0x603e0001fc64 is located 4 bytes inside of 400-byte region [0x603e0001fc60,0x603e0001fdf0)

In addition, the ASAN log contains not only the stack trace at the point of the error but also the stack trace from when that memory region was previously freed. We can therefore see exactly how the region was released, which makes it much faster to locate and fix the problem.

1.3.2 Heap-Buffer-Overflow

To detect heap-buffer-overflow, only one thing has to be guaranteed:

Redzones of a certain length must be inserted before and after normal heap memory, and the shadow memory corresponding to those redzones must be marked with a special state. In ASAN's implementation, redzone shadow bytes are marked 0xfa.

Test code:


Error report printed by ASAN:

1405==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0060bef84165 at pc 0x0058714bfb24 bp 0x007fdff09590 sp 0x007fdff09588
WRITE of size 1 at 0x0060bef84165 thread T0
    #0 0x58714bfb20 (/system/bin/bootanimation+0x8b20)
    #1 0x7b434cd994 (/apex/com.android.runtime/lib64/bionic/libc.so+0x7e994)

0x0060bef84165 is located 1 bytes to the right of 100-byte region [0x0060bef84100,0x0060bef84164)
allocated by thread T0 here:
    #0 0x7b4250a1a4 (/system/lib64/libclang_rt.asan-aarch64-android.so+0xc31a4)
    #1 0x58714bfac8 (/system/bin/bootanimation+0x8ac8)
    #2 0x7b434cd994 (/apex/com.android.runtime/lib64/bionic/libc.so+0x7e994)
    #3 0x58714bb04c (/system/bin/bootanimation+0x404c)
    #4 0x7b45361b04 (/system/bin/bootanimation+0x54b04)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/system/bin/bootanimation+0x8b20)
Shadow bytes around the buggy address:
  0x001c17df07d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x001c17df07e0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x001c17df07f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x001c17df0800: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x001c17df0810: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
=>0x001c17df0820: 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa
  0x001c17df0830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x001c17df0840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x001c17df0850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x001c17df0860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x001c17df0870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

The shadow byte at the faulting location is 0x4, meaning that only the first 4 bytes of the normal memory covered by that shadow byte are addressable. The 0x4 is preceded by twelve 0x0 shadow bytes, meaning the twelve memory regions before it (8 bytes per region) are fully addressable. The total addressable size is therefore 12×8+4=100, exactly the size passed to malloc in the code. The access fails because address 0x60bef84165 tries to touch the fifth byte of the last region, while only the first four bytes of that region are addressable. Because the byte after 0x4 is 0xfa, this error is classified as a heap-buffer-overflow.