On Fri, Mar 16, 2018 at 11:24 AM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
> On Fri, Mar 16, 2018 at 7:16 PM, Evgenii Stepanov <eugenis@xxxxxxxxxx> wrote:
>> On Fri, Mar 16, 2018 at 11:09 AM, Andrey Konovalov
>> <andreyknvl@xxxxxxxxxx> wrote:
>>> On Thu, Mar 15, 2018 at 5:52 PM, Andrey Ryabinin
>>>> Wouldn't it be better to have some reserved tag value for invalid memory (redzones/free), so that
>>>> we catch access to such memory with 100% probability?
>>>
>>> We could do that. That would reduce the chance to detect a
>>> use-after-free though, since we're using fewer different tag values
>>> for the objects themselves. I don't have a strong opinion about which
>>> one is better though.
>
> Note: I misread the message and didn't notice the "/free" part there,
> so I was considering marking only redzones with a reserved tag value.
>
>>
>> hwasan does not need redzones.
>
> Right, by redzones in this case I meant the metadata that is stored
> right after the object (which includes alloc and free stack handles
> and perhaps some other allocator stuff).

Oh, I did not realize we have free (as in beer, not as in use-after-free)
redzones between allocations. Yes, reserving a color sounds like a good idea.

>
>> As for use-after-free, to catch it with
>> 100% probability one would need infinite memory for the quarantine. It
>> is possible to guarantee 100% detection of linear buffer overflow by
>> giving live adjacent chunks distinct tags.