AddressSanitizer on a android application.

[NitzDKoder]

Hello All,

1) Does AddressSanitizer(sanitizer) built into android studio like iOS/Xcode?
https://developer.apple.com/documentation/code_diagnostics/address_sanitizer/enabling_the_address_sanitizer

2)Memory leak : AddressSanitizer detects Memory leaks on android?

3)Memory corruption: How to enable AddressSanitizer on an android app such that it detects C library(.SO shared library )memory corruption?

What was tried:
https://github.com/google/sanitizers/wiki/AddressSanitizerOnAndroid
1)Add this to my project(64 bit) android.mk
LOCAL_CFLAGS := -fsanitize=address -fno-omit-frame-pointer
LOCAL_LDFLAGS := -fsanitize=address
LOCAL_ARM_MODE := aarch64
LD_PRELOAD := libclang_rt.asan-aarch64-android.so

2)APP_ABI := arm64-v8a

3)wrap.sh created with below content and placed in lib/arm64-v8a/wrap.sh

 #!/system/bin/sh
    HERE="$(cd "$(dirname "$0")" && pwd)"
    export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1
    export LD_PRELOAD=$HERE/libclang_rt.asan-aarch64-android.so
    exec "$@"

4) libclang_rt.asan-aarch64-android.so is placed in lib/arm64-v8a/ libclang_rt.asan-aarch64-android.so.

5)Build ndk project using GCC 4.9 and load my 64 bit shared library(.SO).

a)above setup is enough to detect below corruptions ??

Stack and heap buffer overflow/underflow.
Heap use after free.
Stack use outside scope.
Stack use after return (HWAsan only on Android).
Double free/wild free.

b) if any corruption detected while running the app, does the traces gets printed to console/logcat?

Thanks

[eugenis]

Hi, LOCAL_ARM_MODE := aarch64 is unnecessary, Compiler should be clang, not gcc. Need "android:debuggable" in the manifest. Other than that, everything looks great. There is not studio support or leak detection.

…

On Tue, May 28, 2019 at 3:56 AM Nithin Malikarunja ***@***.***> wrote: Hello All, *1) Does AddressSanitizer(sanitizer) built into android studio like iOS/Xcode?* https://developer.apple.com/documentation/code_diagnostics/address_sanitizer/enabling_the_address_sanitizer *2)Memory leak : AddressSanitizer detects Memory leaks on android?* *3)Memory corruption: How to enable AddressSanitizer on an android app such that it detects C library(.SO shared library )memory corruption?* *What was tired:* https://github.com/google/sanitizers/wiki/AddressSanitizerOnAndroid *1)Add this to my project(64 bit) android.mk <http://android.mk>* LOCAL_CFLAGS := -fsanitize=address -fno-omit-frame-pointer LOCAL_LDFLAGS := -fsanitize=address LOCAL_ARM_MODE := aarch64 LD_PRELOAD := libclang_rt.asan-aarch64-android.so *2)APP_ABI := arm64-v8a* *3)wrap.sh created with below content and placed in lib/arm64-v8a/wrap.sh* #!/system/bin/sh HERE="$(cd "$(dirname "$0")" && pwd)" export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1 export LD_PRELOAD=$HERE/libclang_rt.asan-aarch64-android.so exec "$@" *4) libclang_rt.asan-aarch64-android.so <http://libclang_rt.asan-aarch64-android.so> is placed in lib/arm64-v8a/ libclang_rt.asan-aarch64-android.so <http://libclang_rt.asan-aarch64-android.so>.* *5)Build ndk project using GCC 4.9 and load my 64 bit shared library(.SO).* *a)above setup is enough to detect below corruptions ??* Stack and heap buffer overflow/underflow. Heap use after free. Stack use outside scope. Stack use after return (HWAsan only on Android). Double free/wild free. *b) if any corruption detected while running the app, does the traces gets printed to console/logcat?* Thanks — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1100?email_source=notifications&email_token=AADG4SRMOCI3VEOKJOPQZYLPXUFU5A5CNFSM4HQCGD7KYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4GWGJDOQ>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADG4SQMOGRCVLN6NM3A2MLPXUFU5ANCNFSM4HQCGD7A> .

[kusumakara]

Hi Kostya,

We have two native libraries in our app. We enabled -fsanitize=address on one of the library
And added some code to currupt memmory explicitly.

Code:

char ptr = (char) malloc(10);
ptr[10] = 'c';
char buff[10] = {0};
strcpy(buff, "This String Will Overflow the Buffer");

App is crashing. But in adb logs its not printing detailed memory corruptions data.

@ How I confirm generated .so -fsanitize=address flag is enabled or not.

[eugenis]

Check if the library depends on libclang_rt.asan-* using readelf -d.

…

On Fri, May 31, 2019 at 7:06 AM kusumakara ***@***.***> wrote: Hi Kostya, We have two native libraries in our app. We enabled -fsanitize=address on one of the library And added some code to currupt memmory explicitly. *Code:* char *ptr = (char*) malloc(10); ptr[10] = 'c'; char buff[10] = {0}; strcpy(buff, "This String Will Overflow the Buffer"); App is crashing. But in adb logs its not printing detailed memory corruptions data. @ How I confirm *generated .so* -fsanitize=address flag is enabled or not. — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#1100?email_source=notifications&email_token=AADG4SVJ3DVDUPLWGN5V7I3PYEWHTA5CNFSM4HQCGD7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWVKACA#issuecomment-497721352>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADG4SXX752AP5E5M4GB6PDPYEWHTANCNFSM4HQCGD7A> .

