointerExample()                      /home/overdemo2_bak.cpp:21
  #2        0x401bd0          main                                          /home/overdemo2_bak.cpp:50
  #3        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #4        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #5        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

More Information:

Shadow bytes around the buggy address:
    0x200ff35000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff35000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff35000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff35000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff35000e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 => 0x200ff35000f0: fa fa fa fa fa fa[fd]fa fa fa fa fa fa fa fa fa
    0x200ff3500100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3500110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3500120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3500130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3500140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable                   00
    Partially addressable         01 02 03 04 05 06 07
    Heap left redzone             fa
    Freed heap region             fd
    Stack left redzone            f1
    Stack mid redzone             f2
    Stack right redzone           f3
    Stack after return            f5
    Stack use after scope         f8
    Global redzone                f9
    Global init order             f6
    Poisoned by user              f7
    Container overflow            fc
    Array cookie                  ac
    Intra object redzone          bb
    ASan internal                 fe
    Left alloca redzone           ca
    Right alloca redzone          cb
    Shadow gap                    cc

==3003303==ABORTING

Overwriting-2
────────────────────────────────────────────────────────────────────
PID                     3003304
File                    /home/overdemo2_bak.cpp
Function                outOfBoundsWithVector()
Overwriting Type        heap buffer overflow
Access Type             WRITE

Overwriting access point:

────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #0        0x401ad8          outOfBoundsWithVector()                       /home/overdemo2_bak.cpp:31
  #1        0x401bb8          main                                          /home/overdemo2_bak.cpp:52
  #2        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #3        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #4        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

Auxiliary Information:

allocated by thread T0 here:
────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #1        0x401930          outOfBoundsWithVector()                       /usr/include/c++/10.***new_allocator.h:115
  #2        0x401bb8          main                                          /home/overdemo2_bak.cpp:52
  #3        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #4        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #5        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

More Information:

Shadow bytes around the buggy address:
    0x200ff3640110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 => 0x200ff3640160: fa fa fa fa fa fa fa fa fa fa 00 00[04]fa fa fa
    0x200ff3640170: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff3640190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff36401a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x200ff36401b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable                   00
    Partially addressable         01 02 03 04 05 06 07
    Heap left redzone             fa
    Freed heap region             fd
    Stack left redzone            f1
    Stack mid redzone             f2
    Stack right redzone           f3
    Stack after return            f5
    Stack use after scope         f8
    Global redzone                f9
    Global init order             f6
    Poisoned by user              f7
    Container overflow            fc
    Array cookie                  ac
    Intra object redzone          bb
    ASan internal                 fe
    Left alloca redzone           ca
    Right alloca redzone          cb
    Shadow gap                    cc

==3003304==ABORTING

Overwriting-3
────────────────────────────────────────────────────────────────────
PID                     3003301
File                    /home/overdemo2_bak.cpp
Function                arrayOutOfBoundsExample()
Overwriting Type        stack buffer overflow
Access Type             WRITE

Overwriting access point:

────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #0        0x40167c          arrayOutOfBoundsExample()                     /home/overdemo2_bak.cpp:16
  #1        0x401bc8          main                                          /home/overdemo2_bak.cpp:48
  #2        0xffff9ec62fbc    UNKNOWN                                       (/usr/lib64/libc.so.6+0x2afbc)
  #3        0xffff9ec63094    __libc_start_main                             (/usr/lib64/libc.so.6+0x2b094)
  #4        0x4013ec          _start                                        (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────

Auxiliary Information:

────────────────────────────────────────────────────────────────────
  Idx       Address           Function                                      File
────────────────────────────────────────────────────────────────────
  #0        0x4014d0          arrayOutOfBoundsExample()                     /home/overdemo2_bak.cpp:12
────────────────────────────────────────────────────────────────────

This frame has 1 object(s):
  [32, 52) 'arr' (line 13) <== Memory access at offset 52 overflows this variable

HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
  (longjmp and C++ exceptions *are* supported)

More Information:

Shadow bytes around the buggy address:
    0x200ffc852a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 => 0x200ffc852a90: f1 f1 f1 f1 00 00[04]f3 f3 f3 f3 f3 00 00 00 00
    0x200ffc852aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x200ffc852ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable                   00
    Partially addressable         01 02 03 04 05 06 07
    Heap left redzone             fa
    Freed heap region             fd
    Stack left redzone            f1
    Stack mid redzone             f2
    Stack right redzone           f3
    Stack after return            f5
    Stack use after scope         f8
    Global redzone                f9
    Global init order             f6
    Poisoned by user              f7
    Container overflow            fc
    Array cookie                  ac
    Intra object redzone          bb
    ASan internal                 fe
    Left alloca redzone           ca
    Right alloca redzone          cb
    Shadow gap                    cc

==3003301==ABORTING

[INFO]Analysis end
[INFO]Report start
Packaging process may cost a while, please wait ...
Export package success!
The tar report is allocated in /home/overdemos.tar.
[INFO]Report end
[INFO]Finalize start
[INFO]Finalize end

For a stack buffer overflow (Overwriting-3 above) the auxiliary information also describes the stack frame and names the overflowed variable:

This frame has 1 object(s):
  [32, 52) 'arr' (line 13) <== Memory access at offset 52 overflows this variable

HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
  (longjmp and C++ exceptions *are* supported)

Read it as follows: 'arr' (declared on line 13) occupies frame offsets [32, 52), so it is 20 bytes long, and the faulting write at offset 52 is the first byte past its end. The HINT is the standard AddressSanitizer caveat attached to stack reports: the sanitizer's stack-frame tracking can be confused by programs that switch stacks with swapcontext, vfork or a custom unwinder, so confirm the report against the source line (here /home/overdemo2_bak.cpp:16) before treating it as a defect.

Use the --package parameter to generate a TAR package. You can import the TAR package to the WebUI to view the graphical information. For details about how to import a TAR package, see Task Management.
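The following program is an added example, not code from this page or from DevKit: it reproduces the three defect classes shown in the report above (heap use-after-free READ, heap-buffer-overflow WRITE through std::vector, stack-buffer-overflow WRITE past a 20-byte array) next to hardened versions of each. It assumes the workload is built with AddressSanitizer, which the report format implies (the shadow-byte dump, legend and ==PID==ABORTING line are ASan's), and the file name overdemo.cpp, the function names and the return-value conventions are ours.

```cpp
// Added example: three memory-overwriting defects, each beside a hardened form.
// Build with AddressSanitizer, as the memoob report above implies:
//   g++ -g -O0 -fno-omit-frame-pointer -fsanitize=address overdemo.cpp -o overdemo
// Add -fsanitize-recover=address when collecting with `--ns`, so that one run
// can report more than one defect.
#include <array>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// 1. Heap use-after-free (cf. Overwriting-1): the pointer is read after delete.
int heapReadUnchecked() {
    int* p = new int(7);      // "previously allocated by thread T0 here"
    delete p;                 // "freed by thread T0 here"
    return *p;                // heap-use-after-free READ: ASan reports this line
}

// Hardened: ownership is explicit and release leaves a null pointer, not a dangling one.
std::optional<int> heapReadChecked(bool releaseFirst) {
    auto p = std::make_unique<int>(7);
    if (releaseFirst) {
        p.reset();            // frees the object and nulls p in one step
    }
    if (!p) {
        return std::nullopt;  // "no value" instead of reading freed memory
    }
    return *p;
}

// 2. Heap buffer overflow through std::vector (cf. Overwriting-2): operator[] is
//    unchecked, so index 5 of a 5-element vector writes into the redzone after it.
int vectorWriteUnchecked(std::size_t idx) {
    std::vector<int> v(5, 1); // 20 bytes on the heap
    v[idx] = 42;              // idx == 5 -> heap-buffer-overflow WRITE
    return v[0];
}

// Hardened: at() throws std::out_of_range, so the function reports failure instead
// of corrupting the heap. On success *sum receives the sum of the elements.
bool vectorWriteChecked(std::size_t idx, int value, int* sum) {
    std::vector<int> v(5, 1);
    try {
        v.at(idx) = value;
    } catch (const std::out_of_range&) {
        return false;
    }
    int s = 0;
    for (int x : v) s += x;
    *sum = s;
    return true;
}

// 3. Stack buffer overflow (cf. Overwriting-3): a 20-byte local array written one past
//    its end, the shape behind "[32, 52) 'arr' ... access at offset 52" above.
int stackWriteUnchecked(std::size_t idx, int value) {
    int arr[5] = {0};
    arr[idx] = value;         // idx == 5 -> stack-buffer-overflow WRITE
    return arr[0] + arr[4];
}

// Hardened: a sized container and an explicit bounds check before the write.
bool stackWriteChecked(std::size_t idx, int value, int* out) {
    std::array<int, 5> arr{};
    if (idx >= arr.size()) {
        return false;         // reject instead of overwriting the frame redzone
    }
    arr[idx] = value;
    *out = arr[0] + arr[4];
    return true;
}

// One defect per run, so each ASan report is a separate process, as in the report
// above (one PID per Overwriting entry). Usage: ./overdemo uaf | heap | stack
int main(int argc, char** argv) {
    std::string which = argc > 1 ? argv[1] : "stack";
    if (which == "uaf")   return heapReadUnchecked();
    if (which == "heap")  return vectorWriteUnchecked(5);
    if (which == "stack") return stackWriteUnchecked(5, 9);
    std::fprintf(stderr, "usage: %s uaf|heap|stack\n", argv[0]);
    return EXIT_FAILURE;
}
```

Running `devkit doctor memoob -l 1 --package -o /tmp/overdemo ./overdemo stack` against this build should produce a stack buffer overflow entry whose frame annotation names 'arr' with a 20-byte extent, matching Overwriting-3; the hardened functions return false or std::nullopt on the same inputs and never reach the sanitizer.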