android - ASAN on AOSP in the emulator does not catch memory errors
Problem description
I am building the stagefright executable binary (from frameworks/av/cmds/stagefright)
I built it with ASAN
nm -an stagefright | grep asan
U __asan_alloca_poison
U __asan_allocas_unpoison
U __asan_handle_no_return
U __asan_init
U __asan_memcpy
U __asan_memmove
U __asan_memset
U __asan_option_detect_stack_use_after_return
U __asan_report_load1
U __asan_report_load2
U __asan_report_load4
U __asan_report_load8
U __asan_report_load_n
U __asan_report_store1
U __asan_report_store16
U __asan_report_store2
U __asan_report_store4
U __asan_report_store8
U __asan_report_store_n
U __asan_set_shadow_00
U __asan_set_shadow_f8
U __asan_stack_free_5
U __asan_stack_free_6
U __asan_stack_malloc_0
U __asan_stack_malloc_1
U __asan_stack_malloc_5
U __asan_stack_malloc_6
U __asan_version_mismatch_check_v8
000000000001f0e0 t asan.module_ctor
000000000001f980 t asan.module_ctor
0000000000020880 t asan.module_ctor
readelf -l stagefright
Elf file type is DYN (Shared object file)
Entry point 0xb000
There are 10 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x0000000000000230 0x0000000000000230 R 0x8
INTERP 0x0000000000000270 0x0000000000000270 0x0000000000000270
0x000000000000001a 0x000000000000001a R 0x1
[Requesting program interpreter: /system/bin/linker_asan64]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x000000000000aeac 0x000000000000aeac R 0x1000
LOAD 0x000000000000b000 0x000000000000b000 0x000000000000b000
0x00000000000163b0 0x00000000000163b0 R E 0x1000
LOAD 0x0000000000022000 0x0000000000022000 0x0000000000022000
0x0000000000001098 0x000000000000203f RW 0x1000
DYNAMIC 0x00000000000227c8 0x00000000000227c8 0x00000000000227c8
0x00000000000002c0 0x00000000000002c0 RW 0x8
GNU_RELRO 0x0000000000022000 0x0000000000022000 0x0000000000022000
0x0000000000001098 0x0000000000002000 R 0x1
GNU_EH_FRAME 0x0000000000009700 0x0000000000009700 0x0000000000009700
0x00000000000003f4 0x00000000000003f4 R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x0
NOTE 0x000000000000028c 0x000000000000028c 0x000000000000028c
0x0000000000000038 0x0000000000000038 R 0x4
I also put buffer-overflow code and a heap overflow into main(), but it is never caught.
i.e.
#include <string.h>
#include <binder/ProcessState.h>

int main(int argc, char **argv) {
    char buf[10];
    // deliberate overflow, kept as posted: 100000000000000 bytes copied into a 10-byte stack buffer
    memcpy(&buf,"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",100000000000000);
    android::ProcessState::self()->startThreadPool();
    // ... rest of stagefright's main() unchanged ...
Run
ASAN_OPTIONS=verbosity=1 ./stagefright <
==26540==AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=16M
thread_local_quarantine_size_kb=64K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x7fff8000
==26540==Installed the sigaction for signal 11
==26540==Installed the sigaction for signal 7
==26540==Installed the sigaction for signal 8
==26540==T0: stack [0x7fff0d440000,0x7fff0dc40000) size 0x800000; local=0x7fff0dc3cf24
==26540==AddressSanitizer Init done
==26540==T1: stack [0x7a56eeba8000,0x7a56eeca0d50) size 0xf8d50; local=0x7a56eeca0cd4
==26540==T2: stack [0x7a56e8103000,0x7a56e81fbd50) size 0xf8d50; local=0x7a56e81fbcd4
Why does ASAN not catch it?
I copied the appropriate files from aosp/out/target/product/generic_x86_64/symbols/data/asan/system/lib64 to /data/asan/system/lib64/ (on the emulator)
Any ideas?
Thanks,
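The memory layout and the SHADOW_SCALE / SHADOW_GRANULARITY / SHADOW_OFFSET lines in the verbosity=1 output are the parameters of ASan's shadow mapping, and the __asan_report_load*/store* symbols in the nm output are the slow-path stubs reached only when the inline shadow check fails. The C program below is an added worked example, not code from the question or from AOSP: it reproduces the mapping with the exact constants printed above (the HighMem start maps onto the HighShadow start, LowMem onto LowShadow), implements the granule-level addressability check the instrumented loads and stores perform, and adds the two probes a practitioner would run before anything else: a compile-time check that the translation unit was instrumented and a weak-symbol run-time check that an ASan runtime is actually loaded in the process. The names mem_to_shadow, access_is_ok, asan_compiled_in and asan_runtime_present are mine, not part of ASan's interface; the only ASan symbol referenced is __asan_init, which the nm listing shows as undefined (U) in the posted binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shadow parameters exactly as printed by the verbosity=1 run above (x86_64). */
#define SHADOW_SCALE  3u
#define SHADOW_OFFSET 0x7fff8000ull

/* ASan's address-to-shadow mapping on this target:
 * one shadow byte per 8-byte granule, located at (addr >> 3) + SHADOW_OFFSET. */
static uint64_t mem_to_shadow(uint64_t addr) {
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET;
}

/* The inline check emitted before every instrumented load/store; only when it
 * fails is __asan_report_loadN / __asan_report_storeN called.  'shadow_byte'
 * is the shadow value for the granule containing 'addr':
 *   0        : all 8 bytes addressable
 *   1..7     : only the first k bytes addressable (partial granule)
 *   >= 0x80  : whole granule poisoned (0xfa heap redzone, 0xf1..0xf3 stack
 *              redzones, 0xf8 use-after-scope, 0xfd freed, 0xf9 global redzone)
 * Handles naturally aligned accesses of 1, 2, 4 or 8 bytes.  Returns 1 if the
 * access is allowed, 0 if ASan would report it. */
static int access_is_ok(uint8_t shadow_byte, uint64_t addr, unsigned size) {
    int8_t k = (int8_t)shadow_byte;
    if (k == 0) return 1;
    if (k < 0)  return 0;
    unsigned last = (unsigned)(addr & 7u) + size - 1u;   /* last byte touched */
    return last < (unsigned)k;
}

/* Compile-time probe: was this translation unit built with -fsanitize=address?
 * GCC defines __SANITIZE_ADDRESS__, clang answers via __has_feature. */
static int asan_compiled_in(void) {
#if defined(__SANITIZE_ADDRESS__)
    return 1;
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
    return 1;
#  else
    return 0;
#  endif
#else
    return 0;
#endif
}

/* Run-time probe: is an ASan runtime loaded in this process?  The instrumented
 * binary only references __asan_init (U in nm); the runtime defines it.  A weak
 * reference resolves to NULL when no runtime is present. */
extern void __asan_init(void) __attribute__((weak));
static int asan_runtime_present(void) {
    return __asan_init != 0;
}

int main(int argc, char **argv) {
    printf("instrumented=%d runtime=%d\n", asan_compiled_in(), asan_runtime_present());
    printf("shadow(0x10007fff8000) = 0x%llx\n",
           (unsigned long long)mem_to_shadow(0x10007fff8000ull));

    /* Minimal overflow to confirm reporting works: one byte past a 10-byte
     * stack buffer.  'n' is volatile so the compiler cannot fold the size. */
    if (argc > 1 && strcmp(argv[1], "overflow") == 0) {
        char buf[10];
        volatile size_t n = sizeof(buf) + 1;
        memset(buf, 'A', n);            /* ASan: stack-buffer-overflow in memset */
        printf("%c\n", buf[0]);
    }
    return 0;
}
```

Run it with `overflow` as the first argument under an ASan build to get a stack-buffer-overflow report from the memset interceptor; the same probe ported into the stagefright binary would tell you whether the process that printed the verbosity=1 banner is also the one executing your instrumented main(). Under a non-ASan build the program prints instrumented=0 runtime=0, and the overflow branch is plain undefined behaviour, so only exercise it with the sanitizer on.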
Solution