hwasan / asan: a detailed analysis of a memory-corruption report, part: Use after free

Time: 2025-04-07 09:47:37

=================================================================

==2708== ERROR: AddressSanitizer: heap-use-after-free on address 0x602e0001fc64 at pc 0x4007f9 bp 0x7ffd8b8b0830 sp 0x7ffd8b8b0828----The error type says this is a use of heap memory after it was freed; the faulting pc is 0x4007f9.

READ of size 4 at 0x602e0001fc64 thread T0

    #0 0x4007f8 (/home/al/temp/address_sanitizer/use_after_free+0x4007f8)---------------------------The fault site is at 0x4007f8 in use_after_free, which corresponds to the line "return array[argc];".

    #1 0x7fcbf515582f (/lib/x86_64-linux-gnu/libc-2.23.so+0x2082f)

    #2 0x4006b8 (/home/al/temp/address_sanitizer/use_after_free+0x4006b8)

0x602e0001fc64 is located 4 bytes inside of 400-byte region [0x602e0001fc60,0x602e0001fdf0)

freed by thread T0 here:

    #0 0x7fcbf551083a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1183a)

    #1 0x4007ac (/home/al/temp/address_sanitizer/use_after_free+0x4007ac)---------------------------The free site; addr2line maps it to the line "delete [] array;".

    #2 0x7fcbf515582f (/lib/x86_64-linux-gnu/libc-2.23.so+0x2082f)

previously allocated by thread T0 here:

    #0 0x7fcbf551067a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1167a)

    #1 0x400795 (/home/al/temp/address_sanitizer/use_after_free+0x400795)---------------------------The allocation site; addr2line maps it to the line "int *array = new int[100];".

    #2 0x7fcbf515582f (/lib/x86_64-linux-gnu/libc-2.23.so+0x2082f)

Shadow bytes around the buggy address:

  0x0c063fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c063fffbf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c063fffbf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c063fffbf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c063fffbf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

=>0x0c063fffbf80: fa fa fa fa fa fa fa fa fa fa fa fa[fd]fd fd fd------------------------------------[] marks the faulting shadow byte; 0xfd means this memory has already been freed.

  0x0c063fffbf90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c063fffbfa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c063fffbfb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa------------------------------------One shadow byte covers 8 application bytes; there are 50 0xfd bytes in total, i.e. 400 bytes, which is exactly the size of the allocated array.

  0x0c063fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c063fffbfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:     fa  // left boundary of the heap block

  Heap righ redzone:     fb  // right boundary of the heap block

  Freed Heap region:     fd  // the heap block has been freed

  Stack left redzone:    f1

  Stack mid redzone:     f2

  Stack right redzone:   f3

  Stack partial redzone: f4

  Stack after return:    f5

  Stack use after scope: f8

  Global redzone:        f9

  Global init order:     f6

  Poisoned by user:      f7

  ASan internal:         fe
==2708== ABORTING
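As an added example (not code from the original post), the C++ program below reproduces the arithmetic behind the annotations above: it applies ASan's default x86_64 shadow mapping `Shadow = (Mem >> 3) + 0x7fff8000`, parses the shadow rows copied from the report, looks up the byte for the faulting address 0x602e0001fc64, and walks the 0xfd run in both directions to recover the 400-byte freed region and the "4 bytes inside" offset that the report states. The row strings are copied from the report on this page; everything else (function names, the `FreedRegion` struct) is this example's own.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

// ASan's default shadow mapping on x86_64 Linux: Shadow = (Mem >> 3) + 0x7fff8000.
// One shadow byte describes one 8-byte granule of application memory.
constexpr unsigned  kShadowScale  = 3;
constexpr uintptr_t kShadowOffset = 0x7fff8000ULL;

uintptr_t shadow_address(uintptr_t app_addr) {
    return (app_addr >> kShadowScale) + kShadowOffset;
}

// Meaning of a shadow byte, following the legend printed at the end of the report.
std::string describe_shadow(uint8_t b) {
    if (b == 0x00) return "addressable";
    if (b >= 0x01 && b <= 0x07) return "partially addressable";
    switch (b) {
        case 0xfa: return "heap left redzone";   case 0xfb: return "heap right redzone";
        case 0xfd: return "freed heap region";   case 0xf1: return "stack left redzone";
        case 0xf2: return "stack mid redzone";   case 0xf3: return "stack right redzone";
        case 0xf4: return "stack partial redzone"; case 0xf5: return "stack after return";
        case 0xf8: return "stack use after scope"; case 0xf9: return "global redzone";
        case 0xf6: return "global init order";   case 0xf7: return "poisoned by user";
        case 0xfe: return "asan internal";       default:   return "unknown";
    }
}

// Shadow rows copied from the report above (six of the eleven printed rows).
const std::vector<std::string> kReportRows = {
    "  0x0c063fffbf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
    "=>0x0c063fffbf80: fa fa fa fa fa fa fa fa fa fa fa fa[fd]fd fd fd",
    "  0x0c063fffbf90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd",
    "  0x0c063fffbfa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd",
    "  0x0c063fffbfb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa",
    "  0x0c063fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
};

// Parse "<shadow base>: xx xx ... [xx] ..." rows into a shadow-address -> byte map.
// The "=>" marker and the [ ] brackets around the faulting byte are skipped.
std::map<uintptr_t, uint8_t> parse_shadow_rows(const std::vector<std::string>& rows) {
    std::map<uintptr_t, uint8_t> shadow;
    for (const std::string& line : rows) {
        size_t hex = line.find("0x");
        size_t colon = line.find(':');
        if (hex == std::string::npos || colon == std::string::npos) continue;
        uintptr_t base = std::strtoull(line.c_str() + hex, nullptr, 16);  // stops at ':'
        std::string rest = line.substr(colon + 1);
        uintptr_t idx = 0;
        for (size_t i = 0; i + 1 < rest.size();) {
            if (!std::isxdigit(static_cast<unsigned char>(rest[i]))) { ++i; continue; }
            shadow[base + idx++] = static_cast<uint8_t>(
                std::strtoul(rest.substr(i, 2).c_str(), nullptr, 16));
            i += 2;
        }
    }
    return shadow;
}

struct FreedRegion { uintptr_t start; size_t size; };  // size 0 => not a freed granule

// From the granule holding app_addr, extend left and right while the shadow byte is
// 0xfd, then map the run back to application addresses. Reproduces the
// "50 x 0xfd = 400 bytes" observation and the region start from the report.
FreedRegion freed_region_around(const std::map<uintptr_t, uint8_t>& shadow, uintptr_t app_addr) {
    auto is_freed = [&](uintptr_t s) {
        auto it = shadow.find(s);
        return it != shadow.end() && it->second == 0xfd;
    };
    uintptr_t s = shadow_address(app_addr);
    if (!is_freed(s)) return {0, 0};
    uintptr_t lo = s, hi = s;
    while (is_freed(lo - 1)) --lo;
    while (is_freed(hi + 1)) ++hi;
    return { (lo - kShadowOffset) << kShadowScale,
             static_cast<size_t>(hi - lo + 1) << kShadowScale };
}

int main() {
    const uintptr_t bad = 0x602e0001fc64ULL;  // faulting address from the report
    std::map<uintptr_t, uint8_t> shadow = parse_shadow_rows(kReportRows);
    uint8_t b = shadow.at(shadow_address(bad));
    FreedRegion r = freed_region_around(shadow, bad);
    std::printf("shadow(0x%llx) = 0x%llx -> 0x%02x (%s)\n",
                (unsigned long long)bad, (unsigned long long)shadow_address(bad),
                b, describe_shadow(b).c_str());
    std::printf("freed region [0x%llx, 0x%llx), %zu bytes; access is %llu bytes inside\n",
                (unsigned long long)r.start, (unsigned long long)(r.start + r.size),
                r.size, (unsigned long long)(bad - r.start));
    return 0;
}
```

To reproduce the report itself, build the three-line program the annotations describe with `-fsanitize=address -g` and, once it aborts, map the printed pc values back to source lines with `addr2line -e use_after_free 0x4007f8` (and the free/allocation frames in the same way), which is the step the annotations refer to.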