I'm trying to use the following tutorial: https://fuzzing-project.org/tutorial2.html to search for bugs.
When I use AddressSanitizer, there is no symbol resolution in the stack trace.
I tried the steps described in: Meaningful AddressSanitizer stack traces in GCC, but it doesn't work for me. My OS is Ubuntu 14.04.
Here are the steps I took:
apt-get installed llvm3.5, and I don't have any symbols in the stack trace. If I run it with sudo, I don't get any warning, but I don't get any symbol resolution either.
==13392== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff911555e8 at pc 0x400845 bp 0x7fff911555a0 sp 0x7fff91155598
READ of size 4 at 0x7fff911555e8 thread T0
0x400844 (/media/data/test+0x400844)
0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
0x400688 (/media/data/test+0x400688)
Address 0x7fff911555e8 is located at offset 40 in frame of T0's stack:
This frame has 1 object(s):
[32, 40) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
Shadow bytes around the buggy address:
0x100072222a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100072222ab0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f4]f4 f4
0x100072222ac0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100072222b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==13392== ABORTING
I also tried the python script asan_symbolize.py described on the Google project page, but without any results.
https://code.google.com/p/address-sanitizer/wiki/CallStack
Posted 2015-04-18 18:59:17
I updated to gcc 4.9. Now it works. Below are the steps I used to update on Ubuntu.
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
sudo apt-get update
sudo apt-get install gcc-4.9 g++-4.9
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.9 60 --slave /usr/bin/g++ g++ /usr/bin/g++-4.9
More details here: https://askubuntu.com/questions/466651/how-do-i-use-the-latest-gcc-4-9-on-ubuntu-14-04
Posted 2015-07-21 12:22:32
export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
...
READ of size 4 at 0x7fff911555e8 thread T0
0x400844 (/media/data/test+0x400844)
0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
0x400688 (/media/data/test+0x400688)
Under Clang, you need to pipe the output through asan_symbolize to get symbols. I'm discussing Clang because you are clearly using LLVM gear (llvm-symbolizer-3.5 above). So you should do something like:
./test 2>&1 | asan_symbolize
I have asan_symbolize in /usr/bin and /usr/local/bin:
$ find /usr/ -name asan*
/usr/bin/asan_symbolize
/usr/lib/llvm-3.4/lib/clang/3.4/include/sanitizer/asan_interface.h
/usr/local/bin/asan_symbolize.py
/usr/local/lib/clang/3.5.0/include/sanitizer/asan_interface.h
I have two copies because one was installed via apt-get along with Clang (/usr/bin/asan_symbolize), and I sometimes build Clang from source (/usr/local/bin/asan_symbolize.py).
If you don't have a copy, then I believe you can get it from address-sanitizer on Google.
Once you start using asan_symbolize, you may run into the case where asan_symbolize can't find symbols because a path changed (for example, the program or library was copied from its build location to a target directory). For that, see Symbolization? on the ASan mailing list.
In kcc's answer, what he means is:
./test 2>&1 | sed "s/<old path>/<new path>/g" | asan_symbolize
(I think I had to do this when testing Postgres.)
I recently started using GCC's sanitizers, but I have never used asan_symbolize with GCC. I don't know how well that will work for you. Naively, I would expect it to work as expected.
I compiled with gcc 4.8.2 with the following command ...
I don't know how well mixing/matching will work for you. Maybe you should stick with GCC, or you should install Clang and use it.
Python has a crash course on Clang and its sanitizers at Dynamic Analysis with Clang. It discusses topics such as getting stack traces. (I wrote the page for the Python project to help them add Clang and its sanitizers to their release engineering process.)
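What asan_symbolize actually does with frames like the ones in the question, as an added example that is not part of jww's answer and is not asan_symbolize.py itself: a small Python post-processor that parses each unsymbolized frame into a module path and module-relative offset, applies the same old-path/new-path remapping as the sed step above (so a binary that moved after it was built can still be resolved), and hands the offset to addr2line. SAMPLE_REPORT is constructed from the three frames in the question; addr2line is the binutils tool and is assumed to be on PATH. Frames whose module is not on disk, or that addr2line cannot resolve, are left untouched rather than dropped.

```python
"""Minimal asan_symbolize-style post-processor (added example, not asan_symbolize.py).

Reads an unsymbolized AddressSanitizer report, pulls the module path and the
module-relative offset out of every frame line, optionally remaps a build-tree
prefix (the `sed "s/<old path>/<new path>/g"` step), and asks addr2line for
`function file:line`.  addr2line (binutils) is assumed to be on PATH.
"""
import os
import re
import shutil
import subprocess

# Unsymbolized frame, e.g. "    #0 0x400844 (/media/data/test+0x400844)".
# The "#N" prefix is optional because it is often lost when a trace is pasted.
FRAME_RE = re.compile(
    r'^(?P<indent>\s*)(?:#(?P<idx>\d+)\s+)?0x(?P<pc>[0-9a-fA-F]+)\s+'
    r'\((?P<module>[^)]+?)\+0x(?P<offset>[0-9a-fA-F]+)\)\s*$'
)

# Constructed sample: the three frames from the question, as ASan printed them.
SAMPLE_REPORT = """\
READ of size 4 at 0x7fff911555e8 thread T0
    #0 0x400844 (/media/data/test+0x400844)
    #1 0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #2 0x400688 (/media/data/test+0x400688)
"""


def remap_path(path, path_map=None):
    """Apply the first matching {old_prefix: new_prefix} rule to a module path.

    This is the job of kcc's sed pipeline: if the binary was built in one tree
    and copied elsewhere, addr2line must be pointed at the copy that still
    carries the DWARF debug info.
    """
    for old, new in (path_map or {}).items():
        if path.startswith(old):
            return new + path[len(old):]
    return path


def parse_frame(line, path_map=None):
    """Return (module, offset) for a frame line, or None for any other line."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    return remap_path(m.group('module'), path_map), int(m.group('offset'), 16)


def addr2line_argv(module, offset, tool='addr2line'):
    """Build the addr2line command that resolves one frame.

    The offset ASan prints is relative to the module's load base, which is what
    addr2line expects for a shared object or PIE executable (-f: function name,
    -C: demangle C++).
    """
    return [tool, '-f', '-C', '-e', module, '0x%x' % offset]


def symbolize_report(report, path_map=None, tool=None):
    """Return the report as a list of lines, with frames resolved where possible.

    A frame is left exactly as it was when addr2line is missing, the module is
    not on disk, or addr2line answers "??", so nothing is silently lost.
    """
    tool = tool or shutil.which('addr2line')
    out = []
    for line in report.splitlines():
        parsed = parse_frame(line, path_map)
        if parsed is None:
            out.append(line)
            continue
        module, offset = parsed
        if tool is None or not os.path.isfile(module):
            out.append(line)
            continue
        res = subprocess.run(addr2line_argv(module, offset, tool),
                             capture_output=True, text=True)
        sym = res.stdout.split('\n')  # line 0: function, line 1: file:line
        if res.returncode != 0 or len(sym) < 2 or sym[0] == '??':
            out.append(line)
            continue
        m = FRAME_RE.match(line)
        idx = ('#%s ' % m.group('idx')) if m.group('idx') else ''
        out.append('%s%s0x%s in %s %s' % (m.group('indent'), idx,
                                          m.group('pc'), sym[0], sym[1]))
    return out


if __name__ == '__main__':
    import sys
    # Usage: ./test 2>&1 | python3 this_script.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print('\n'.join(symbolize_report(text)))
```

Pipe the program's stderr into the script the same way jww pipes into asan_symbolize; pass path_map={'<old path>': '<new path>'} from a wrapper when the binary has moved since it was built. The GCC-built case from the question works the same way, since addr2line only needs the -g debug info in the module, not the LLVM symbolizer.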
https://stackoverflow.com/questions/29708121