Open gamebaker opened 4 years ago
See https://developer.android.com/ndk/guides/asan for the recommended way of using ASan with Android apps.
On Sun, Oct 20, 2019 at 7:56 PM gamebaker notifications@github.com wrote:
Hi, I'm using ASan as a shared library on a rooted Android phone, with the LD_PRELOAD method, by the following steps:
- Copy "/system/bin/app_process64" to "app_process64.real";
- Replace the original "app_process64" file with a bash script:
  #!/system/bin/sh
  export ASAN_OPTIONS=start_deactivated=1,alloc_dealloc_mismatch=0,malloc_context_size=0,allow_user_segv_handler=1,halt_on_error=1
  export LD_PRELOAD=/data/libclang_rt.asan-aarch64-android.so
  exec /system/bin/app_process64.real "$@"
- Launch the target app with the command line: am start -n com.test.librarytest/.MainActivity
The system works, but it always ends up with an error:
root@A33:/ # am start -n com.test.librarytest/.MainActivity
WARNING: linker: /data/libclang_rt.asan-aarch64-android.so: unused DT entry: type 0x6ffffef5 arg 0x10d30
WARNING: linker: /data/libclang_rt.asan-aarch64-android.so: unused DT entry: type 0x6ffffffe arg 0x163c4
WARNING: linker: /data/libclang_rt.asan-aarch64-android.so: unused DT entry: type 0x6fffffff arg 0x3
==27966==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x0055bc37a9b0 in thread T0
    #0 0x7f99b752db (/data/libclang_rt.asan-aarch64-android.so+0x682db)
    #1 0x7f98689eef (/system/lib64/libselinux.so+0x5eef)
    #2 0x7f98689403 (/system/lib64/libselinux.so+0x5403)
    #3 0x7f99a3ce5f (/system/lib64/libandroid_runtime.so+0xd3e5f)
    #4 0x7f999fa17f (/system/lib64/libandroid_runtime.so+0x9117f)
    #5 0x7f999fa32b (/system/lib64/libandroid_runtime.so+0x9132b)
    #6 0x5589e96eaf (/system/bin/app_process64.real+0x1eaf)
    #7 0x7f99877507 (/system/lib64/libc.so+0x13507)
    #8 0x5589e9727b (/system/bin/app_process64.real+0x227b)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free (/data/libclang_rt.asan-aarch64-android.so+0x682db)
==27966==ABORTING
1|root@A33:/ #
I assume Android allocates some memory before ASan is loaded and then frees it in ASan, which causes this problem, but I don't know how to fix it. I've been stuck here for a while, so any suggestions?
This is a reasonable assumption. I also don't know how this could happen. Try symbolizing the stack trace, and if possible understanding where the corresponding memory allocation is done. Try adding verbosity=2,debug=1 to ASAN_OPTIONS.
What Android version is this? There was a reallocarray() function added to bionic at some point; without a corresponding change in compiler-rt you'd get exactly this type of crash.
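Following the suggestion above to symbolize the trace: the report names a module and an offset for every frame, so each offset can be resolved against a copy of that module pulled off the device. The script below is an added example, not code from this thread or from the sanitizers project. It assumes llvm-symbolizer (shipped in the NDK's LLVM toolchain) is on PATH, that the pulled modules live in LIBDIR, and it uses a constructed subset of the frames quoted above as its input.

```sh
#!/bin/sh
# Added example, not code from the issue thread or the sanitizers project.
# Symbolizes an unsymbolized Android ASan report offline: each frame names a
# module and an offset, so the offset is looked up in a copy of that module
# pulled from the device. Assumes llvm-symbolizer (part of the NDK's LLVM
# toolchain) is on PATH and that LIBDIR holds the pulled modules.
LIBDIR="${LIBDIR:-./device-libs}"

# Constructed input: a subset of the frames quoted in the issue, in the
# "#N 0xPC (module+0xOFFSET)" layout ASan prints.
REPORT='    #0 0x7f99b752db (/data/libclang_rt.asan-aarch64-android.so+0x682db)
    #1 0x7f98689eef (/system/lib64/libselinux.so+0x5eef)
    #2 0x7f98689403 (/system/lib64/libselinux.so+0x5403)
    #3 0x7f99a3ce5f (/system/lib64/libandroid_runtime.so+0xd3e5f)
    #6 0x5589e96eaf (/system/bin/app_process64.real+0x1eaf)'

# parse_frames REPORT: print one "N module offset" line per frame.
parse_frames() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*#\([0-9][0-9]*\) 0x[0-9a-f]* (\([^+)]*\)+\(0x[0-9a-f]*\)).*/\1 \2 \3/p'
}

# modules REPORT: the distinct on-device paths the report references.
modules() {
    parse_frames "$1" | awk '{ print $2 }' | sort -u
}

# pull_modules REPORT [-n]: copy each referenced module off the device with
# adb; with -n only print the commands (dry run, no device needed).
pull_modules() {
    mkdir -p "$LIBDIR"
    modules "$1" | while read -r path; do
        if [ "$2" = "-n" ]; then
            echo "adb pull $path $LIBDIR/"
        else
            adb pull "$path" "$LIBDIR/"
        fi
    done
}

# symbolize REPORT: resolve each frame against the pulled copy of its module.
# Frames whose module has not been pulled are printed as unresolved rather
# than dropped, so gaps in the output stay visible.
symbolize() {
    parse_frames "$1" | while read -r n module offset; do
        local_copy="$LIBDIR/$(basename "$module")"
        if [ -f "$local_copy" ]; then
            # llvm-symbolizer prints "function" then "file:line" per address
            sym=$(llvm-symbolizer --obj="$local_copy" "$offset" | tr '\n' ' ')
        else
            sym="<unresolved: $local_copy not pulled>"
        fi
        printf '#%s %s+%s %s\n' "$n" "$(basename "$module")" "$offset" "$sym"
    done
}

symbolize "$REPORT"
```

Run `pull_modules "$REPORT"` once with the device attached, then `symbolize "$REPORT"` with the real report text. On a device this old the paths are plain /system/lib64 entries; the ASan runtime itself resolves against the copy you pushed to /data, which tells you which interceptor raised the report.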
@DanAlbert The wrap.sh way is only available for API level 27 and above, but the device for testing is Android 5.1.1, so doesn't work here, sigh. Thanks for replying.
@eugenis The Android version is 5.1.1. By "corresponding change in compiler-rt" do you mean the compile of ASan, or the compile of Android? I've tried adding verbosity=2,debug=1 to ASAN_OPTIONS, but it gives the same log, nothing changed. I'm kind of a newbie to this, so I'm going to try symbolizing the stack trace to make some progress; hope I can figure this out. Thanks for replying, it helps.
5.1.1 is L-MR1, which should be good enough for ASan (but barely!). Nothing really comes to mind. Your best bet would be to figure out which malloc call this memory comes from, and then why it has not been intercepted.
I presume you've seen this old documentation: https://github.com/google/sanitizers/wiki/AddressSanitizerOnAndroid/01f8df1ac1a447a8475cdfcb03e8b13140042dbd
You can try the script, but it does almost exactly what you are doing: https://github.com/llvm/llvm-project/blob/master/compiler-rt/lib/asan/scripts/asan_device_setup
Hi, I encountered a similar issue: a chunk of memory was malloced by /apex/com.android.runtime/lib64/bionic/libc.so, but freed by /system/lib64/libclang_rt.asan-aarch64-android.so. The memory was malloced here: https://android.googlesource.com/platform/bionic/+/master/libc/bionic/__cxa_thread_atexit_impl.cpp#36 Any suggestions would be appreciated. Thanks!
Hi, I encountered a similar issue: I've noticed a pattern: if during the initialization of a static variable, the assigned value is an object created with 'new' from bionic, this issue occurs.