Excuse the ads! We need some help to keep our site up.
Address Sanitizer는 Google에서 제공하는 취약점 탐지 도구 입니다.
|
OS | x86 | x86_64 | ARM | ARM64 | MIPS | MIPS64 | PowerPC64 |
---|---|---|---|---|---|---|---|
Linux | O | O | O | O | O | ||
OS X | O | O | |||||
iOS Simulator | O | ||||||
FreeBSD | O | O | |||||
Android | O | O |
Option | Description |
---|---|
-fsanitize=address | AddressSanitizer 활성화 |
-fsanitize=kernel-address | Linux kernel용 AddressSanitizer 활성화 |
-fsanitize=thread | ThreadSanitizer 활성화, |
-fsanitize=leak | LeakSanitizer 활성화, memory leak탐지 |
-fno-omit-frame-pointer | 오류 메시지에서 조금더 상세한 스택 trace 결과를 출력 |
-fsanitize=undefined | UndefinedBehaviorSanitizer 활성화 |
clang -o test test.c -fsanitize=address |
gcc -o test test.c -fsanitize=address |
LOCAL_CFLAGS := -fsanitize=address -fno-omit-frame-pointer LOCAL_LDFLAGS := -fsanitize=address LOCAL_ARM_MODE := arm |
NDK_TOOLCHAIN_VERSION=clang3.5 |
APP_ABI := armeabi armeabi-v7a x86 |
#include <stdio.h> #include <stdlib.h> #include <string.h> char UAF(){ char *a = new char[100]; delete [] a; return a[1]; } int main() { UAF(); } |
lazenca0x0@ubuntu:~/Documents/Definition/addressSanitizer$ g++ -o UAF UAF.cpp -fsanitize=address lazenca0x0@ubuntu:~/Documents/Definition/addressSanitizer$ ./UAF ================================================================= ==21446==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00000af91 at pc 0x0000004007e7 bp 0x7fffea6837d0 sp 0x7fffea6837c0 READ of size 1 at 0x60b00000af91 thread T0 #0 0x4007e6 in UAF() (/home/lazenca0x0/Documents/Definition/addressSanitizer/UAF+0x4007e6) #1 0x4007f9 in main (/home/lazenca0x0/Documents/Definition/addressSanitizer/UAF+0x4007f9) #2 0x7fe4206f082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #3 0x4006b8 in _start (/home/lazenca0x0/Documents/Definition/addressSanitizer/UAF+0x4006b8) 0x60b00000af91 is located 1 bytes inside of 100-byte region [0x60b00000af90,0x60b00000aff4) freed by thread T0 here: #0 0x7fe420b33caa in operator delete[](void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99caa) #1 0x4007ae in UAF() (/home/lazenca0x0/Documents/Definition/addressSanitizer/UAF+0x4007ae) #2 0x4007f9 in main (/home/lazenca0x0/Documents/Definition/addressSanitizer/UAF+0x4007f9) #3 0x7fe4206f082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) previously allocated by thread T0 here: #0 0x7fe420b336b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2) #1 0x400797 in UAF() (/home/lazenca0x0/Documents/Definition/addressSanitizer/UAF+0x400797) #2 0x4007f9 in main (/home/lazenca0x0/Documents/Definition/addressSanitizer/UAF+0x4007f9) #3 0x7fe4206f082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: heap-use-after-free ??:0 UAF() Shadow bytes around the buggy address: 0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c167fff95f0: fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==21446==ABORTING lazenca0x0@ubuntu:~/Documents/Definition/addressSanitizer$ |
#include <stdio.h> #include <stdlib.h> #include <string.h> int main() { char *a = new char[100]; printf("%c\n",a[101]); delete [] a; } |
lazenca0x0@ubuntu:~/Documents/Definition/addressSanitizer$ g++ -o HeapBufferOverflow HeapBufferOverflow.cpp -fsanitize=address lazenca0x0@ubuntu:~/Documents/Definition/addressSanitizer$ ./HeapBufferOverflow ================================================================= ==21644==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000aff5 at pc 0x0000004008c8 bp 0x7ffd007ae090 sp 0x7ffd007ae080 READ of size 1 at 0x60b00000aff5 thread T0 #0 0x4008c7 in main (/home/lazenca0x0/Documents/Definition/addressSanitizer/HeapBufferOverflow+0x4008c7) #1 0x7f8e9afb182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #2 0x4007a8 in _start (/home/lazenca0x0/Documents/Definition/addressSanitizer/HeapBufferOverflow+0x4007a8) 0x60b00000aff5 is located 1 bytes to the right of 100-byte region [0x60b00000af90,0x60b00000aff4) allocated by thread T0 here: #0 0x7f8e9b3f46b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2) #1 0x400887 in main (/home/lazenca0x0/Documents/Definition/addressSanitizer/HeapBufferOverflow+0x400887) #2 0x7f8e9afb182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 main Shadow bytes around the buggy address: 0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00[04]fa 0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==21644==ABORTING lazenca0x0@ubuntu:~/Documents/Definition/addressSanitizer$ |
#include <stdio.h> int main(){ char stack[100]; printf("%c\n",stack[101]); return 0; } |
lazenca0x0@ubuntu:~/Documents/Definition/addressSanitizer$ g++ -o StackBufferOverflow StackBufferOverflow.cpp -fsanitize=address lazenca0x0@ubuntu:~/Documents/Definition/addressSanitizer$ ./StackBufferOverflow ================================================================= ==21732==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffceb0c9de5 at pc 0x0000004009e0 bp 0x7ffceb0c9d50 sp 0x7ffceb0c9d40 READ of size 1 at 0x7ffceb0c9de5 thread T0 #0 0x4009df in main (/home/lazenca0x0/Documents/Definition/addressSanitizer/StackBufferOverflow+0x4009df) #1 0x7f7e27cf882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #2 0x400848 in _start (/home/lazenca0x0/Documents/Definition/addressSanitizer/StackBufferOverflow+0x400848) Address 0x7ffceb0c9de5 is located in stack of thread T0 at offset 133 in frame #0 0x400925 in main (/home/lazenca0x0/Documents/Definition/addressSanitizer/StackBufferOverflow+0x400925) This frame has 1 object(s): [32, 132) 'stack' <== Memory access at offset 133 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 main Shadow bytes around the buggy address: 0x10001d611360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001d611370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001d611380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001d611390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001d6113a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 =>0x10001d6113b0: 00 00 00 00 00 00 00 00 00 00 00 00[04]f4 f4 f4 0x10001d6113c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x10001d6113d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001d6113e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001d6113f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10001d611400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==21732==ABORTING lazenca0x0@ubuntu:~/Documents/Definition/addressSanitizer$ |