1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
---
title: Using Address Sanitizer with clang
url: using-address-sanitizer-with-clang.html
date: 2026-01-15T16:13:13+02:00
type: post
draft: false
tags: []
---
## What -fsanitize=address does
- Enables AddressSanitizer (ASan): a compile and link time instrumentation plus
runtime library that detects memory errors.
- Detects: out-of-bounds accesses (heap, stack, globals), use-after-free, some
use-after-return, double/invalid free, and (on some platforms) leaks.
- How it works: instrumented memory accesses are checked against a shadow
memory; violations produce an error report with a stack trace and abort the
program.
- Trade-offs: ~2x runtime slowdown (varies), higher memory use, large virtual
address space reservation on 64-bit, and requires linking the ASan runtime
(not suitable for production builds).
- Usage: compile and link with `-fsanitize=address` (and typically `-g` and
`-O0`). Runtime behavior can be tuned via `ASAN_OPTIONS` and
symbolization via llvm-symbolizer.
More about ASan on https://clang.llvm.org/docs/AddressSanitizer.html.
## An example how to use it
```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int main(void) {
char *p = malloc(10);
if (!p) return 1;
// Out-of-bounds write (heap buffer overflow).
strcpy(p, "This string is way too long for the buffer");
// Use-after-free (unreachable if program aborts on previous error).
free(p);
p[0] = 'x';
return 0;
}
```
Now let's compile with proper flags with `clang -O0 -g -fsanitize=address -o
main main.c`.
If you run the binary it should trigger ASan. You can also specify what to
show with `ASAN_OPTIONS=detect_leaks=1:verbosity=1:symbolize=1 ./main` and you
should see something like this.
> By using any kind of optimization with `-On` will likely optimize the
> problematic code out. But you can never be sure of it.
```text
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
thread_local_quarantine_size_kb=1024K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x00007fff8000
==28825==Installed the sigaction for signal 11
==28825==Installed the sigaction for signal 7
==28825==Installed the sigaction for signal 8
==28825==T0: FakeStack created: 0x7be4d10f7000 -- 0x7be4d1c00000 stack_size_log: 20; mmapped 11300K, noreserve=0
==28825==T0: stack [0x7ffcf551c000,0x7ffcf5d1c000) size 0x800000; local=0x7ffcf5d1a664
==28825==AddressSanitizer Init done
=================================================================
==28825==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c04d25e001a at pc 0x5653c583826a bp 0x7ffcf5d1a5f0 sp 0x7ffcf5d19da8
WRITE of size 43 at 0x7c04d25e001a thread T0
#0 0x5653c5838269 in strcpy (/home/m/Junk/fsanitize/main+0xb7269) (BuildId: 69a0723cc8e27d59eb584f6cc902f6f12915111a)
#1 0x5653c5894e13 in main /home/m/Junk/fsanitize/main.c:10:5
#2 0x7fe4d328bbfb in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#3 0x7fe4d328bcb4 in __libc_start_main@GLIBC_2.2.5 csu/../csu/libc-start.c:360:3
#4 0x5653c57ad360 in _start /builddir/glibc-2.41/csu/../sysdeps/x86_64/start.S:115
0x7c04d25e001a is located 0 bytes after 10-byte region [0x7c04d25e0010,0x7c04d25e001a)
allocated by thread T0 here:
#0 0x5653c5851ca4 in malloc (/home/m/Junk/fsanitize/main+0xd0ca4) (BuildId: 69a0723cc8e27d59eb584f6cc902f6f12915111a)
#1 0x5653c5894de8 in main /home/m/Junk/fsanitize/main.c:6:15
#2 0x7fe4d328bbfb in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/m/Junk/fsanitize/main+0xb7269) (BuildId: 69a0723cc8e27d59eb584f6cc902f6f12915111a) in strcpy
Shadow bytes around the buggy address:
0x7c04d25dfd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7c04d25dfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7c04d25dfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7c04d25dff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7c04d25dff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7c04d25e0000: fa fa 00[02]fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7c04d25e0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28825==ABORTING
```
|
