On Fri, Mar 16, 2018 at 11:09 AM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
> On Thu, Mar 15, 2018 at 5:52 PM, Andrey Ryabinin
> <aryabinin@xxxxxxxxxxxxx> wrote:
>> On 03/13/2018 08:00 PM, Andrey Konovalov wrote:
>>> On Tue, Mar 13, 2018 at 4:05 PM, 'Alexander Potapenko' via kasan-dev
>>> <kasan-dev@xxxxxxxxxxxxxxxx> wrote:
>>>> Does it make sense to generate the redzone tag from the object tag
>>>> (e.g. by adding 1 to it)?
>>>
>>> Yes, I think so, will do!
>>>
>>
>> Wouldn't it be better to have some reserved tag value for invalid memory (redzones/free), so that
>> we catch access to such memory with 100% probability?
>
> We could do that. That would reduce the chance to detect a
> use-after-free though, since we're using fewer different tag values
> for the objects themselves. I don't have a strong opinion about which
> one is better though.

hwasan does not need redzones.
As for use-after-free, to catch it with 100% probability one would need
infinite memory for the quarantine.
It is possible to guarantee 100% detection of linear buffer overflow
by giving live adjacent chunks distinct tags.
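
The last point of the reply, as an added example that is not part of the original message and is not KASAN or hwasan code: a toy slab with one shadow tag per granule, comparing tags taken as drawn with tags forced to differ from both neighbours. The 16-byte granule, 64-byte chunks, 8-bit tags and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define GRANULE 16   /* bytes covered by one shadow tag (assumed) */
#define CHUNK   64   /* fixed object size in this toy slab (assumed) */
#define NCHUNKS 64

static uint8_t shadow[NCHUNKS * CHUNK / GRANULE];   /* one memory tag per granule */

/* Memory tag of chunk i, or -1 when i lies outside the slab. */
static int chunk_tag(int i) {
    return (i < 0 || i >= NCHUNKS) ? -1 : shadow[i * CHUNK / GRANULE];
}

/* Tag chunk i with `want`; with distinct != 0, bump the tag until it differs
 * from both neighbours (the policy from the reply). Returns the tag used. */
int tag_chunk(int i, uint8_t want, int distinct) {
    int t = want;
    while (distinct && (t == chunk_tag(i - 1) || t == chunk_tag(i + 1)))
        t = (t + 1) & 0xff;
    for (int g = 0; g < CHUNK / GRANULE; g++)
        shadow[i * CHUNK / GRANULE + g] = (uint8_t)t;
    return t;
}

/* The check made on every access: pointer tag must equal the memory tag. */
int access_ok(uint8_t ptr_tag, size_t addr) {
    return shadow[addr / GRANULE] == ptr_tag;
}

/* Tag every chunk from rand(), then run each pointer one byte past its chunk
 * into the right-hand neighbour. Returns the number of undetected overflows. */
int missed_overflows(int distinct, unsigned seed) {
    uint8_t tags[NCHUNKS];
    int missed = 0;
    srand(seed);
    for (int i = 0; i < NCHUNKS; i++)
        tags[i] = (uint8_t)tag_chunk(i, (uint8_t)(rand() & 0xff), distinct);
    for (int i = 0; i + 1 < NCHUNKS; i++)
        missed += access_ok(tags[i], (size_t)(i + 1) * CHUNK);
    return missed;
}

int main(void) {
    int random_missed = 0;   /* summed over 1000 constructed slabs */
    for (unsigned s = 1; s <= 1000; s++)
        random_missed += missed_overflows(0, s);
    printf("random: %d missed, distinct: %d missed\n", random_missed, missed_overflows(1, 1));
    return 0;
}
```

Only the overflow into the directly adjacent chunk is covered by the guarantee; an access that skips past the neighbour is again caught only when the tags happen to differ.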