A. Detecting heap out-of-bounds errors on Linux with memory-management techniques
When programming in C or C++, out-of-bounds heap or stack accesses (read/write) often cause many unexpected errors, such as a process crash that only shows up much later. So if there were a way to make an out-of-bounds access trigger a system error immediately (let the process throw an exception and terminate, then generate a core dump file), out-of-bounds memory behaviour could be detected immediately and such hidden errors could be reacted to in time, avoiding bigger losses in a production environment.
We know that on Windows we can use the VirtualAlloc family of functions: request two pages of memory and set the protection attributes of one of the pages (readable, writable and so on) to get a similar protection mechanism. Then, for a newly added class (data structure), we can overload operator new/delete, place the class boundary at the edge of one page, and set the adjacent page to neither readable nor writable. That effectively detects heap out-of-bounds reads and writes. It can also be switched on with a compile-time macro, for example PROTECT_CLASSX. Demo code follows:
On Linux, this mechanism has to be built with mmap and mprotect. The concrete steps: first use mmap with PROT_NONE to map a special file such as /dev/zero (or use MAP_ANONYMOUS), then use mprotect to commit the memory. The example above can still be used, but only the core code is listed; the operator overloading is not written out. Also, the memory-mapped file handle is best held in a memory pool and closed at the very end. The demo code only illustrates the rough usage and cannot be used directly.
Usage of mprotect, as a supplement:
And an example of how to use mmap:
B. Segmentation fault when running a program on Linux: how to fix it
In programming, the following kinds of practice easily lead to segmentation faults; basically they are all caused by incorrect use of pointers.
1) Accessing the system data area, especially writing data to memory addresses protected by the system.
The most common case is giving a pointer the address 0: unsigned char *ptr = 0x00;
2) Out-of-bounds memory access (array out of bounds, mismatched variable types, etc.): accessing a memory region that does not belong to you.
I ran into this problem before as well, and found it later with the help of this post; hope it helps you.
http://blog.csdn.net/yeyuangen/article/details/6822004
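The guard-page mechanism sketched in A (an mmap'd region with a PROT_NONE page right behind the object, set with mprotect) and the NULL-pointer write from B, together as one added C example; this is not code from either answer. It assumes Linux/glibc (mmap, mprotect, sigaction with SA_SIGINFO); the names guard_alloc, probe_write and the fault_kind classification are the example's own. The SIGSEGV handler records si_addr and jumps back out so the program can report which category the fault fell into instead of dying; in production the point of the guard page is the opposite: let the process crash at once and keep the core dump.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One guarded object: data pages followed by one PROT_NONE guard page. */
typedef struct {
    void   *base;   /* start of the whole mapping */
    size_t  len;    /* length of the whole mapping (data + guard) */
    char   *guard;  /* first byte of the guard page */
} guard_alloc_t;

/* Map (data pages + 1 guard page) and place the object so that its last
 * byte is flush against the guard page. Returns NULL on failure. */
static void *guard_alloc(size_t size, guard_alloc_t *g) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_len = ((size + page - 1) / page) * page;
    size_t total = data_len + page;
    void *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    char *guard = (char *)base + data_len;
    if (mprotect(guard, page, PROT_NONE) != 0) {  /* revoke all access */
        munmap(base, total);
        return NULL;
    }
    g->base = base; g->len = total; g->guard = guard;
    return guard - size;
}

static void guard_free(guard_alloc_t *g) { munmap(g->base, g->len); }

/* Fault capture: the SA_SIGINFO handler records the faulting address. */
static sigjmp_buf fault_jmp;
static volatile uintptr_t fault_addr;

static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    fault_addr = (uintptr_t)si->si_addr;
    siglongjmp(fault_jmp, 1);
}

enum fault_kind { FAULT_NONE = 0, FAULT_NULL_PAGE = 1, FAULT_GUARD_PAGE = 2, FAULT_OTHER = 3 };

/* Try to write one byte at p and classify the resulting fault, if any. */
static enum fault_kind probe_write(volatile char *p, const guard_alloc_t *g) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    enum fault_kind kind;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        *p = 'x';
        kind = FAULT_NONE;
    } else {
        uintptr_t a = fault_addr;
        size_t page = (size_t)sysconf(_SC_PAGESIZE);
        if (a < page)
            kind = FAULT_NULL_PAGE;   /* NULL, or a small offset from NULL (answer B, case 1) */
        else if (g && a >= (uintptr_t)g->guard && a < (uintptr_t)g->guard + page)
            kind = FAULT_GUARD_PAGE;  /* write ran past the end of the guarded object */
        else
            kind = FAULT_OTHER;
    }
    sigaction(SIGSEGV, &old, NULL);
    return kind;
}

/* Answer B's bad pointer. The volatile qualifier stops the compiler from
 * replacing a store through a known-NULL pointer with a trap instruction. */
static int demo_null_write(void) {
    unsigned char *volatile ptr = 0x00;
    return probe_write((volatile char *)ptr, NULL) == FAULT_NULL_PAGE;
}

/* Answer A's guard page: the last byte inside the object is writable,
 * the first byte past it faults immediately. */
static int demo_guard_page(void) {
    guard_alloc_t g;
    size_t n = 40;   /* constructed size, same as the 10-int block used later on this page */
    char *obj = guard_alloc(n, &g);
    if (!obj) return 0;
    int inside_ok = probe_write(obj + n - 1, &g) == FAULT_NONE;
    int past_end  = probe_write(obj + n, &g) == FAULT_GUARD_PAGE;
    guard_free(&g);
    return inside_ok && past_end;
}

int main(void) {
    printf("NULL write caught as null-page fault: %s\n", demo_null_write() ? "yes" : "no");
    printf("one-past-end write caught by guard page: %s\n", demo_guard_page() ? "yes" : "no");
    return 0;
}
```

Because the object is placed flush against the guard page, only overruns past the end are caught; an underrun before the start lands in the padding of the data pages and goes unnoticed, so a real allocator of this kind either aligns the object at the start of the region with a guard page in front as well, or alternates between the two placements. Each guarded object also costs at least two whole pages, which is why such allocators are usually enabled per class behind a macro, as answer A suggests, rather than for every allocation.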
C. How to exploit an array out-of-bounds vulnerability on Linux
Commonly used memory-leak detection tools for C/C++ on Linux are valgrind and Rational Purify. Valgrind is free. Valgrind can work on 32-bit or 64-bit PowerPC/Linux kernels.
The Valgrind toolkit contains several tools, such as Memcheck, Cachegrind, Helgrind, Callgrind and Massif. The role of each tool is described below:
The Memcheck tool mainly checks for the following program errors:
• Use of uninitialised memory
• Reading/writing memory after it has been free'd
• Reading/writing off the end of malloc'd blocks
• Reading/writing inappropriate areas on the stack
• Memory leaks, where pointers to malloc'd blocks are lost forever
• Mismatched use of malloc/new/new [] vs free/delete/delete []
• Overlapping src and dst pointers in memcpy() and related functions
Valgrind does not check the use of statically allocated arrays.
Valgrind uses more memory, up to twice what your program normally uses. If you use Valgrind to check a program that uses a lot of memory you will run into problems, and it may take a very long time to run the tests.
2.1. Download and install
http://www.valgrind.org
Install:
./configure;make;make install
2.2. Compile the program
Add the -g -fno-inline compile options to the program under test so that debug information is kept.
2.3. Memory leak detection
$ valgrind --tool=memcheck --log-file=/root/valgrind_log_all --leak-check=full --error-limit=no --show-reachable=yes --trace-children=yes /usr/local/sdata/sbin/rpcbakupsvr
Here --leak-check=full means a full check for memory leaks, --show-reachable=yes shows where memory was leaked, and --trace-children=yes follows child processes. When the program exits normally, valgrind will output the memory-leak information by itself.
1. Memory leak:
    #include <stdio.h>
    #include <stdlib.h>   /* malloc */

    void function()
    {
        int *p = (int*)malloc(10*sizeof(int));
        p[10] = 0;        /* one element past the 40-byte block: the "Invalid write" below */
                          /* p is never freed: the 40 bytes are "definitely lost" */
    }

    int main()
    {
        function();
        return 0;
    }
Related log:
==20220== Memcheck, a memory error detector
==20220== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20220== Using Valgrind-3.6.1-Debian and LibVEX; rerun with -h for right info
==20220== Command: ./test
==20220== Parent PID: 20160
==20220==
==20220== Invalid write of size 4
==20220== at 0x80483FF: function (in /mnt/Documents/Training/valgrind/test)
==20220== by 0x8048411: main (in /mnt/Documents/Training/valgrind/test)
==20220== Address 0x41be050 is 0 bytes after a block of size 40 alloc'd
==20220== at 0x4028876: malloc (vg_replace_malloc.c:236)
==20220== by 0x80483F5: function (in /mnt/Documents/Training/valgrind/test)
==20220== by 0x8048411: main (in /mnt/Documents/Training/valgrind/test)
==20220==
==20220==
==20220== HEAP SUMMARY:
==20220== in use at exit: 40 bytes in 1 blocks
==20220== total heap usage: 1 allocs, 0 frees, 40 bytes allocated
==20220==
==20220== LEAK SUMMARY:
==20220== definitely lost: 40 bytes in 1 blocks
==20220== indirectly lost: 0 bytes in 0 blocks
==20220== possibly lost: 0 bytes in 0 blocks
==20220== still reachable: 0 bytes in 0 blocks
==20220== suppressed: 0 bytes in 0 blocks
==20220== Rerun with --leak-check=full to see details of leaked memory
==20220==
==20220== For counts of detected and suppressed errors, rerun with: -v
==20220== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 6)
2. Using uninitialised memory
    #include <stdio.h>

    int main()
    {
        int a;            /* never initialised */
        if (a==1)         /* the conditional jump depends on an uninitialised value */
        {
            printf("a==%d\n",a);
        }
        return 0;
    }
Log analysis:
==20345== Memcheck, a memory error detector
==20345== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20345== Using Valgrind-3.6.1-Debian and LibVEX; rerun with -h for right info
==20345== Command: ./test
==20345==
==20345== Conditional jump or move depends on uninitialised value(s)
==20345== at 0x80483F2: main (in /mnt/Documents/Training/valgrind/test)
==20345==
==20345==
==20345== HEAP SUMMARY:
==20345== in use at exit: 0 bytes in 0 blocks
==20345== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==20345==
==20345== All heap blocks were freed -- no leaks are possible
==20345==
==20345== For counts of detected and suppressed errors, rerun with: -v
==20345== Use --track-origins=yes to see where uninitialised values come from
==20345== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 6)
--track-origins=yes can be used to get more information.
3. Out-of-bounds memory read/write
    #include <stdio.h>
    #include <stdlib.h>   /* malloc */

    int main()
    {
        int *a = (int*)malloc(5*sizeof(int));
        a[5] = 1;         /* one element past the 20-byte block: the "Invalid write" below */
        return 0;
    }
==20368== Memcheck, a memory error detector
==20368== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20368== Using Valgrind-3.6.1-Debian and LibVEX; rerun with -h for right info
==20368== Command: ./test
==20368==
==20368== Invalid write of size 4
==20368== at 0x8048404: main (in /mnt/Documents/Training/valgrind/test)
==20368== Address 0x41be03c is 0 bytes after a block of size 20 alloc'd
==20368== at 0x4028876: malloc (vg_replace_malloc.c:236)
==20368== by 0x80483F8: main (in /mnt/Documents/Training/valgrind/test)
==20368==
==20368==
==20368== HEAP SUMMARY:
==20368== in use at exit: 20 bytes in 1 blocks
==20368== total heap usage: 1 allocs, 0 frees, 20 bytes allocated
==20368==
==20368== LEAK SUMMARY:
==20368== definitely lost: 20 bytes in 1 blocks
==20368== indirectly lost: 0 bytes in 0 blocks
==20368== possibly lost: 0 bytes in 0 blocks
==20368== still reachable: 0 bytes in 0 blocks
==20368== suppressed: 0 bytes in 0 blocks
==20368== Rerun with --leak-check=full to see details of leaked memory
==20368==
==20368== For counts of detected and suppressed errors, rerun with: -v
==20368== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 6)
4. Memory allocation/deallocation management errors
    #include <stdio.h>

    int main()
    {
        int *a = new int[5];
        /*free(a);*/
        delete a;         /* allocated with new[] but released with delete: mismatched */
        return 0;
    }
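The Memcheck logs shown above are what a build pipeline has to read when valgrind is run automatically. As an added example (not code from this answer or from the Valgrind project), here is a small C parser for that log format that extracts the error count, the "definitely lost" byte count and the number of invalid-access and uninitialised-value reports, plus a gate function that says whether the build should fail. The sample log is constructed from the first log on this page; the clean-run sample and its PID are made up, and the function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counters pulled out of one Memcheck log. */
typedef struct {
    int  errors;           /* N from "ERROR SUMMARY: N errors from ..." */
    long definitely_lost;  /* bytes from "definitely lost: N bytes in ..." */
    int  invalid_rw;       /* number of "Invalid read/write of size ..." reports */
    int  uninit_uses;      /* number of uninitialised-value reports */
} vg_summary_t;

/* Parse a Memcheck log. Every line carries a "==PID==" prefix, which is
 * stripped before matching; lines are then matched on fixed prefixes. */
static vg_summary_t parse_valgrind_log(const char *log) {
    vg_summary_t s = {0, 0, 0, 0};
    const char *line = log;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        const char *text = buf;
        if (text[0] == '=' && text[1] == '=') {   /* drop "==PID==" */
            const char *end = strstr(text + 2, "==");
            text = end ? end + 2 : text;
        }
        while (*text == ' ') text++;               /* Memcheck indents summary lines */

        if (strncmp(text, "Invalid write", 13) == 0 || strncmp(text, "Invalid read", 12) == 0)
            s.invalid_rw++;
        else if (strstr(text, "depends on uninitialised value") ||
                 strncmp(text, "Use of uninitialised value", 26) == 0)
            s.uninit_uses++;
        else if (strncmp(text, "definitely lost:", 16) == 0)
            sscanf(text, "definitely lost: %ld", &s.definitely_lost);
        else if (strncmp(text, "ERROR SUMMARY:", 14) == 0)
            sscanf(text, "ERROR SUMMARY: %d", &s.errors);

        line = nl ? nl + 1 : line + len;
    }
    return s;
}

/* CI gate: 1 means "fail the build" (any Memcheck error or definite leak). */
static int valgrind_gate_fails(const char *log) {
    vg_summary_t s = parse_valgrind_log(log);
    return (s.errors > 0 || s.definitely_lost > 0) ? 1 : 0;
}

/* Constructed sample: the Memcheck output shown on this page for the
 * 10-int block that is written one past its end and never freed. */
static const char *sample_log =
    "==20220== Memcheck, a memory error detector\n"
    "==20220== Command: ./test\n"
    "==20220==\n"
    "==20220== Invalid write of size 4\n"
    "==20220==    at 0x80483FF: function (in /mnt/Documents/Training/valgrind/test)\n"
    "==20220==    by 0x8048411: main (in /mnt/Documents/Training/valgrind/test)\n"
    "==20220==  Address 0x41be050 is 0 bytes after a block of size 40 alloc'd\n"
    "==20220==\n"
    "==20220== LEAK SUMMARY:\n"
    "==20220==    definitely lost: 40 bytes in 1 blocks\n"
    "==20220==    indirectly lost: 0 bytes in 0 blocks\n"
    "==20220== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 6)\n";

/* Constructed sample: a clean run (PID made up). */
static const char *sample_clean_log =
    "==20400== Memcheck, a memory error detector\n"
    "==20400== All heap blocks were freed -- no leaks are possible\n"
    "==20400== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)\n";

int main(void) {
    vg_summary_t s = parse_valgrind_log(sample_log);
    printf("errors=%d invalid_rw=%d uninit=%d definitely_lost=%ld gate=%s\n",
           s.errors, s.invalid_rw, s.uninit_uses, s.definitely_lost,
           valgrind_gate_fails(sample_log) ? "FAIL" : "pass");
    return 0;
}
```

The gate looks at ERROR SUMMARY rather than only at the leak lines because, as the logs above show, an out-of-bounds write is reported as an error even when --leak-check=full is not given, while the "definitely lost" line only appears in the LEAK SUMMARY block. With --trace-children=yes and a per-process --log-file, one such log is produced per process, so the gate is run over each file.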