mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
update 4.3_gcc_arg.md
This commit is contained in:
parent
fb43a1a168
commit
182316d0b6
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
- [常用选择](#常用选项)
|
- [常用选择](#常用选项)
|
||||||
- [Address sanitizer](#address-sanitizer)
|
- [Address sanitizer](#address-sanitizer)
|
||||||
|
- [mcheck](#mcheck)
|
||||||
- [参考资料](#参考资料)
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
@ -100,5 +101,62 @@ Shadow byte legend (one shadow byte represents 8 application bytes):
|
|||||||
参考:https://en.wikipedia.org/wiki/AddressSanitizer
|
参考:https://en.wikipedia.org/wiki/AddressSanitizer
|
||||||
|
|
||||||
|
|
||||||
|
## mcheck
|
||||||
|
利用 mcheck 可以实现堆内存的一致性状态检查。其定义在 `/usr/include/mcheck.h`,是一个 GNU 扩展函数,原型如下:
|
||||||
|
```c
|
||||||
|
#include <mcheck.h>
|
||||||
|
|
||||||
|
int mcheck(void (*abortfunc)(enum mcheck_status mstatus));
|
||||||
|
```
|
||||||
|
可以看到参数是一个函数指针,但检查到堆内存异常时,通过该指针调用 abortfunc 函数,同时传入一个 mcheck_status 类型的参数。
|
||||||
|
|
||||||
|
举个例子,下面的程序存在 double-free 的问题:
|
||||||
|
```c
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
void main() {
|
||||||
|
char *p;
|
||||||
|
p = malloc(1000);
|
||||||
|
fprintf(stderr, "About to free\n");
|
||||||
|
free(p);
|
||||||
|
fprintf(stderr, "About to free a second time\n");
|
||||||
|
free(p);
|
||||||
|
fprintf(stderr, "Finish\n");
|
||||||
|
}
|
||||||
|
```
|
||||||
|
通过设置参数 `-lmcheck` 来链接 mcheck 函数:
|
||||||
|
```
|
||||||
|
$ gcc -lmcheck mcheck.c
|
||||||
|
$ ./a.out
|
||||||
|
About to free
|
||||||
|
About to free a second time
|
||||||
|
block freed twice
|
||||||
|
Aborted (core dumped)
|
||||||
|
```
|
||||||
|
|
||||||
|
还可以通过设置环境变量 `MALLOC_CHECK_` 来实现,这样就不需要重新编译程序。
|
||||||
|
```
|
||||||
|
$ gcc mcheck.c
|
||||||
|
$ #检查到错误时不作任何提示
|
||||||
|
$ MALLOC_CHECK_=0 ./a.out
|
||||||
|
About to free
|
||||||
|
About to free a second time
|
||||||
|
Finish
|
||||||
|
$ #检查到错误时打印一条信息到标准输出
|
||||||
|
$ MALLOC_CHECK_=1 ./a.out
|
||||||
|
About to free
|
||||||
|
About to free a second time
|
||||||
|
*** Error in `./a.out': free(): invalid pointer: 0x0000000001fb9010 ***
|
||||||
|
Finish
|
||||||
|
$ #检查到错误时直接中止程序
|
||||||
|
$ MALLOC_CHECK_=2 ./a.out
|
||||||
|
About to free
|
||||||
|
About to free a second time
|
||||||
|
Aborted (core dumped)
|
||||||
|
```
|
||||||
|
具体参考 `man 3 mcheck` 和 `man 3 mallopt`。
|
||||||
|
|
||||||
|
|
||||||
## 参考资料
|
## 参考资料
|
||||||
- [GCC online documentation](https://gcc.gnu.org/onlinedocs/)
|
- [GCC online documentation](https://gcc.gnu.org/onlinedocs/)
|
||||||
|
Loading…
Reference in New Issue
Block a user