google / sanitizers

AddressSanitizer, ThreadSanitizer, MemorySanitizer

Using ASan on Android with LD_PRELOAD #1154

Open gamebaker opened 4 years ago

gamebaker commented 4 years ago

Hi, I'm using ASan as a shared library on a rooted Android phone, with the LD_PRELOAD method, by the following steps:

  1. Copy "system/bin/app_process64" to "app_process64.real";
  2. Replace the original "app_process64" file with a bash script:
    #!/system/bin/sh
    export ASAN_OPTIONS=start_deactivated=1,alloc_dealloc_mismatch=0,malloc_context_size=0,allow_user_segv_handler=1,halt_on_error=1
    export LD_PRELOAD=/data/libclang_rt.asan-aarch64-android.so
    exec /system/bin/app_process64.real "$@"
  3. Launch the target app with the command line:
    am start -n com.test.librarytest/.MainActivity

The system works, but it always ends up with an error:

    root@A33:/ # am start -n com.test.librarytest/.MainActivity
    WARNING: linker: /data/libclang_rt.asan-aarch64-android.so: unused DT entry: type 0x6ffffef5 arg 0x10d30
    WARNING: linker: /data/libclang_rt.asan-aarch64-android.so: unused DT entry: type 0x6ffffffe arg 0x163c4
    WARNING: linker: /data/libclang_rt.asan-aarch64-android.so: unused DT entry: type 0x6fffffff arg 0x3
    =================================================================
    ==27966==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x0055bc37a9b0 in thread T0
    #0 0x7f99b752db  (/data/libclang_rt.asan-aarch64-android.so+0x682db)
    #1 0x7f98689eef  (/system/lib64/libselinux.so+0x5eef)
    #2 0x7f98689403  (/system/lib64/libselinux.so+0x5403)
    #3 0x7f99a3ce5f  (/system/lib64/libandroid_runtime.so+0xd3e5f)
    #4 0x7f999fa17f  (/system/lib64/libandroid_runtime.so+0x9117f)
    #5 0x7f999fa32b  (/system/lib64/libandroid_runtime.so+0x9132b)
    #6 0x5589e96eaf  (/system/bin/app_process64.real+0x1eaf)
    #7 0x7f99877507  (/system/lib64/libc.so+0x13507)
    #8 0x5589e9727b  (/system/bin/app_process64.real+0x227b)
    AddressSanitizer can not describe address in more detail (wild memory access suspected).
    SUMMARY: AddressSanitizer: bad-free (/data/libclang_rt.asan-aarch64-android.so+0x682db)
    ==27966==ABORTING
    1|root@A33:/ #

I assume Android allocates some memory before ASan is loaded and then frees it in ASan, which causes this problem, but I don't know how to fix it. I've been stuck here for a while, so any suggestions?

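Steps 1 and 2 above as a POSIX sh helper, added here as an example; it is not part of the original post or of the sanitizers project. The runtime path and ASAN_OPTIONS are the ones from the post. The ROOT argument is an assumption added so the helper can be dry-run against a scratch directory on a host (on the device it is `/`). The one thing it adds over the manual steps is a guard against being run twice: a second copy of "app_process64" to "app_process64.real" would overwrite the backup with the wrapper itself, leaving nothing real for the wrapper to exec.

```shell
#!/bin/sh
# Added example: install/remove the LD_PRELOAD wrapper for app_process64.
# Not the sanitizers project's code and not asan_device_setup.

ASAN_RT="${ASAN_RT:-/data/libclang_rt.asan-aarch64-android.so}"   # path used in the post
ASAN_OPTS="${ASAN_OPTS:-start_deactivated=1,alloc_dealloc_mismatch=0,malloc_context_size=0,allow_user_segv_handler=1,halt_on_error=1}"

# install_wrapper ROOT
# Keeps the real binary as app_process64.real and writes a sh wrapper in its place.
# Refuses to run if a backup already exists or if app_process64 is already a script,
# so a repeated run cannot clobber the real binary.
install_wrapper() {
    root="${1%/}"                      # ROOT is an assumption; "/" on the device
    bin="$root/system/bin/app_process64"
    real="$bin.real"
    [ -f "$bin" ] || { echo "$bin not found" >&2; return 1; }
    if [ -e "$real" ]; then
        echo "backup $real already exists; refusing to overwrite it" >&2
        return 1
    fi
    # First two bytes "#!" mean it is already the wrapper, not an ELF binary.
    if dd if="$bin" bs=2 count=1 2>/dev/null | grep -q '^#!'; then
        echo "$bin is already a script, not the real binary" >&2
        return 1
    fi
    cp "$bin" "$real" && chmod 755 "$real" || return 1
    # "$@" is quoted so arguments containing spaces reach the real binary intact.
    printf '#!/system/bin/sh\nexport ASAN_OPTIONS=%s\nexport LD_PRELOAD=%s\nexec %s "$@"\n' \
        "$ASAN_OPTS" "$ASAN_RT" "$real" > "$bin" || return 1
    chmod 755 "$bin"
}

# uninstall_wrapper ROOT
# Puts the real binary back; fails if there is no backup to restore.
uninstall_wrapper() {
    root="${1%/}"
    bin="$root/system/bin/app_process64"
    [ -e "$bin.real" ] || { echo "no backup at $bin.real" >&2; return 1; }
    mv "$bin.real" "$bin"
}

# Usage on the device (as root, after remounting /system writable):
#   sh asan_wrap.sh install      sh asan_wrap.sh uninstall
case "${1:-}" in
    install)   install_wrapper /   ;;
    uninstall) uninstall_wrapper / ;;
esac
```

Run it with a scratch ROOT first (for example a copy of /system/bin pulled from the device) to see exactly which wrapper is written before touching the device.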
DanAlbert commented 4 years ago

See https://developer.android.com/ndk/guides/asan for the recommended way of using ASan with Android apps.

eugenis commented 4 years ago

On Sun, Oct 20, 2019 at 7:56 PM gamebaker notifications@github.com wrote (quoting the original post above):
This is a reasonable assumption. I also don't know how this could happen. Try symbolizing the stack trace and, if possible, understand where the corresponding memory allocation is done. Try adding verbosity=2,debug=1 to ASAN_OPTIONS.

What Android version is this? There was a reallocarray() function added to bionic at some point; without a corresponding change in compiler-rt you'd get exactly this type of crash.

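One way to act on "try symbolizing the stack trace", added here as an example and not part of the thread or the sanitizers project: a POSIX sh script that pulls the module and offset out of each `#N pc (module+offset)` frame of a report like the one in the original post and asks llvm-symbolizer (or addr2line) for the function and line, using a local directory of device libraries. The directory layout (libraries stored by basename, as `adb pull /system/lib64/libselinux.so libs/` leaves them) is an assumption; the report lines used in the comments are the ones from the post.

```shell
#!/bin/sh
# Added example: symbolize ASan report frames offline against pulled device libraries.
# Assumed: LIBDIR holds copies of the device libraries by basename (adb pull). Stripped
# system libraries yield no function names, so use unstripped copies where available.

# extract_frames: read an ASan report on stdin, print "N module offset" for each frame, e.g.
#   "    #1 0x7f98689eef  (/system/lib64/libselinux.so+0x5eef)" -> "1 /system/lib64/libselinux.so 0x5eef"
extract_frames() {
    sed -n 's/^[[:space:]]*#\([0-9][0-9]*\)[[:space:]]*0x[0-9a-fA-F]*[[:space:]]*(\([^+)]*\)+\(0x[0-9a-fA-F]*\)).*/\1 \2 \3/p'
}

# symbolize LIBDIR < report
# For every frame, looks for LIBDIR/<basename of module>; if a symbolizer is installed,
# resolves the module-relative offset to function (and file:line); otherwise prints the
# raw module+offset so the frame is still attributable to a library.
symbolize() {
    libdir="$1"
    extract_frames | while read -r n mod off; do
        local_obj="$libdir/$(basename "$mod")"
        if [ -f "$local_obj" ] && command -v llvm-symbolizer >/dev/null 2>&1; then
            # llvm-symbolizer prints "function", then "file:line", then a blank line
            sym=$(llvm-symbolizer --obj="$local_obj" "$off" | head -n 2 | tr '\n' ' ')
        elif [ -f "$local_obj" ] && command -v addr2line >/dev/null 2>&1; then
            sym=$(addr2line -f -C -e "$local_obj" "$off" | tr '\n' ' ')
        else
            sym="(no local copy or symbolizer)"
        fi
        printf '#%s %s+%s %s\n' "$n" "$(basename "$mod")" "$off" "$sym"
    done
}

# Usage: sh asan_frames.sh libs/ < report.txt
if [ -n "${1:-}" ]; then
    symbolize "$1"
fi
```

On the report in the original post this attributes frames #1 and #2 to libselinux.so and #3 to #5 to libandroid_runtime.so; with symbols for those two libraries the output names the function that calls free(), which is the place to start looking for the matching allocation.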

gamebaker commented 4 years ago

@DanAlbert The wrap.sh way is only available for API level 27 and above, but the device for testing is Android 5.1.1, so it doesn't work here, sigh. Thanks for replying.

gamebaker commented 4 years ago

@eugenis The Android version is 5.1.1. By "corresponding change in compiler-rt" do you mean the compile of ASan, or the compile of Android? I've tried adding verbosity=2,debug=1 to ASAN_OPTIONS, but it gives the same log, nothing changed. I'm kind of a newbie to this, so I'm gonna try symbolizing the stack trace to make some progress; hope I can figure this out. Thanks for replying, it helps.

eugenis commented 4 years ago

On Mon, Oct 21, 2019 at 6:31 PM gamebaker notifications@github.com wrote (quoting the exchange above):

5.1.1 is L-MR1, which should be good enough for ASan (but barely!). Nothing really comes to mind. Your best bet would be to figure out which malloc call this memory comes from, and then why it has not been intercepted.

I presume you've seen this old documentation: https://github.com/google/sanitizers/wiki/AddressSanitizerOnAndroid/01f8df1ac1a447a8475cdfcb03e8b13140042dbd

You can try the script, but it does almost exactly what you are doing: https://github.com/llvm/llvm-project/blob/master/compiler-rt/lib/asan/scripts/asan_device_setup


Enna1 commented 1 year ago

Hi, I encountered a similar issue: a chunk of memory was malloced by /apex/com.android.runtime/lib64/bionic/libc.so, but freed by /system/lib64/libclang_rt.asan-aarch64-android.so. The memory was malloced here: https://android.googlesource.com/platform/bionic/+/master/libc/bionic/__cxa_thread_atexit_impl.cpp#36. Any suggestions would be appreciated. Thanks!

linux-xhyang commented 8 months ago

Hi, I encountered a similar issue: I've noticed a pattern: if during the initialization of a static variable, the assigned value is an object created with 'new' from bionic, this issue occurs.