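Memory Out-of-Bounds
Command Function
Analyzes memory out-of-bounds accesses in an application and reports the out-of-bounds type and the memory access information.
Command Format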
devkit doctor memoob [-h] [-l {0,1,2,3}] [--package] [--ns] [-o <file>] workload ...

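workload... is the application to collect data from. Replace it with the actual application path.
Parameter Description

| Parameter | Option | Description |
|---|---|---|
| -h/--help | - | Obtains help information. |
| -l/--log-level | 0/1/2/3 | Sets the log level. The default is 2. |
| --package | - | Specifies whether to import the data into the database and generate a compressed package in the specified output path. |
| --ns | - | Specifies whether the analysis terminates after an application exception. With this parameter, analysis continues after the exception; without it, analysis terminates after the exception. To continue analysis after an exception, add the -fsanitize-recover=address option when compiling the application. |
| -o/--output | - | Sets the file name of the generated report data. The default is the current directory. |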
Example
devkit doctor memoob -l 1 --package -o /home/overdemos /home/overdemos

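The -o /home/overdemos parameter generates an analysis report package named overdemos.tar in the /home/ directory. The /home/overdemos at the end of the command is the absolute path of the application to analyze.
The following information is returned: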
```
[INFO]Collect start
Stop Collecting while memory overwriting exception caused exit.
Note: You can set "-ns" to collect all overwriting exceptions.
Collection process may cost a while, please wait ...
[INFO]/home/overdemods
[INFO]Collect end
[INFO]Analysis start
Memory Overwriting Report                                  Time:20240807-113323
================================================================================
Program Name: /home/overdemos

Overwriting-1
────────────────────────────────────────────────────────────────────
PID                  3003303
File                 /home/overdemo2_bak.cpp
Function             danglingPointerExample()
Overwriting Type     (heap) use after free
Access Type          READ
Overwriting access point:
────────────────────────────────────────────────────────────────────
Idx  Address         Function                  File
────────────────────────────────────────────────────────────────────
#0   0x4017dc        danglingPointerExample()  /home/overdemo2_bak.cpp:24
#1   0x401bd0        main                      /home/overdemo2_bak.cpp:50
#2   0xffff9ec62fbc  UNKNOWN                   (/usr/lib64/libc.so.6+0x2afbc)
#3   0xffff9ec63094  __libc_start_main         (/usr/lib64/libc.so.6+0x2b094)
#4   0x4013ec        _start                    (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
Auxiliary Information:
freed by thread T0 here:
────────────────────────────────────────────────────────────────────
Idx  Address         Function                  File
────────────────────────────────────────────────────────────────────
#1   0x4016d8        danglingPointerExample()  /home/overdemo2_bak.cpp:22
#2   0x401bd0        main                      /home/overdemo2_bak.cpp:50
#3   0xffff9ec62fbc  UNKNOWN                   (/usr/lib64/libc.so.6+0x2afbc)
#4   0xffff9ec63094  __libc_start_main         (/usr/lib64/libc.so.6+0x2b094)
#5   0x4013ec        _start                    (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
previously allocated by thread T0 here:
────────────────────────────────────────────────────────────────────
Idx  Address         Function                  File
────────────────────────────────────────────────────────────────────
#1   0x4016cc        danglingPointerExample()  /home/overdemo2_bak.cpp:21
#2   0x401bd0        main                      /home/overdemo2_bak.cpp:50
#3   0xffff9ec62fbc  UNKNOWN                   (/usr/lib64/libc.so.6+0x2afbc)
#4   0xffff9ec63094  __libc_start_main         (/usr/lib64/libc.so.6+0x2b094)
#5   0x4013ec        _start                    (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
More Information:
Shadow bytes around the buggy address:
  0x200ff35000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff35000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff35000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff35000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff35000e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x200ff35000f0: fa fa fa fa fa fa[fd]fa fa fa fa fa fa fa fa fa
  0x200ff3500100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3500110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3500120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3500130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3500140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable            00
  Partially addressable  01 02 03 04 05 06 07
  Heap left redzone      fa
  Freed heap region      fd
  Stack left redzone     f1
  Stack mid redzone      f2
  Stack right redzone    f3
  Stack after return     f5
  Stack use after scope  f8
  Global redzone         f9
  Global init order      f6
  Poisoned by user       f7
  Container overflow     fc
  Array cookie           ac
  Intra object redzone   bb
  ASan internal          fe
  Left alloca redzone    ca
  Right alloca redzone   cb
  Shadow gap             cc
==3003303==ABORTING

Overwriting-2
────────────────────────────────────────────────────────────────────
PID                  3003304
File                 /home/overdemo2_bak.cpp
Function             outOfBoundsWithVector()
Overwriting Type     heap buffer overflow
Access Type          WRITE
Overwriting access point:
────────────────────────────────────────────────────────────────────
Idx  Address         Function                  File
────────────────────────────────────────────────────────────────────
#0   0x401ad8        outOfBoundsWithVector()   /home/overdemo2_bak.cpp:31
#1   0x401bb8        main                      /home/overdemo2_bak.cpp:52
#2   0xffff9ec62fbc  UNKNOWN                   (/usr/lib64/libc.so.6+0x2afbc)
#3   0xffff9ec63094  __libc_start_main         (/usr/lib64/libc.so.6+0x2b094)
#4   0x4013ec        _start                    (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
Auxiliary Information:
allocated by thread T0 here:
────────────────────────────────────────────────────────────────────
Idx  Address         Function                  File
────────────────────────────────────────────────────────────────────
#1   0x401930        outOfBoundsWithVector()   /usr/include/c++/10.***new_allocator.h:115
#2   0x401bb8        main                      /home/overdemo2_bak.cpp:52
#3   0xffff9ec62fbc  UNKNOWN                   (/usr/lib64/libc.so.6+0x2afbc)
#4   0xffff9ec63094  __libc_start_main         (/usr/lib64/libc.so.6+0x2b094)
#5   0x4013ec        _start                    (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
More Information:
Shadow bytes around the buggy address:
  0x200ff3640110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3640120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3640130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3640140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3640150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x200ff3640160: fa fa fa fa fa fa fa fa fa fa 00 00[04]fa fa fa
  0x200ff3640170: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3640180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff3640190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff36401a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff36401b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable            00
  Partially addressable  01 02 03 04 05 06 07
  Heap left redzone      fa
  Freed heap region      fd
  Stack left redzone     f1
  Stack mid redzone      f2
  Stack right redzone    f3
  Stack after return     f5
  Stack use after scope  f8
  Global redzone         f9
  Global init order      f6
  Poisoned by user       f7
  Container overflow     fc
  Array cookie           ac
  Intra object redzone   bb
  ASan internal          fe
  Left alloca redzone    ca
  Right alloca redzone   cb
  Shadow gap             cc
==3003304==ABORTING

Overwriting-3
────────────────────────────────────────────────────────────────────
PID                  3003301
File                 /home/overdemo2_bak.cpp
Function             arrayOutOfBoundsExample()
Overwriting Type     stack buffer overflow
Access Type          WRITE
Overwriting access point:
────────────────────────────────────────────────────────────────────
Idx  Address         Function                   File
────────────────────────────────────────────────────────────────────
#0   0x40167c        arrayOutOfBoundsExample()  /home/overdemo2_bak.cpp:16
#1   0x401bc8        main                       /home/overdemo2_bak.cpp:48
#2   0xffff9ec62fbc  UNKNOWN                    (/usr/lib64/libc.so.6+0x2afbc)
#3   0xffff9ec63094  __libc_start_main          (/usr/lib64/libc.so.6+0x2b094)
#4   0x4013ec        _start                     (/home/overdemos+0x4013ec)
────────────────────────────────────────────────────────────────────
Auxiliary Information:
────────────────────────────────────────────────────────────────────
Idx  Address         Function                   File
────────────────────────────────────────────────────────────────────
#0   0x4014d0        arrayOutOfBoundsExample()  /home/overdemo2_bak.cpp:12
────────────────────────────────────────────────────────────────────
This frame has 1 object(s):
    [32, 52) 'arr' (line 13) <== Memory access at offset 52 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
More Information:
Shadow bytes around the buggy address:
  0x200ffc852a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ffc852a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ffc852a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ffc852a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ffc852a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x200ffc852a90: f1 f1 f1 f1 00 00[04]f3 f3 f3 f3 f3 00 00 00 00
  0x200ffc852aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ffc852ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ffc852ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ffc852ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ffc852ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable            00
  Partially addressable  01 02 03 04 05 06 07
  Heap left redzone      fa
  Freed heap region      fd
  Stack left redzone     f1
  Stack mid redzone      f2
  Stack right redzone    f3
  Stack after return     f5
  Stack use after scope  f8
  Global redzone         f9
  Global init order      f6
  Poisoned by user       f7
  Container overflow     fc
  Array cookie           ac
  Intra object redzone   bb
  ASan internal          fe
  Left alloca redzone    ca
  Right alloca redzone   cb
  Shadow gap             cc
==3003301==ABORTING
[INFO]Analysis end
[INFO]Report start
Packaging process may cost a while, please wait ...
Export package success! The tar report is allocated in /home/overdemos.tar.
[INFO]Report end
[INFO]Finalize start
[INFO]Finalize end
```
The report gives the following hint for the exception:
```
This frame has 1 object(s):
    [32, 52) 'arr' (line 13) <== Memory access at offset 52 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
```
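Added example (not part of the original page or of DevKit): a C sketch that decodes the marked "=>" shadow rows of the Overwriting-3 and Overwriting-1 reports with the legend's encoding, recovering the size of 'arr' and showing why the access at offset 52 is flagged. It assumes the first f1 byte of the stack row corresponds to frame offset 0 and that the faulting write is 4 bytes wide; the function names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { GRANULE = 8 };  /* legend: one shadow byte represents 8 application bytes */

/* Shadow rows copied from the report above (the marked "=>" lines). */
static const uint8_t STACK_ROW[16] = {0xf1,0xf1,0xf1,0xf1,0x00,0x00,0x04,0xf3,
                                      0xf3,0xf3,0xf3,0xf3,0x00,0x00,0x00,0x00};
static const uint8_t UAF_ROW[16]   = {0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfd,0xfa,
                                      0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa};

/* Number of application bytes one shadow byte marks as addressable. */
size_t addressable_bytes(uint8_t s)
{
    if (s == 0x00) return GRANULE;   /* whole granule usable */
    if (s <= 0x07) return s;         /* only the first s bytes usable */
    return 0;                        /* redzone, freed region or other poison */
}

/* Size of the object that starts at byte offset `start`: sum granules until poison. */
size_t object_size(const uint8_t *row, size_t n, size_t start)
{
    size_t total = 0;
    for (size_t i = start / GRANULE; i < n; i++) {
        size_t a = addressable_bytes(row[i]);
        total += a;
        if (a < GRANULE) break;      /* partial or poisoned granule ends the object */
    }
    return total;
}

/* AddressSanitizer's check for an access of 1..8 bytes inside one granule:
   flagged when the shadow byte is nonzero and the last byte touched reaches it. */
int access_is_flagged(const uint8_t *row, size_t offset, size_t size)
{
    int8_t s = (int8_t)row[offset / GRANULE];  /* poison values are negative as int8_t */
    return s != 0 && (int8_t)(offset % GRANULE + size - 1) >= s;
}

int main(void)
{
    /* Assumption: STACK_ROW[0] is frame offset 0, so 'arr' [32, 52) starts at index 4. */
    printf("arr size from shadow: %zu bytes\n", object_size(STACK_ROW, 16, 32));
    printf("4-byte write at offset 48 flagged: %d\n", access_is_flagged(STACK_ROW, 48, 4));
    printf("4-byte write at offset 52 flagged: %d\n", access_is_flagged(STACK_ROW, 52, 4));
    printf("1-byte read of freed granule flagged: %d\n", access_is_flagged(UAF_ROW, 48, 1));
    return 0;
}
```

The 00 00 04 run adds up to 8 + 8 + 4 = 20 bytes, matching the [32, 52) range in the hint, and offset 52 falls on the fifth byte of the granule whose shadow value is 04.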
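Use the --package parameter to generate a TAR package, which can be imported into the web UI to view the information graphically. For details about importing, see the task import section in Task Management.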