Issue | 133640
Summary | AddressSanitizer's FakeStack metadata can be rewritten by users
Labels | new issue
Assignees |
Reporter | brandb97
AddressSanitizer saves a &flag[pos] at the end of the FakeStack frame, which can be rewritten by users. If you run this code snippet with `-fsanitize=address`, you get a SEGV signal, because AddressSanitizer tries to read &flag[pos] in __asan_stack_free, but it reads from the wrong place.
```c
#include <stdio.h>

struct BigData {
    int x[40960];
};

void *test(void) {
    struct BigData x;
    int *y = (int *)(&x);
    /* x.x holds 40960 ints; these 50 writes start 70 ints past its end,
     * i.e. beyond the frame's user area, and are the trigger described
     * in the report. */
    for (int i = 0; i < 50; i++)
        y[41030 + i] = 100;
    return y;
}

int main(void) {
    test();
    return 0;
}
```
You should compile this program with `clang -fsanitize=address source.c -o a.out`. I'm using v18.1.6 to do this experiment.
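As an added illustration (not part of the report, and not ASan's real code), here is a simplified C model of the layout the report describes: a fake-stack frame whose trailing slot holds the saved pointer to its in-use flag. An overflow past the user area overwrites that slot, and a free routine that validates the saved pointer against the flags array before dereferencing it reports corruption instead of reading from a wild address. All `model_*` names, the 64-byte frame size and the four-frame pool are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model constants; not ASan's real size classes. */
#define MODEL_FRAME_BYTES 64u
#define MODEL_NUM_FRAMES  4u

/* Modelled fake-stack frame: user data first, then the saved pointer to
 * this frame's in-use flag, mirroring the "flag pointer at the end"
 * layout the report describes. */
typedef struct {
    uint8_t user[MODEL_FRAME_BYTES - sizeof(uint8_t *)];
    uint8_t *saved_flag_ptr;
} model_frame_t;

typedef struct {
    model_frame_t frames[MODEL_NUM_FRAMES];
    uint8_t flags[MODEL_NUM_FRAMES]; /* 1 = frame in use */
} model_fake_stack_t;

model_fake_stack_t *model_stack_new(void) {
    return calloc(1, sizeof(model_fake_stack_t));
}

/* Allocate a frame: set its flag and store &flags[pos] in the trailing slot. */
model_frame_t *model_stack_alloc(model_fake_stack_t *s) {
    for (unsigned i = 0; i < MODEL_NUM_FRAMES; i++) {
        if (!s->flags[i]) {
            s->flags[i] = 1;
            s->frames[i].saved_flag_ptr = &s->flags[i];
            return &s->frames[i];
        }
    }
    return NULL;
}

/* Free with validation: dereference the saved pointer only if it still
 * points into the flags array. Returns 0 on success, -1 if the trailing
 * metadata has been overwritten (the situation in which an unchecked
 * free would read from the wrong place). */
int model_stack_free_checked(model_fake_stack_t *s, model_frame_t *f) {
    uintptr_t p  = (uintptr_t)f->saved_flag_ptr;
    uintptr_t lo = (uintptr_t)s->flags;
    uintptr_t hi = lo + MODEL_NUM_FRAMES;
    if (p < lo || p >= hi)
        return -1;
    *f->saved_flag_ptr = 0;
    return 0;
}

/* Write n bytes of value v starting at byte offset off within the frame.
 * Bytes past the user area land on the trailing metadata, which is the
 * effect of the report's y[41030 + i] writes. The write is clamped to the
 * frame struct so the model itself stays memory-safe. */
void model_overflow_write(model_frame_t *f, size_t off, size_t n, uint8_t v) {
    if (off >= sizeof *f)
        return;
    if (n > sizeof *f - off)
        n = sizeof *f - off;
    memset((uint8_t *)f + off, v, n);
}

int main(void) {
    model_fake_stack_t *s = model_stack_new();
    model_frame_t *f = model_stack_alloc(s);

    /* Normal use: the write stays inside the user area, free succeeds. */
    model_overflow_write(f, 0, sizeof f->user, 0x64);
    printf("in-bounds frame free: %d\n", model_stack_free_checked(s, f));

    /* Overflow: the write runs over the saved flag pointer, free reports it. */
    f = model_stack_alloc(s);
    model_overflow_write(f, 0, sizeof *f, 0x64);
    printf("overflowed frame free: %d\n", model_stack_free_checked(s, f));

    free(s);
    return 0;
}
```

The check in `model_stack_free_checked` is the defensive pattern: inline metadata that sits after user-writable bytes has to be treated as untrusted at the point of use, so a range test (or a separately stored copy to compare against) turns a crash at an attacker-influenced address into a reported error.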
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs