zel*_*ell 5 security sanitizer gsl ubsan
With the undefined behaviour sanitizer enabled, I get the following runtime error in the GNU Scientific Library (GSL):

```
deque.c:58:11: runtime error: member access within misaligned address 0x0000024010f4 for type 'struct deque', which requires 8 byte alignment
0x0000024010f4: note: pointer points here
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
deque.c:59:11: runtime error: member access within misaligned address 0x0000024010f4 for type 'struct deque', which requires 8 byte alignment
0x0000024010f4: note: pointer points here
00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
deque.c:60:11: runtime error: member access within misaligned address 0x0000024010f4 for type 'struct deque', which requires 8 byte alignment
0x0000024010f4: note: pointer points here
00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
deque.c:61:12: runtime error: member access within misaligned address 0x0000024010f4 for type 'struct deque', which requires 8 byte alignment
0x0000024010f4: note: pointer points here
00 00 00 00 ff ff ff ff 00 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
```
But I don't know what causes these errors, or how to fix them. Could someone help explain? Also, is this an important issue that should be raised with the developers (for example, could this bug be used in a security attack)?

The source code of `deque.c` can be found here; the lines relevant to the runtime error are shown below (the errors occur at lines 58, 59, 60 and 61).

The definition of `deque` is here, in the same file:

[Added] The code that calls `deque_init` is as follows, in `mmacc.c` in GSL's movstat library:
```c
static int
mmacc_init(const size_t n, void * vstate)
{
  mmacc_state_t * state = (mmacc_state_t *) vstate;

  state->n = n;
  state->k = 0;
  state->xprev = 0.0;

  /* the ring buffer and the two deques are carved out of one workspace,
     each placed immediately after the previous one */
  state->rbuf = (ringbuf *) ((unsigned char *) vstate + sizeof(mmacc_state_t));
  state->minque = (deque *) ((unsigned char *) state->rbuf + ringbuf_size(n));
  state->maxque = (deque *) ((unsigned char *) state->minque + deque_size(n + 1));

  ringbuf_init(n, state->rbuf);
  deque_init(n + 1, state->minque);
  deque_init(n + 1, state->maxque);

  return GSL_SUCCESS;
}
```
The `ringbuf_size` function used in the code above refers to the following code in `ringbuf.c` in GSL's movstat library:
```c
static size_t
ringbuf_size(const size_t n)
{
  size_t size = 0;

  size += sizeof(ringbuf);
  size += n * sizeof(ringbuf_type_t); /* b->array */

  return size;
}
```
小智 3
I'm not very familiar with this library, but this is why you are getting the error.

```
deque.c:58:11: runtime error: member access within misaligned address 0x0000024010f4 for type 'struct deque', which requires 8 byte alignment
0x0000024010f4: note: pointer points here
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
```
We can see that the pointer is indeed off by 4. Let's find out why.

The pointer comes from:

```c
state->minque = (deque *) ((unsigned char *) state->rbuf + ringbuf_size(n));
```
From this we can tell that either `state->rbuf` is misaligned, or the value returned by `ringbuf_size` is not aligned to 8. With a quick test we can see that `ringbuf_size` does indeed return misaligned values. With a simple program I printed `n`, `sizeof(ringbuf)`, `n * sizeof(ringbuf_type_t)` and the final result:
```
 0 24 +  0 = 24
 1 24 +  4 = 28
 2 24 +  8 = 32
 3 24 + 12 = 36
 4 24 + 16 = 40
 5 24 + 20 = 44
 6 24 + 24 = 48
 7 24 + 28 = 52
 8 24 + 32 = 56
 9 24 + 36 = 60
10 24 + 40 = 64
11 24 + 44 = 68
12 24 + 48 = 72
13 24 + 52 = 76
14 24 + 56 = 80
15 24 + 60 = 84
```
As you can see, if you use an odd number as the size (5 in your case), you get a misaligned pointer. The reason is:
```
sizeof(size_t) = 8
sizeof(ringbuf_type_t) = 4
```
An example fix could be to add an alignment adjustment to the `ringbuf_size` function. That way the results become:
```
 0 24 +  0 = 24
 1 24 +  4 = 32
 2 24 +  8 = 32
 3 24 + 12 = 40
 4 24 + 16 = 40
 5 24 + 20 = 48
 6 24 + 24 = 48
 7 24 + 28 = 56
 8 24 + 32 = 56
 9 24 + 36 = 64
10 24 + 40 = 64
11 24 + 44 = 72
12 24 + 48 = 72
13 24 + 52 = 80
14 24 + 56 = 80
15 24 + 60 = 88
```
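The following is an added, self-contained C program (not GSL's code and not the answerer's test program) that reproduces both tables above and shows why the carved-out `deque` lands on a misaligned address. The `ringbuf`, `ringbuf_type_t` and `deque` types are constructed stand-ins chosen so that `sizeof(ringbuf)` is 24 and `sizeof(ringbuf_type_t)` is 4 on an LP64 platform, matching the values quoted in the answer; the rounding step in `ringbuf_size_aligned` is an assumption that reproduces the answer's second table, not the exact line the answer added. `minque_is_aligned` mimics the pointer arithmetic in `mmacc_init` on an 8-byte aligned workspace and reports whether the resulting `deque *` satisfies the alignment ubsan checks for.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the GSL types (not GSL's definitions).
 * Chosen so that sizeof(ringbuf) == 24 and sizeof(ringbuf_type_t) == 4
 * on LP64, the values quoted in the answer. */
typedef int ringbuf_type_t;
typedef struct {
    size_t head;
    size_t size;
    size_t n;
    /* the ringbuf_type_t array[] is stored right after the struct */
} ringbuf;

typedef struct {
    size_t head;
    size_t tail;
    size_t size;
} deque;                     /* needs 8-byte alignment, as ubsan reported */

/* The size computation as quoted from ringbuf.c: header plus n elements,
 * with no padding at the end. */
size_t ringbuf_size_unaligned(size_t n)
{
    return sizeof(ringbuf) + n * sizeof(ringbuf_type_t);
}

/* Round size up to a multiple of align (align must be a power of two). */
static size_t round_up(size_t size, size_t align)
{
    return (size + align - 1) & ~(align - 1);
}

/* Assumed fix: same size, rounded up so that whatever is carved out next
 * (the deque) starts on an alignof(deque) boundary. */
size_t ringbuf_size_aligned(size_t n)
{
    return round_up(ringbuf_size_unaligned(n), alignof(deque));
}

/* Simulate mmacc_init's pointer carving on an 8-byte aligned workspace.
 * Returns 1 if the deque placed after the ringbuf is correctly aligned,
 * 0 if ubsan would flag it, -1 if n does not fit the constructed buffer. */
int minque_is_aligned(size_t n, int use_padded_size)
{
    static alignas(8) unsigned char workspace[4096];   /* constructed base */
    size_t rb = use_padded_size ? ringbuf_size_aligned(n)
                                : ringbuf_size_unaligned(n);
    if (rb > sizeof workspace)
        return -1;
    unsigned char *minque = workspace + rb;  /* cast to (deque *) in mmacc_init */
    return ((uintptr_t) minque % alignof(deque)) == 0;
}

int main(void)
{
    for (size_t n = 0; n <= 15; n++)
        printf("n=%2zu  unpadded=%3zu (aligned:%d)  padded=%3zu (aligned:%d)\n",
               n, ringbuf_size_unaligned(n), minque_is_aligned(n, 0),
               ringbuf_size_aligned(n), minque_is_aligned(n, 1));
    return 0;
}
```

Every odd `n` yields an unpadded size of the form 24 + 4·odd, which is 4 mod 8, so the `deque` that follows is misaligned; the padded variant is always a multiple of 8. On x86 such misaligned loads usually execute anyway, which is why the bug only surfaces under ubsan, but on strict-alignment targets they fault, so the practical risk is a crash rather than silent corruption.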