[klee-dev] Question on use-after-free detection.
Cristian Cadar
c.cadar at imperial.ac.uk
Sat Jan 2 19:31:02 GMT 2021
You are right, KLEE doesn't catch this use-after-free bug currently, as
it doesn't implement a quarantine. It wouldn't it be too hard to add
this though (you might want to refer to the ASan paper for details).
Best,
Cristian
On 02/01/2021 18:16, Yoonseok Ko wrote:
> Hello,
>
> I have an additional question on this comment:
> https://github.com/klee/klee/issues/1254
> <https://github.com/klee/klee/issues/1254>
>
> @ccadar mentioned that KLEE already finds the kind of bugs that
> AddressSanitizer detects, but I don't clearly understand.
>
> For example, consider the following code fragment:
> ```
> int *o1 = (int*)malloc(4);
> free(o1);
> int *o2 = (int*)malloc(4);
> *o1 = 10; /* use-after-free */
> ```
>
> The code uses the memory block allocated to the object 'o1' after it is
> freed (at line 2).
> ASan simply detects and reports it as 'use-after-free'.
>
> But, KLEE does not report an alarm when the second `malloc` allocates
> the same memory block as allocated by the first `malloc`.
> Since KLEE simply relies on the standard malloc semantics, the same
> memory block can be allocated.
> And, when there is a memory access, KLEE only checks whether the
> dereferenced memory block is *currently* valid.
> So, the last line `*o1 = 10` is valid because `o2 == o1`.
>
> Do you support any other mechanism to catch such an issue?
>
> Thank you.
>
> Best regards,
> Yoonseok
>
>
> _______________________________________________
> klee-dev mailing list
> klee-dev at imperial.ac.uk
> https://mailman.ic.ac.uk/mailman/listinfo/klee-dev
>
More information about the klee-dev
mailing list