4

I give a try to bug hunting with the help of this tuto : https://fuzzing-project.org/tutorial2.html

When I'm using address-sanitizer, I don't have any symbol resolution on the stack trace.

I try the manipulation describe here : Meaningful stack traces for address sanitizer in GCC but it doesn't work for me. My OS is Ubuntu 14.04

Here are the steps I take :

  1. I use a test program in C which is a classic off-by-one-error

    int main() {
    int a[2] = {1, 0};
    int b=a[2];
}

  2. I install llvm 3.5 with apt-get

  3. I export The following variables

    export AFL_USE_ASAN=1
export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
export ASAN_OPTIONS=symbolize=1

  4. I compile with gcc 4.8.2 with the following command

    gcc -o test -fsanitize=address -g3 -ggdb test.c

  5. There are the warnings I've got in the bug report when I launch the test program. It seems that AddressSanitizer can't connect to llvm-symbolizer-3.5

    ==13382== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff92d6b0e8 at pc 0x400845 bp 0x7fff92d6b0a0 sp 0x7fff92d6b098
READ of size 4 at 0x7fff92d6b0e8 thread T0
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Can't read from symbolizer at fd 3
==13382== WARNING: Failed to use and restart external symbolizer
     0x400844 (/media/data/test+0x400844)
     0x7fe5e7d4aec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
     0x400688 (/media/data/test+0x400688)
Address 0x7fff92d6b0e8 is located at offset 40 in frame <main> of T0's stack:
  This frame has 1 object(s):
    [32, 40) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x1000725a55c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000725a55d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000725a55e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000725a55f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000725a5600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000725a5610: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f4]f4 f4
  0x1000725a5620: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000725a5630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000725a5640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000725a5650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000725a5660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==13382== ABORTING

And I don't get any symbol on the stacktrace. If I perform a sudo I don't have any warnings but I don't have any symbol resolution either.


==13392== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff911555e8 at pc 0x400845 bp 0x7fff911555a0 sp 0x7fff91155598
READ of size 4 at 0x7fff911555e8 thread T0
     0x400844 (/media/data/test+0x400844)
     0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
     0x400688 (/media/data/test+0x400688)
Address 0x7fff911555e8 is located at offset 40 in frame  of T0's stack:
  This frame has 1 object(s):
    [32, 40) 'a'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions are supported)
Shadow bytes around the buggy address:
  0x100072222a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100072222ab0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f4]f4 f4
  0x100072222ac0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100072222b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==13392== ABORTING

I also try the python script asan_symbolize.py describes in the google page project but without any results.

https://code.google.com/p/address-sanitizer/wiki/CallStack

yugr
  • 19,769
  • 3
  • 51
  • 96
overtur
  • 91
  • 2
  • 7

2 Answers2

2

I updated to gcc 4.9. Now it's working. Here's the step I take in Ubuntu to update.

 sudo add-apt-repository ppa:ubuntu-toolchain-r/test
 sudo apt-get update
 sudo apt-get install gcc-4.9 g++-4.9
 sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.9 60 --slave /usr/bin/g++ g++ /usr/bin/g++-4.9

More details here : https://askubuntu.com/questions/466651/how-do-i-use-the-latest-gcc-4-9-on-ubuntu-14-04

Community
  • 1
  • 1
overtur
  • 91
  • 2
  • 7
2
export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5
...
READ of size 4 at 0x7fff911555e8 thread T0
     0x400844 (/media/data/test+0x400844)
     0x7f4721057ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
     0x400688 (/media/data/test+0x400688)

Under Clang, you need to pipe your output through asan_symbolize to get the symbols. I discuss Clang because you are clearly using LLVM gear (llvm-symbolizer-3.5 above). So you should do something like:

./test 2>&1 | asan_symbolize

I have asan_symbolize in both /usr/bin and /usr/local/bin:

$ find /usr/ -name asan*
/usr/bin/asan_symbolize
/usr/lib/llvm-3.4/lib/clang/3.4/include/sanitizer/asan_interface.h
/usr/local/bin/asan_symbolize.py
/usr/local/lib/clang/3.5.0/include/sanitizer/asan_interface.h

I have two copies because one was installed with Clang via apt-get (/usr/bin/asan_symbolize), and I build Clang from sources on occasion (/usr/local/bin/asan_symbolize.py).

If you have no copies, then I believe you can fetch it from address-sanitizer on Google Code.

Once you start using asan_symbolize, you might encounter a situation where asan_symbolize cannot find the symbols due to a path change (for example, a program or library was copied from its build location to a destination directory). For that, see Specify Symbol Path to asan_symbolize? on the Asan mailing list.

In kcc's answer, he meant to do something like:

./test 2>&1 | sed "s/<old path>/<new path>/g" | asan_symbolize

(I think I had to do it when testing Postgres).

I recently started using GCC's sanitizers, but I have never used asan_symbolize with GCC. I'm not sure how well its going to work for you. Naively, I would expect its going to work as expected.

I compile with gcc 4.8.2 with the following command...

I'm not sure how well mixing/matching will work for you. Perhaps you should stick to GCC; or you should install Clang and use it.

Python has a crash course in Clang and its sanitizers at Dynamic Analysis with Clang. It discusses topics like getting stack traces. (I wrote the page for the the Python project to help them add Clang and its sanitizers to its release engineering process).

jww
  • 97,681
  • 90
  • 411
  • 885