[NitzDKoder]

@eugenis please confirm if any android ndk with GCC asan supported version exist, which we can try?

[eugenis]

As far as I know, such thing does not exist.

…

On Fri, Jun 14, 2019 at 9:12 PM Nithin Malikarunja ***@***.***> wrote: @eugenis please confirm if the android ndk with GCC asan version exist which we can try? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[kusumakara]

@earthdok

If i build through android studio. Its printing memory address properly.

My wrap.sh file location is app\libs\arm64-v8a\wrap.sh (Where my native libs are available)

06-24 17:02:34.535 I/com.kodiak.ui(10355): Addressable: 00
06-24 17:02:34.535 I/com.kodiak.ui(10355): Partially addressable: 01 02 03 04 05 06 07
06-24 17:02:34.535 I/com.kodiak.ui(10355): Heap left redzone: fa
06-24 17:02:34.535 I/com.kodiak.ui(10355): Freed heap region: fd
06-24 17:02:34.535 I/com.kodiak.ui(10355): Stack left redzone: f1

If I build through command line.

./gradlew assemblearmv7debug -q

its excluding my wrap.sh file. So that i changed wrap.sh file location.

app\src\main\resources\lib\arm64-v8a\wrap.sh

Build is success but its printing wrong address like below

06-24 18:10:11.672 I/wrap.sh (12767): Addressable: �[1m�[0m00�[1m�[0m
06-24 18:10:11.672 I/wrap.sh (12767): Partially addressable: �[1m�[0m01�[1m�[0m �[1m�[0m02�[1m�[0m �[1m�[0m03�[1m�[0m �[1m�[0m04�[1m�[0m �[1m�[0m05�[1m�[0m �[1m�[0m06�[1m�[0m �[1m�[0m07�[1m�[0m
06-24 18:10:11.672 I/wrap.sh (12767): Heap left redzone: �[1m�[31mfa�[1m�[0m

If I build through command-line. Where exactly place my wrap.sh file.

My wrap.sh file content.
#!/system/bin/sh
HERE="$(cd "$(dirname "$0")" && pwd)"
export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1 fast_unwind_on_malloc=1
export LD_PRELOAD=$HERE/libclang_rt.asan-aarch64-android.so
exec "$@"

Please confirm me I can build addresssanitizer through command line?

[eugenis]

@DanAlbert AFAIK gradle does not copy wrap.sh automatically, but if placed in the appropriate directory manually, things should work fine.

[DanAlbert]

That's correct. android/ndk#954 explains the various difficulties with using ASan with wrap.sh right now and how to solve them.

[kusumakara]

Thanks, @eugenis

After adding below flags to my wrap.sh file. Its working now and printing AddressSanitizer SUMMARY.

#!/system/bin/sh HERE="$(cd "$(dirname "$0")" && pwd)" export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1,symbolize=1,detect_stack_use_after_return=1,check_initialization_order=true,quarantine_size_mb=64,color=never export LD_PRELOAD="$HERE/libclang_rt.asan-aarch64-android.so" exec "$@"

[NitzDKoder]

@eugenis @DanAlbert
1)https://code.google.com/archive/p/android-ndk-stacktrace-analyzer/wikis/Usage.wiki

2)https://developer.android.com/ndk/guides/ndk-stack

When NON-ASAN build crashes.

Above tools were tried to get the line number of crash function/Memory corruption function, but unsucessful.

Please help in this.
Also suggest

1. which NDK version is best for ASAN?
2. Which system(windows /MAC / Linux) is better for NDK(.SO) building to get backtraces?

Thanks

[eugenis]

Nice. This looks like a real bug, as far as I can tell without seeing the source. Have you tried this: https://source.android.com/devices/tech/debug/asan#symbolization ? The first option is the easiest to use if you don't care about symbols in platform libraries. Unfortunately, I don't know where to get prebuilt llvm-symbolizer for aarch64-android... You can also do it manually on the host by running addr2line -fi -e path/to/library.so 0xaaa 0xaaa 0xaaa replacing 0xaaa with offsets from the asan report: #0 0x76d18550a7 (/data/app/com.company.ui-4SAD7wU_5H1-MMdNytD1oA==/lib/arm64/libcdeAndroidPort.so+0x68d0a7) ^^^ in this case, 0x68d0a7.

…

On Wed, Jun 26, 2019 at 8:27 PM Nithin Malikarunja ***@***.***> wrote: @eugenis <https://github.com/eugenis> @DanAlbert <https://github.com/DanAlbert> 1) https://code.google.com/archive/p/android-ndk-stacktrace-analyzer/wikis/Usage.wiki 2)https://developer.android.com/ndk/guides/ndk-stack Above tools were tried to get the line number of crash function, but unsucessful. Please help in this. Thanks — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1100?email_source=notifications&email_token=AADG4SWAJVBVJDCMYO7AECDP4QXTVA5CNFSM4HQCGD7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODYVRZYY#issuecomment-506141923>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADG4SVLO224ZARIDVJQB2LP4QXTVANCNFSM4HQCGD7A> .

[NitzDKoder]

@eugenis thanks addr2line is working with obj level shared libaray(.SO). And we are able to see the line number now.