ASAN on AOSP in the emulator not catching memory errors

Problem description

I am building the stagefright executable (from frameworks/av/cmds/stagefright).

I built it with ASAN:

nm -an stagefright | grep asan
                 U __asan_alloca_poison
                 U __asan_allocas_unpoison
                 U __asan_handle_no_return
                 U __asan_init
                 U __asan_memcpy
                 U __asan_memmove
                 U __asan_memset
                 U __asan_option_detect_stack_use_after_return
                 U __asan_report_load1
                 U __asan_report_load2
                 U __asan_report_load4
                 U __asan_report_load8
                 U __asan_report_load_n
                 U __asan_report_store1
                 U __asan_report_store16
                 U __asan_report_store2
                 U __asan_report_store4
                 U __asan_report_store8
                 U __asan_report_store_n
                 U __asan_set_shadow_00
                 U __asan_set_shadow_f8
                 U __asan_stack_free_5
                 U __asan_stack_free_6
                 U __asan_stack_malloc_0
                 U __asan_stack_malloc_1
                 U __asan_stack_malloc_5
                 U __asan_stack_malloc_6
                 U __asan_version_mismatch_check_v8
000000000001f0e0 t asan.module_ctor
000000000001f980 t asan.module_ctor
0000000000020880 t asan.module_ctor

readelf -l stagefright 

Elf file type is DYN (Shared object file)
Entry point 0xb000
There are 10 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x0000000000000230 0x0000000000000230  R      0x8
  INTERP         0x0000000000000270 0x0000000000000270 0x0000000000000270
                 0x000000000000001a 0x000000000000001a  R      0x1
      [Requesting program interpreter: /system/bin/linker_asan64]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x000000000000aeac 0x000000000000aeac  R      0x1000
  LOAD           0x000000000000b000 0x000000000000b000 0x000000000000b000
                 0x00000000000163b0 0x00000000000163b0  R E    0x1000
  LOAD           0x0000000000022000 0x0000000000022000 0x0000000000022000
                 0x0000000000001098 0x000000000000203f  RW     0x1000
  DYNAMIC        0x00000000000227c8 0x00000000000227c8 0x00000000000227c8
                 0x00000000000002c0 0x00000000000002c0  RW     0x8
  GNU_RELRO      0x0000000000022000 0x0000000000022000 0x0000000000022000
                 0x0000000000001098 0x0000000000002000  R      0x1
  GNU_EH_FRAME   0x0000000000009700 0x0000000000009700 0x0000000000009700
                 0x00000000000003f4 0x00000000000003f4  R      0x4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x0
  NOTE           0x000000000000028c 0x000000000000028c 0x000000000000028c
                 0x0000000000000038 0x0000000000000038  R      0x4

I also put buffer-overflow code and a heap overflow in main(), but it is never caught.

i.e.

#include <string.h>
#include <binder/ProcessState.h>

int main(int argc, char **argv) {
        char buf[10];
        memcpy(&buf,"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",100000000000000); /* deliberate stack overflow that ASAN should report */
        android::ProcessState::self()->startThreadPool();
        /* ... rest of stagefright's main() unchanged ... */
}

ASAN_OPTIONS=verbosity=1 ./stagefright
==26540==AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem    ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap  ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow  ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem     ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=16M
thread_local_quarantine_size_kb=64K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x7fff8000
==26540==Installed the sigaction for signal 11
==26540==Installed the sigaction for signal 7
==26540==Installed the sigaction for signal 8
==26540==T0: stack [0x7fff0d440000,0x7fff0dc40000) size 0x800000; local=0x7fff0dc3cf24
==26540==AddressSanitizer Init done
==26540==T1: stack [0x7a56eeba8000,0x7a56eeca0d50) size 0xf8d50; local=0x7a56eeca0cd4
==26540==T2: stack [0x7a56e8103000,0x7a56e81fbd50) size 0xf8d50; local=0x7a56e81fbcd4

Why doesn't ASAN catch it?

I copied the appropriate files from aosp/out/target/product/generic_x86_64/symbols/data/asan/system/lib64 to /data/asan/system/lib64/ (on the emulator).

Any ideas?

Thanks,

Tags: android, android-source, address-sanitizer
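Before looking at runtime options, it is worth confirming mechanically that a binary carries ASAN instrumentation and requests the ASAN-aware linker, which is the evidence the nm and readelf output above provides. The following Python script is an added example, not code from the question or from AOSP: it parses nm -an and readelf -l output (constructed samples trimmed from the output above are embedded inline) and reports whether __asan_init is referenced, how many asan.module_ctor entries exist, and whether PT_INTERP points at linker_asan64; the function and variable names are the example's own.

```python
import re

# Constructed samples, trimmed from the nm -an / readelf -l output quoted in the question.
NM_OUTPUT = """\
                 U __asan_init
                 U __asan_memcpy
                 U __asan_report_store1
                 U __asan_version_mismatch_check_v8
000000000001f0e0 t asan.module_ctor
000000000001f980 t asan.module_ctor
"""
READELF_OUTPUT = """\
Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  INTERP         0x0000000000000270 0x0000000000000270 0x0000000000000270
                 0x000000000000001a 0x000000000000001a  R      0x1
      [Requesting program interpreter: /system/bin/linker_asan64]
"""

# nm line: optional hex address, one-letter symbol type, symbol name.
NM_LINE = re.compile(r"^\s*(?P<addr>[0-9a-f]+)?\s*(?P<type>[A-Za-z?])\s+(?P<name>\S+)\s*$")
INTERP_LINE = re.compile(r"\[Requesting program interpreter:\s*(?P<path>[^\]]+)\]")

def parse_nm(text):
    """Return (symbol type, symbol name) pairs from `nm -an` output; other lines are skipped."""
    syms = []
    for line in text.splitlines():
        m = NM_LINE.match(line)
        if m:
            syms.append((m.group("type"), m.group("name")))
    return syms

def asan_status(nm_text, readelf_text):
    """Collect the static evidence that a binary was built and linked for ASAN."""
    syms = parse_nm(nm_text)
    undefined_asan = sorted({n for t, n in syms if t == "U" and n.startswith("__asan_")})
    ctors = sum(1 for t, n in syms if n == "asan.module_ctor")
    m = INTERP_LINE.search(readelf_text)
    interp = m.group("path").strip() if m else None
    return {
        "references_asan_init": "__asan_init" in undefined_asan,  # runtime must be loaded
        "asan_undefined_count": len(undefined_asan),              # instrumentation callbacks
        "module_ctors": ctors,                                     # per-TU globals registration
        "interpreter": interp,
        "asan_linker": interp is not None and "linker_asan" in interp,  # Android's ASAN-aware linker
    }

def looks_instrumented(status):
    """True only when all three pieces of evidence are present."""
    return status["references_asan_init"] and status["module_ctors"] > 0 and status["asan_linker"]
```

Feed it the real output of nm -an and readelf -l on the binary under test; a negative result from any of the three checks means the build, not the runtime configuration, needs attention first.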

Solution
