1 file changed +57 -11 lines changed
11# Answer
22
3- Name:
4- ID:
3+ Name: [ 黃崇銘 ]
4+ ID: [ 512558012 ]
55
66## Test Valgrind and ASan
7- ### Result
8- | | Valgrind | Asan |
9- | -------------------- | -------- | ---- |
10- | Heap out-of-bounds | | |
11- | Stack out-of-bounds | | |
12- | Global out-of-bounds | | |
13- | Use-after-free | | |
14- | Use-after-return | | |
7+ | Vulnerability | Result (Valgrind) | Result (ASan) |
8+ | ---------------------| -------------------| ---------------|
9+ | Heap out-of-bounds | Detected | Detected |
10+ | Stack out-of-bounds | Detected | Detected |
11+ | Global out-of-bounds| Detected | Detected |
12+ | Use-after-free | Detected | Detected |
13+ | Use-after-return | Detected | Detected |
1514
1615### Heap out-of-bounds
16+ ** Source code** :
17+ ``` c
18+ #include < stdlib.h>
19+
20+ void heap_out_of_bounds () {
21+ int *arr = malloc(10 * sizeof(int));
22+ arr[10] = 0; // 越界寫
23+ free (arr);
24+ }
25+
1726#### Source code
1827```
19-
28+ void stack_out_of_bounds() {
29+ int arr[ 10] ;
30+ arr[ 10] = 0; // 越界寫
31+ }
2032```
2133#### Valgrind Report
2234```
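Review bot: the fencing in lines 17 to 32 is broken and the code has landed under the wrong heading. The three-backtick fence opened at line 17 for heap_out_of_bounds is never closed before the pre-existing `#### Source code` heading at line 26; the old fence at line 27 closes it instead, so stack_out_of_bounds (lines 28 to 31) sits under the Heap out-of-bounds heading outside any fence, and the fence at line 32 then opens a block that swallows `#### Valgrind Report`. Close the heap block right after its `}` at line 24, keep `#### Source code` above the fence, and move stack_out_of_bounds to the Stack section. Two smaller points in the same hunk: `#include < stdlib.h>` at line 18 has a space inside the angle brackets and will not find the header, and `** Source code**` at line 16 has a space after the opening asterisks so it will not render as bold. Also, the table at lines 7 to 13 marks every case as Detected for Valgrind, but Memcheck does not bounds-check stack or global arrays and does not flag stack use-after-return, so the Stack, Global and Use-after-return rows need the actual Valgrind output pasted under the report headings to support that claim.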
3042### Stack out-of-bounds
3143#### Source code
3244```
45+ int global_arr[ 10] ;
46+
47+ void global_out_of_bounds() {
48+ global_arr[ 10] = 0; // 越界寫
49+ }
3350
3451```
3552#### Valgrind Report
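Review bot: the block at lines 45 to 49 defines global_out_of_bounds but is placed under the `### Stack out-of-bounds` heading at line 42; from here on each section shows the code of the section that follows it. The stack example belongs here, and global_out_of_bounds should move down to the Global out-of-bounds section so that each heading, its source and its Valgrind/ASan reports line up.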
4461### Global out-of-bounds
4562#### Source code
4663```
64+ #include <stdlib.h>
65+
66+ void use_after_free() {
67+ int * arr = malloc(10 * sizeof(int));
68+ free(arr);
69+ arr[ 0] = 0; // 使用已釋放內存
70+ }
4771
4872```
4973#### Valgrind Report
5882### Use-after-free
5983#### Source code
6084```
85+ int * ptr;
86+
87+ void use_after_return_helper() {
88+ int local_arr[ 10] ;
89+ ptr = &local_arr[ 0] ;
90+ }
91+
92+ void use_after_return() {
93+ use_after_return_helper();
94+ ptr[ 0] = 0; // 使用返回後的局部變量
95+ }
6196
6297```
6398#### Valgrind Report
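Review bot: the use_after_return code at lines 85 to 95 is filed under the Use-after-free heading, and it only produces an ASan report when stack use-after-return detection is enabled; on older toolchains that means running with ASAN_OPTIONS=detect_stack_use_after_return=1, so the exact build and run command should be recorded next to the report. Valgrind will not report this write at all, since the stale stack slot in local_arr is still addressable memory, which contradicts the Detected entry for that row in the table at line 13.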
72107### Use-after-return
73108#### Source code
74109```
110+ void bypass_redzone() {
111+ int arr1[ 8] ;
112+ int arr2[ 8] ;
113+ * ((volatile int * )(&arr1[ 8] )) = 0; // 繞過紅區寫
114+ }
115+
75116
76117```
77118#### Valgrind Report
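Review bot: the bypass_redzone function at lines 110 to 114 is under the Use-after-return heading, and its comment does not match what the code does: the store goes to &arr1[8], one element past an 8-int array, which is exactly the spot ASan pads with a redzone, so this is the case ASan is built to report rather than a bypass. arr2 is declared but never touched, and the volatile cast only stops the compiler from dropping the store. If the intent is to demonstrate a limitation of redzone checking, the Why section has to state the assumption about stack layout and back it with the real ASan output for this build, because the relative placement of arr1 and arr2 is decided by the compiler and is not guaranteed.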
90131```
91132### Why
92133
134+ void bypass_redzone() {
135+ int arr1[8];
136+ int arr2[8];
137+ *((volatile int *)(&arr1[8])) = 0; // 繞過紅區寫
138+ }
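Review bot: lines 134 to 138 duplicate the bypass_redzone block already added at lines 110 to 114, and the `### Why` section that should explain the result still contains no explanation, only the code, with no fence around it so it renders as prose. Keep one copy of the function in the source section, fence it, and write the Why section as text: which tool reported what, and why.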