[klee-dev] Question on use-after-free detection.
Yoonseok Ko
yoon-seok.ko at inria.fr
Sat Jan 2 18:16:35 GMT 2021
Hello,
I have an additional question on this comment: https://github.com/klee/klee/issues/1254 <https://github.com/klee/klee/issues/1254>
@ccadar mentioned that KLEE already finds the kind of bugs that AddressSanitizer detects, but I don't clearly understand.
For example, consider the following code fragment:
```
int *o1 = (int*)malloc(4);
free(o1);
int *o2 = (int*)malloc(4);
*o1 = 10; /* use-after-free */
```
The code uses the memory block allocated to the object 'o1' after it is freed (at line 2).
ASan simply detects and reports it as 'use-after-free'.
But, KLEE does not report an alarm when the second `malloc` allocates the same memory block as allocated by the first `malloc`.
Since KLEE simply relies on the standard malloc semantics, the same memory block can be allocated.
And, when there is a memory access, KLEE only checks whether the dereferenced memory block is *currently* valid.
So, the last line `*o1 = 10` is valid because `o2 == o1`.
Do you support any other mechanism to catch such an issue?
Thank you.
Best regards,
Yoonseok
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the klee-dev
mailing list