Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AddressSanitizer, What do these terms mean?

So I'm using the AddressSanitizer. But it uses some dense terms when describing the problem.

Shadow bytes around the buggy address:
  0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00 00[fa]fa 00 00 00 fa fa fa 00 00
  0x0c067fff8010: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7320==ABORTING

What does Heap left redzone mean? (and the others but I'm mostly interested in the fa as there is one [fa] which indicates the problem probably?)

like image 478
Tarick Welling Avatar asked Mar 01 '20 15:03

Tarick Welling


People also ask

What is AddressSanitizer error?

AddressSanitizer is a fast memory error detector. It consists of a compiler instrumentation module and a run-time library. The tool can detect the following types of bugs: Out-of-bounds accesses to heap, stack and globals.

How does Fsanitize address work?

The "-fsanitize=address" flag is used to tell the compiler to add AddressSanitizer. Additionally, due to some environmental configuration settings on OSC systems, we must also statically link against Asan. This is done using the "-static-libasan" flag. It's helpful to compile the code with debug symbols.

What is C++ AddressSanitizer?

Starting in Visual Studio 2019 version 16.9, the Microsoft C/C++ compiler (MSVC) and IDE supports the AddressSanitizer. AddressSanitizer (ASan) is a compiler and runtime technology that exposes many hard-to-find bugs with zero false positives: Alloc/dealloc mismatches and new / delete type mismatches.


Video Answer


1 Answers

What does Heap left redzone mean?

When AddressSanitizer heap interposer allocates heap memory in response to something like:

char *p = malloc(5);

it allocates more memory than you asked for. Let's say it allocates 32 bytes at address q. It then would mark the first 16 bytes (region [q, q+15]) as inaccessible heap left red zone (fa), the next 5 bytes as addressable (0), and the next 11 bytes as heap right red zone (fb).

Finally it would return the q+16 to the application (assigned to p).

Now if the application attempts to read or write from p-1, p-2, ... p-15, all such attempts would be detected because they will all land on the left red zone. This is heap underflow.

Similarly, attempts to access p+5, p+6, ... p+10 (heap overflow) would be detected because they will all land on the right red zone.

Why would an application ever have heap underflow? Consider this code:

int idx = get_valid_index(...);  // return -1 on failure
...
if (p[idx] == ...) {   // BUG: forgot to check idx!=-1

This actually happens more often that you'd think, and appears to have happened to you.

like image 140
Employed Russian Avatar answered Oct 20 '22 18:10

Employed Russian