OetkenPurveyorOfCode

Reputation: 51

In which cases is the ASAN shadow memory checked on pointer dereference?

Consider this example:

#include <stdio.h>
#include <stddef.h>   // size_t
#include <stdint.h>

// ASan runtime API (the same prototypes are in <sanitizer/asan_interface.h>)
void __asan_poison_memory_region(void const volatile *addr, size_t size);
void __asan_unpoison_memory_region(void const volatile *addr, size_t size);

int main(void) {
    uint64_t a[10] = {0};
    __asan_poison_memory_region(a, 10*sizeof(uint64_t));
    uint64_t* b = a;
    __asan_poison_memory_region(b, 10*sizeof(uint64_t));
    a[1] = 4; // nothing
    b[1] = 4; // use-after-poison
    return 0;
}

Compile with:

clang -fsanitize=address asan.c -o asan.exe

You will notice that the address sanitizer only reports the b[1] = 4 access and not the a[1] = 4 access, despite the memory being poisoned (actually twice).

So ASAN looks at the shadow memory only in the b case, am I right? Here is my question: when does it check whether memory has been poisoned, and when not?

I want to experiment with ASAN a little and see what cool things are possible to do with it. But I realize that the simplified view I had of how ASAN works is wrong: I cannot mark arbitrary portions of memory as poisoned and have a guarantee that ASAN will report the illegal access. Maybe you can enlighten me as to what is going on?

Expected behaviour: both accesses are reported (only the first one actually, because the program stops), and even with b[1] = 4; uncommented ASAN still reports an error about a[1] = 4;.

Upvotes: 0

Views: 90

Answers (0)
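Added illustration (not from the question's author, and not the ASan runtime itself): ASan does two separate things. At compile time the instrumentation pass inserts a shadow-memory check in front of each load and store it decides to instrument; it skips accesses it can prove stay inside a local array, which is why the direct a[1] = 4 store above never consults the shadow, while the store through b does. At run time every instrumented access runs the same check: one shadow byte covers 8 bytes of memory; 0 means all addressable, k in 1..7 means only the first k bytes are addressable, and a negative byte (0xf7 for memory poisoned with __asan_poison_memory_region) means fully poisoned. The model below implements that check and the aligned case of user poisoning over a small fake memory; the shadow offset 0x7fff8000 in the comment is the x86_64 Linux default and is not used by the model. When the file is built with clang -fsanitize=address, real_asan_demo() additionally forces an instrumented store by going through a volatile pointer, so the same poisoned stack array that escaped detection in the question is reported.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of ASan's shadow encoding. Real ASan maps each 8-byte granule of
 * application memory to one shadow byte at (addr >> 3) + 0x7fff8000 on
 * x86_64 Linux. Shadow byte: 0 = all 8 bytes addressable; k in 1..7 = only
 * the first k bytes addressable; negative = poisoned, the value encodes why
 * (0xf7 = poisoned by the user, 0xf1/0xf2/0xf3 = stack redzones, ...). */
#define GRANULE 8u
#define MEM_SIZE 256u                  /* bytes of modelled application memory */
#define SHADOW_SIZE (MEM_SIZE / GRANULE)
#define ASAN_USER_POISONED_MAGIC 0xf7  /* same value as kAsanUserPoisonedMemoryMagic */

typedef struct { int8_t shadow[SHADOW_SIZE]; } Shadow;

static void shadow_init(Shadow *s) { memset(s->shadow, 0, sizeof s->shadow); }

/* Model of __asan_poison_memory_region for granule-aligned regions only
 * (the real runtime also handles partial granules). Returns -1 if misaligned. */
static int shadow_poison(Shadow *s, size_t off, size_t size) {
    if (off % GRANULE || size % GRANULE || off + size > MEM_SIZE) return -1;
    memset(&s->shadow[off / GRANULE], ASAN_USER_POISONED_MAGIC, size / GRANULE);
    return 0;
}

/* Model of __asan_unpoison_memory_region, same alignment restriction. */
static int shadow_unpoison(Shadow *s, size_t off, size_t size) {
    if (off % GRANULE || size % GRANULE || off + size > MEM_SIZE) return -1;
    memset(&s->shadow[off / GRANULE], 0, size / GRANULE);
    return 0;
}

/* Mark only the first k bytes of the granule containing off as addressable,
 * as ASan does for the tail granule of an object whose size is not a multiple of 8. */
static void shadow_set_partial(Shadow *s, size_t off, int8_t k) { s->shadow[off / GRANULE] = k; }

/* The check ASan compiles in front of an instrumented n-byte access (n = 1, 2, 4, 8).
 * Returns 1 if the access would be reported. This code only runs where the
 * compiler emitted it: an access proven in-bounds of a local array gets no check. */
static int asan_check(const Shadow *s, size_t off, size_t n) {
    if (off + n > MEM_SIZE) return 1;              /* outside the modelled memory */
    int8_t k = s->shadow[off / GRANULE];
    if (k == 0) return 0;                          /* fast path: whole granule addressable */
    if (n == GRANULE) return 1;                    /* 8-byte access: any nonzero shadow is bad */
    int last = (int)(off & (GRANULE - 1)) + (int)n - 1;
    return last >= k;                              /* negative k (poisoned) always trips */
}

#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__)
#include <sanitizer/asan_interface.h>
/* Live demo, only when built with -fsanitize=address: the store goes through a
 * pointer loaded from a volatile, so the instrumentation pass cannot prove it
 * in-bounds and emits the shadow check; ASan then reports use-after-poison. */
static void real_asan_demo(void) {
    uint64_t a[10] = {0};
    __asan_poison_memory_region(a, sizeof a);
    printf("&a[1] poisoned: %d\n", __asan_address_is_poisoned(&a[1]));
    uint64_t *volatile p = a;   /* opaque to the optimizer and to the ASan pass */
    p[1] = 4;                   /* instrumented store -> reported */
    __asan_unpoison_memory_region(a, sizeof a);
}
#else
static void real_asan_demo(void) { puts("not built with -fsanitize=address; skipping live demo"); }
#endif

int main(void) {
    Shadow s; shadow_init(&s);
    size_t a_off = 64;                                /* model of uint64_t a[10] placed at offset 64 */
    shadow_poison(&s, a_off, 10 * sizeof(uint64_t));
    printf("store to a[1] while poisoned -> reported: %d\n", asan_check(&s, a_off + 8, 8));
    shadow_unpoison(&s, a_off, 10 * sizeof(uint64_t));
    printf("same store after unpoison   -> reported: %d\n", asan_check(&s, a_off + 8, 8));
    shadow_set_partial(&s, 0, 4);                     /* granule 0: only bytes 0..3 addressable */
    printf("2-byte load at 0 -> %d, 4-byte load at 2 -> %d\n",
           asan_check(&s, 0, 2), asan_check(&s, 2, 4));
    real_asan_demo();
    return 0;
}
```

Build the model alone with cc -o shadow shadow.c, or with clang -fsanitize=address -o shadow shadow.c to also run the live demo, which terminates the process with a use-after-poison report at the p[1] store. The volatile pointer is the practical takeaway: if you poison memory for an experiment and want every access checked, make sure the compiler cannot see that the access is within a local object it considers safe.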
