<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/133640>133640</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
AddressSanitizer's FakeStack metadata can be rewritten by users
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
brandb97
</td>
</tr>
</table>
<pre>
AddressSanitizer saves &flag[pos] at the end of the FakeStack, which can be rewritten by users. If you run this code snippet with `-fsanitize=address`, you get a SEGV signal, because AddressSanitizer tries to read &flag[pos] in __asan_stack_free, but it reads from the wrong place.
```
#include <stdio.h>

struct BigData {
    int x[40960];
};

void *test() {
    struct BigData x;
    int *y = (int *)(&x);
    /* Deliberate out-of-bounds write past the end of x (40960 ints):
     * it lands on the metadata ASan keeps at the end of the FakeStack frame. */
    for (int i = 0; i < 50; i++)
        y[41030 + i] = 100;
    /* Returns the address of the local; main ignores it. */
    return y;
}

int main() {
    test();
    return 0;
}
```
You should compile this program with `clang -fsanitize=address source.c -o a.out`. I'm using v18.1.6 to do this experiment.
</pre>
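To make the failure mode and a mitigation concrete, here is a simplified model of a fake-stack allocator (an added example, not AddressSanitizer's code or the reporter's) in which each frame's last word holds a pointer to that frame's in-use flag: an overflow like the one in the report clobbers that word, and a free that validates the saved pointer, or recomputes the flag index from the frame address instead of trusting in-frame data, survives it. All names (fake_alloc, fake_free_checked, fake_free_recomputed, clobbered_frame, FRAME_SIZE, NUM_FRAMES) are constructed for this example.

```c
/* Simplified model of a fake-stack allocator, constructed for this example
 * (not AddressSanitizer's code): each frame's last word holds a pointer to
 * that frame's in-use flag and free reads it back, as the report describes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_SIZE 64             /* one size class: 64 bytes per frame */
#define NUM_FRAMES 4
static uint8_t frames[NUM_FRAMES * FRAME_SIZE];
static uint8_t flags[NUM_FRAMES]; /* 1 = frame in use */

/* The saved flag pointer lives in the last pointer-sized word of the frame. */
static uint8_t **saved_flag_ptr(uint8_t *frame) {
    return (uint8_t **)(frame + FRAME_SIZE - sizeof(uint8_t *));
}

uint8_t *fake_alloc(size_t pos) {
    uint8_t *frame = frames + pos * FRAME_SIZE;
    flags[pos] = 1;
    *saved_flag_ptr(frame) = &flags[pos];
    return frame;
}

/* Free that reads the inline pointer but validates it before dereferencing;
 * returns -1 where the unchecked form would fault on a clobbered value. */
int fake_free_checked(uint8_t *frame) {
    uint8_t *flag = *saved_flag_ptr(frame);
    if (flag < flags || flag >= flags + NUM_FRAMES) return -1;
    *flag = 0;
    return 0;
}

/* Free that never trusts in-frame metadata: the flag index is recomputed
 * from the frame address, so an overflow cannot redirect the write. */
int fake_free_recomputed(uint8_t *frame) {
    if (frame < frames || frame >= frames + sizeof frames) return -1;
    flags[(size_t)(frame - frames) / FRAME_SIZE] = 0;
    return 0;
}

/* Scenario mirroring the report's loop: user writes run to the very end of
 * the frame (value 100, like y[...] = 100) and clobber the saved pointer. */
int clobbered_frame(int recompute) {
    uint8_t *frame = fake_alloc(2);
    memset(frame, 100, FRAME_SIZE);
    return recompute ? fake_free_recomputed(frame) : fake_free_checked(frame);
}
```

The checked free only detects the corruption; the recomputed free is the stronger design because the allocator already knows the frame's size class and base address, so the inline copy of the flag pointer is never needed.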