HackMD 連結 - HackMD

# HackMD 連結 https://hackmd.io/@cckaron/SJNyJJddO # 2021 Software Testing Lab7 學號: 309551023 姓名: 高俊凱系所: 資科工碩(一) ## 編譯環境 gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0 ## 第1題 ### Heap out-of-bounds read/write ``` #include <stdio.h> #include <stdlib.h> int main() { char *str = malloc(3); str[3] = 'b'; printf("%c\n",str[3]); free(str); return 0; } ``` ``` ================================================================= ==11362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000013 at pc 0x55d56270729f bp 0x7fffe05f46d0 sp 0x7fffe05f46c0 WRITE of size 1 at 0x602000000013 thread T0 #0 0x55d56270729e in main (/home/chunkaigao/CLionProjects/Lab7/a.out+0x129e) #1 0x7fc84d6b50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #2 0x55d56270718d in _start (/home/chunkaigao/CLionProjects/Lab7/a.out+0x118d) 0x602000000013 is located 0 bytes to the right of 3-byte region [0x602000000010,0x602000000013) allocated by thread T0 here: #0 0x7fc84d98dbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8) #1 0x55d56270725e in main (/home/chunkaigao/CLionProjects/Lab7/a.out+0x125e) #2 0x7fc84d6b50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/chunkaigao/CLionProjects/Lab7/a.out+0x129e) in main Shadow bytes around the buggy address: 0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c047fff8000: fa fa[03]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==11362==ABORTING ``` ``` ==11346== Memcheck, a memory error detector ==11346== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==11346== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info ==11346== Command: ./a.out ==11346== ==11346== Invalid write of size 1 ==11346== at 0x1091AB: main (in /home/chunkaigao/CLionProjects/Lab7/a.out) ==11346== Address 0x4a50043 is 0 bytes after a block of size 3 alloc'd ==11346== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==11346== by 0x10919E: main (in /home/chunkaigao/CLionProjects/Lab7/a.out) ==11346== ==11346== Invalid read of size 1 ==11346== at 0x1091B6: main (in /home/chunkaigao/CLionProjects/Lab7/a.out) ==11346== Address 0x4a50043 is 0 bytes after a block of size 3 alloc'd ==11346== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==11346== by 0x10919E: main (in /home/chunkaigao/CLionProjects/Lab7/a.out) ==11346== b ==11346== ==11346== HEAP SUMMARY: ==11346== in use at exit: 0 bytes in 0 blocks ==11346== total heap usage: 2 allocs, 2 frees, 1,027 bytes allocated ==11346== ==11346== All heap blocks were freed -- no leaks are possible ==11346== ==11346== For lists of detected and suppressed errors, rerun with: -s ==11346== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) ``` :::info ASan 能, valgrind 能 ::: ### Stack out-of-bounds read/write ``` #include <stdio.h> int main() { int arr[] = {1,2,3}; printf("arr[10] is %d\n", arr[3]); return 0; } ``` ``` ================================================================= ==11649==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0e0912dc at pc 0x5646db3ec3c0 bp 0x7fff0e0912a0 sp 0x7fff0e091290 READ of size 4 at 0x7fff0e0912dc thread T0 #0 0x5646db3ec3bf in main (/home/chunkaigao/CLionProjects/Lab7/a.out+0x13bf) #1 0x7f5d73aef0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #2 0x5646db3ec18d in _start (/home/chunkaigao/CLionProjects/Lab7/a.out+0x118d) Address 0x7fff0e0912dc is located in stack of thread T0 at offset 44 in frame #0 0x5646db3ec258 in main (/home/chunkaigao/CLionProjects/Lab7/a.out+0x1258) This frame has 1 object(s): [32, 44) 'arr' (line 4) <== Memory access at offset 44 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/chunkaigao/CLionProjects/Lab7/a.out+0x13bf) in main Shadow bytes around the buggy address: 0x100061c0a200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100061c0a210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100061c0a220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100061c0a230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100061c0a240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x100061c0a250: 00 00 00 00 00 00 f1 f1 f1 f1 00[04]f3 f3 00 00 0x100061c0a260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100061c0a270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100061c0a280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100061c0a290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100061c0a2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==11649==ABORTING ``` ``` ==11661== Memcheck, a memory error detector ==11661== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==11661== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info ==11661== Command: ./a.out ==11661== arr[10] is -969055488 ==11661== ==11661== HEAP SUMMARY: ==11661== in use at exit: 0 bytes in 0 blocks ==11661== total heap usage: 1 allocs, 1 frees, 1,024 bytes allocated ==11661== ==11661== All heap blocks were freed -- no leaks are possible ==11661== ==11661== For lists of detected and suppressed errors, rerun with: -s ==11661== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ``` :::info ASan 能, valgrind 不能 ::: ### Global out-of-bounds read/write ``` int global_array[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; int main() { global_array[10] = 10; // Error: out of bounds access of global variable return 0; } ``` ``` ================================================================= ==12003==ERROR: AddressSanitizer: global-buffer-overflow on address 0x557479b94048 at pc 0x557479b91203 bp 0x7ffdb358ba60 sp 0x7ffdb358ba50 WRITE of size 4 at 0x557479b94048 thread T0 #0 0x557479b91202 in main (/home/chunkaigao/CLionProjects/Lab7/a.out+0x1202) #1 0x7f64103c90b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #2 0x557479b9110d in _start (/home/chunkaigao/CLionProjects/Lab7/a.out+0x110d) 0x557479b94048 is located 0 bytes to the right of global variable 'global_array' defined in 'main.c:4:5' (0x557479b94020) of size 40 SUMMARY: AddressSanitizer: global-buffer-overflow (/home/chunkaigao/CLionProjects/Lab7/a.out+0x1202) in main Shadow bytes around the buggy address: 0x0aaf0f36a7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aaf0f36a7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aaf0f36a7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aaf0f36a7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aaf0f36a7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0aaf0f36a800: 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 0x0aaf0f36a810: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 0x0aaf0f36a820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aaf0f36a830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aaf0f36a840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aaf0f36a850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12003==ABORTING ``` ``` ==12019== Memcheck, a memory error detector ==12019== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==12019== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info ==12019== Command: ./a.out ==12019== ==12019== ==12019== HEAP SUMMARY: ==12019== in use at exit: 0 bytes in 0 blocks ==12019== total heap usage: 0 allocs, 0 frees, 0 bytes allocated ==12019== ==12019== All heap blocks were freed -- no leaks are possible ==12019== ==12019== For lists of detected and suppressed errors, rerun with: -s ==12019== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ``` :::info ASan 能, valgrind 不能 ::: ### Use-after-free ``` #include <stdio.h> #include <stdlib.h> int main() { int *intArr = malloc(2 * sizeof(int) ); intArr[0] = 100; intArr[1] = 200; free(intArr); printf("%d\n",intArr[0]); return 0; } ``` ``` ================================================================= ==11503==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010 at pc 0x5568e5ad032c bp 0x7fff516158f0 sp 0x7fff516158e0 READ of size 4 at 0x602000000010 thread T0 #0 0x5568e5ad032b in main (/home/chunkaigao/CLionProjects/Lab7/a.out+0x132b) #1 0x7fae381ce0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #2 0x5568e5ad018d in _start (/home/chunkaigao/CLionProjects/Lab7/a.out+0x118d) 0x602000000010 is located 0 bytes inside of 8-byte region [0x602000000010,0x602000000018) freed by thread T0 here: #0 0x7fae384a67cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) #1 0x5568e5ad02f4 in main (/home/chunkaigao/CLionProjects/Lab7/a.out+0x12f4) #2 0x7fae381ce0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) previously allocated by thread T0 here: #0 0x7fae384a6bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8) #1 0x5568e5ad025e in main (/home/chunkaigao/CLionProjects/Lab7/a.out+0x125e) #2 0x7fae381ce0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) SUMMARY: AddressSanitizer: heap-use-after-free (/home/chunkaigao/CLionProjects/Lab7/a.out+0x132b) in main Shadow bytes around the buggy address: 