On Fri, Mar 16, 2018 at 7:16 PM, Evgenii Stepanov <eugenis@xxxxxxxxxx> wrote:
> On Fri, Mar 16, 2018 at 11:09 AM, Andrey Konovalov
> <andreyknvl@xxxxxxxxxx> wrote:
>> On Thu, Mar 15, 2018 at 5:52 PM, Andrey Ryabinin
>>> Wouldn't be better to have some reserved tag value for invalid memory (redzones/free), so that
>>> we catch access to such memory with 100% probability?
>>
>> We could do that. That would reduce the chance to detect a
>> use-after-free though, since we're using fewer different tag values
>> for the objects themselves. I don't have a strong opinion about which
>> one is better though.

Note: I misread the message and didn't notice the "/free" part there,
so I was considering marking only redzones with a reserved tag value.

>
> hwasan does not need redzones.

Right, by redzones in this case I meant the metadata that is stored
right after the object (which includes alloc and free stack handles
and perhaps some other allocator stuff).

> As for use-after-free, to catch it with
> 100% probability one would need infinite memory for the quarantine. It
> is possible to guarantee 100% detection of linear buffer overflow by
> giving live adjacent chunks distinct tags.
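
The trade-off discussed in this thread, as an added illustration that is not part of the original messages and is not KASAN or hwasan code: a constructed user-space model in which freed memory gets a reserved tag, live neighbours get distinct tags, and a stale pointer is checked after its memory is reused. The granule size, the 8-bit tag width, the reserved value `TAG_INVALID` and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: 16-byte granules, one 8-bit tag each. */
#define GRANULE     16
#define NGRANULES   64
#define TAG_INVALID 0xFF   /* assumed reserved tag: freed memory and metadata */
static uint8_t shadow[NGRANULES];
static uint32_t rng;
struct tagged_ptr { size_t off; uint8_t tag; };  /* pointer plus its tag */

static void model_init(void) { memset(shadow, TAG_INVALID, sizeof shadow); rng = 12345; }
static uint8_t random_tag(void) {
    rng = rng * 1664525u + 1013904223u;   /* LCG, fixed seed for repeatability */
    return (uint8_t)((rng >> 24) % 255);  /* 0x00..0xFE, never TAG_INVALID */
}
/* Tag n granules from granule g with a tag unlike either neighbour. */
static struct tagged_ptr model_alloc(size_t g, size_t n) {
    uint8_t t;
    do t = random_tag();
    while ((g > 0 && shadow[g - 1] == t) || (g + n < NGRANULES && shadow[g + n] == t));
    memset(&shadow[g], t, n);
    return (struct tagged_ptr){ g * GRANULE, t };
}
static void model_free(struct tagged_ptr p, size_t n) { memset(&shadow[p.off / GRANULE], TAG_INVALID, n); }
/* 1 if the access at p+delta passes the tag check, 0 if it is reported. */
static int access_ok(struct tagged_ptr p, size_t delta) { return shadow[(p.off + delta) / GRANULE] == p.tag; }

/* Reuse the same granules `rounds` times and count stale-pointer accesses that
   pass because the new tag equals the old one. Returns -1 on a model bug. */
static int stale_hits_after_reuse(int rounds) {
    int hits = 0;
    for (int i = 0; i < rounds; i++) {
        struct tagged_ptr old = model_alloc(4, 2);
        model_free(old, 2);
        if (access_ok(old, 0)) return -1;   /* freed, not yet reused: always caught */
        struct tagged_ptr cur = model_alloc(4, 2);
        hits += access_ok(old, 0);          /* reused: caught only if tags differ */
        model_free(cur, 2);
    }
    return hits;
}

int main(void) {
    model_init();
    struct tagged_ptr a = model_alloc(0, 2), b = model_alloc(2, 2);
    printf("overflow a->b passes: %d, stale hits in 10000 reuses: %d\n",
           access_ok(a, 2 * GRANULE), stale_hits_after_reuse(10000));
    return b.tag == a.tag;
}
```

In this model the reserved tag catches every access to freed memory only until the granules are reallocated, which is the point about quarantine size made above.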