AddressSanitizer app_process32 crash on Android L MR1 release code #620

Closed
sksam1987 opened this issue Nov 4, 2015 · 9 comments

@sksam1987

Hi,
I'm trying to debug my Android app, which loads a shared library (JNI native code).
Following the steps at https://source.android.com/devices/tech/debug/asan.html#addresssanitizer_in_the_apps
except that I compiled app_process and my shared library (JNI code) with -fsanitize=address -fno-omit-frame-pointer and NDK_TOOLCHAIN_VERSION=clang3.5

But on boot-up app_process32 / libclang_rt.asan_arm_android.so is crashing.
Below is the trace:
#00 pc 00000000
#1 pc 0004d9a9 /system/lib/libclang_rt.asan_arm_android.so
#2 pc 0004d94d /system/lib/libclang_rt.asan_arm_android.so
#3 pc 00047c5b /system/lib/libclang_rt.asan_arm_android.so
#4 pc 00019025 /system/lib/libclang_rt.asan_arm_android.so (__interceptor_prctl+112)
#5 pc 00001430 /system/bin/app_process32
#6 pc 0000fb79 /system/lib/libc.so (__libc_init+44)
#7 pc 00001358 /system/bin/app_process32

Any help in this regard is appreciated.
Thanks.

@eugenis
Contributor

eugenis commented Nov 4, 2015

Hi,

https://source.android.com/devices/tech/debug/asan.html#addresssanitizer_in_the_apps

this is the recipe for building bundled (i.e. AOSP in-tree) apps with ASan. If you are building a usual, standalone application you should follow the link in the "Purpose" section:

https://github.com/google/sanitizers/wiki/AddressSanitizerOnAndroid

That one does not require an AOSP checkout - all the necessary parts are found in the NDK distribution.


@sksam1987
Author

Hi, thanks for the info!
Earlier I was trying to run ASAN on 5.0 (< L MR1).

I changed the device; now my process is coming up with ASAN, but it is not detecting the heap-use-after-free scenario below in my code:

int* p = (int *)malloc(100);
free(p);
return p[1];

My flags are ASAN_OPTIONS=debug=1,start_deactivated=1,alloc_dealloc_mismatch=0,abort_on_error=1,verbosity=1,allow_user_segv_handler=1

Do I need to append any extra flags to ASAN_OPTIONS to get this to work?

Thanks.

@eugenis
Contributor

eugenis commented Nov 5, 2015

Your malloc is probably optimized away, sometimes this makes ASan miss such "trivial" bugs. Try building without optimization, or replacing int *p with int *volatile p.


@sksam1987
Author

Hi Eugenis,
I tried using volatile and removing the compiler optimisations, but ASAN could not detect heap corruptions. Then I introduced stack corruption (array buffer overflow); this time the program counter has become invalid. I used the runtime lib (libclang_rt.asan-arm-android.so) from NDK r10d.
Am I missing anything? And can ASAN run on ARM64 Android currently?

: ==4394==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x00000000 bp 0x8dc1faf0 sp 0x8d0fee30 T193)
: ==4394==Hint: pc points to the zero page.
: AddressSanitizer can not provide additional info.
: SUMMARY: AddressSanitizer: SEGV ??:0 ??

#0 0xb6afc13b (/system/lib/libclang_rt.asan-arm-android.so+0x4c13b)
#1 0xafd2b68f (/system/lib/libart.so+0x25968f)
==4394==ABORTING
Fatal signal 6 (SIGABRT), code -6 in tid 4603 (ServiceModule)

Thanks.

@eugenis
Contributor

eugenis commented Nov 10, 2015

Could you provide a test case and reproduction instructions? I'm not sure what's going wrong here.


@sksam1987
Author

Hi Eugenis,
Below are the two code snippets on my Android device.

  1. abc[101]=1 is the stack buffer overflow I introduced in Code Snippet 1, and ASAN is crashing
    (crash log snippets in my previous comments).
  2. Heap double free and use-after-free are not detected in Code Snippet 2.

Code Snippet - 1

int* volatile p = (int *)malloc(100);
int abc[100];
<< Log Print1 >>
abc[101]=1;
<< Log Print2 >>
free(p);

return p[1];

Code Snippet - 2

int* volatile p = (int *)malloc(100);
free(p);
free(p);

return p[1];

Thanks.

@eugenis
Contributor

eugenis commented Nov 11, 2015

I actually need something that I could run and see the problem locally. Like device type & build number, NDK/SDK version, Android.mk contents. Did you run asan_device_setup before starting the application?


@bending1

@sksam1987 Did you use ASan on a shared library successfully?

#732

This is my problem. Can you give me some advice? Thanks~

@morehouse
Contributor

No response from @sksam1987 for 2 years. Closing.