0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c047fff8000: fa fa[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==11503==ABORTING ``` ``` ==11518== Memcheck, a memory error detector ==11518== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==11518== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info ==11518== Command: ./a.out ==11518== ==11518== Invalid read of size 4 ==11518== at 0x1091CB: main (in /home/chunkaigao/CLionProjects/Lab7/a.out) ==11518== Address 0x4a50040 is 0 bytes inside a block of size 8 free'd ==11518== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==11518== by 0x1091C6: main (in /home/chunkaigao/CLionProjects/Lab7/a.out) ==11518== Block was alloc'd at ==11518== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==11518== by 0x10919E: main (in /home/chunkaigao/CLionProjects/Lab7/a.out) ==11518== 100 ==11518== ==11518== HEAP SUMMARY: ==11518== in use at exit: 0 bytes in 0 blocks ==11518== total heap usage: 2 allocs, 2 frees, 1,032 bytes allocated ==11518== ==11518== All heap blocks were freed -- no leaks are possible ==11518== ==11518== For lists of detected and suppressed errors, rerun with: -s ==11518== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) ``` :::info ASan 能, valgrind 能 ::: ### Use-after-return ``` char* x; void foo() { char stack_buffer[42]; x = &stack_buffer[13]; } int main() { foo(); *x = 42; // user after return return 0; } ``` ``` ================================================================= ==13609==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f41fd87c02d at pc 0x0000004c3321 bp 0x7ffcd2ab25a0 sp 0x7ffcd2ab2598 WRITE of size 1 at 0x7f41fd87c02d thread T0 #0 0x4c3320 in main (/home/chunkaigao/CLionProjects/Lab7/a.out+0x4c3320) #1 0x7f4200e0a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #2 0x41b2dd in _start (/home/chunkaigao/CLionProjects/Lab7/a.out+0x41b2dd) Address 0x7f41fd87c02d is located in stack of thread T0 at offset 45 in frame #0 0x4c311f in foo (/home/chunkaigao/CLionProjects/Lab7/a.out+0x4c311f) This frame has 1 object(s): [32, 74) 'stack_buffer' <== Memory access at offset 45 is inside this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-use-after-return (/home/chunkaigao/CLionProjects/Lab7/a.out+0x4c3320) in main Shadow bytes around the buggy address: 0x0fe8bfb077b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe8bfb077c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe8bfb077d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe8bfb077e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe8bfb077f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fe8bfb07800: f5 f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 0x0fe8bfb07810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe8bfb07820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe8bfb07830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe8bfb07840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe8bfb07850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==13609==ABORTING ``` ``` ==13723== Memcheck, a memory error detector ==13723== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==13723== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info ==13723== Command: ./a.out ==13723== ==13723== ==13723== HEAP SUMMARY: ==13723== in use at exit: 0 bytes in 0 blocks ==13723== total heap usage: 0 allocs, 0 frees, 0 bytes allocated ==13723== ==13723== All heap blocks were freed -- no leaks are possible ==13723== ==13723== For lists of detected and suppressed errors, rerun with: -s ==13723== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) ``` :::info ASan 能, valgrind 不能 ::: :::danger 執行 ASan 要用 "ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out" ::: ## 第2題 :::info Ans: **找不出來** ::: ### 以新增兩個 char array 為例 ``` #include <stdio.h> int main() { char arr[] = {'a', 'b', 'c'}; char arr2[] = {'d', 'e', 'f', 'g'}; return 0; } ``` ### 讀取 arr[4] 會觸發 redzone ``` #include <stdio.h> int main() { char arr[] = {'a', 'b', 'c'}; char arr2[] = {'d', 'e', 'f', 'g'}; /* RedZone */ printf("arr[4] is %c\n", arr[4]); // Boom! return 0; } ``` :::info 印出結果: a ::: ![](https://i.imgur.com/QxPkKan.png) ### 讀取 arr[16] 不會觸發 redzone ``` #include <stdio.h> int main() { char arr[] = {'a', 'b', 'c'}; char arr2[] = {'d', 'e', 'f', 'g'}; /* Safe */ printf("arr[16] is %c\n", arr[16]); return 0; } ``` :::info 印出結果: d ::: ![](https://i.imgur.com/UWgZQEF.png)