AddressSanitizer on a android application. #1100

Closed
NitzDKoder opened this issue May 28, 2019 · 12 comments
NitzDKoder commented May 28, 2019

Hello All,

1) Is AddressSanitizer built into Android Studio the way it is in iOS/Xcode?
https://developer.apple.com/documentation/code_diagnostics/address_sanitizer/enabling_the_address_sanitizer

2) Memory leaks: does AddressSanitizer detect memory leaks on Android?

3) Memory corruption: how do I enable AddressSanitizer on an Android app so that it detects memory corruption in a C library (.so shared library)?

What was tried:
https://github.com/google/sanitizers/wiki/AddressSanitizerOnAndroid
1) Added this to my project's (64-bit) Android.mk:
LOCAL_CFLAGS := -fsanitize=address -fno-omit-frame-pointer
LOCAL_LDFLAGS := -fsanitize=address
LOCAL_ARM_MODE := aarch64
LD_PRELOAD := libclang_rt.asan-aarch64-android.so

2) APP_ABI := arm64-v8a

3) Created wrap.sh with the content below and placed it in lib/arm64-v8a/wrap.sh:

#!/system/bin/sh
HERE="$(cd "$(dirname "$0")" && pwd)"
export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1
export LD_PRELOAD=$HERE/libclang_rt.asan-aarch64-android.so
exec "$@"

4) Placed libclang_rt.asan-aarch64-android.so at lib/arm64-v8a/libclang_rt.asan-aarch64-android.so.

5) Built the NDK project using GCC 4.9 and loaded my 64-bit shared library (.so).

a) Is the above setup enough to detect the corruptions below?

Stack and heap buffer overflow/underflow.
Heap use after free.
Stack use outside scope.
Stack use after return (HWASan only on Android).
Double free/wild free.

b) If any corruption is detected while running the app, do the traces get printed to the console/logcat?

Thanks

eugenis commented May 29, 2019 via email

@kusumakara

Hi Kostya,

We have two native libraries in our app. We enabled -fsanitize=address on one of the libraries and added some code to corrupt memory explicitly.

Code:

#include <stdlib.h>
#include <string.h>

char *ptr = (char *) malloc(10);
ptr[10] = 'c';                    /* heap-buffer-overflow: one byte past the allocation */
char buff[10] = {0};
strcpy(buff, "This String Will Overflow the Buffer"); /* stack-buffer-overflow */

The app is crashing, but in the adb logs it is not printing detailed memory corruption data.

How do I confirm whether the generated .so was built with the -fsanitize=address flag enabled?
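One way to answer the question above about confirming that a .so was built with -fsanitize=address: an ASan-instrumented library references __asan_init as an undefined dynamic symbol, and when the flag was also given at link time it carries a DT_NEEDED entry for libclang_rt.asan-<arch>-android.so. On a build machine `readelf -d libfoo.so | grep NEEDED` and `nm -D libfoo.so | grep __asan_init` show both. The Python below is an added example, not code from this thread or from the NDK: it reads those two markers straight from the ELF file so the check can run in CI without binutils, and it builds a small in-memory ELF (constructed test input, not a real library) to exercise itself. Checking both markers separately also distinguishes a library that was compiled with ASan but linked without it.

```python
"""Check whether an ELF64 shared object was built with -fsanitize=address.

Added example, not code from this thread or the NDK. An ASan-instrumented .so
carries two markers (the same ones `readelf -d` / `nm -D` show on a real build):
  * DT_NEEDED on the runtime, libclang_rt.asan-<arch>-android.so
    (added when -fsanitize=address is also passed at link time)
  * an undefined dynamic symbol __asan_init (emitted by every translation
    unit compiled with -fsanitize=address)
Little-endian ELF64 only (arm64-v8a, x86_64).
"""
import struct
import sys

SHT_STRTAB, SHT_DYNAMIC, SHT_DYNSYM = 3, 6, 11
DT_NULL, DT_NEEDED = 0, 1
SHN_UNDEF = 0
ASAN_RUNTIME_PREFIX = "libclang_rt.asan"


def _cstr(blob: bytes, off: int) -> str:
    """NUL-terminated string starting at file offset `off`."""
    return blob[off:blob.index(b"\0", off)].decode()


def _sections(blob: bytes) -> list:
    """(name, type, offset, size, link, entsize) for every section header."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_shoff,) = struct.unpack_from("<Q", blob, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", blob, 0x3A)
    raw = [struct.unpack_from("<IIQQQQIIQQ", blob, e_shoff + i * e_shentsize)
           for i in range(e_shnum)]
    shstr_off = raw[e_shstrndx][4]  # .shstrtab holds the section names
    return [(_cstr(blob, shstr_off + h[0]), h[1], h[4], h[5], h[6], h[9]) for h in raw]


def asan_markers(blob: bytes) -> dict:
    """Read DT_NEEDED from .dynamic and the undefined symbols from .dynsym."""
    secs = _sections(blob)
    needed, undefined = [], set()
    for _name, typ, off, size, link, entsize in secs:
        if typ == SHT_DYNAMIC:
            strtab = secs[link][2]  # sh_link points at .dynstr
            for pos in range(off, off + size, 16):
                d_tag, d_val = struct.unpack_from("<qQ", blob, pos)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_NEEDED:
                    needed.append(_cstr(blob, strtab + d_val))
        elif typ == SHT_DYNSYM:
            strtab = secs[link][2]
            for pos in range(off, off + size, entsize or 24):
                st_name, _info, _other, st_shndx = struct.unpack_from("<IBBH", blob, pos)
                if st_name and st_shndx == SHN_UNDEF:  # imported, not defined here
                    undefined.add(_cstr(blob, strtab + st_name))
    runtime = [n for n in needed if n.startswith(ASAN_RUNTIME_PREFIX)]
    return {"asan_runtime": runtime[0] if runtime else None,
            "references_asan_init": "__asan_init" in undefined,
            "needed": needed}


def is_asan_instrumented(blob: bytes) -> bool:
    """True only with both markers: compiled AND linked with -fsanitize=address."""
    m = asan_markers(blob)
    return m["asan_runtime"] is not None and m["references_asan_init"]


def build_sample_so(needed: list, undefined: list) -> bytes:
    """Constructed test input: a minimal EM_AARCH64 ELF64 with just the sections
    the check reads. Not loadable; it only exercises the parser above."""
    dynstr = bytearray(b"\0")

    def add(s: str) -> int:  # append to .dynstr, return its offset
        idx = len(dynstr)
        dynstr.extend(s.encode() + b"\0")
        return idx

    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, add(n)) for n in needed)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    dynsym = bytes(24) + b"".join(  # index 0 is the mandatory null symbol
        struct.pack("<IBBHQQ", add(s), 0x10, 0, SHN_UNDEF, 0, 0) for s in undefined)
    shstrtab = b"\0.dynstr\0.dynamic\0.dynsym\0.shstrtab\0"
    # (name offset in shstrtab, type, body, sh_link, sh_entsize) = section indexes 1..4
    secs = [(1, SHT_STRTAB, bytes(dynstr), 0, 0), (9, SHT_DYNAMIC, dynamic, 1, 16),
            (18, SHT_DYNSYM, dynsym, 1, 24), (26, SHT_STRTAB, shstrtab, 0, 0)]
    body, shdrs, off = b"", bytes(64), 64  # 64-byte ELF header, then section bodies
    for name, typ, data, link, entsize in secs:
        shdrs += struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, len(data), link, 0, 1, entsize)
        body += data
        off += len(data)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 0, off, 0, 64, 0, 0, 64, 5, 4)
    return ehdr + body + shdrs  # section headers start at e_shoff == off


if __name__ == "__main__":
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else
            build_sample_so(["libclang_rt.asan-aarch64-android.so", "liblog.so"], ["__asan_init"]))
    print(asan_markers(blob), "->", "ASan" if is_asan_instrumented(blob) else "no ASan")
```

Run it as `python3 check_asan.py obj/local/arm64-v8a/libfoo.so` against the library that ndk-build produced; with no argument it checks the constructed sample. A library that reports `references_asan_init` but no `asan_runtime` was compiled with the flag but linked without it, which is exactly the half-configured state that crashes without any ASan report.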

eugenis commented Jun 1, 2019 via email

NitzDKoder commented Jun 15, 2019

@eugenis please confirm whether any Android NDK version with GCC ASan support exists that we can try?

eugenis commented Jun 17, 2019 via email

@kusumakara
@earthdok

If I build through Android Studio, it is printing the memory addresses properly.

My wrap.sh file location is app\libs\arm64-v8a\wrap.sh (where my native libs are).

06-24 17:02:34.535 I/com.kodiak.ui(10355): Addressable: 00
06-24 17:02:34.535 I/com.kodiak.ui(10355): Partially addressable: 01 02 03 04 05 06 07
06-24 17:02:34.535 I/com.kodiak.ui(10355): Heap left redzone: fa
06-24 17:02:34.535 I/com.kodiak.ui(10355): Freed heap region: fd
06-24 17:02:34.535 I/com.kodiak.ui(10355): Stack left redzone: f1

If I build through the command line:

./gradlew assemblearmv7debug -q

it excludes my wrap.sh file, so I changed the wrap.sh file location to:

app\src\main\resources\lib\arm64-v8a\wrap.sh

The build succeeds but it is printing wrong addresses like below:

06-24 18:10:11.672 I/wrap.sh (12767): Addressable: \x1b[1m\x1b[0m00\x1b[1m\x1b[0m
06-24 18:10:11.672 I/wrap.sh (12767): Partially addressable: \x1b[1m\x1b[0m01\x1b[1m\x1b[0m \x1b[1m\x1b[0m02\x1b[1m\x1b[0m \x1b[1m\x1b[0m03\x1b[1m\x1b[0m \x1b[1m\x1b[0m04\x1b[1m\x1b[0m \x1b[1m\x1b[0m05\x1b[1m\x1b[0m \x1b[1m\x1b[0m06\x1b[1m\x1b[0m \x1b[1m\x1b[0m07\x1b[1m\x1b[0m
06-24 18:10:11.672 I/wrap.sh (12767): Heap left redzone: \x1b[1m\x1b[31mfa\x1b[1m\x1b[0m

If I build through the command line, where exactly should I place my wrap.sh file?

My wrap.sh file content:
#!/system/bin/sh
HERE="$(cd "$(dirname "$0")" && pwd)"
# ASAN_OPTIONS is one comma-separated list; a space would make the shell export the rest as a separate variable
export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1,fast_unwind_on_malloc=1
export LD_PRELOAD=$HERE/libclang_rt.asan-aarch64-android.so
exec "$@"

Please confirm whether I can build with AddressSanitizer through the command line.

eugenis commented Jun 24, 2019

@DanAlbert AFAIK gradle does not copy wrap.sh automatically, but if placed in the appropriate directory manually, things should work fine.

DanAlbert commented Jun 25, 2019

That's correct. android/ndk#954 explains the various difficulties with using ASan with wrap.sh right now and how to solve them.

kusumakara commented Jun 26, 2019

Thanks, @eugenis

After adding the flags below to my wrap.sh file, it is working now and printing the AddressSanitizer SUMMARY.

#!/system/bin/sh
HERE="$(cd "$(dirname "$0")" && pwd)"
# color=never keeps ANSI escape sequences out of logcat
export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1,symbolize=1,detect_stack_use_after_return=1,check_initialization_order=true,quarantine_size_mb=64,color=never
export LD_PRELOAD="$HERE/libclang_rt.asan-aarch64-android.so"
exec "$@"
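A small lint for a wrap.sh like the one above, as an added example (not code from this thread or the NDK). It pulls the ASAN_OPTIONS export out of the script, checks that the runtime will actually receive every option (the shell reads `export ASAN_OPTIONS=a=1 b=2` as two separate assignments, so anything after a space becomes its own environment variable and never reaches ASan), and checks for the color=never that stopped the ANSI escapes in logcat earlier in this thread. The wrap.sh text inside the block is constructed for the example.

```python
"""Lint and repair the ASAN_OPTIONS export in an Android wrap.sh.

Added example, not code from this thread. The ASan runtime parses ASAN_OPTIONS
as one comma-separated list of key=value pairs. Two wrap.sh mistakes are
caught here: an option separated from the rest by a space (the shell exports
it as a separate variable, so ASan never sees it) and a missing color=never
(ASan then writes ANSI SGR escapes, which logcat shows as garbage).
"""
import re
import shlex

ASAN_EXPORT = re.compile(r"^(\s*export\s+ASAN_OPTIONS=)(.*)$", re.MULTILINE)

# Constructed sample: a wrap.sh with both mistakes.
BROKEN_WRAP_SH = """#!/system/bin/sh
HERE="$(cd "$(dirname "$0")" && pwd)"
export ASAN_OPTIONS=log_to_syslog=false,allow_user_segv_handler=1 fast_unwind_on_malloc=1
export LD_PRELOAD="$HERE/libclang_rt.asan-aarch64-android.so"
exec "$@"
"""


def _pairs(csv: str):
    """Parse one comma-separated key=value list; returns (pairs, malformed)."""
    pairs, malformed = [], []
    for item in csv.split(","):
        if not item:
            continue
        if "=" not in item:
            malformed.append(item)
            continue
        key, val = item.split("=", 1)
        pairs.append((key, val))
    return pairs, malformed


def asan_options(script: str) -> dict:
    """The options the ASan runtime would actually receive from this wrap.sh:
    only the first shell word after ASAN_OPTIONS= is the variable's value."""
    m = ASAN_EXPORT.search(script)
    words = shlex.split(m.group(2)) if m else []
    return dict(_pairs(words[0] if words else "")[0])


def lint_wrap_sh(script: str) -> list:
    """Return the problems found in the ASAN_OPTIONS line (empty list = clean)."""
    m = ASAN_EXPORT.search(script)
    if not m:
        return ["wrap.sh does not export ASAN_OPTIONS"]
    words = shlex.split(m.group(2))
    problems = []
    if len(words) > 1:  # `export A=x B=y` is two assignments in sh
        problems.append("exported as separate shell variables, not ASan options: "
                        + " ".join(words[1:]))
    pairs, malformed = _pairs(words[0] if words else "")
    problems += [f"option without '=': {item!r}" for item in malformed]
    if dict(pairs).get("color", "auto") != "never":
        problems.append("add color=never: ANSI escapes are not rendered in logcat")
    return problems


def fix_wrap_sh(script: str) -> str:
    """Rewrite the ASAN_OPTIONS line: fold every shell word back into one
    comma-joined list and append color=never if absent. Other lines untouched."""
    def repl(m):
        pairs, _malformed = _pairs(",".join(shlex.split(m.group(2))))
        if "color" not in dict(pairs):
            pairs.append(("color", "never"))
        return m.group(1) + ",".join(f"{k}={v}" for k, v in pairs)
    return ASAN_EXPORT.sub(repl, script, count=1)


if __name__ == "__main__":
    for problem in lint_wrap_sh(BROKEN_WRAP_SH):
        print("wrap.sh:", problem)
    print(fix_wrap_sh(BROKEN_WRAP_SH))
```

Run the lint against the wrap.sh before it is copied into the APK's lib/<abi>/ directory; `fix_wrap_sh` only touches the ASAN_OPTIONS line, so the `exec "$@"` and LD_PRELOAD lines that make wrap.sh work are left exactly as written.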

NitzDKoder commented Jun 27, 2019

@eugenis @DanAlbert
1) https://code.google.com/archive/p/android-ndk-stacktrace-analyzer/wikis/Usage.wiki

2) https://developer.android.com/ndk/guides/ndk-stack

When a NON-ASAN build crashes:

The tools above were tried to get the line number of the crashing function / memory corruption function, but without success.

Please help with this.
Also suggest:

  1. Which NDK version is best for ASan?
  2. Which system (Windows / Mac / Linux) is better for building the NDK (.so) to get backtraces?

Thanks

eugenis commented Jun 28, 2019 via email

@NitzDKoder
@eugenis thanks, addr2line is working with the obj-level shared library (.so), and we are able to see the line numbers now.
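Once the report is in logcat, the remaining work is what the last two comments describe: pull the ASan frames out and feed their module-relative offsets to addr2line against the unstripped .so. The Python below is an added example, not code from the thread or the NDK. The logcat sample inside it is constructed (same `date time L/tag (pid):` layout as the lines quoted earlier, with the \x1b[..m colour escapes ASan emits when color=never is not set); the frame layout `#N 0xPC (/path/libfoo.so+0xOFF)` is what the runtime prints when nothing symbolizes on the device. The unstripped-library directory and the addr2line binary name (here the NDK's `aarch64-linux-android-addr2line`) are caller-supplied assumptions.

```python
"""Extract an AddressSanitizer report from logcat and build addr2line commands.

Added example, not code from this thread or the NDK. Handles the two things
that get in the way on Android: the logcat prefix on every line and the ANSI
colour escapes ASan writes unless color=never is set.
"""
import os
import re

ANSI_SGR = re.compile(r"\x1b\[[0-9;]*m")
# "06-24 18:10:11.672 I/wrap.sh (12767): " style prefix
LOGCAT_PREFIX = re.compile(r"^\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+[A-Z]/[^(]*\(\s*\d+\):\s?")
REPORT_START = re.compile(r"^==\d+==ERROR: AddressSanitizer:")
# Unsymbolized frame: "#0 0x7c3f1a2b43  (/path/libnative.so+0x2b43)"
FRAME = re.compile(r"#(\d+)\s+0x([0-9a-fA-F]+)\s+\((\S+?)\+0x([0-9a-fA-F]+)\)")

# Constructed sample: an ASan heap-buffer-overflow as it appears in logcat when
# the app was started through wrap.sh without color=never.
SAMPLE_LOGCAT = (
    "06-24 18:10:11.670 I/wrap.sh (12767): =================================================================\n"
    "06-24 18:10:11.671 I/wrap.sh (12767): \x1b[1m\x1b[31m==12767==ERROR: AddressSanitizer: "
    "heap-buffer-overflow on address 0x00410b2c001a at pc 0x007c3f1a2b44 bp 0x007fd1c4b2e0 sp 0x007fd1c4b2d8\x1b[1m\x1b[0m\n"
    "06-24 18:10:11.671 I/wrap.sh (12767): WRITE of size 1 at 0x00410b2c001a thread T0\n"
    "06-24 18:10:11.672 I/wrap.sh (12767):     #0 0x7c3f1a2b43  (/data/app/com.example.app-1/lib/arm64/libnative.so+0x2b43)\n"
    "06-24 18:10:11.672 I/wrap.sh (12767):     #1 0x7c3f1a2d17  (/data/app/com.example.app-1/lib/arm64/libnative.so+0x2d17)\n"
    "06-24 18:10:11.672 I/wrap.sh (12767):     #2 0x7c5a0c1f0b  (/apex/com.android.runtime/lib64/libart.so+0x1c1f0b)\n"
    "06-24 18:10:11.673 I/wrap.sh (12767): SUMMARY: AddressSanitizer: heap-buffer-overflow "
    "(/data/app/com.example.app-1/lib/arm64/libnative.so+0x2b43)\n"
    "06-24 18:10:11.680 I/ActivityManager(  912): Process com.example.app (pid 12767) has died\n"
)


def clean_logcat_line(line: str) -> str:
    """Drop the logcat prefix and any ANSI colour escapes."""
    return ANSI_SGR.sub("", LOGCAT_PREFIX.sub("", line.rstrip("\n")))


def extract_asan_report(logcat_text: str) -> list:
    """Cleaned lines from the ==PID==ERROR header through the SUMMARY line."""
    report, inside = [], False
    for raw in logcat_text.splitlines():
        line = clean_logcat_line(raw)
        if not inside and REPORT_START.match(line):
            inside = True
        if inside:
            report.append(line)
            if line.startswith("SUMMARY: AddressSanitizer"):
                break
    return report


def parse_frames(report: list) -> list:
    """Frame number, absolute pc, module path and module-relative offset."""
    frames = []
    for line in report:
        m = FRAME.search(line)
        if m:
            frames.append({"frame": int(m.group(1)), "pc": int(m.group(2), 16),
                           "module": m.group(3), "offset": int(m.group(4), 16)})
    return frames


def addr2line_commands(frames: list, unstripped_dir: str,
                       addr2line: str = "aarch64-linux-android-addr2line",
                       libs: set = None) -> list:
    """One addr2line invocation per frame against the unstripped copy of the
    module (e.g. ndk-build's obj/local/<abi>/). `libs` restricts output to the
    app's own libraries; system libraries have no debug info to look up."""
    cmds = []
    for f in frames:
        base = os.path.basename(f["module"])
        if libs and base not in libs:
            continue
        lib = os.path.join(unstripped_dir, base)
        cmds.append(f"{addr2line} -C -f -i -e {lib} 0x{f['offset']:x}")
    return cmds


if __name__ == "__main__":
    rep = extract_asan_report(SAMPLE_LOGCAT)
    print("\n".join(rep))
    for cmd in addr2line_commands(parse_frames(rep), "obj/local/arm64-v8a", libs={"libnative.so"}):
        print(cmd)
```

The offset inside the parentheses is already relative to the module's load base, so it goes to addr2line unchanged; the absolute pc is only meaningful together with the load address from the process's maps. `-C -f -i` asks addr2line for demangled function names and inlined frames, which is where the line number of the corrupting call usually ends up.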

eugenis closed this as completed Jul 11, 2019