Memory Overwriting
Command Function
Analyzes memory overwriting problems (out-of-bounds writes, use-after-free and similar invalid accesses) in an application and reports where the overwriting happens and how the memory was accessed.
Syntax
```
devkit doctor memoob [-h] [-l {0,1,2,3}] [--package] [--ns] [-o <file>] workload workload ...
```
The tool collects data from a specified application. Replace `workload workload ...` in the command with the application path followed by the application's own parameters.
Parameter Description
| Parameter | Option | Description |
|---|---|---|
| -h/--help | - | Obtains help information. This parameter is optional. |
| -l/--log-level | 0/1/2/3 | Log level. The default level is 2 (WARNING). This parameter is optional. |
| --package | - | Indicates whether to import the data into the database and generate a compressed package in the specified output path. This parameter is optional. |
| --ns | - | Indicates whether to stop the analysis when the application becomes abnormal. If this parameter is used, the analysis does not stop; if it is not used, the analysis stops at the first exception. This parameter is optional. To continue the analysis, add the -fsanitize-recover=address option when compiling the application. |
| -o/--output | - | Report package name and output path. If you enter a name only, the report package is generated in the current directory by default. This option must be used together with --package. |
Example
```
devkit doctor memoob -l 1 --package -o /home/overdemos /home/overdemos
```
The -o /home/overdemos parameter indicates that an analysis report package named overdemos.tar is generated in the /home/ directory. The trailing /home/overdemos is the absolute path of the application to be analyzed.
Command output:
```
[INFO]Collect start
Stop Collecting while memory overwriting exception caused exit. Note: You can set "-ns" to collect all overwriting exceptions.
Collection process may cost a while, please wait ...
[INFO]/home/overdemods
[INFO]Collect end
[INFO]Analysis start
Memory Overwriting Report
Time:20240807-113323
================================================================================
Program Name: /home/overdemos
Overwriting-1
────────────────────────────────────────────────────────────────────
PID 3003303
File /home/overdemo2_bak.cpp
Function danglingPointerExample()
Overwriting Type (heap) use after free
Access Type READ
Overwriting access point:
────────────────────────────────────────────────────────────────────
Idx Address Function File
────────────────────────────────────────────────────────────────────
#0 0x4017dc danglingPointerExample() /home/overdemo2_bak.cpp:24
#1 0x401bd0 main /home/overdemo2_bak.cpp:50
#2 0xffff9ec62fbc UNKNOWN (/usr/lib64/libc.so.6+0x2afbc)
#3 0xffff9ec63094 __libc_start_main (/usr/lib64/libc.so.6+0x2b094)
#4 0x4013ec _start (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
Auxiliary Information:
freed by thread T0 here:
────────────────────────────────────────────────────────────────────
Idx Address Function File
────────────────────────────────────────────────────────────────────
#1 0x4016d8 danglingPointerExample() /home/overdemo2_bak.cpp:22
#2 0x401bd0 main /home/overdemo2_bak.cpp:50
#3 0xffff9ec62fbc UNKNOWN (/usr/lib64/libc.so.6+0x2afbc)
#4 0xffff9ec63094 __libc_start_main (/usr/lib64/libc.so.6+0x2b094)
#5 0x4013ec _start (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
previously allocated by thread T0 here:
────────────────────────────────────────────────────────────────────
Idx Address Function File
────────────────────────────────────────────────────────────────────
#1 0x4016cc danglingPointerExample() /home/overdemo2_bak.cpp:21
#2 0x401bd0 main /home/overdemo2_bak.cpp:50
#3 0xffff9ec62fbc UNKNOWN (/usr/lib64/libc.so.6+0x2afbc)
#4 0xffff9ec63094 __libc_start_main (/usr/lib64/libc.so.6+0x2b094)
#5 0x4013ec _start (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
More Information:
Shadow bytes around the buggy address:
   0x200ff35000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff35000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff35000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff35000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff35000e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=> 0x200ff35000f0: fa fa fa fa fa fa[fd]fa fa fa fa fa fa fa fa fa
   0x200ff3500100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3500110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3500120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3500130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3500140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable 00
  Partially addressable 01 02 03 04 05 06 07
  Heap left redzone fa
  Freed heap region fd
  Stack left redzone f1
  Stack mid redzone f2
  Stack right redzone f3
  Stack after return f5
  Stack use after scope f8
  Global redzone f9
  Global init order f6
  Poisoned by user f7
  Container overflow fc
  Array cookie ac
  Intra object redzone bb
  ASan internal fe
  Left alloca redzone ca
  Right alloca redzone cb
  Shadow gap cc
==3003303==ABORTING
Overwriting-2
────────────────────────────────────────────────────────────────────
PID 3003304
File /home/overdemo2_bak.cpp
Function outOfBoundsWithVector()
Overwriting Type heap buffer overflow
Access Type WRITE
Overwriting access point:
────────────────────────────────────────────────────────────────────
Idx Address Function File
────────────────────────────────────────────────────────────────────
#0 0x401ad8 outOfBoundsWithVector() /home/overdemo2_bak.cpp:31
#1 0x401bb8 main /home/overdemo2_bak.cpp:52
#2 0xffff9ec62fbc UNKNOWN (/usr/lib64/libc.so.6+0x2afbc)
#3 0xffff9ec63094 __libc_start_main (/usr/lib64/libc.so.6+0x2b094)
#4 0x4013ec _start (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
Auxiliary Information:
allocated by thread T0 here:
────────────────────────────────────────────────────────────────────
Idx Address Function File
────────────────────────────────────────────────────────────────────
#1 0x401930 outOfBoundsWithVector() /usr/include/c++/10.***new_allocator.h:115
#2 0x401bb8 main /home/overdemo2_bak.cpp:52
#3 0xffff9ec62fbc UNKNOWN (/usr/lib64/libc.so.6+0x2afbc)
#4 0xffff9ec63094 __libc_start_main (/usr/lib64/libc.so.6+0x2b094)
#5 0x4013ec _start (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
More Information:
Shadow bytes around the buggy address:
   0x200ff3640110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3640120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3640130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3640140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3640150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=> 0x200ff3640160: fa fa fa fa fa fa fa fa fa fa 00 00[04]fa fa fa
   0x200ff3640170: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3640180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff3640190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff36401a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x200ff36401b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable 00
  Partially addressable 01 02 03 04 05 06 07
  Heap left redzone fa
  Freed heap region fd
  Stack left redzone f1
  Stack mid redzone f2
  Stack right redzone f3
  Stack after return f5
  Stack use after scope f8
  Global redzone f9
  Global init order f6
  Poisoned by user f7
  Container overflow fc
  Array cookie ac
  Intra object redzone bb
  ASan internal fe
  Left alloca redzone ca
  Right alloca redzone cb
  Shadow gap cc
==3003304==ABORTING
Overwriting-3
────────────────────────────────────────────────────────────────────
PID 3003301
File /home/overdemo2_bak.cpp
Function arrayOutOfBoundsExample()
Overwriting Type stack buffer overflow
Access Type WRITE
Overwriting access point:
────────────────────────────────────────────────────────────────────
Idx Address Function File
────────────────────────────────────────────────────────────────────
#0 0x40167c arrayOutOfBoundsExample() /home/overdemo2_bak.cpp:16
#1 0x401bc8 main /home/overdemo2_bak.cpp:48
#2 0xffff9ec62fbc UNKNOWN (/usr/lib64/libc.so.6+0x2afbc)
#3 0xffff9ec63094 __libc_start_main (/usr/lib64/libc.so.6+0x2b094)
#4 0x4013ec _start (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
Auxiliary Information:
────────────────────────────────────────────────────────────────────
Idx Address Function File
────────────────────────────────────────────────────────────────────
#0 0x4014d0 arrayOutOfBoundsExample() /home/overdemo2_bak.cpp:12
────────────────────────────────────────────────────────────────────
This frame has 1 object(s):
[32, 52) 'arr' (line 13) <== Memory access at offset 52 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
More Information:
Shadow bytes around the buggy address:
   0x200ffc852a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x200ffc852a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x200ffc852a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x200ffc852a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x200ffc852a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=> 0x200ffc852a90: f1 f1 f1 f1 00 00[04]f3 f3 f3 f3 f3 00 00 00 00
   0x200ffc852aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x200ffc852ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x200ffc852ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x200ffc852ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x200ffc852ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable 00
  Partially addressable 01 02 03 04 05 06 07
  Heap left redzone fa
  Freed heap region fd
  Stack left redzone f1
  Stack mid redzone f2
  Stack right redzone f3
  Stack after return f5
  Stack use after scope f8
  Global redzone f9
  Global init order f6
  Poisoned by user f7
  Container overflow fc
  Array cookie ac
  Intra object redzone bb
  ASan internal fe
  Left alloca redzone ca
  Right alloca redzone cb
  Shadow gap cc
==3003301==ABORTING
[INFO]Analysis end
[INFO]Report start
Packaging process may cost a while, please wait ...
Export package success! The tar report is allocated in /home/overdemos.tar.
[INFO]Report end
[INFO]Finalize start
[INFO]Finalize end
```
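The "More Information" section of each finding is the sanitizer shadow map around the faulting address: one shadow byte describes eight application bytes, and the byte in square brackets on the line marked `=>` is the one the access hit. The following decoder is an added example (not part of the devkit tool or its documentation) that reads such a line using the legend printed in the report and tells you what the bracketed byte and its right-hand neighbour mean; `kLegend`, `ShadowHit` and `decode_marked_line` are names chosen for this example, and the three input lines are copied from the report above.

```cpp
// Added example: decode the "=>" line of a shadow-byte dump with the legend
// printed in the memoob report. Not part of the devkit tool itself.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

// Legend entries as printed in the report; 00 and 01..07 are handled in describe().
static const std::map<uint8_t, std::string> kLegend = {
    {0xfa, "Heap left redzone"},     {0xfd, "Freed heap region"},
    {0xf1, "Stack left redzone"},    {0xf2, "Stack mid redzone"},
    {0xf3, "Stack right redzone"},   {0xf5, "Stack after return"},
    {0xf8, "Stack use after scope"}, {0xf9, "Global redzone"},
    {0xf6, "Global init order"},     {0xf7, "Poisoned by user"},
    {0xfc, "Container overflow"},    {0xac, "Array cookie"},
    {0xbb, "Intra object redzone"},  {0xfe, "ASan internal"},
    {0xca, "Left alloca redzone"},   {0xcb, "Right alloca redzone"},
    {0xcc, "Shadow gap"},
};

struct ShadowHit {
    uint64_t shadow_addr = 0;  // address of the bracketed shadow byte
    uint8_t value = 0;         // its value
    std::string meaning;       // legend text for that value
    int addressable = 0;       // bytes of its 8-byte granule the program may touch
    std::string next_meaning;  // legend text for the byte to its right
};

// 00 -> whole granule usable, 01..07 -> that many leading bytes usable,
// any redzone / freed marker -> nothing in the granule may be touched.
static std::string describe(uint8_t v, int* addressable) {
    if (v == 0x00) { *addressable = 8; return "Addressable"; }
    if (v >= 0x01 && v <= 0x07) { *addressable = v; return "Partially addressable"; }
    *addressable = 0;
    auto it = kLegend.find(v);
    return it == kLegend.end() ? "unknown" : it->second;
}

// Parse a dump line such as
//   "=> 0x200ff3640160: fa fa fa fa fa fa fa fa fa fa 00 00[04]fa fa fa"
// Returns false for an unmarked or malformed line.
bool decode_marked_line(const std::string& line, ShadowHit* out) {
    size_t pos = line.find("0x");
    if (pos == std::string::npos) return false;
    char* end = nullptr;
    uint64_t base = std::strtoull(line.c_str() + pos, &end, 16);
    if (end == nullptr || *end != ':') return false;
    std::vector<uint8_t> bytes;
    int marked = -1;
    for (size_t i = static_cast<size_t>(end - line.c_str()) + 1; i < line.size();) {
        char c = line[i];
        if (c == ' ') { ++i; continue; }
        if (c == '[') { marked = static_cast<int>(bytes.size()); ++i; continue; }
        if (c == ']') { ++i; continue; }
        if (i + 1 < line.size() && std::isxdigit(static_cast<unsigned char>(c)) &&
            std::isxdigit(static_cast<unsigned char>(line[i + 1]))) {
            bytes.push_back(static_cast<uint8_t>(std::strtoul(line.substr(i, 2).c_str(), nullptr, 16)));
            i += 2;
            continue;
        }
        return false;  // unexpected character
    }
    if (marked < 0 || bytes.size() != 16) return false;  // 16 shadow bytes per row
    out->shadow_addr = base + static_cast<uint64_t>(marked);
    out->value = bytes[marked];
    out->meaning = describe(out->value, &out->addressable);
    int unused = 0;
    out->next_meaning = (marked + 1 < 16) ? describe(bytes[marked + 1], &unused) : "";
    return true;
}

int main() {
    // The three marked lines from the report above.
    const char* lines[] = {
        "=> 0x200ff35000f0: fa fa fa fa fa fa[fd]fa fa fa fa fa fa fa fa fa",
        "=> 0x200ff3640160: fa fa fa fa fa fa fa fa fa fa 00 00[04]fa fa fa",
        "=> 0x200ffc852a90: f1 f1 f1 f1 00 00[04]f3 f3 f3 f3 f3 00 00 00 00",
    };
    for (const char* l : lines) {
        ShadowHit h;
        if (!decode_marked_line(l, &h)) { std::printf("unparsed: %s\n", l); continue; }
        std::printf("shadow 0x%llx = %02x (%s, %d usable bytes), next: %s\n",
                    static_cast<unsigned long long>(h.shadow_addr), h.value,
                    h.meaning.c_str(), h.addressable, h.next_meaning.c_str());
    }
    return 0;
}
```

Read against the report: Overwriting-1 hits a `fd` byte (freed heap region), which is the use-after-free; Overwriting-2 and Overwriting-3 both hit a `04` byte, meaning only the first 4 of those 8 bytes belong to the object, and the byte to the right is a redzone (`fa` for the vector's heap chunk, `f3` for the stack frame), so the write ran off the end of the object. In the stack case the row also shows the layout the frame description states: four `f1` granules are the 32-byte left redzone, and `00 00 04` covers 8+8+4 = 20 bytes, which is exactly the `[32, 52)` range of `arr`.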
The exception information in the report is as follows:
```
This frame has 1 object(s):
[32, 52) 'arr' (line 13) <== Memory access at offset 52 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
```
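The frame description above lists each local object as a half-open byte range inside the frame and states how the faulting access relates to it. The following is an added example (not the sanitizer's own code or part of devkit) that reproduces that verdict from the same inputs: the object list, the access offset and the access size. The classification rules in `classify_access` are a simplified model written for this example; the assumption that `arr` is an array of five 4-byte `int`s is inferred only from its 20-byte size and is not stated on the page.

```cpp
// Added example: relate a frame-object range such as "[32, 52) 'arr' (line 13)"
// to an access and classify it the way the report does. Simplified model,
// not the sanitizer's implementation.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct FrameObject {
    uint32_t beg;      // first byte of the object, as a frame offset
    uint32_t end;      // one past its last byte
    std::string name;  // e.g. "arr"
    int line;          // declaration line from the report
};

struct Verdict {
    std::string object;  // object the access is reported against
    std::string kind;    // inside / overflows / partially overflows / underflows / partially underflows
};

// Frame offset of element `index` of an array object whose elements are
// `elem_size` bytes wide (assumption for 'arr': int, 4 bytes).
uint32_t element_frame_offset(const FrameObject& obj, uint32_t index, uint32_t elem_size) {
    return obj.beg + index * elem_size;
}

// Classify an access of `size` bytes starting at frame offset `off`.
Verdict classify_access(const std::vector<FrameObject>& objs, uint32_t off, uint32_t size) {
    Verdict v{"", "no objects"};
    if (objs.empty()) return v;
    const uint64_t acc_end = static_cast<uint64_t>(off) + size;
    // The report names exactly one object: pick the one nearest to the access.
    const FrameObject* best = nullptr;
    uint64_t best_dist = UINT64_MAX;
    for (const auto& o : objs) {
        uint64_t dist = 0;  // zero when the access overlaps the object
        if (acc_end <= o.beg) dist = o.beg - acc_end;
        else if (off >= o.end) dist = off - o.end;
        if (dist < best_dist) { best_dist = dist; best = &o; }
    }
    v.object = best->name;
    if (off >= best->beg && acc_end <= best->end) v.kind = "inside";
    else if (acc_end <= best->beg)                 v.kind = "underflows";
    else if (off < best->beg)                      v.kind = "partially underflows";
    else if (off >= best->end)                     v.kind = "overflows";
    else                                           v.kind = "partially overflows";
    return v;
}

int main() {
    // Constructed from the report: one object, 'arr', occupying [32, 52).
    std::vector<FrameObject> frame = {{32, 52, "arr", 13}};
    // arr[5] on a five-int array starts at byte 20 of the object, i.e. frame offset 52.
    uint32_t off = element_frame_offset(frame[0], 5, sizeof(int));
    Verdict v = classify_access(frame, off, sizeof(int));
    std::printf("Memory access at offset %u %s '%s' (line %d)\n",
                off, v.kind.c_str(), v.object.c_str(), frame[0].line);
    return 0;
}
```

The same function also explains the wording you will see for other accesses: a 4-byte write at offset 50 ends inside the right redzone and is reported as partially overflowing `arr`, while an access ending at or before offset 32 lands in the left redzone and is reported as an underflow.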
Use the --package parameter to generate a TAR package. You can import the TAR package into the WebUI to view the same findings graphically. For details about how to import a TAR package, see Task Management.