A. Detecting heap out-of-bounds errors on Linux with memory-protection techniques
When programming in C or C++, an out-of-bounds heap or stack access (read or write) often causes errors nobody expects, such as a process crash that only happens much later. So if there were a way to make an out-of-bounds access trigger a fault on the spot (the process is killed by the exception and a core dump is written), the out-of-bounds behaviour could be detected immediately, this otherwise hidden error could be dealt with in time, and larger losses in production could be avoided.
On Windows, as we know, the VirtualAlloc family of functions gives a similar protection mechanism: allocate two pages and set the protection attributes of one of them (readable, writable, and so on). For a newly added class (data structure) we can then overload operator new/delete so that the boundary of the object lands exactly on the edge of a page, and mark the neighbouring page as neither readable nor writable. This catches heap out-of-bounds reads and writes effectively, and it can be switched on with a compile-time macro such as PROTECT_CLASSX. Demonstration code follows:
On Linux the same mechanism is built with mmap and mprotect. The steps are: first map a special file such as /dev/zero with mmap using PROT_NONE (or use MAP_ANONYMOUS), then commit the memory with mprotect. The example above carries over, but only the core code is listed and the operator overloads are left out. The file descriptor of the mapped file is best held in a memory pool and closed at the end. The demonstration code only shows the general usage and is not meant to be used as-is.
A supplement on how mprotect is used:
And an example of how mmap is used:
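Below is an added example, written for this page and not the demonstration code the answer refers to, of the mmap + mprotect guard-page scheme in C on Linux. It reserves the whole range with PROT_NONE (using MAP_ANONYMOUS instead of mapping /dev/zero), commits only the data pages with mprotect, and places the object so that its last byte sits right before the PROT_NONE page. The names guarded_t, guarded_alloc, guarded_free, guard_is_protected and write_faults are my own; the crash is run in a forked child only so the demonstration can report the result instead of dying.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* One guarded allocation: [data pages, RW][guard page, PROT_NONE]. The object is
 * end-aligned so that a one-byte overrun lands on the guard page and faults at once
 * instead of silently corrupting a neighbouring object. (Hypothetical helper, not
 * the page's own code.) */
typedef struct {
    void  *base;    /* start of the whole mapping */
    size_t maplen;  /* data pages + guard page */
    void  *obj;     /* pointer handed to the caller */
    size_t size;    /* requested object size */
} guarded_t;

/* Step 1: reserve data pages + 1 guard page as PROT_NONE.
 * Step 2: "commit" only the data pages; the trailing page stays PROT_NONE. */
static int guarded_alloc(guarded_t *g, size_t size)
{
    size_t pg    = (size_t)sysconf(_SC_PAGESIZE);
    size_t data  = ((size + pg - 1) / pg) * pg;  /* data pages, rounded up */
    size_t total = data + pg;                    /* plus one guard page */
    void *base = mmap(NULL, total, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    if (mprotect(base, data, PROT_READ | PROT_WRITE) != 0) {
        int e = errno; munmap(base, total); errno = e; return -1;
    }
    g->base = base; g->maplen = total; g->size = size;
    /* End-align: obj + size == start of the guard page. Note the start of the
     * object is only aligned if `size` is a multiple of the type's alignment. */
    g->obj = (char *)base + (data - size);
    return 0;
}

static void guarded_free(guarded_t *g)
{
    munmap(g->base, g->maplen);
    memset(g, 0, sizeof *g);
}

/* In-process check that does not kill the caller: ask the kernel to copy one byte
 * out of the guard page. write() from a PROT_NONE address fails with EFAULT. */
static int guard_is_protected(const guarded_t *g)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    const char *guard = (const char *)g->base + (g->maplen - (size_t)sysconf(_SC_PAGESIZE));
    ssize_t n = write(fds[1], guard, 1);
    int ok = (n < 0 && errno == EFAULT);
    close(fds[0]); close(fds[1]);
    return ok;
}

/* Does writing at byte `offset` of an n-byte guarded object kill the process with
 * SIGSEGV? Returns 1 if so, 0 if the write completes. In real use you would not
 * fork: you let the process die and read the core dump. */
static int write_faults(size_t n, size_t offset)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        guarded_t g;
        if (guarded_alloc(&g, n) != 0) _exit(2);
        volatile char *p = (volatile char *)g.obj;
        p[offset] = 'A';                          /* offset == n: one past the end */
        guarded_free(&g);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV;
}

int main(void)
{
    guarded_t g;
    if (guarded_alloc(&g, 40) != 0) { perror("guarded_alloc"); return 1; }
    printf("guard page protected: %d\n", guard_is_protected(&g));
    guarded_free(&g);
    printf("write at [39] of 40 faults: %d\n", write_faults(40, 39));
    printf("write at [40] of 40 faults: %d\n", write_faults(40, 40));
    return 0;
}
```

Two caveats a practitioner should keep in mind: the guard only catches overruns past the end (an underrun, or a write into slack bytes when the object's size is not a multiple of its alignment, is missed), and every allocation costs at least two pages plus a mapping, so switch it on only for the classes under suspicion (the PROTECT_CLASSX idea above) or in test builds. A guard hit is a plain SIGSEGV, so make sure core dumps are enabled (ulimit -c unlimited) if you want the dump the answer describes.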
B. How to fix a segmentation fault when running a program on Linux
In programming, the following practices commonly lead to segmentation faults; almost all of them come down to misuse of pointers:
1) Accessing system data areas, especially writing to memory addresses protected by the system.
The most common case is giving a pointer the address 0: unsigned char *ptr = 0x00;
2) Out-of-bounds memory accesses (array index out of range, mismatched variable types, and so on), i.e. touching memory that does not belong to you.
I ran into this problem before and found the cause with the help of this post; I hope it helps you:
http://blog.csdn.net/yeyuangen/article/details/6822004
C. How to exploit an out-of-bounds array vulnerability on Linux
The memory-leak detection tools commonly used for C/C++ on Linux are Valgrind and Rational Purify. Valgrind is free. Valgrind runs on Linux on x86, AMD64 and 32- and 64-bit PowerPC, among other platforms.
The Valgrind suite contains several tools, such as Memcheck, Cachegrind, Helgrind, Callgrind and Massif. Memcheck, the tool used here, is described below:
Memcheck mainly checks for the following program errors:
• Use of uninitialised memory
• Reading/writing memory after it has been free'd
• Reading/writing off the end of malloc'd blocks
• Reading/writing inappropriate areas on the stack
• Memory leaks, where pointers to malloc'd blocks are lost forever
• Mismatched use of malloc/new/new[] vs free/delete/delete[]
• Overlapping src and dst pointers in memcpy() and related functions
Valgrind does not check accesses to statically allocated arrays: Memcheck only places red zones around heap blocks, so an overrun of a static or stack array is not reported.
Valgrind uses much more memory, up to twice what your program normally uses. If you run Valgrind on a program that uses a lot of memory you will run into problems, and the test may take a very long time to run.
2.1. Download and install
http://www.valgrind.org
Install:
./configure; make; make install
2.2. Compile the program
Compile the program under test with -g -fno-inline so that debugging information is kept (and preferably without optimisation, -O0, so the line numbers in the report are accurate).
2.3. Memory-leak detection
$ valgrind --tool=memcheck --log-file=/root/valgrind_log_all --leak-check=full --error-limit=no --show-reachable=yes --trace-children=yes /usr/local/sdata/sbin/rpcbakupsvr
Here --leak-check=full performs a full leak check and reports the allocation site of every leaked block, --show-reachable=yes also reports blocks that are still reachable at exit, and --trace-children=yes follows into child processes. When the program exits normally Valgrind prints the leak information by itself.
1. Memory leak (the example also writes one element past the end of the block, so the log reports an invalid write as well as the leak):
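As an added example, not part of the original tutorial: a small C parser for the Memcheck log written by --log-file, so that a build or CI step can fail automatically on any reported error or definite leak instead of a person reading the log. The function names (memcheck_parse_log, memcheck_should_fail, and so on) are my own; the embedded SAMPLE_LOG is constructed from the log lines of example 1 in this section, with the same ==PID== prefix, "Invalid write", "definitely lost:" and "ERROR SUMMARY:" lines.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counters pulled out of a Memcheck text log (hypothetical helper, not Valgrind's API). */
typedef struct {
    long errors;          /* "ERROR SUMMARY: N errors from M contexts" */
    long definitely_lost; /* bytes from "definitely lost: X bytes in Y blocks" */
    long possibly_lost;   /* bytes from "possibly lost: X bytes in Y blocks" */
    long invalid_access;  /* number of "Invalid read/write of size N" reports */
    long heap_overruns;   /* of those, how many sit just past a malloc'd block */
    long uninit_uses;     /* "Conditional jump or move depends on uninitialised value(s)" */
} memcheck_summary;

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Skip the "==PID==" prefix and following spaces. Returns NULL for lines without
 * the prefix (the program's own output), which are ignored. */
static const char *strip_pid(const char *line)
{
    if (!starts_with(line, "==")) return NULL;
    const char *p = line + 2;
    while (*p >= '0' && *p <= '9') p++;
    if (p == line + 2 || !starts_with(p, "==")) return NULL;
    p += 2;
    while (*p == ' ') p++;
    return p;
}

/* Decimal number as Valgrind prints it, possibly with thousands separators ("1,024"). */
static long parse_num(const char *s)
{
    long v = 0;
    while (*s == ' ') s++;
    for (; *s; s++) {
        if (*s >= '0' && *s <= '9') v = v * 10 + (*s - '0');
        else if (*s != ',') break;
    }
    return v;
}

static void memcheck_parse_line(memcheck_summary *s, const char *line)
{
    const char *p = strip_pid(line);
    if (!p) return;
    if (starts_with(p, "Invalid read of size") || starts_with(p, "Invalid write of size")) {
        s->invalid_access++;
    } else if (starts_with(p, "Address ") && strstr(p, "bytes after a block of size")) {
        s->heap_overruns++;                    /* the classic heap buffer overrun */
    } else if (starts_with(p, "Conditional jump or move depends on uninitialised")) {
        s->uninit_uses++;
    } else if (starts_with(p, "definitely lost:")) {
        s->definitely_lost = parse_num(p + strlen("definitely lost:"));
    } else if (starts_with(p, "possibly lost:")) {
        s->possibly_lost = parse_num(p + strlen("possibly lost:"));
    } else if (starts_with(p, "ERROR SUMMARY:")) {
        s->errors = parse_num(p + strlen("ERROR SUMMARY:"));
    }
}

/* Parse a whole log held in memory (e.g. the contents of the --log-file path). */
static memcheck_summary memcheck_parse_log(const char *log)
{
    memcheck_summary s;
    memset(&s, 0, sizeof s);
    char line[512];
    while (*log) {
        size_t n = strcspn(log, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, log, copy);
        line[copy] = '\0';
        memcheck_parse_line(&s, line);
        log += n;
        if (*log == '\n') log++;
    }
    return s;
}

/* Policy: any Memcheck error or any definitely-lost byte fails the run. */
static int memcheck_should_fail(const memcheck_summary *s)
{
    return s->errors > 0 || s->definitely_lost > 0;
}

/* Constructed sample: the relevant lines of the example-1 log in this section. */
static const char SAMPLE_LOG[] =
    "==20220== Memcheck, a memory error detector\n"
    "==20220== Command: ./test\n"
    "==20220== Invalid write of size 4\n"
    "==20220==    at 0x80483FF: function (in /mnt/Documents/Training/valgrind/test)\n"
    "==20220==  Address 0x41be050 is 0 bytes after a block of size 40 alloc'd\n"
    "==20220== HEAP SUMMARY:\n"
    "==20220==     in use at exit: 40 bytes in 1 blocks\n"
    "==20220== LEAK SUMMARY:\n"
    "==20220==    definitely lost: 40 bytes in 1 blocks\n"
    "==20220==    possibly lost: 0 bytes in 0 blocks\n"
    "==20220== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 6)\n";

int main(int argc, char **argv)
{
    memcheck_summary s;
    if (argc > 1) {                              /* parse a real --log-file */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        static char buf[1 << 20];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        s = memcheck_parse_log(buf);
    } else {
        s = memcheck_parse_log(SAMPLE_LOG);
    }
    printf("errors=%ld invalid=%ld overruns=%ld uninit=%ld definitely_lost=%ld possibly_lost=%ld\n",
           s.errors, s.invalid_access, s.heap_overruns, s.uninit_uses,
           s.definitely_lost, s.possibly_lost);
    return memcheck_should_fail(&s) ? 1 : 0;
}
```

Run it with the path of the --log-file as its argument; the exit status is 1 when the policy is violated, which is what a build script needs. Recent Valgrind versions can return a non-zero status themselves with --error-exitcode=N (with --leak-check=full, definite leaks are counted as errors too), but parsing the log additionally gives the byte counts and distinguishes a heap overrun from an uninitialised read.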
#include <stdio.h>
#include <stdlib.h>   /* malloc */

void function()
{
    int *p = (int*)malloc(10*sizeof(int));
    p[10] = 0;        /* valid indices are 0..9: invalid write of size 4 */
    /* p is never freed, so the 40 bytes are definitely lost */
}

int main()
{
    function();
    return 0;
}
Related log:
==20220== Memcheck, a memory error detector
==20220== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20220== Using Valgrind-3.6.1-Debian and LibVEX; rerun with -h for copyright info
==20220== Command: ./test
==20220== Parent PID: 20160
==20220==
==20220== Invalid write of size 4
==20220== at 0x80483FF: function (in /mnt/Documents/Training/valgrind/test)
==20220== by 0x8048411: main (in /mnt/Documents/Training/valgrind/test)
==20220== Address 0x41be050 is 0 bytes after a block of size 40 alloc'd
==20220== at 0x4028876: malloc (vg_replace_malloc.c:236)
==20220== by 0x80483F5: function (in /mnt/Documents/Training/valgrind/test)
==20220== by 0x8048411: main (in /mnt/Documents/Training/valgrind/test)
==20220==
==20220==
==20220== HEAP SUMMARY:
==20220== in use at exit: 40 bytes in 1 blocks
==20220== total heap usage: 1 allocs, 0 frees, 40 bytes allocated
==20220==
==20220== LEAK SUMMARY:
==20220== definitely lost: 40 bytes in 1 blocks
==20220== indirectly lost: 0 bytes in 0 blocks
==20220== possibly lost: 0 bytes in 0 blocks
==20220== still reachable: 0 bytes in 0 blocks
==20220== suppressed: 0 bytes in 0 blocks
==20220== Rerun with --leak-check=full to see details of leaked memory
==20220==
==20220== For counts of detected and suppressed errors, rerun with: -v
==20220== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 6)
2. Use of uninitialised memory
#include <stdio.h>

int main()
{
    int a;              /* never initialised */
    if (a == 1) {       /* Memcheck: conditional jump depends on an uninitialised value */
        printf("a==%d\n", a);
    }
    return 0;
}
Log analysis:
==20345== Memcheck, a memory error detector
==20345== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20345== Using Valgrind-3.6.1-Debian and LibVEX; rerun with -h for copyright info
==20345== Command: ./test
==20345==
==20345== Conditional jump or move depends on uninitialised value(s)
==20345== at 0x80483F2: main (in /mnt/Documents/Training/valgrind/test)
==20345==
==20345==
==20345== HEAP SUMMARY:
==20345== in use at exit: 0 bytes in 0 blocks
==20345== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==20345==
==20345== All heap blocks were freed -- no leaks are possible
==20345==
==20345== For counts of detected and suppressed errors, rerun with: -v
==20345== Use --track-origins=yes to see where uninitialised values come from
==20345== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 6)
Use --track-origins=yes to get more information, namely where the uninitialised value came from.
3. Out-of-bounds memory read/write
#include <stdio.h>
#include <stdlib.h>   /* malloc */

int main()
{
    int *a = (int*)malloc(5*sizeof(int));
    a[5] = 1;         /* valid indices are 0..4: invalid write of size 4 */
    return 0;         /* a is never freed, so Memcheck also reports a leak */
}
==20368== Memcheck, a memory error detector
==20368== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==20368== Using Valgrind-3.6.1-Debian and LibVEX; rerun with -h for copyright info
==20368== Command: ./test
==20368==
==20368== Invalid write of size 4
==20368== at 0x8048404: main (in /mnt/Documents/Training/valgrind/test)
==20368== Address 0x41be03c is 0 bytes after a block of size 20 alloc'd
==20368== at 0x4028876: malloc (vg_replace_malloc.c:236)
==20368== by 0x80483F8: main (in /mnt/Documents/Training/valgrind/test)
==20368==
==20368==
==20368== HEAP SUMMARY:
==20368== in use at exit: 20 bytes in 1 blocks
==20368== total heap usage: 1 allocs, 0 frees, 20 bytes allocated
==20368==
==20368== LEAK SUMMARY:
==20368== definitely lost: 20 bytes in 1 blocks
==20368== indirectly lost: 0 bytes in 0 blocks
==20368== possibly lost: 0 bytes in 0 blocks
==20368== still reachable: 0 bytes in 0 blocks
==20368== suppressed: 0 bytes in 0 blocks
==20368== Rerun with --leak-check=full to see details of leaked memory
==20368==
==20368== For counts of detected and suppressed errors, rerun with: -v
==20368== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 11 from 6)
4. Mismatched memory allocation and release
#include <stdio.h>

int main()
{
    int *a = new int[5];
    /* free(a); */    /* releasing with free() would be a mismatch as well */
    delete a;         /* allocated with new[], so it must be released with delete[] */
    return 0;
}